elastic stack 结合 search guard 配置日志服务器全过程

2019独角兽企业重金招聘Python工程师标准>>>

一、架构规划

   1. 操作系统：CentOS 6.8

   2. elastic stack套件 5.0.1 

   3. Search Guard 5.0.1

   4. 主机地址：192.168.5.251(node1) 192.168.5.252(node2) 192.168.5.253(node3)

二、软件下载地址：

   Elastic Stack：https://www.elastic.co/downloads

   Search Guard：https://github.com/floragunncom/search-guard/tree/es-5.0.1

   Search Guard SSL：https://github.com/floragunncom/search-guard-ssl/tree/5.1.1

三、搭建elasticsearch集群

一、同步时间 三个结点都需要执行
[root@localhost ~]# ntpdate time.windows.com
 8 Jan 10:43:19 ntpdate[1458]: step time server 52.169.179.91 offset -28798.105134 sec

二、安装软件包 三个结点都需要执行
[root@localhost elk]# ls
elasticsearch-5.0.1.rpm  filebeat-5.0.1-x86_64.rpm  jdk-8u101-linux-x64.rpm  kibana-5.0.1-x86_64.rpm  logstash-5.0.1.rpm

[root@localhost elk]# rpm -ivh *.rpm
warning: elasticsearch-5.0.1.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                ########################################### [100%]
   1:logstash               ########################################### [ 20%]
Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME.
warning: %post(logstash-1:5.0.1-1.noarch) scriptlet failed, exit status 1
   2:kibana                 ########################################### [ 40%]
   3:jdk1.8.0_101           ########################################### [ 60%]
Unpacking JAR files...
	tools.jar...
	plugin.jar...
	javaws.jar...
	deploy.jar...
	rt.jar...
	jsse.jar...
	charsets.jar...
	localedata.jar...
   4:filebeat               ########################################### [ 80%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
   5:elasticsearch          ########################################### [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
 sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
 sudo service elasticsearch start

三、修改 90-nproc.conf nproc 值为 2048以上 三个结点都需要执行
[root@localhost elk]# vim /etc/security/limits.d/90-nproc.conf 
*          soft    nproc     2048

四、修改elasticsearch参数，搭建集群 三个结点都需要执行 

[root@localhost elk]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:ba:3a:b9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.253/24 brd 192.168.5.255 scope global eth1
    inet6 fe80::20c:29ff:feba:3ab9/64 scope link 
       valid_lft forever preferred_lft forever

[root@localhost elk]# vim /etc/elasticsearch/elasticsearch.yml 
cluster.name: elastic-cluster
node.name: node-3
network.host: 192.168.5.253
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.5.251", "192.168.5.252", "192.168.5.253"]
discovery.zen.minimum_master_nodes: 2
gateway.recover_after_nodes: 3



五、将当前主机修改好的elasticsearch参数 复制到另外的两台结点     

[root@localhost elk]# scp /etc/elasticsearch/elasticsearch.yml 192.168.5.251:/etc/elasticsearch/

[root@localhost elk]# scp /etc/elasticsearch/elasticsearch.yml 192.168.5.252:/etc/elasticsearch/


六、修改 192.168.5.251 192.168.5.252 node.name  network.host 值需要和当前主机一致

[root@localhost elk]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:07:50:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.251/24 brd 192.168.5.255 scope global eth1
    inet6 fe80::20c:29ff:fe07:5012/64 scope link 
       valid_lft forever preferred_lft forever

[root@localhost elk]# vim /etc/elasticsearch/elasticsearch.yml 
node.name: node-1
network.host: 192.168.5.251

[root@localhost elk]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:94:a0:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.252/24 brd 192.168.5.255 scope global eth1
    inet6 fe80::20c:29ff:fe94:a0d9/64 scope link 
       valid_lft forever preferred_lft forever

[root@localhost elk]# vim /etc/elasticsearch/elasticsearch.yml 
node.name: node-2
network.host: 192.168.5.252

七、验证集群是否搭建成功，如下图所示，表示成功

浏览器打开：http://192.168.5.253:9200/_cat/nodes

192.168.5.252 4 94 3 0.43 0.29 0.18 mdi * node-2
192.168.5.251 3 93 2 0.74 0.53 0.32 mdi - node-1
192.168.5.253 3 93 4 0.54 0.44 0.29 mdi - node-3

三、配置 elasticsearch plugin search-guard 

一、安装 search-guard 三个结点都需要执行
[root@localhost elk]# cd /usr/share/elasticsearch/
[root@localhost elasticsearch]# bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.0.1-9

二、下载 search-guard-ssl 任意一台结点配置，本次以node-3结点
[root@localhost ~]# git clone https://github.com/floragunncom/search-guard-ssl.git
Initialized empty Git repository in /root/search-guard-ssl/.git/
^[[A^[[Aremote: Counting objects: 4870, done.
Receiving objects: 100% (4870/4870), 998.69 KiB | 63 KiB/s, done.
remote: Total 4870 (delta 0), reused 0 (delta 0), pack-reused 4870
Resolving deltas: 100% (2306/2306), done.

