配置SSL、TLS以及HTTPS来确保es、kibana、beats、logstash的安全


 

ssl分步骤

1、准备工作

为每台机器配置hosts

192.168.1.234 node01
192.168.1.233 node02
192.168.1.240 node03
192.168.1.241 logstash01
192.168.1.242 logstash02
192.168.1.243 filebeat
metricbeat与filebeat服务在同一台机器上,共用一套证书

instances.yml文件内容

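# Input for elasticsearch-certutil: one certificate (crt + key) is issued per entry.
# The dns names become SAN DNS entries; they are only checked by clients that use
# verification_mode "full". The ip entries (taken from the hosts table above) are
# added so that the IP-based URLs used by Kibana and Beats can still verify if
# "full" verification is ever switched on.
instances:
  - name: 'node01'
    dns: ['node01']
    ip: ['192.168.1.234']
  - name: 'node02'
    dns: ['node02']
    ip: ['192.168.1.233']
  - name: 'node03'
    dns: ['node03']
    ip: ['192.168.1.240']
  # Kibana runs on node01 (server.host 192.168.1.234 below).
  - name: 'kibana'
    dns: ['node01']
    ip: ['192.168.1.234']
  - name: 'logstash01'
    dns: ['logstash01']
    ip: ['192.168.1.241']
  - name: 'logstash02'
    dns: ['logstash02']
    ip: ['192.168.1.242']
  # Shared by filebeat and metricbeat (same host).
  - name: 'filebeat'
    dns: ['filebeat']
    ip: ['192.168.1.243']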

存储路径

/home/elastic/elasticsearch-7.5.1

生成证书

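cd /home/elastic/elasticsearch-7.5.1
# --in must name the instances file written above (instances.yml, not instance.yml).
# With --pem and no --pass the private keys in the zip are unencrypted: extract as
# root, copy each node's crt/key and ca.crt to its config/certs directory, and keep
# the .key files mode 0600 owned by the service user. The listing below only shows
# the ca/node01-03/kibana directories; the zip also contains logstash01, logstash02
# and filebeat.
bin/elasticsearch-certutil cert ca --pem --in instances.yml --out /root/certs.zip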
#解压后目录结构
Archive:  certs.zip
   creating: ca/
  inflating: ca/ca.crt               
   creating: node01/
  inflating: node01/node01.crt       
  inflating: node01/node01.key       
   creating: node02/
  inflating: node02/node02.crt       
  inflating: node02/node02.key       
   creating: node03/
  inflating: node03/node03.crt       
  inflating: node03/node03.key       
   creating: kibana/
  inflating: kibana/kibana.crt       
  inflating: kibana/kibana.key 

2、访问es集群设置

es1

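cluster.name: es-itcast-cluster
node.name: node01
node.master: true
node.data: true
network.host: 192.168.1.234
discovery.seed_hosts: ["192.168.1.234", "192.168.1.233", "192.168.1.240"]
# Only consulted when the cluster bootstraps for the first time.
cluster.initial_master_nodes: ["node01", "node02", "node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
# Enables X-Pack security (authentication and authorization). This setting does not
# set any passwords; the built-in user passwords are created afterwards with
# bin/elasticsearch-setup-passwords.
xpack.security.enabled: true
# HTTPS on the REST port (9200). Every client (Kibana, Logstash, Beats) must trust ca.crt.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node01.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node01.crt
xpack.security.http.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
# TLS between cluster nodes on the transport port (9300).
# verification_mode "certificate" checks that the peer certificate chains to ca.crt
# but not its host name; "full" would additionally require the SAN (node01 in
# instances.yml) to match the address in discovery.seed_hosts.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node01.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node01.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]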

es2

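cluster.name: es-itcast-cluster
node.name: node02
node.master: true
node.data: true
network.host: 192.168.1.233
discovery.seed_hosts: ["192.168.1.234", "192.168.1.233", "192.168.1.240"]
# Only consulted when the cluster bootstraps for the first time.
cluster.initial_master_nodes: ["node01", "node02", "node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
# Enables X-Pack security; built-in user passwords are set separately.
xpack.security.enabled: true
# HTTPS on the REST port (9200), using this node's own certificate.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node02.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node02.crt
xpack.security.http.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
# TLS between cluster nodes on the transport port (9300); "certificate" mode verifies
# the chain to ca.crt but not the peer host name.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node02.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node02.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]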

es3

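cluster.name: es-itcast-cluster
node.name: node03
node.master: true
node.data: true
network.host: 192.168.1.240
discovery.seed_hosts: ["192.168.1.234", "192.168.1.233", "192.168.1.240"]
# Only consulted when the cluster bootstraps for the first time.
cluster.initial_master_nodes: ["node01", "node02", "node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
# Enables X-Pack security; built-in user passwords are set separately.
xpack.security.enabled: true
# HTTPS on the REST port (9200), using this node's own certificate.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node03.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node03.crt
xpack.security.http.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
# TLS between cluster nodes on the transport port (9300); "certificate" mode verifies
# the chain to ca.crt but not the peer host name.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node03.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node03.crt
# The original line was missing the closing "]", which makes the whole file unparsable.
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]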

3、kibana访问es集群设置

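# kibana.yml (the original had everything after server.host collapsed onto one
# comment line, so none of those settings were actually applied).
server.port: 5601
server.host: "192.168.1.234"
# Kibana -> Elasticsearch over HTTPS, authenticated as the built-in kibana user.
elasticsearch.hosts: ["https://192.168.1.234:9200", "https://192.168.1.233:9200", "https://192.168.1.240:9200"]
elasticsearch.username: "kibana"
# Prefer the Kibana keystore (bin/kibana-keystore add elasticsearch.password) over a
# plaintext value in a file that may end up in version control.
elasticsearch.password: "4CG0LMkw4Gjkh8c5SPsS"
i18n.locale: "zh-CN"
# HTTPS for browser access to Kibana. The certificate was issued for the DNS name
# node01 (instances.yml); browsers reaching Kibana by IP will still warn.
server.ssl.enabled: true
server.ssl.certificate: /home/kibana/kibana-7.5.1/config/certs/kibana.crt
server.ssl.key: /home/kibana/kibana-7.5.1/config/certs/kibana.key
# "certificate" verifies that the ES certificate chains to ca.crt but not its host
# name, which is why the IP-based URLs above are accepted.
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.5.1/config/certs/ca.crt"]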

4、启动kibana并测试kibana的登录信息

 

4、logstash访问es设置

在es上创建logstash使用的用户

# Mind the index pattern: "names" must cover whatever the Logstash elasticsearch
# output writes (logstash-data-* in the pipeline below).
# NOTE(review): "manage" grants every index-admin action on logstash*, which is
# broader than a writer needs; and if the Logstash output is left with ILM enabled
# (the 7.x default when the cluster supports it) the cluster privilege manage_ilm
# is also required — confirm against the Logstash 7.5 docs before tightening.
POST /_security/role/logstash_write_role
{
    "cluster": [
      "monitor",
      "manage_index_templates"
    ],
    "indices": [
      {
        "names": [
          "logstash*"
        ],
        "privileges": ["write","create","delete","create_index","manage","manage_ilm"],
        "field_security": {
          "grant": [
            "*"
          ]
        }
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
}

# Create the user and set its password. This value is the one the Logstash
# elasticsearch output must use (the pipeline below currently sends "logstash",
# which does not match). Use a strong password here and keep it in the Logstash
# keystore rather than in the pipeline file.
POST /_security/user/logstash_writer
{
  "username": "logstash_writer",
  "roles": [
    "logstash_write_role"
  ],
  "full_name": null,
  "email": null,
  "password": "1234567890",
  "enabled": true
}

 针对 Beats 输入插件,将 logstash.key 转换为 PKCS#8 格式

# The Logstash beats input only accepts PKCS#8 private keys, so convert the
# certutil-generated key. Run this once per Logstash node: certutil named the
# keys after the instance (logstash01.key / logstash02.key), and the pipeline
# below expects logstash02.pkcs8.key. -nocrypt writes the PKCS#8 key unencrypted,
# so keep the output mode 0600 and owned by the logstash user.
openssl pkcs8 -topk8 -nocrypt -in logstash.key -out logstash.pkcs8.key

 logstash配置

logstash配置文件

logstash01

# logstash01 - logstash.yml
node.name: logstash01
path.data: /home/logstash/data
path.logs: /home/logstash/logs
# Every *.conf under config/conf is loaded as a pipeline definition.
path.config: /home/logstash/logstash-7.5.1/config/conf/*.conf
# Logstash monitoring/API endpoint, bound to this host's address only.
http.host: "192.168.1.241"
http.port: 9700

# Ship Logstash monitoring data to the HTTPS cluster as the built-in logstash_system user.
# NOTE(review): consider moving the password into the Logstash keystore
# (bin/logstash-keystore add) and referencing it as ${...} instead of plaintext.
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: TBQOrC23OjbivKfqonMg
xpack.monitoring.elasticsearch.hosts:
  - 'https://node01:9200'
  - 'https://node02:9200'
  - 'https://node03:9200'
# ca.crt is what lets Logstash verify the node certificates issued by certutil.
xpack.monitoring.elasticsearch.ssl.certificate_authority: '/home/logstash/logstash-7.5.1/config/certs/ca.crt'


logstash02

# logstash02 - logstash.yml
node.name: logstash02
path.data: /home/logstash/data/
path.logs: /home/logstash/logs
log.level: info
# Every *.conf under config/conf is loaded as a pipeline definition.
path.config: /home/logstash/logstash-7.5.1/config/conf/*.conf
# Logstash monitoring/API endpoint, bound to this host's address only.
http.host: "192.168.1.242"
http.port: 9700

# Ship Logstash monitoring data to the HTTPS cluster as the built-in logstash_system user.
# NOTE(review): consider moving the password into the Logstash keystore
# (bin/logstash-keystore add) and referencing it as ${...} instead of plaintext.
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: TBQOrC23OjbivKfqonMg
xpack.monitoring.elasticsearch.hosts:
  - 'https://node01:9200'
  - 'https://node02:9200'
  - 'https://node03:9200'
# ca.crt is what lets Logstash verify the node certificates issued by certutil.
xpack.monitoring.elasticsearch.ssl.certificate_authority: '/home/logstash/logstash-7.5.1/config/certs/ca.crt'

#注意输出的索引名

# Pipeline for logstash02 (paths reference the logstash02 certificate).
# Beats input with mutual TLS: force_peer rejects any Beat that does not present a
# certificate chaining to ca.crt. ssl_key must be the PKCS#8 file produced above.
input {
  beats {
    port => 5044
    ssl => true
    ssl_verify_mode => 'force_peer'
    ssl_certificate_authorities => ['/home/logstash/logstash-7.5.1/config/certs/ca.crt']
    ssl_certificate => '/home/logstash/logstash-7.5.1/config/certs/logstash02.crt'
    ssl_key => '/home/logstash/logstash-7.5.1/config/certs/logstash02.pkcs8.key'
  }
}

output {
  # Echoes every event to stdout as JSON - handy while testing, noisy in production.
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ['https://node01:9200', 'https://node02:9200', 'https://node03:9200']
    ssl => true
    cacert => '/home/logstash/logstash-7.5.1/config/certs/ca.crt'
    # Daily index; must match the logstash* pattern of logstash_write_role.
    # NOTE(review): on 7.x this output turns ILM on automatically when the cluster
    # supports it, and then writes to the rollover alias instead of this name;
    # set ilm_enabled => false if this exact index name is expected - confirm.
    index => "logstash-data-%{+YYYY.MM.dd}"
    user => 'logstash_writer'
    # NOTE(review): logstash_writer was created above with password "1234567890";
    # this value does not match, so one of the two must be corrected. Keep the
    # secret in the Logstash keystore and reference it as ${...} rather than here.
    password => "logstash"
  }
}

5、filebeat访问logstash设置

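# filebeat.yml - ship to either Logstash node over mutual TLS.
output.logstash:
  # Host names (not IPs) so that the Logstash certificate SANs verify.
  hosts: ["logstash01:5044", "logstash02:5044"]
  # Spread events across both Logstash nodes. The original spelled this "loadlance",
  # which is not a Filebeat setting, so no balancing was configured.
  loadbalance: true
  # ca.crt verifies the Logstash server certificate; the filebeat cert/key are
  # presented because the beats input uses ssl_verify_mode force_peer.
  ssl.certificate_authorities: ["/home/beats/filebeat-7.5.1/certs/ca.crt"]
  ssl.certificate: "/home/beats/filebeat-7.5.1/certs/filebeat.crt"
  # The original line was missing its closing quote, which breaks YAML parsing.
  ssl.key: "/home/beats/filebeat-7.5.1/certs/filebeat.key"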

6、metricbeat访问elasticsearch设置

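# Create the user beats_user and grant it privileges first. The role/user request
# is not shown on this page; it needs at least write/create_index on metricbeat-*
# plus the template privileges used by the setup section below - confirm against
# the Beats docs for 7.5.
# metricbeat.yml (the original had the whole file collapsed onto one line).
metricbeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
# ILM is off, so the explicit index name under output.elasticsearch is used as-is.
setup.ilm.enabled: false
setup.template.name: "metricbeat"
setup.template.pattern: "metricbeat-*"
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
output.elasticsearch:
  hosts: ["https://node01:9200", "https://node02:9200", "https://node03:9200"]
  index: "metricbeat-%{+yyyy.MM.dd}"
  protocol: "https"
  username: "beats_user"
  # Weak lab password: prefer `metricbeat keystore add` and reference it as ${...}.
  password: "123456"
  # Same host as filebeat, so the filebeat certificate is reused (see the hosts table);
  # ca.crt is what verifies the Elasticsearch node certificates.
  ssl.certificate_authorities: ["/home/beats/filebeat-7.5.1/certs/ca.crt"]
  ssl.certificate: "/home/beats/filebeat-7.5.1/certs/filebeat.crt"
  ssl.key: "/home/beats/filebeat-7.5.1/certs/filebeat.key"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~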