6.2.3 crack: https://www.jianshu.com/p/6acfeabb44f8
Main approach: modify LicenseVerifier.class and XPackBuild.class (not needed on version 6.0)
- Modify the Java license-check code ---- done locally on Windows
Windows tool required: luyten-0.5.0 (Java code editor)
/opt/apps/elk/elasticsearch/plugins/x-pack/x-pack-core/x-pack-core-6.2.3.jar
Download x-pack-core-6.2.3.jar to the Windows machine, open it with luyten, export LicenseVerifier.class and XPackBuild.class and modify each of them
- LicenseVerifier.class
org.elasticsearch.license ---> LicenseVerifier.class: save this file to the desktop (after saving, the file is automatically named LicenseVerifier.java)
Edit LicenseVerifier.java with Notepad; its contents are as follows:
package org.elasticsearch.license;
import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;
public class LicenseVerifier
{
public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
return true;
}
public static boolean verifyLicense(final License license) {
return true;
}
}
- org.elasticsearch.xpack.core ---> XPackBuild.class: save this file to the desktop (after saving, the file is automatically named XPackBuild.java)
Edit XPackBuild.java with Notepad; its contents are as follows:
package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;
public class XPackBuild
{
public static final XPackBuild CURRENT;
private String shortHash;
private String date;
@SuppressForbidden(reason = "looks up path of xpack.jar directly")
static Path getElasticsearchCodebase() {
final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
try {
return PathUtils.get(url.toURI());
}
catch (URISyntaxException bogus) {
throw new RuntimeException(bogus);
}
}
XPackBuild(final String shortHash, final String date) {
this.shortHash = shortHash;
this.date = date;
}
public String shortHash() {
return this.shortHash;
}
public String date() {
return this.date;
}
static {
final Path path = getElasticsearchCodebase();
String shortHash = null;
String date = null;
Label_0157: {
shortHash = "Unknown";
date = "Unknown";
}
CURRENT = new XPackBuild(shortHash, date);
}
}
- Update the Java license code ----- done on the ELK server
Upload the LicenseVerifier.java and XPackBuild.java modified on Windows to /opt/src/bianyi on the server, compile them, and repackage the jar
- Compile LicenseVerifier.java and XPackBuild.java
[swadmin@localhost ~]$ cd /opt/src/bianyi/ && ls
LicenseVerifier.java XPackBuild.java
[swadmin@localhost bianyi]$ javac -cp "/opt/apps/elk/elasticsearch/lib/elasticsearch-6.2.3.jar:/opt/apps/elk/elasticsearch/lib/lucene-core-7.2.1.jar:/opt/apps/elk/elasticsearch/plugins/x-pack/x-pack-core/x-pack-core-6.2.3.jar" LicenseVerifier.java
[swadmin@localhost bianyi]$ javac -cp "/opt/apps/elk/elasticsearch/lib/elasticsearch-core-6.2.3.jar:/opt/apps/elk/elasticsearch/lib/lucene-core-7.2.1.jar:/opt/apps/elk/elasticsearch/plugins/x-pack/x-pack-core/x-pack-core-6.2.3.jar" XPackBuild.java
- Repackage the jar
[swadmin@localhost bianyi]$ mkdir /opt/src/test/ && cd /opt/src/test/
[swadmin@localhost test]$ cp /opt/apps/elk/elasticsearch/plugins/x-pack/x-pack-core/x-pack-core-6.2.3.jar /opt/src/test/
[swadmin@localhost test]$ jar -xvf x-pack-core-6.2.3.jar && rm x-pack-core-6.2.3.jar
[swadmin@localhost test]$ cp /opt/src/bianyi/LicenseVerifier.class org/elasticsearch/license/
[swadmin@localhost test]$ cp /opt/src/bianyi/XPackBuild.class org/elasticsearch/xpack/core/
[swadmin@localhost test]$ jar -cvf x-pack-core-6.2.3.jar ./*
- Replace the old x-pack-core-6.2.3.jar with the repackaged jar
[swadmin@localhost test]$ cp x-pack-core-6.2.3.jar /opt/apps/elk/elasticsearch/plugins/x-pack/x-pack-core/
- Re-license
- Apply for a free license
Download link: https://license.elastic.co/registration/download/96d3e8ef-49e7-4e6b-930a-47f695440def
Upload the downloaded file max-mac-e8e90718-9333-49b6-817a-9098c35c0920-v5.json to /opt/src/bianyi on the ELK server
- Edit the license file
[swadmin@localhost bianyi]$ cd /opt/src/bianyi/ && vim max-mac-e8e90718-9333-49b6-817a-9098c35c0920-v5.json
"type":"platinum"
"expiry_date_in_millis":2524579200999
"max_nodes":1000
- Disable x-pack and set the license validity period
Updating the license file: since Elasticsearch 6.0.0, updating the license requires either configuring SSL/TLS or disabling security.
Before updating, edit elasticsearch.yml and add:
[swadmin@localhost ~]$ vim /opt/apps/elk/elasticsearch/config/elasticsearch.yml
xpack.security.enabled: false
- Start elasticsearch and update the license
(i.e. upload the max-mac-e8e90718-9333-49b6-817a-9098c35c0920-v5.json license file edited above)
[swadmin@localhost ~]$ elasticsearch -d
[swadmin@localhost test]$ cd /opt/src/bianyi/ && ll
max-mac-e8e90718-9333-49b6-817a-9098c35c0920-v5.json
[swadmin@localhost bianyi]$ curl -XPUT -u elastic 'http://127.0.0.1:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @max-mac-e8e90718-9333-49b6-817a-9098c35c0920-v5.json
If the response contains the word "acknowledge", it succeeded
- Restart elasticsearch and check the update
[swadmin@MyCloudServer ~]$ curl -XGET -u elastic "http://127.0.0.1:9200/_license"
{
"license" : {
"status" : "active",
"uid" : "e8e90718-9333-49b6-817a-9098c35c0920",
"type" : "platinum",
"issue_date" : "2018-02-24T00:00:00.000Z",
"issue_date_in_millis" : 1519430400000,
"expiry_date" : "2049-12-31T16:00:00.999Z",
"expiry_date_in_millis" : 2524579200999,
"max_nodes" : 1000,
"issued_to" : "max mac (SOLAIRE)",
"issuer" : "Web Form",
"start_date_in_millis" : 1519430400000
}
}
Enable x-pack again
vim /usr/local/elk/elasticsearch/config/elasticsearch.yml
Change xpack.security.enabled to true
Restart elasticsearch
If nothing goes wrong, you will get this:
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled for setups with production licenses. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
Which means: either turn on SSL and the rest, or turn off x-pack (seriously, after all that effort this is what you tell me)
SSL needs to be configured
[elk@node1 config]$ /usr/local/elk/elasticsearch/bin/x-pack/certgen
Let's get started...
Please enter the desired output file [certificate-bundle.zip]: cert.zip (name of the zip archive)
Enter instance name: my-application (instance name)
Enter name for directories and files [p4mES]: elasticsearch (directory name)
Enter IP Addresses for instance (comma-separated if more than one) []: 172.16.3.93,172.16.3.88,172.16.3.91 (instance IPs, comma-separated if more than one)
Enter DNS names for instance (comma-separated if more than one) []: node1,node2,node3 (node names, comma-separated if more than one)
Would you like to specify another instance? Press 'y' to continue entering instance information:
Certificates written to /usr/local/elasticsearch/bin/cert.zip (this is where the generated file is stored; nothing to enter here)
This file should be properly secured as it contains the private keys for all
instances and the certificate authority.
After unzipping the file, there will be a directory for each instance containing
the certificate and private key. Copy the certificate, key, and CA certificate
to the configuration directory of the Elastic product that they will be used for
and follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
Next, unzip the .zip archive and put the contents of the ca folder and the elasticsearch folder under the /usr/local//elk/elasticsearch/config directory
Edit the config file and restart elasticsearch
vim /usr/local/elk/elasticsearch/config/elasticsearch.yml
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch.key
xpack.ssl.certificate: elasticsearch.crt
xpack.ssl.certificate_authorities: ca.crt
Restarting elasticsearch again produced: exception caught on transport layer [NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:45812, remoteAddress=/0:0:0:0:0:0:0:1:9300}], closing connection
When this happened, my choice was to disable IPv6
vim /etc/sysctl.conf
# add the following variables
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# apply the change
sysctl -p
Starting again, there were no more problems
And our license should now show an expiry in 2050
Copy the crt and key files to the other nodes as well, with the same configuration.
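Before the certificate and key from certgen are copied into each node's config directory, it is worth checking that the certificate chains to ca.crt, that the node's IP is in its SubjectAltName, and that the key actually belongs to it. The script below is an added example, not from the original notes or from Elastic: it assumes POSIX sh with the openssl CLI, the file names ca.crt, node.crt and node.key are assumptions, and it builds its own throwaway CA (constructed data) so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity checks for a node certificate from
# certgen before it is copied into elasticsearch/config and the node is restarted.
# Assumes POSIX sh and the openssl CLI; ca.crt, node.crt and node.key are assumed file names.

# check_node_cert CA CRT KEY IP
# Checks that CRT chains to CA, that IP appears in CRT's SubjectAltName and that KEY is the
# private key belonging to CRT. Prints one line per check and returns 1 if any check failed.
check_node_cert() {
  ca="$1"; crt="$2"; key="$3"; ip="$4"; rc=0
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then echo "chain: ok"
  else echo "chain: FAIL ($crt is not signed by $ca)"; rc=1; fi
  san=$(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
  case "$san" in
    *"IP Address:$ip,"*|*"IP Address:$ip") echo "san: ok ($ip present)" ;;
    *) echo "san: FAIL (expected IP $ip in:$san)"; rc=1 ;;
  esac
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
  then echo "key: ok"
  else echo "key: FAIL ($key does not match $crt)"; rc=1; fi
  return $rc
}

# make_demo_pki DIR IP: builds a throwaway CA and a node certificate carrying IP (constructed
# test data standing in for what certgen writes into cert.zip) so the check can run offline.
make_demo_pki() {
  d="$1"; ip="$2"; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" -subj /CN=demo-ca \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj /CN=node1 \
    -keyout "$d/node.key" -out "$d/node.csr" >/dev/null 2>&1
  printf 'subjectAltName=IP:%s,DNS:node1\n' "$ip" > "$d/san.cnf"
  openssl x509 -req -days 1 -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.cnf" -out "$d/node.crt" >/dev/null 2>&1
}
```

On a real node run `check_node_cert ca.crt elasticsearch.crt elasticsearch.key <node ip>` from the config directory; a non-zero exit means the node would fail the same way after the restart.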
- ELK tuning
Tuning guides:
Delete data by time range: https://juejin.im/post/58e5de06ac502e006c254145
ELK platform performance tuning http://www.th7.cn/db/nosql/201708/250381.shtml
http://blog.csdn.net/jiao_fuyou/article/details/49783861
Logstash tuning http://blog.csdn.net/ypc123ypc/article/details/78033142 https://yq.aliyun.com/articles/413002
elasticsearch tuning https://www.jianshu.com/p/29ffce0850af
Install pv (pipe viewer) http://blog.csdn.net/u011478909/article/details/52584935
Tuning: https://zhuanlan.zhihu.com/p/30888923 has concrete methods to refer to
- elasticsearch tuning
- Managing indices with curl
- List all indices
[swadmin@MyCloudServer ~]$ curl -XGET http://127.0.0.1:9200/_cat/indices -u elastic
- Delete a specific index
[swadmin@MyCloudServer ~]$ curl -XDELETE "http://127.0.0.1:9200/hbet_tomcat_9002" -u elastic
Note:
Get the date 7 days ago: [swadmin@MyCloudServer ~]$ date +%Y.%m.%d --date="-7 day"
Curator --- delete indices https://zhuanlan.zhihu.com/p/30888923
Index deletion script
#!/bin/bash
# Delete yesterday's indices. expect is used because curl -u without a password prompts for it.
target_date=$(date +%Y.%m.%d --date="-1 day")
elastic_ip=192.168.175.241
elastic_port=9200
elastic_user=elastic
elastic_pass='Passw0rd!**yibo'   # plaintext password in the script: restrict the file's permissions
function delete_index(){
    # $1 is the index name; the heredoc is unquoted so the shell variables expand before expect runs
    expect << EOF
    set timeout 2
    spawn curl -XDELETE http://$elastic_ip:$elastic_port/$1 -u $elastic_user
    expect {
        "elastic\'\:" { send "$elastic_pass\r" }
    }
    expect eof
EOF
}
##### delete the specified indices
delete_index gameplat-$target_date
delete_index tomcat-$target_date
delete_index logstash-nginx-$target_date
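As an added example that is not part of the original notes, the following sh script selects the indices a retention job may delete from `_cat/indices` output instead of deleting fixed names: anything without a YYYY.MM.dd suffix or outside an allowlist of prefixes (such as .security-6) is never selected, and credentials are read from environment variables (ES_USER, ES_PASS, ES_HOST, ES_PORT are assumed names) so no password has to be echoed through expect. The sample index listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: choose the indices a retention job may delete
# from `_cat/indices` output instead of deleting fixed names, and pass credentials through the
# environment rather than driving a password prompt with expect.
# Assumed names: ES_USER, ES_PASS, ES_HOST, ES_PORT; index names end in YYYY.MM.dd as on this page.

# select_expired_indices CUTOFF PREFIXES  (reads `_cat/indices` output from stdin)
#   CUTOFF   oldest day to keep, e.g. $(date +%Y.%m.%d --date="-7 day")
#   PREFIXES space-separated allowlist of index prefixes, e.g. "tomcat- logstash-nginx-"
# Prints one index name per line. Names without a trailing date or outside the allowlist
# (such as .security-6 or .kibana) are never printed, so they cannot be deleted by mistake.
select_expired_indices() {
  awk -v cutoff="$1" -v prefixes="$2" '
    BEGIN { n = split(prefixes, p, " ") }
    NF >= 3 {                     # column 3 of _cat/indices is the index name
      name = $3
      if (name !~ /-[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/) next
      day = substr(name, length(name) - 9)   # YYYY.MM.dd compares correctly as a string
      for (i = 1; i <= n; i++)
        if (p[i] != "" && index(name, p[i]) == 1 && day < cutoff) { print name; break }
    }'
}

# delete_indices: one DELETE per index name read from stdin, e.g.
#   curl -s -u "$ES_USER:$ES_PASS" "http://$ES_HOST:9200/_cat/indices" \
#     | select_expired_indices "$(date +%Y.%m.%d --date='-7 day')" "tomcat- logstash-nginx-" \
#     | delete_indices
delete_indices() {
  while read -r name; do
    curl -s -o /dev/null -w "%{http_code} DELETE $name\n" -XDELETE \
      -u "$ES_USER:$ES_PASS" "http://$ES_HOST:${ES_PORT:-9200}/$name"
  done
}

# Constructed sample of `_cat/indices` output, used for a dry run.
SAMPLE_INDICES='green  open .security-6               Ab1 1 0   3 0 10kb 10kb
yellow open tomcat-2018.03.01         Cd2 5 1 100 0  1mb  1mb
yellow open tomcat-2018.03.07         Ef3 5 1 100 0  1mb  1mb
yellow open logstash-nginx-2018.02.28 Gh4 5 1 100 0  1mb  1mb
yellow open gameplat-2018.02.20       Ij5 5 1 100 0  1mb  1mb'
```

Running `printf '%s\n' "$SAMPLE_INDICES" | select_expired_indices 2018.03.02 'tomcat- logstash-nginx-'` lists only tomcat-2018.03.01 and logstash-nginx-2018.02.28; piping that into delete_indices is the dry run turned real.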
- View thread pools
curl -XGET 'http://localhost:9200/_nodes/stats?pretty' -u elastic
- View cluster information
curl 'http://127.0.0.1:9200/_cluster/health?pretty' -u elastic
- Delete index data periodically
Reference: https://juejin.im/post/58e5de06ac502e006c254145
- Building an elasticsearch cluster
References:
https://www.felayman.com/articles/2017/12/12/1513085668561.html
http://cwiki.apachecn.org/pages/viewpage.action?pageId=4882617
https://www.zybuluo.com/tinadu/note/516453
Node 1 --- master
[swadmin@MyCloudServer ~]$ cd /opt/apps/elk/elasticsearch/
[swadmin@MyCloudServer ~]$ cp config/elasticsearch.yml config/elasticsearch.yml.bak
[swadmin@MyCloudServer elasticsearch]$ grep -v \# config/elasticsearch.yml
cluster.name: my-application
node.name: node-1
path.data: /opt/apps/elk/elasticsearch/data/
path.logs: /opt/apps/elk/elasticsearch/logs/
network.host: 103.68.110.227
http.port: 9200
transport.tcp.port: 9600
node.master: true
discovery.zen.ping.unicast.hosts: ["103.68.110.227:9600", "103.68.110.242:9601"]
discovery.zen.minimum_master_nodes: 1
Generate the x-pack certificates
103.68.110.223,103.68.110.225,103.68.110.227,103.68.110.242
Reference: https://segmentfault.com/a/1190000012789290
[swadmin@MyCloudServer es_crt]$ cd /opt/apps/elk/elasticsearch/config/
[swadmin@MyCloudServer elk]$ /opt/apps/elk/elasticsearch/bin/x-pack/certgen
Enter in order: my_cluster.zip ---> my_cluster ---> my_cluster ---> 103.68.110.242 ---> enter ---> enter
[swadmin@MyCloudServer config]$ unzip my_cluster.zip
[swadmin@MyCloudServer ~]$ vim /opt/apps/elk/elasticsearch/config/elasticsearch.yml ## append at the end of the file
################ x-pack settings
###### disable x-pack
##xpack.security.enabled: false
###### configure the following on every node; the certificate and key paths must be correct
xpack.ssl.key: my_cluster/my_cluster.key
xpack.ssl.certificate: my_cluster/my_cluster.crt
xpack.ssl.certificate_authorities: ca/ca.crt
xpack.security.transport.ssl.enabled: true
[swadmin@es_01 config]$ ../bin/x-pack/setup-passwords interactive ### reset the x-pack passwords
Node 2
[swadmin@MyCloudServer ~]$ cd /opt/apps/elk/elasticsearch/
[swadmin@MyCloudServer ~]$ cp config/elasticsearch.yml config/elasticsearch.yml.bak
[swadmin@MyCloudServer elasticsearch]$ grep -v \# config/elasticsearch.yml
cluster.name: my-application
node.name: node-2
path.data: /opt/apps/elk/elasticsearch/data/
path.logs: /opt/apps/elk/elasticsearch/logs/
network.host: 103.68.110.242
http.port: 9201
transport.tcp.port: 9601
discovery.zen.ping.unicast.hosts: ["103.68.110.227:9600", "103.68.110.242:9601"]
discovery.zen.minimum_master_nodes: 1
Pull the my_cluster and ca directories from node 1 and put them under /opt/apps/elk/elasticsearch/config/
- Other tuning
- Log tuning
[swadmin@MyCloudServer]$ vim log4j2.properties
logger.index_search_slowlog_rolling.level = info ## default is trace
- Running multiple elasticsearch instances
https://my.oschina.net/u/3470972/blog/1586637
http://knktc.com/2016/06/10/elasticsearch-multiple-instances/
elasticsearch -Epath.conf=/opt/apps/elk/elasticsearch/config/my_cluster/ -Ecluster.name=my_cluster -Enode.name=node_2
- Exposing elasticsearch to the public network
[swadmin@MyCloudServer ~]$ vim /opt/apps/elk/elasticsearch/config/elasticsearch.yml
transport.host: localhost
network.host: 0.0.0.0
[swadmin@MyCloudServer]$ vim /opt/apps/elk/elasticsearch/config/jvm.options
-Xms5g
-Xmx5g
Note: allocate 1/2 or 1/4 of physical memory
[swadmin@MyCloudServer]$ vim /opt/apps/elk/elasticsearch/bin/elasticsearch
ES_JAVA_OPTS="-Xms6g -Xmx6g"
Full tuning guide
https://www.cnblogs.com/ningskyer/articles/5788667.html
- Disable x-pack features --- when necessary
[swadmin@vhost-elk ~]$ vim /opt/apps/elk/elasticsearch-01/config/elasticsearch.yml
xpack.security.enabled: false
- Logstash tuning
- Running multiple pipelines with pipelines.yml
References:
http://blog.csdn.net/ypc123ypc/article/details/78033142
http://blog.csdn.net/ypc123ypc/article/details/69945031
http://blog.51niux.com/?id=205
[swadmin@MyCloudServer]$ vim /opt/apps/elk/logstash/config/pipelines.yml
- pipeline.id: tomcat_log
  queue.type: persisted
  path.config: "/opt/apps/elk/logstash/conf.d/elk_tomcat.conf"
  pipeline.workers: 6
  pipeline.batch.size: 1000
  pipeline.batch.delay: 5
- pipeline.id: nginx_log
  path.config: "/opt/apps/elk/logstash/conf.d/elk_nginx.conf"
  pipeline.workers: 4
  pipeline.batch.size: 800
  pipeline.batch.delay: 5
- pipeline.id: gameplat_log
  queue.type: persisted
  path.config: "/opt/apps/elk/logstash/conf.d/elk_gameplat.conf"
  pipeline.batch.size: 1000
  pipeline.batch.delay: 5
- Memory and thread tuning
[swadmin@MyCloudServer]$ vim /opt/apps/elk/logstash/config/jvm.options
-Xms6g
-Xmx6g
Logstash parameter table
| # | Parameter | Category | Description |
|---|-----------|----------|-------------|
| 1 | LS_HEAP_SIZE | LS | Logstash heap size, default 1g |
| 2 | -w | LS startup | Number of Logstash worker threads, defaults to the CPU count |
| 3 | -b | LS startup | Batch size, i.e. how many events Logstash takes per filter pass, default 125 |
| 4 | redis.threads | LS input | Redis threads, default 1 |
| 5 | redis.batch_count | LS input | Number of events popped from Redis per call, default 1 |
| 6 | es.workers | LS output | ES submit threads, default 1 |
| 7 | es.flush_size | LS output | ES bulk |
| 8 | -l | LS startup | Write a log file |
Note:
Start logstash with pv
logstash -f logstash_dots_zzm1.conf -l ./logstash_zzm1.log -b 8000 | pv -abt >/dev/null
#####
Tuning the indices again
Use a conditional such as
if ([fields][source] =~ "gameplat")
- Common x-pack parameter tuning
Reference: https://www.felayman.com/articles/2017/12/12/1513085668561.html
- ELK security alerting
References:
https://xizhibei.github.io/2017/11/19/alerting-with-elastalert/
https://github.com/xuyaoqiang/elastalert-dingtalk-plugin DingTalk alert plugin
DingTalk: add a group ---> group settings ---> group bots ---> add bot ---> edit
sudo pip install setuptools --upgrade
- GeoIP database
Download GeoData for Logstash
[swadmin@MyCloudServer]$ cd /opt/apps/elk/logstash/ && mkdir geoData/
[swadmin@MyCloudServer logstash]$ cd geoData && wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
[swadmin@logstash logstash]$ vim /opt/apps/elk/logstash/conf.d/elk_nginx.conf
.....
geoip {
source => "clientip"
target => "geoip"
database => "/opt/apps/elk/logstash/geoData/GeoLite2-City_20180306/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
....
index => "logstash-nginx-%{+YYYY.MM.dd}"
...
Note: the index name must start with logstash
- Common errors
- Remove _grokparsefailure from tags
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
tag_on_failure => []
}