配置SSL、TLS以及HTTPS来确保es、kibana、beats、logstash的安全
ssl分步骤
1、准备工作
为每台机器配置hosts
192.168.1.234 node01
192.168.1.233 node02
192.168.1.240 node03
192.168.1.241 logstash01
192.168.1.242 logstash02
192.168.1.243 filebeat
metricbeat与filebeat服务在同一台机器上,共用一套证书
instances.yml文件内容
instances:
- name: "node01"
dns: ['node01']
- name: "node02"
dns: ['node02']
- name: "node03"
dns: ['node03']
- name: 'kibana'
dns: ['node01']
- name: 'logstash01'
dns: ['logstash01']
- name: 'logstash02'
dns: ['logstash02']
- name: 'filebeat'
dns: ['filebeat']
存储路径
/home/elastic/elasticsearch-7.5.1
生成证书
cd /home/elastic/elasticsearch-7.5.1 bin/elasticsearch-certutil cert ca --pem --in instance.yml --out /root/certs.zip #解压后目录结构 Archive: certs.zip creating: ca/ inflating: ca/ca.crt creating: node01/ inflating: node01/node01.crt inflating: node01/node01.key creating: node02/ inflating: node02/node02.crt inflating: node02/node02.key creating: node03/ inflating: node03/node03.crt inflating: node03/node03.key creating: kibana/ inflating: kibana/kibana.crt inflating: kibana/kibana.key
2、访问es集群设置
es1
cluster.name: es-itcast-cluster
node.name: node01
node.master: true
node.data: true
network.host: 192.168.1.234
discovery.seed_hosts: ["192.168.1.234","192.168.1.233","192.168.1.240"]
cluster.initial_master_nodes: ["node01","node02","node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
#配置集群密码
xpack.security.enabled: true
#用HTTPS方式访问es
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node01.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node01.crt
xpack.security.http.ssl.certificate_authorities: /home/elastic/elasticsearch-7.5.1/config/certs/ca.crt
#集群内部通信
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node01.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node01.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
es2
cluster.name: es-itcast-cluster
node.name: node02
node.master: true
node.data: true
network.host: 192.168.1.233
discovery.seed_hosts: ["192.168.1.234","192.168.1.233","192.168.1.240"]
cluster.initial_master_nodes: ["node01","node02","node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node02.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node02.crt
xpack.security.http.ssl.certificate_authorities: /home/elastic/elasticsearch-7.5.1/config/certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node02.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node02.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
es3
cluster.name: es-itcast-cluster
node.name: node03
node.master: true
node.data: true
network.host: 192.168.1.240
discovery.seed_hosts: ["192.168.1.234","192.168.1.233","192.168.1.240"]
cluster.initial_master_nodes: ["node01","node02","node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node03.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node03.crt
xpack.security.http.ssl.certificate_authorities: /home/elastic/elasticsearch-7.5.1/config/certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node03.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node03.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"
3、kibana访问es集群设置
server.port: 5601 server.host: "192.168.1.234"
#kibana访问es集群 elasticsearch.hosts: ["https://192.168.1.234:9200","https://192.168.1.233:9200","https://192.168.1.240:9200"] elasticsearch.username: "kibana" elasticsearch.password: "4CG0LMkw4Gjkh8c5SPsS" i18n.locale: "zh-CN" #用HTTPS方式访问kibana server.ssl.enabled: true server.ssl.certificate: /home/kibana/kibana-7.5.1/config/certs/kibana.crt server.ssl.key: /home/kibana/kibana-7.5.1/config/certs/kibana.key #kibana访问es集群 elasticsearch.ssl.verificationMode: certificate elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.5.1/config/certs/ca.crt"]
