参考:https://www.cnblogs.com/marility/p/9392645.html
1,安装环境及软件版本
| 程序 | 版本 | 安装方式 |
| elasticsearch | 6.3.1 | rpm |
| kibana | 6.3.1 | rpm |
| java | 1.8.0 | tar |
2,search guard安装
2.1在elasticsearch安装
cd /usr/share/elasticsearch/bin/ ./elasticsearch-plugin install com.floragunn:search-guard-6:6.3.1-24.0
安装的版本查看
查看
进行demo模式安装
cd /usr/share/elasticsearch/plugins/search-guard-6/tools bash install_demo_configuration.sh
安说明输入3个y确认
重启elasticsearch
systemctl restart elasticsearch
web访问测试安装是否成功
https://172.16.20.12:9200/_searchguard/authinfo
注意是https而不是http
输入默认用户名和密码admin
打印admin的json格式则代表安装成功
此时打开kibana出现输入用户名密码提示但是无法输入
2.2在kibana安装
首先停止kibana
systemctl stop kibana
PS:如果不停止kibana直接安装,启动会报错 报错日志 /var/log/meaasge
如果启动报错了,可以删除kibana插件重新安装
./kibana-plugin remove searchguard
cd /usr/share/kibana/bin/ ./kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.3.1-14-beta-1/search-guard-kibana-plugin-6.3.1-14-beta-1.zip
需要安装版本查看
修改kibana配置文件 /etc/kibana/kibana.yml
server.port: 5601 server.host: "172.16.20.12" #server.host: "0.0.0.0" server.name: "test-es-kibana" elasticsearch.url: "https://172.16.20.12:9200" kibana.index: ".kibana" elasticsearch.username: "kibanaserver" elasticsearch.password: "kibanaserver" elasticsearch.ssl.verificationMode: none elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ] xpack.monitoring.enabled: false xpack.graph.enabled: false xpack.ml.enabled: false xpack.watcher.enabled: false xpack.security.enabled: false
PS:elasticsearch配置为https
启动kibana通过5601端口访问,输入用户名和密码均为admin
左侧菜单栏出现search guard代表安装成功
PS:版本6.5.4配置kibana后启动报错
Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslis
原因为node版本低4版本,升级为8版本重启kibana即可
添加只读用户guest
使用用户guest登录只能读无法编辑
配置logstash输入至elasticsearch
/etc/logstash/conf.d/logstash.conf
input {
stdin{}
}
output {
elasticsearch {
hosts => [ "172.16.20.12:9200" ]
ssl => true
ssl_certificate_verification => false
user => admin
password => admin
index => "logstash_%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
PS:测试标准输出至elasticsearch并输出至屏幕
需要增加这两个配置 否则启动报错
ssl => true
ssl_certificate_verification => false
启动
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
以上为自动生成证书,下面使用在线生成证书安装search guard
在线生成证书,https://search-guard.com/tls-certificate-generator/
登录刚刚输入的邮箱下载证书,上传至服务器的文件夹/tmp解压缩并把解压后的所有文件放置在文件夹/etc/elsaticsearch/key
cd /tmp rz tar -xf search-guard-certificates-8d1c8141-5f8b-4932-b7e2-a7109c400330.tar.gz.tar cd /tmp/search-guard-certificates mv * /etc/elasticsearch/key/
证书文件目录结构如下
[root@prd-elk-logstash-02 key]# tree . ├── chain-ca.pem ├── client-certificates │ ├── CN=demouser.all.pem │ ├── CN=demouser.crtfull.pem │ ├── CN=demouser.crt.pem │ ├── CN=demouser.csr │ ├── CN=demouser.key.pem │ ├── CN=demouser.key.pkcs12 │ ├── CN=demouser-keystore.jks │ ├── CN=demouser-keystore.p12 │ ├── CN=demouser-signed.pem │ ├── CN=sgadmin.all.pem │ ├── CN=sgadmin.crtfull.pem │ ├── CN=sgadmin.crt.pem │ ├── CN=sgadmin.csr │ ├── CN=sgadmin.key.pem │ ├── CN=sgadmin.key.pkcs12 │ ├── CN=sgadmin-keystore.jks │ ├── CN=sgadmin-keystore.p12 │ └── CN=sgadmin-signed.pem ├── node-certificates │ ├── CN=IP-172.16.90.24.crtfull.pem │ ├── CN=IP-172.16.90.24.csr │ ├── CN=IP-172.16.90.24.key.pem │ ├── CN=IP-172.16.90.24.key.pkcs12 │ ├── CN=IP-172.16.90.24-keystore.jks │ ├── CN=IP-172.16.90.24-keystore.p12 │ └── CN=IP-172.16.90.24-signed.pem ├── README.txt ├── root-ca │ ├── root-ca.crt │ ├── root-ca.key │ └── root-ca.pem ├── root-ca.pem ├── signing-ca │ ├── signing-ca.crt │ ├── signing-ca.key │ └── signing-ca.pem ├── truststore.jks └── truststore.p12 4 directories, 36 files
安装elsticsearch 插件
cd /usr/share/elasticsearch/bin/ ./elasticsearch-plugin install com.floragunn:search-guard-6:6.5.4-24.2
以上为在线下载安装,也可以下载好文件使用以下命令安装
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///nas/nas/softs/elk/6.6.2/search-guard-6-6.6.2-24.2.zip
安装版本查看
配置elasticsearch支持search gurad
配置文件/etc/elasticsearch/elasticsearch.yml
