配置 SSL、TLS 以及 HTTPS 来确保 Elasticsearch、Kibana、Beats 和 Logstash 的安全

• 配置主机hosts文件

192.168.75.20 filebeat.local kibana.local logstash.local
192.168.75.22 node2.elastic.test.com node2

说明：
192.168.75.20主机上配置filebeat，logstash和kibana
192.168.75.22主机上配置elasticsearch

• instances.yml文件内容
  存储路径：/usr/share/elasticsearch

instances:
  - name: "node2"
    dns: ['node2.elastic.test.com']
  - name: 'kibana'
    dns: ['kibana.local']
  - name: 'logstash'
    dns: ['logstash.local']
  - name: 'filebeat'
    dns: ['filebeat.local']

• 生成证书

cd /usr/share/elasticsearch
bin/elasticsearch-certutil cert ca --pem --in instance.yml --out /root/certs.zip
# 解压后目录结构内容如下：
├── ca
│   └── ca.crt
├── certs.zip
├── filebeat
│   ├── filebeat.crt
│   └── filebeat.key
├── instance.yml
├── kibana
│   ├── kibana.crt
│   └── kibana.key
├── logstash
│   ├── logstash.crt
│   └── logstash.key
├── node2
    ├── node2.crt
    └── node2.key
# 把生成的相应证书复制到相应节点目录下

• es配置

cluster.name: my-application
node.name: node2
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: node2.elastic.test.com
http.port: 9200
transport.port: 9300
discovery.seed_hosts: ["node2.elastic.test.com"]
cluster.initial_master_nodes: ["node2"]

http.cors.enabled: true
http.cors.allow-origin: "*"

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/new_certs/node2.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/new_certs/node2.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/new_certs/ca.crt

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/new_certs/node2.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/new_certs/node2.crt
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/new_certs/ca.crt"]

设置系统内置用户密码

# 自动生成，记录下来
bin/elasticsearch-setup-passwords auto -u "https://node2.elastic.test.com:9200"
# 通过 HTTPS 访问 _cat/nodes API，需要输入elastic用户的密码
curl --cacert /etc/elasticsearch/new_certs/ca.crt -u elastic 'https://node2.elastic.test.com:9200/_cat/nodes?v'

• kibana配置文件

server.host: "kibana.local"
server.name: "kibana"

elasticsearch.hosts: ["https://node2.elastic.test.com:9200"]

elasticsearch.username: "kibana"
elasticsearch.password: "xafpbULaycAArnLc9O6H"

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]

• 在es上创建logstash使用的用户

# 注意索引名
POST /_security/role/logstash_write_role
{
    "cluster": [
      "monitor",
      "manage_index_templates"
    ],
    "indices": [
      {
        "names": [
          "logstash*"
        ],
        "privileges": ["write","create","delete","create_index","manage","manage_ilm"],
        "field_security": {
          "grant": [
            "*"
          ]
        }
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
}

# 设置该用户密码
POST /_security/user/logstash_writer
{
  "username": "logstash_writer",
  "roles": [
    "logstash_write_role"
  ],
  "full_name": null,
  "email": null,
  "password": "1234567890",
  "enabled": true
}

• 针对 Beats 输入插件，将 logstash.key 转换为 PKCS#8 格式

openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.pkcs8.key

• logstash配置

# grep -v '^#' /etc/logstash/logstash.yml
node.name: logstash.local
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d/*.conf


path.logs: /var/log/logstash
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: TBQOrC23OjbivKfqonMg
xpack.monitoring.elasticsearch.hosts: ["https://node2.elastic.test.com:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/etc/logstash/new_certs/ca.crt"

# 注意输出的索引名
# grep -v '^#' /etc/logstash/conf.d/nginx.conf 

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/new_certs/ca.crt"]
    ssl_certificate => "/etc/logstash/new_certs/logstash.crt"
    ssl_key => "/etc/logstash/new_certs/logstash.pkcs8.key"
    ssl_verify_mode => "force_peer"
  }
}

output {
  stdout {
    codec => json
  }
  elasticsearch {
     hosts => ["https://node2.elastic.test.com:9200"]
     ssl => true
     cacert => "/etc/logstash/new_certs/ca.crt"
     index => "logstash-%{+YYYY.MM.dd}"
     user => "logstash_writer"
     password => "1234567890"
  }
}

• filebeat配置

output.logstash:
  hosts: ["logstash.local:5044"]
  ssl.certificate_authorities: ["/etc/filebeat/new_certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/new_certs/filebeat.crt"
  ssl.key: "/etc/filebeat/new_certs/filebeat.key"