4、启动kibana并测试kibana的登录信息
4、logstash访问es设置
在es上创建logstash使用的用户
# 注意索引名 POST /_security/role/logstash_write_role { "cluster": [ "monitor", "manage_index_templates" ], "indices": [ { "names": [ "logstash*" ], "privileges": ["write","create","delete","create_index","manage","manage_ilm"], "field_security": { "grant": [ "*" ] } } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } # 设置该用户密码 POST /_security/user/logstash_writer { "username": "logstash_writer", "roles": [ "logstash_write_role" ], "full_name": null, "email": null, "password": "1234567890", "enabled": true }
针对 Beats 输入插件,将 logstash.key 转换为 PKCS#8 格式
1
|
openssl pkcs8 - in logstash.key -topk8 -nocrypt - out logstash.pkcs8.key |
logstash配置
logstash配置文件 logstash01 node.name: logstash01 path.data: /home/logstash/data http.host: "192.168.1.241" http.port: 9700 path.logs: /home/logstash/logs path.config: /home/logstash/logstash-7.5.1/config/conf/*.conf xpack.monitoring.enabled: true xpack.monitoring.elasticsearch.username: logstash_system xpack.monitoring.elasticsearch.password: TBQOrC23OjbivKfqonMg xpack.monitoring.elasticsearch.hosts: ["https://node01:9200","https://node02:9200","https://node03:9200"] xpack.monitoring.elasticsearch.ssl.certificate_authority: "/home/logstash/logstash-7.5.1/config/certs/ca.crt" logstash02 node.name: logstash02 path.data: /home/logstash/data/ http.host: "192.168.1.242" http.port: 9700 log.level: info path.logs: /home/logstash/logs path.config: /home/logstash/logstash-7.5.1/config/conf/*.conf xpack.monitoring.enabled: true xpack.monitoring.elasticsearch.username: logstash_system xpack.monitoring.elasticsearch.password: TBQOrC23OjbivKfqonMg xpack.monitoring.elasticsearch.hosts: ["https://node01:9200","https://node02:9200","https://node03:9200"] xpack.monitoring.elasticsearch.ssl.certificate_authority: "/home/logstash/logstash-7.5.1/config/certs/ca.crt" #注意输出的索引名 input { beats { port => 5044 ssl => true ssl_certificate_authorities => ["/home/logstash/logstash-7.5.1/config/certs/ca.crt"] ssl_certificate => "/home/logstash/logstash-7.5.1/config/certs/logstash02.crt" ssl_key => "/home/logstash/logstash-7.5.1/config/certs/logstash02.pkcs8.key" ssl_verify_mode => "force_peer" } } output { stdout { codec => json } elasticsearch { hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"] ssl => true cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt" index => "logstash-data-%{+YYYY.MM.dd}" user => "logstash_writer" password => "logstash" } }
5、filebeat访问logstash设置
output.logstash: hosts: ["logstash01:5044","logstash02:5044"] loadlance: true #logstash负载均衡配置 ssl.certificate_authorities: ["/home/beats/filebeat-7.5.1/certs/ca.crt"] ssl.certificate: "/home/beats/filebeat-7.5.1/certs/filebeat.crt" ssl.key: "/home/beats/filebeat-7.5.1/certs/filebeat.key
6、metricbeat访问elasticsearch设置
#创建用户beats_user,授予权限
#修改配置文件
metricbeat.config.modules: path: ${path.config}/modules.d/*.yml reload.enabled: true reload.period: 10s setup.ilm.enabled: false setup.template.name: "metricbeat" setup.template.pattern: "metricbeat-*" setup.template.settings: index.number_of_shards: 1 index.codec: best_compression output.elasticsearch: hosts: ["https://node01:9200","https://node02:9200","https://node03:9200"] index: "metricbeat-%{+yyyy.MM.dd}" protocol: "https" username: "beats_user" password: "123456" ssl.certificate_authorities: ["/home/beats/filebeat-7.5.1/certs/ca.crt"] ssl.certificate: "/home/beats/filebeat-7.5.1/certs/filebeat.crt" ssl.key: "/home/beats/filebeat-7.5.1/certs/filebeat.key" processors: - add_host_metadata: ~ - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~