ES cluster encryption

Before security is enabled

[root@elk91 ~]# curl 10.0.0.211:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.92 78 66 0 0.01 0.02 0.03 cdfhilmrstw - elk01
10.0.0.93 44 47 1 0.02 0.02 0.01 cdfhilmrstw - elk02
10.0.0.91 54 68 1 0.22 0.17 0.12 cdfhilmrstw * elk03

1. Generate the certificate file

[root@elk91 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --days 3650 -out /etc/elasticsearch/elastic-certificates.p12 -pass ""

# Fix the certificate's ownership (otherwise ES has no permission to read it)
[root@elk91 ~]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12

`Notes:`
[root@elk01:1 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert -h    # show the help
--days   how long the certificate stays valid
--out    where to write the certificate
--pass   the certificate password (may be left empty)

2. Copy the certificate file to the other nodes

[root@elk01:1 ~]# scp /etc/elasticsearch/elastic-certificates.p12 10.0.0.212:/etc/elasticsearch/
[root@elk01:1 ~]# scp /etc/elasticsearch/elastic-certificates.p12 10.0.0.213:/etc/elasticsearch/

# Note: check that the certificate on the other nodes is also owned by elasticsearch; if it is not, fix it (see the previous step)

3. Edit the ES configuration file

[root@elk01:1 ~]# vim /etc/elasticsearch/elasticsearch.yml

# Copy the configuration file to the other nodes
[root@elk01:1 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.212:/etc/elasticsearch/
[root@elk01:1 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.213:/etc/elasticsearch/
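The page does not show what is edited in elasticsearch.yml. The fragment below is an added example of the standard xpack settings for Elasticsearch 7.x that match the PKCS#12 file generated in step 1; it assumes that version and is not the author's actual file. Only the transport layer is encrypted here, which is consistent with the later curl, Filebeat and Logstash calls on this page still using plain http://.

```yaml
# Added example: assumed settings appended to /etc/elasticsearch/elasticsearch.yml on every node.

# Require authentication on the REST API (this is what produces the 401 in the test step).
xpack.security.enabled: true

# Encrypt node-to-node (transport) traffic with the PKCS#12 file from step 1.
# Relative paths are resolved against /etc/elasticsearch, so the file copied by scp is found as-is.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# The page generated the file with -pass "", so no keystore password is needed here.
# If a non-empty --pass had been used, the password belongs in the elasticsearch keystore,
# not in this file:
#   /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

# Not enabled on this page: the REST (HTTP) layer stays plaintext, which is why the later
# Filebeat and Logstash outputs use http://. Encrypting it would be a separate step:
#   xpack.security.http.ssl.enabled: true
#   xpack.security.http.ssl.keystore.path: elastic-certificates.p12
```

Every node must carry the same xpack settings and the same certificate file before the restart in the next step, otherwise the nodes that already require TLS will refuse the transport connections from those that do not.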

4. Restart elasticsearch on all nodes

[root@elk01:1 ~]# systemctl restart elasticsearch

# Note: in production, prefer a rolling restart: wait for the current node to come back before restarting the next one (so the whole cluster never goes down at once)

5. Test access

[root@elk01:1 ~]# curl 10.0.0.211:9200/_cat/nodes
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

# Being denied access (HTTP 401, missing authentication credentials) means the change worked

Generate the passwords

Be sure to save the passwords.

auto: non-interactive; random passwords are generated automatically

interactive: interactive; you enter each password yourself (7 accounts)

[root@elk01:1 ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = ZY6QTWFDqGv64uVzB2PR

Changed password for user kibana_system
PASSWORD kibana_system = BtaZLprbzzF1tYXSaCld

Changed password for user kibana
PASSWORD kibana = BtaZLprbzzF1tYXSaCld

Changed password for user logstash_system
PASSWORD logstash_system = ykztlETUjj9bu7zDF9Fw

Changed password for user beats_system
PASSWORD beats_system = Fe075On7ZgmleYNkS9in

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = J7bkmxKsrhUKhLJyksMD

Changed password for user elastic
PASSWORD elastic = pNcoJpSv0j1Qp9ZZ4N5G

Test the connection

# Test again with the username and password
[root@elk01:1 ~]# curl -u elastic:pNcoJpSv0j1Qp9ZZ4N5G 10.0.0.211:9200/_cat/nodes
10.0.0.212 19 97 3 0.23 0.50 0.71 cdfhilmrstw * elk02
10.0.0.211 12 91 3 0.31 0.46 0.53 cdfhilmrstw - elk01
10.0.0.213 43 90 3 0.27 0.61 0.89 cdfhilmrstw - elk03

Integrating Kibana with the secured ES cluster

1. Edit the configuration file

[root@elk01:2 ~]# vim /etc/kibana/kibana.yml
···
elasticsearch.username: "kibana_system"
elasticsearch.password: "BtaZLprbzzF1tYXSaCld"

# Use the kibana_system password generated above

2. Restart the kibana service

[root@elk01:2 ~]# systemctl restart kibana

3. Log in to the Kibana web UI

10.0.0.211:5601

Log in as the elastic user.

# If the "e" icon in the top-right corner does not appear after logging in, try clearing the browser cache or logging in from a private window
Here the password was changed to 123456

Writing to the secured ES cluster from Filebeat

[root@elk01:2 ~]# cat /etc/filebeat/19-tcp_es_secret.yaml
# Input: data arrives on the TCP port we listen on
filebeat.inputs:
- type: tcp
  host: "0.0.0.0:9000"

# Output: where the data goes
output:
  elasticsearch:
    hosts:
    - "http://10.0.0.211:9200"
    - "http://10.0.0.212:9200"
    - "http://10.0.0.213:9200"
    index: "linux-tcp-secret-%{+yyyy.MM.dd}"
    username: elastic
    password: "123456"

setup.ilm.enabled: false
setup.template.name: "linux-tcp-secret"
setup.template.pattern: "linux-tcp-secret*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 5
  index.number_of_replicas: 0

# Start the instance
[root@elk01:2 ~]# filebeat -e -c /etc/filebeat/19-tcp_es_secret.yaml

# Test the instance
[root@elk01:2 ~]# echo 7890 |nc 10.0.0.211 9000
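The Filebeat file above stores the elastic superuser's password in clear text. The following is an added example, not the page's own file, of the same output written so that the credential lives in the Filebeat keystore and a dedicated user is used instead of elastic; the user name filebeat_writer and the keystore key ES_PWD are assumptions.

```yaml
# Added example (not the page's own file): the 19-tcp_es_secret.yaml output with the
# credential moved out of the config file.

# Before, as on the page: the superuser password sits in clear text in the config file.
#   username: elastic
#   password: "123456"

# After: store the secret in the Filebeat keystore once, on each host that runs this config:
#   filebeat keystore create
#   filebeat keystore add ES_PWD      # prompts for the value; nothing is left on the command line
# Then reference it by name; Filebeat expands ${ES_PWD} from the keystore when the config is loaded.
filebeat.inputs:
- type: tcp
  host: "0.0.0.0:9000"

output.elasticsearch:
  hosts:
  - "http://10.0.0.211:9200"
  - "http://10.0.0.212:9200"
  - "http://10.0.0.213:9200"
  index: "linux-tcp-secret-%{+yyyy.MM.dd}"
  # filebeat_writer is a hypothetical user whose role only grants the index privileges
  # needed on linux-tcp-secret* (see the role section at the end of the page), so a leaked
  # config no longer exposes the superuser.
  username: "filebeat_writer"
  password: "${ES_PWD}"

setup.ilm.enabled: false
setup.template.name: "linux-tcp-secret"
setup.template.pattern: "linux-tcp-secret*"
setup.template.overwrite: false
setup.template.settings:
  index.number_of_shards: 5
  index.number_of_replicas: 0
```

The Logstash pipeline later on the page can use the same `${ES_PWD}` reference in its `password =>` setting, with the value added through `/usr/share/logstash/bin/logstash-keystore create` and `add ES_PWD`.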

Take a quick look at the data with Dev Tools.

Writing to the secured ES cluster from Logstash

[root@elk01:1 ~]# cat /etc/logstash/conf.d/16-tcp-es-secret.conf
input {
  tcp {
    port => 8888
  }
}

output {
  elasticsearch {
    hosts => ["10.0.0.211:9200","10.0.0.212:9200","10.0.0.213:9200"]
    index => "logstach-tcp-secret-%{+yyyy.MM.dd}"
    user => "elastic"
    password => "123456"
  }
}

# Start the instance
[root@elk01:0 ~]# logstash -rf /etc/logstash/conf.d/16-tcp-es-secret.conf

# Write test data
[root@elk02:0 ~]# echo 666666 |nc 10.0.0.211 8888


Role-based access

Create roles that grant developers and operators different privileges.

Create an operations role

For the Kibana privileges, simply select "all" (screenshot omitted).

Create a user

Log in as the user 李星星 (Li Xingxing); the privileges are indeed limited.