cluster.name: hopesz-es node.name: prd-elk-logstash-02 path.data: /data/es-data path.logs: /var/log/elasticsearch bootstrap.memory_lock: false network.host: 0.0.0.0 http.port: 9200 #集群个节点IP地址,也可以使用els、els.shuaiguoxia.com等名称,需要各节点能够解析 #discovery.zen.ping.unicast.hosts: ["172.16.90.24", "172.16.30.55"] #集群节点数 #discovery.zen.minimum_master_nodes: 2 http.cors.enabled: true http.cors.allow-origin: "*" #search guard配置开始 #证书可以在key目录下找到 searchguard.ssl.transport.pemcert_filepath: key/node-certificates/CN=IP-172.16.90.24.crtfull.pem searchguard.ssl.transport.pemkey_filepath: key/node-certificates/CN=IP-172.16.90.24.key.pem #密码可以在key下README.txt找到 searchguard.ssl.transport.pemkey_password: 5ea2206b9b1e041bf052 searchguard.ssl.transport.pemtrustedcas_filepath: key/chain-ca.pem searchguard.ssl.transport.enforce_hostname_verification: false searchguard.ssl.http.enabled: true searchguard.ssl.http.pemcert_filepath: key/node-certificates/CN=IP-172.16.90.24.crtfull.pem searchguard.ssl.http.pemkey_filepath: key/node-certificates/CN=IP-172.16.90.24.key.pem searchguard.ssl.http.pemkey_password: 5ea2206b9b1e041bf052 searchguard.ssl.http.pemtrustedcas_filepath: key/chain-ca.pem searchguard.authcz.admin_dn: - CN=sgadmin searchguard.audit.type: internal_elasticsearch searchguard.enable_snapshot_restore_privilege: true searchguard.check_snapshot_restore_write_privileges: true searchguard.restapi.roles_enabled: ["sg_all_access"] cluster.routing.allocation.disk.threshold_enabled: false node.max_local_storage_nodes: 3 xpack.security.enabled: false #search guard配置结束
重启elasticsearch报错
首先检查文件是否存在,如存在则设置权限组为elasticsearch
chown -R elasticsearch.elasticsearch key/
启动报错
原因:有志气demo安装的证书需要删除 路径为/etc/elasticsearch
rm -rf kirk-key.pem rm -rf kirk.pem rm -rf esnode.pem rm -rf esnode-key.pem rm -rf root-ca.pem
验证是否安装成功,web页面访问输入用户名密码admin admin
https://172.16.90.24:9200/_searchguard/authinfo
设置权限因子
权限因子密码也可以在README.txt找到
cd /etc/elasticsearch/key/ cp root-ca.pem client-certificates/CN=sgadmin.key.pem client-certificates/CN=sgadmin.crtfull.pem /usr/share/elasticsearch/plugins/search-guard-6/tools/ cd /usr/share/elasticsearch/plugins/search-guard-6/tools/ ./sgadmin.sh -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass a756a037271c299fe817 -nhnv -icl -cd ../sgconfig/ -nhnv -icl -cd ../sgconfig/
执行如果报错
修改elaticsearch.yml
network.host: 0.0.0.0
初始化搜索保护配置
cd /etc/elasticsearch/key/ cp truststore.jks /usr/share/elasticsearch/plugins/search-guard-6/tools/ cp client-certificates/CN=sgadmin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-6/tools/ cd /usr/share/elasticsearch/plugins/search-guard-6/tools/ ./sgadmin.sh -ts truststore.jks -tspass e0c2b67ecfc6dad6bc42 -ks CN=sgadmin-keystore.jks -kspass 4abdecb00e4d4891761a -nhnv -icl -cd ../sgconfig/
安装kibana控件(需要先停止kibana)
cd /usr/share/kibana/bin/ ./kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.5.4-18/search-guard-kibana-plugin-6.5.4-18.zip
安装版本查看
修改kibana配置文件
server.port: 5601 server.host: "172.16.90.24" server.name: "prd-elk-logstash-02" #配置为https elasticsearch.url: "https://172.16.90.24:9200" kibana.index: ".kibana" elasticsearch.username: "kibanaserver" elasticsearch.password: "kibanaserver" elasticsearch.ssl.verificationMode: none elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ] xpack.monitoring.enabled: false xpack.graph.enabled: false xpack.ml.enabled: false xpack.watcher.enabled: false xpack.security.enabled: false
启动kibana web页面访问需要输入用户名密码admim即可
配置logstash访问,不同于demo安装的配置需要在logstash配置文件配置如下配置output
output{
if "nginx-prod-log" in [type] {
elasticsearch{
hosts => ["172.16.90.24:9200"]
index => "nginx-prod-log-%{+YYYY.MM}"
ssl => true
ssl_certificate_verification => true
truststore => "/etc/elasticsearch/key/truststore.jks"
truststore_password => "cad3511c129704894bfc"
user => "admin"
password => "admin"
}
#stdout{
# codec => rubydebug
#}
}
增加以下配置
PS:truststore密码同样在README.txt可以找到
truststore密码需要引号 用户名和密码也需要加引号 否则无法启动logstash
用户名和密码没有加引号报错信息为 ConfigurationError
