Installation environment: CentOS 7.6, IP: 10.0.16.5, public IP: 110.142.192.21
Versions deployed here: elasticsearch 8.6.2, logstash 8.6.2 and kibana 8.6.2
Elasticsearch 8.6.2 enables its security features by default: Logstash must reach it over TLS, and Kibana's first connection is bootstrapped with an enrollment token.
I. Install Elasticsearch
When Elasticsearch is started for the first time, its security features are enabled and configured by default. The following security configuration happens automatically:
Authentication and authorization are enabled, and a password is generated for the built-in superuser elastic.
TLS certificates and keys are generated for the transport layer and the HTTP layer, and TLS is enabled and configured with them.
An enrollment token is generated for Kibana, valid for 30 minutes.
1. Download Elasticsearch (the Kibana and Logstash tarballs are fetched at the same time)
[root@elk syslog]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.6.2-linux-x86_64.tar.gz
[root@elk syslog]# wget https://artifacts.elastic.co/downloads/kibana/kibana-8.6.2-linux-x86_64.tar.gz
[root@elk syslog]# wget https://artifacts.elastic.co/downloads/logstash/logstash-8.6.2-linux-x86_64.tar.gz
2. Create the es user
[root@elk ~]# groupadd es
[root@elk ~]# useradd -g es es
[root@elk ~]# passwd es
Changing password for user es.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
3. Extract the downloaded ES tarball into the es home directory and change the owner and group to es
# extract
[root@elk syslog]# tar -zxvf elasticsearch-8.6.2-linux-x86_64.tar.gz
# move under /home/es
[root@elk syslog]# mv elasticsearch-8.6.2 /home/es/elasticsearch-8.6.2
# hand ownership to the es user and group
[root@elk syslog]# chown -R es:es /home/es/elasticsearch-8.6.2/
4. Start ES
4.1 Switch to the es user
$ su es
4.2 jvm.options configuration
Elasticsearch 8 sizes the JVM heap automatically from the node's role and total memory, so Xms/Xmx are commented out by default. When moving to production it is important that Elasticsearch has enough heap available, but never more than half of the machine's RAM, and Xms and Xmx must be set to the same value.
Elasticsearch allocates the heap from the Xms (minimum heap) and Xmx (maximum heap) settings in jvm.options.
[es@elk elasticsearch-8.6.2]$ cd config/
Edit jvm.options and remove the comment marker in front of these two lines (the 8.x documentation prefers a drop-in file such as config/jvm.options.d/heap.options holding the same two lines, which survives upgrades):
-Xms1g
-Xmx1g
Note: the cloud host only has 2 GB of memory, so the JVM heap is reduced to 1 GB accordingly.
4.3 Start ES
# enter the es/bin directory
[es@elk bin]$ cd /home/es/elasticsearch-8.6.2/bin
# start es (in the foreground; Ctrl-C stops it)
[es@elk bin]$ ./elasticsearch
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
*f=yfesmQ_gZkeOUzHlq
ℹ️ HTTP CA certificate SHA-256 fingerprint:
db54d889a526271a40d29dd9c70bd6b45f5ee04e17d64fc42c2c7bbaf38e9011
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC4wLjE2LjU6OTIwMCJdLCJmZ3IiOiJkYjU0ZDg4OWE1MjYyNzFhNDBkMjlkZDljNzBiZDZiNDVmNWVlMDRlMTdkNjRmYzQyYzJjN2JiYWYzOGU5MDExIiwia2V5IjoiQlhyYWVZY0JaSkFvZXg1NFkycVI6MmtQTFh6VVRSZnVCMWU3Ul8wTGFRdyJ9
ℹ️ Configure other nodes to join this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
^C[2023-04-13T17:03:01,288][INFO ][o.e.x.m.p.NativeController] [elk] Native controller process has stopped - no new native processes can be started
[2023-04-13T17:03:01,293][INFO ][o.e.n.Node ] [elk] stopping ...
[2023-04-13T17:03:01,296][INFO ][o.e.r.s.FileSettingsService] [elk] shutting down watcher thread
[2023-04-13T17:03:01,298][INFO ][o.e.r.s.FileSettingsService] [elk] watcher service stopped
[2023-04-13T17:03:01,308][INFO ][o.e.x.w.WatcherService ] [elk] stopping watch service, reason [shutdown initiated]
[2023-04-13T17:03:01,310][INFO ][o.e.x.w.WatcherLifeCycleService] [elk] watcher has stopped and shutdown
^C[2023-04-13T17:03:01,756][INFO ][o.e.n.Node ] [elk] stopped
[2023-04-13T17:03:01,756][INFO ][o.e.n.Node ] [elk] closing ...
[2023-04-13T17:03:01,768][INFO ][o.e.i.g.DatabaseReaderLazyLoader] [elk] evicted [0] entries from cache after reloading database [/tmp/elasticsearch-10154441330329694995/geoip-databases/oN0iXEtUTzmqIKtMcx0C1A/GeoLite2-Country.mmdb]
[2023-04-13T17:03:01,768][INFO ][o.e.i.g.DatabaseReaderLazyLoader] [elk] evicted [0] entries from cache after reloading database [/tmp/elasticsearch-10154441330329694995/geoip-databases/oN0iXEtUTzmqIKtMcx0C1A/GeoLite2-ASN.mmdb]
[2023-04-13T17:03:01,768][INFO ][o.e.i.g.DatabaseReaderLazyLoader] [elk] evicted [0] entries from cache after reloading database [/tmp/elasticsearch-10154441330329694995/geoip-databases/oN0iXEtUTzmqIKtMcx0C1A/GeoLite2-City.mmdb]
[2023-04-13T17:03:01,770][INFO ][o.e.n.Node ] [elk] closed
ERROR: Elasticsearch exited unexpectedly
Note: the ^C above stops the foreground process, which is why the log ends with "Elasticsearch exited unexpectedly"; it is not a startup failure. The following prompt appeared when starting Elasticsearch 8.2.0:
5. Access ES from a remote browser
https://10.1.1.197:9200
Log in as elastic with the generated default password C8-gMLnwhW7RPgJtVoEt (this section and the Kibana section below were captured on the 8.2.0 host 10.1.1.197; on the 8.6.2 host use 10.0.16.5 and the elastic password printed at first start). The browser warns about the certificate because it is issued by the auto-generated CA in config/certs/http_ca.crt; import that CA (or pass it to curl with --cacert) rather than clicking through the warning or using curl -k.
Note: because the config file is unchanged, the response shows "name":"localhost". That field is the node name (node.name), which defaults to the hostname.
To change it, set node.name in config/elasticsearch.yml and keep cluster.initial_master_nodes in step with it, since the first start auto-populated that setting with the current node name:
cluster.initial_master_nodes: ["loaclhost"]
Reference:
https://blog.csdn.net/fen_fen/article/details/123358483
Installing Kibana 8.2.0 on CentOS 7 (written for 8.2.0; from step 3 on, the kibana-8.6.2 tarball downloaded above is what gets installed)
1. Download Kibana
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-8.2.0-linux-x86_64.tar.gz
2. Create the kibana user
# create the group
$ groupadd kibana
# create the user in the kibana group
$ useradd -m -g kibana kibana
# set the user's password
$ passwd kibana
[root@elk syslog]# groupadd kibana
[root@elk syslog]# useradd -m -g kibana kibana
[root@elk syslog]# passwd kibana
Changing password for user kibana.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
3. Extract the downloaded Kibana tarball, move it to the kibana home directory and change the owner and group to kibana
# extract
[root@elk syslog]# tar -zxvf kibana-8.6.2-linux-x86_64.tar.gz
# move under /home/kibana
[root@elk syslog]# mv kibana-8.6.2 /home/kibana/kibana-8.6.2
# hand ownership to the kibana group and kibana user
[root@elk syslog]# chown -R kibana:kibana /home/kibana/kibana-8.6.2/
4. Start Kibana
4.1 Switch to the kibana user
$ su kibana
4.2 Edit config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
server.name: "kibana"
Caveat: server.host "0.0.0.0" makes Kibana listen on every interface, including the public IP, and Kibana serves plain HTTP until server.ssl.enabled is turned on with a certificate. Bind it to the private address instead (or put a TLS reverse proxy in front of it) and keep port 5601 restricted in the firewall.
4.3 Start Kibana
[kibana@elk bin]$ cd /home/kibana/kibana-8.6.2/bin
[kibana@elk bin]$ ./kibana
5. Access Kibana
vim /home/kibana/kibana-8.6.2/config/kibana.yml
Change
# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
i18n.locale: "zh-CN"
Kibana access requires an enrollment token; this differs from versions before 8.0 and applies to every 8.x release. The token is used only once, to enroll Kibana with Elasticsearch: it carries the cluster address, the HTTP CA fingerprint and a short-lived API key, and on success Kibana writes the connection settings (elasticsearch.hosts, a service account token and the CA) into kibana.yml. Later logins just use an Elasticsearch username and password.
1. Enter the token  2. Enter the Kibana verification code  3. Enter the ES username and password
5.1 Open http://10.1.1.197:5601
Enter the token that was generated automatically when ES was started for the first time.
If the token has expired, generate a new one for Kibana on the ES side:
[es@loaclhost bin]$ ./elasticsearch-create-enrollment-token -s kibana
warning: ignoring JAVA_HOME=/home/java_all/java64/jdk1.8.0_221; using bundled JDK
eyJ2ZXIiOiI4LjIuMCIsImFkciI6WyIxMC4xLjEuMTk3OjkyMDAiXSwiZmdyIjoiZDJkOWMzNDgyN2U4ZmJhYTg1ODI4MjA0MmI5YjNlZGZkNWEwYjU3ZTUxMGE5MmMyNTA0NmMzZTQ5Y2JiMTJjMSIsImtleSI6IldmV2ZrNEFCSkNMa0FKY0xzUk4tOjA1MzlkVmxUUnNLaGEzY2xqT010MXcifQ==
5.2 Enter the Kibana verification code
Generate it in the kibana/bin directory:
./kibana-verification-code
5.3 On the Kibana login page, enter the username and password:
elastic / C8-gMLnwhW7RPgJtVoEt; login succeeds.
Problems encountered with ES 8.2.0 and with Kibana 8.2.0 connecting to ES 8.2.0
1. ES 8.2.0 cannot be reached remotely
Cause: firewall
Fix: open port 9200 (stopping the firewall also "works", but this host has a public IP, so allow 9200 only from the networks that need it; never expose it to the internet)
2. Kibana 8.2.0 cannot be reached (the browser cannot open the Kibana page)
Cause: firewall
Fix: open port 5601 for the clients that need Kibana. 5601 is the browser-to-Kibana port; Kibana's own connection to Elasticsearch uses 9200.
# check whether the firewall is running
systemctl status firewalld
# stop the firewall (not recommended on an internet-facing host; open the individual ports instead)
$ systemctl stop firewalld
# check the firewall status again
systemctl status firewalld
3. The enrollment token for connecting Kibana 8.2.0 to Elasticsearch 8.2.0 has expired
Use the tool shipped with Elasticsearch, bin/elasticsearch-create-enrollment-token, to generate a new Kibana enrollment token by hand. Each token is valid for 30 minutes and embeds a freshly created API key, so treat it as a credential: do not leave it in shell history, tickets or chat.
Generated as follows:
[es@loaclhost bin]$ ./elasticsearch-create-enrollment-token -s kibana
warning: ignoring JAVA_HOME=/home/java_all/java64/jdk1.8.0_221; using bundled JDK
eyJ2ZXIiOiI4LjIuMCIsImFkciI6WyIxMC4xLjEuMTk3OjkyMDAiXSwiZmdyIjoiZDJkOWMzNDgyN2U4ZmJhYTg1ODI4MjA0MmI5YjNlZGZkNWEwYjU3ZTUxMGE5MmMyNTA0NmMzZTQ5Y2JiMTJjMSIsImtleSI6IldmV2ZrNEFCSkNMa0FKY0xzUk4tOjA1MzlkVmxUUnNLaGEzY2xqT010MXcifQ==
4. Generate the Kibana verification code
In the kibana/bin directory:
$ ./kibana-verification-code
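For the two firewall items above (and for the Logstash syslog input on port 514 later on this page), the following script is an added example, not part of the original post: it scopes 9200, 5601 and the syslog port to one source range with firewalld rich rules instead of stopping firewalld, and redirects 514 to an unprivileged port so Logstash does not have to run as root. ADMIN_CIDR (the host's own /24) and the choice of 5514 are assumptions; set FW=echo for a dry run that only prints the firewall-cmd invocations.

```shell
#!/bin/sh
# Added example (not from the original post): open the ELK ports only for the
# networks that need them, leaving firewalld running on the internet-facing host.
# Assumptions: clients and Logstash sit in ADMIN_CIDR (a guess, adjust it), the
# default zone is the active one, and Logstash listens on UDP 5514 as a normal user.

ADMIN_CIDR=${ADMIN_CIDR:-10.0.16.0/24}
SYSLOG_CIDR=${SYSLOG_CIDR:-$ADMIN_CIDR}
FW=${FW:-firewall-cmd}      # FW=echo prints the commands instead of applying them

# Build a firewalld rich rule admitting one port from one source range only.
rich_rule() {               # rich_rule <cidr> <port> [tcp|udp]
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
    "$1" "$2" "${3:-tcp}"
}

allow_from() {              # allow_from <cidr> <port> [proto]
  "$FW" --permanent --add-rich-rule="$(rich_rule "$1" "$2" "$3")"
}

# Redirect a privileged port to an unprivileged one inside the zone, so the
# daemon binds > 1024 while devices keep sending to the standard port.
redirect_port() {           # redirect_port <from> <to> <proto>
  "$FW" --permanent --add-forward-port="port=$1:proto=$3:toport=$2"
}

apply_rules() {
  allow_from "$ADMIN_CIDR" 9200 tcp      # Elasticsearch REST over TLS: admins and Logstash only
  allow_from "$ADMIN_CIDR" 5601 tcp      # Kibana: admins only
  allow_from "$SYSLOG_CIDR" 5514 udp     # Logstash syslog input: the firewalls only
  redirect_port 514 5514 udp             # devices keep sending to 514
  "$FW" --reload
  "$FW" --list-rich-rules
  "$FW" --list-forward-ports
}

# After applying: from a machine outside ADMIN_CIDR, `nc -vz -w 3 110.142.192.21 9200`
# must time out; from inside it, the curl with --cacert shown for the token check works.
case "${1:-}" in
  apply) apply_rules ;;
  *) echo "usage: $0 apply   (FW=echo $0 apply for a dry run)" ;;
esac
```

Rich rules are preferred over a bare --add-port because the latter admits the port from every source, including the public interface.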
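The enrollment token printed at first start, the fingerprint next to it, and the tokens regenerated with elasticsearch-create-enrollment-token above are all the same structure: base64 JSON holding the version, the cluster address, the SHA-256 fingerprint of the HTTP CA and a throw-away API key. The script below is an added example, not part of the original post or of Elastic's tooling: it decodes both tokens shown on this page (copied verbatim), checks the embedded fingerprint against the http_ca.crt on disk, and queries the cluster with the CA pinned instead of curl -k. ES_HOME and the certificate path are the ones used earlier on the page; the query only runs when that file exists.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an Elasticsearch 8 enrollment
# token and pin the HTTP CA before talking to the cluster.
# Assumptions: ES_HOME is the install directory used above; openssl and curl exist.

# Tokens copied from this page: the 8.6.2 first-start token and the 8.2.0 Kibana token.
ES_TOKEN='eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC4wLjE2LjU6OTIwMCJdLCJmZ3IiOiJkYjU0ZDg4OWE1MjYyNzFhNDBkMjlkZDljNzBiZDZiNDVmNWVlMDRlMTdkNjRmYzQyYzJjN2JiYWYzOGU5MDExIiwia2V5IjoiQlhyYWVZY0JaSkFvZXg1NFkycVI6MmtQTFh6VVRSZnVCMWU3Ul8wTGFRdyJ9'
KIBANA_TOKEN='eyJ2ZXIiOiI4LjIuMCIsImFkciI6WyIxMC4xLjEuMTk3OjkyMDAiXSwiZmdyIjoiZDJkOWMzNDgyN2U4ZmJhYTg1ODI4MjA0MmI5YjNlZGZkNWEwYjU3ZTUxMGE5MmMyNTA0NmMzZTQ5Y2JiMTJjMSIsImtleSI6IldmV2ZrNEFCSkNMa0FKY0xzUk4tOjA1MzlkVmxUUnNLaGEzY2xqT010MXcifQ=='

# Tokens are base64 JSON, sometimes emitted without '=' padding; restore it for base64 -d.
b64pad() {
  s=$1
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s"
}

# Decoded body looks like {"ver":"8.6.2","adr":["10.0.16.5:9200"],"fgr":"<sha256>","key":"<id:secret>"}
token_json() {
  b64pad "$1" | base64 -d 2>/dev/null
}

# One string field (ver, fgr, key) from the decoded token.
token_field() {
  token_json "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# First entry of the "adr" array: the host:port the token points at.
token_addr() {
  token_json "$1" | sed -n 's/.*"adr":\["\([^"]*\)".*/\1/p'
}

# Lower-case, colon-free SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Compare the fingerprint inside the token with the CA file on disk (0 = match).
token_matches_ca() {
  want=$(token_field "$1" fgr); have=$(cert_fingerprint "$2")
  if [ "$want" = "$have" ]; then echo match; else echo "MISMATCH token=$want ca=$have"; return 1; fi
}

# Query the cluster with the CA pinned; curl prompts for the elastic password.
es_query() {                # es_query <ca-file> <host:port> [path]
  curl -sS --cacert "$1" -u elastic "https://$2/${3:-}"
}

ES_HOME=${ES_HOME:-/home/es/elasticsearch-8.6.2}
CA=$ES_HOME/config/certs/http_ca.crt

for t in "$ES_TOKEN" "$KIBANA_TOKEN"; do
  echo "version $(token_field "$t" ver)  address $(token_addr "$t")  ca-fingerprint $(token_field "$t" fgr)"
  # "key" is an API-key id:secret pair: a live credential until the token expires. Never print it in logs.
done

if [ -r "$CA" ]; then
  token_matches_ca "$ES_TOKEN" "$CA" && es_query "$CA" "$(token_addr "$ES_TOKEN")" ""
fi
```

A fingerprint mismatch means the token was minted by a different CA than the one Kibana or Logstash is about to trust, which is exactly the case where pasting it blindly would enroll against the wrong cluster.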
Install Logstash
Download: the logstash-8.6.2 tarball fetched in step 1 above
Extract
[root@elk syslog]# tar -zxvf logstash-8.6.2-linux-x86_64.tar.gz
CA certificate for TLS access to Elasticsearch (the auto-generated HTTP CA, copied next to the Logstash config)
cp /home/es/elasticsearch-8.6.2/config/certs/http_ca.crt /syslog/logstash-8.6.2/config/
Enter the config directory
[root@elk syslog]# cd logstash-8.6.2/config/
Copy the configuration from the template
[root@elk config]# cp logstash-sample.conf logstash.conf
input {
  syslog {
    type => "firewall"
    port => 514          # privileged port: needs root; prefer a port > 1024 with 514 redirected to it
  }
}
output {
  elasticsearch {
    hosts => ["172.19.153.232:9200"]
    user => "elastic"
    password => "tJSCmKqd9MUny*_vpagc"   # plaintext in the pipeline file; prefer the Logstash keystore and "${ES_PWD}"
    index => "firewall-%{+YYYY-MM-dd}"
    # document_type dropped: Elasticsearch 8 has no mapping types
    ssl => true
    cacert => "/syslog/logstash-8.6.2/config/http_ca.crt"   # must match where http_ca.crt was copied above
  }
}
Edit the file
[root@elk config]# vim /syslog/logstash-8.6.2/config/logstash.yml
Uncomment the line and change 127.0.0.1 to the host's own IP address.
api.http.host: 10.0.16.5
Caveat: this binds the Logstash monitoring API (port 9600) to the network, unauthenticated unless api.auth.type: basic (with api.auth.basic.username/password) and api.ssl.enabled are also set in logstash.yml. If nothing needs the API remotely, leave it on 127.0.0.1.
Start Logstash
[root@elk logstash-8.6.2]# ./bin/logstash -f config/logstash.conf --verbose --debug
--verbose and --debug are legacy flags; --log.level=debug is the current form, and it is noisy, so drop it once the pipeline runs. Because the syslog input binds port 514, this is started as root; that is the reason to move the input to an unprivileged port and redirect 514 to it in the firewall.
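The following script is an added example, not part of the original post or of Logstash itself. It covers what the Logstash step leaves out: keeping the elastic password in the Logstash keystore rather than in logstash.conf, parse-checking the pipeline before starting it, and smoke-testing the syslog input with a constructed RFC 3164 message so the firewall-* index can be confirmed in Kibana. Assumptions not taken from the page: LS_HOME is the /syslog/logstash-8.6.2 tree, the syslog input was moved to UDP 5514 so Logstash runs unprivileged, and the hostname fw01 and the log text are made up.

```shell
#!/bin/sh
# Added example (not from the original post): keystore, config check and a syslog
# smoke test for the Logstash pipeline above. Assumptions: LS_HOME as used on this
# page, syslog input on UDP 5514, bash available for the /dev/udp sender.

LS_HOME=${LS_HOME:-/syslog/logstash-8.6.2}
LS_HOST=${LS_HOST:-127.0.0.1}
LS_PORT=${LS_PORT:-5514}

# RFC 3164 PRI = facility*8 + severity (local0=16, informational=6 -> 134).
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# "<PRI>Mmm dd hh:mm:ss host tag: msg", the shape the Logstash syslog input
# parses into syslog_facility, syslog_severity, logsource and program.
syslog_msg() {   # syslog_msg <facility> <severity> <timestamp> <host> <tag> <message>
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# One-time: create the keystore and store the password under ES_PWD. Both commands
# prompt; export LOGSTASH_KEYSTORE_PASS first so the keystore itself is protected.
# logstash.conf then uses   password => "${ES_PWD}"   instead of the literal.
setup_keystore() {
  cd "$LS_HOME" || return 1
  bin/logstash-keystore create && bin/logstash-keystore add ES_PWD
}

# Parse-check the pipeline without starting it (catches syntax errors and unknown options).
check_config() {
  "$LS_HOME/bin/logstash" -f "$LS_HOME/config/logstash.conf" --config.test_and_exit
}

# Fire one constructed firewall line at the input via bash's /dev/udp (no netcat needed),
# then search Kibana for program:kernel in the firewall-YYYY-MM-dd index.
send_test() {
  msg=$(syslog_msg 16 6 "$(date '+%b %e %H:%M:%S')" fw01 kernel \
        'DROP IN=eth0 SRC=203.0.113.9 DST=10.0.16.5 PROTO=TCP DPT=9200')
  bash -c 'printf "%s\n" "$1" > "/dev/udp/$2/$3"' _ "$msg" "$LS_HOST" "$LS_PORT"
}

case "${1:-}" in
  keystore) setup_keystore ;;
  check)    check_config ;;
  send)     send_test ;;
  *) echo "usage: $0 keystore|check|send" ;;
esac
```

Run `keystore` once, `check` after every edit of logstash.conf, and `send` with Logstash running; if the document does not appear, the PRI/timestamp shape above is the first thing the syslog input rejects, and it tags such events with _grokparsefailure_sysloginput rather than dropping them.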