ELK: X-Pack security authentication

1. Enable X-Pack security authentication

server1, server2 and server3 form the ES cluster

In cluster mode the certificates have to be created first
# cd /usr/share/elasticsearch/
# bin/elasticsearch-certutil ca
# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# cp elastic-certificates.p12 elastic-stack-ca.p12 /etc/elasticsearch
# cd /etc/elasticsearch
# chown elasticsearch elastic-certificates.p12 elastic-stack-ca.p12
scp elastic-certificates.p12 elastic-stack-ca.p12 server2:/etc/elasticsearch/  # copy the certificates to server2 and server3

Configure every Elasticsearch cluster node
# vim /etc/elasticsearch/elasticsearch.yml
node.ingest: true  # with X-Pack security enabled the cluster needs an ingest node (the role that pre-processes documents before indexing); without one the security setup fails

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

Once the ES cluster has restarted normally, set the passwords of the built-in users
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
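Added example (not from the original post): a POSIX shell script that checks a node against the setup above: the required xpack settings in elasticsearch.yml, ownership and permissions of the PKCS#12 files, and that the HTTP endpoint rejects anonymous requests and accepts the elastic user. The paths, the elastic user and the node URL are taken from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the X-Pack
# setup above. Paths, the elastic user and the node URL are the post's.
# Settings every cluster node must carry (key=value, values as in the post).
REQUIRED_SETTINGS="xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=/etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=/etc/elasticsearch/elastic-certificates.p12"

# check_es_yml FILE: report every required setting that is unset or differs
# from the value above; returns non-zero if any is wrong.
check_es_yml() {
    rc=0
    for pair in $REQUIRED_SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        # last matching "key: value" line wins; comments and padding stripped
        got=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
              | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "BAD: $key is '${got:-<unset>}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}
# check_cert_file FILE OWNER: the PKCS#12 files hold the CA and node keys, so
# they must belong to the elasticsearch user and be unreadable by others.
check_cert_file() {
    want_uid=$(id -u "$2" 2>/dev/null || echo "$2")  # accept a name or a uid
    line=$(ls -ldn "$1")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    others=$(printf '%s\n' "$line" | cut -c8-10)
    [ "$owner" = "$want_uid" ] && [ "$others" = "---" ]
}
# check_http_auth URL USER PASSWORD: a secured node answers 401 to an
# anonymous request and 200 to the same request with credentials.
check_http_auth() {
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1")
    [ "$anon" = "401" ] && [ "$auth" = "200" ]
}
# Run everything on a live node:  sh check_es.sh <password of the elastic user>
if [ $# -eq 1 ]; then
    check_es_yml /etc/elasticsearch/elasticsearch.yml
    check_cert_file /etc/elasticsearch/elastic-certificates.p12 elasticsearch || echo "BAD: node cert owner/mode"
    check_cert_file /etc/elasticsearch/elastic-stack-ca.p12 elasticsearch || echo "BAD: CA cert owner/mode"
    check_http_auth http://172.25.2.1:9200/ elastic "$1" && echo "auth OK"
fi
```

Run it on each cluster node after the restart; a node that answers 200 to the anonymous request has not picked up xpack.security.enabled.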


1. Access through elasticsearch-head
vim /etc/elasticsearch/elasticsearch.yml
http.cors.allow-headers: "Authorization,X-Requested-With,Content-Length,Content-Type"

cd /root/elasticsearch-head-master
cnpm run start &

http://172.25.2.1:9100/?auth_user=elastic&auth_password=westos

Monitoring clusters and production data clusters are best kept separate
server5: logstash and kibana

2. Set the user name and password Logstash uses to connect to ES (Logstash pipeline configuration)
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
  }
}
output {
  stdout { }
  elasticsearch {
    hosts => ["172.25.2.1:9200"]
    index => "apache-%{+yyyy.MM.dd}"
    user => "elastic"
    password => "westos"
  }
}
3. vim /etc/kibana/kibana.yml  # set the user name and password Kibana uses to connect to ES
elasticsearch.username: "kibana"
elasticsearch.password: "westos"


2. ELK monitoring

(1) Use the built-in monitoring directly
(2) Use Metricbeat to monitor

1. Install Metricbeat on the same servers that run Elasticsearch
server1, server2, server3
get metricbeat-7.6.1-x86_64.rpm
rpm -ivh metricbeat-7.6.1-x86_64.rpm
2. Enable and configure the Elasticsearch X-Pack module in Metricbeat
metricbeat modules enable elasticsearch-xpack
metricbeat modules list


3. Configure Metricbeat to send to the monitoring cluster
vim /etc/metricbeat/metricbeat.yml

vim /etc/metricbeat/modules.d/elasticsearch-xpack.yml
4. Start Metricbeat
systemctl restart metricbeat.service
5. Metricbeat is now started on every node of the cluster

3. Filebeat log collection


server1, server2, server3
Same procedure as for Metricbeat above
rpm -ivh filebeat-7.6.1-x86_64.rpm  # install
filebeat modules enable elasticsearch  # enable the module
vim /etc/filebeat/filebeat.yml  # configure
output.elasticsearch:
  hosts: ["172.25.2.1:9200"]
  username: "elastic"
  password: "westos"

vim /etc/filebeat/modules.d/elasticsearch.yml
https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-module-elasticsearch.html

systemctl restart filebeat.service

More logs arrive and can be streamed

4. Create a visualization

Use Metricbeat and Filebeat to generate the visualization templates (dashboards)

vim /etc/metricbeat/metricbeat.yml
setup.kibana:
  host: "172.25.2.5:5601"
 
metricbeat setup --dashboards


vim /etc/filebeat/filebeat.yml
setup.kibana:
  host: "172.25.2.5:5601"

filebeat setup --dashboards

When deploying, make sure every ELK service is running correctly;
once ES has security authentication enabled, the user name and password must be added to every connection that accesses it;
Kibana logs in with the ES users;
ES uses a lot of memory and locks it, so keep a memory margin when deploying to prevent ES from being killed.

Origin blog.csdn.net/qq_49564346/article/details/114870908