[root@localhost ~]# cd search-guard-ssl/example-pki-scripts/

/root/search-guard-ssl/example-pki-scripts
[root@localhost example-pki-scripts]# ls
clean.sh  etc  example.sh  gen_client_node_cert.sh  gen_node_cert.sh  gen_root_ca.sh

三、修改第三行的 0 为 3 生成 node-1 node-2 node-3 三张证书  任意一台结点配置，本次以node-3结点
[root@localhost example-pki-scripts]# cat example.sh 
#!/bin/bash
set -e
./clean.sh
./gen_root_ca.sh capass changeit
./gen_node_cert.sh 3 changeit capass && ./gen_node_cert.sh 1 changeit capass &&  ./gen_node_cert.sh 2 changeit capass
./gen_client_node_cert.sh spock changeit capass
./gen_client_node_cert.sh kirk changeit capass

[root@localhost example-pki-scripts]# ./example.sh 

[root@localhost example-pki-scripts]# ls
ca        etc                      gen_root_ca.sh    kirk.csr           kirk-signed.pem      node-1-signed.pem    node-2-signed.pem    node-3-signed.pem  spock.csr           spock-signed.pem
certs     example.sh               kirk.all.pem      kirk.key.pem       node-1.csr           node-2.csr           node-3.csr           spock.all.pem      spock.key.pem       truststore.jks
clean.sh  gen_client_node_cert.sh  kirk.crtfull.pem  kirk-keystore.jks  node-1-keystore.jks  node-2-keystore.jks  node-3-keystore.jks  spock.crtfull.pem  spock-keystore.jks
crl       gen_node_cert.sh         kirk.crt.pem      kirk-keystore.p12  node-1-keystore.p12  node-2-keystore.p12  node-3-keystore.p12  spock.crt.pem      spock-keystore.p12


四、复制 truststore.jks node-x-keystore.jks 证书到各结点，注意，node-x-keystore.jks x 表示对应主机的结点名
[root@localhost example-pki-scripts]# cp node-3-keystore.jks  truststore.jks /etc/elasticsearch/
[root@localhost example-pki-scripts]# scp node-2-keystore.jks  truststore.jks 192.168.5.252:/etc/elasticsearch/
[root@localhost example-pki-scripts]# scp node-1-keystore.jks  truststore.jks 192.168.5.251:/etc/elasticsearch/

五、配置elasticsearch 各结点基于tls加密通讯，并重启 注意 node-x-keystore.jks x 表示对应主机的结点名 三台都需要配置

[root@localhost example-pki-scripts]# vim /etc/elasticsearch/elasticsearch.yml 
searchguard.ssl.transport.keystore_filepath: node-3-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
  
重启后，elasticsearch 之间的连接已经是加密的了，但是有如下报错，此问题是没有初始化 Search Guard 索引。

[root@localhost example-pki-scripts]# tail -f /var/log/elasticsearch/elastic-cluster.log 
[2017-01-08T12:21:29,918][ERROR][c.f.s.a.BackendRegistry  ] Not yet initialized (you may need to run sgadmin)



六、初始化  Search Guard 索引，配置帐号。 任意结点，本次配置以node-3结点。

复制kirk-keystore.jks证书
[root@localhost example-pki-scripts]# pwd
/root/search-guard-ssl/example-pki-scripts

[root@localhost example-pki-scripts]# cp kirk-keystore.jks /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/

新增以下配置参数
[root@localhost example-pki-scripts]# vim /etc/elasticsearch/elasticsearch.yml 
searchguard.authcz.admin_dn:
  - "CN=kirk, OU=client, O=client, L=Test, C=DE"

重启服务
[root@localhost example-pki-scripts]# service elasticsearch restart
service elasticsearch restart elasticsearch restart
Stopping elasticsearch:                                    [  OK  ]
Starting elasticsearch:                                    [  OK  ]

初始化  Search Guard 索引

[root@localhost search-guard-5]# cd  /usr/share/elasticsearch/plugins/search-guard-5

[root@localhost search-guard-5]# tools/sgadmin.sh -ts /etc/elasticsearch/truststore.jks -tspass changeit -ks sgconfig/kirk-keystore.jks -kspass changeit -cd sgconfig/ -icl -nhnv -h 192.168.5.253
Search Guard Admin v5
Will connect to 192.168.5.253:9300 ... done
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elastic-cluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
searchguard index does not exists, attempt to create it ... done (auto expand replicas is on)
Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig
Will update 'config' with sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'roles' with sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

其中 sg_internal_users.yml 保存着默认的用户和密码
[root@localhost sgconfig]# head -n 5  sg_internal_users.yml 
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
admin:
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  #password is: admin
[root@localhost sgconfig]# pwd
/usr/share/elasticsearch/plugins/search-guard-5/sgconfig

使用浏览器访问：http://192.168.5.253:9200 提示输入密码，输入默认用户: admin admin ，可登陆表示正常。


七、配置REST-API 基于https连接
[root@localhost elk]# vim /etc/elasticsearch/elasticsearch.yml，注意 node-x-keystore.jks x 表示对应主机的结点名 三台都需要配置

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-3-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit

使用浏览器访问：https://192.168.5.253:9200 提示输入密码，输入默认用户: admin admin ，可登陆表示正常
http://192.168.5.253:9200  无加密拒绝访问。

四、配置kibana  任意结点，此处以node-3为例

一、修改 kibana.yml 参数
[root@localhost kibana]# vim /etc/kibana/kibana.yml 
server.port: 5601
server.host: "192.168.5.253"
elasticsearch.url: "https://192.168.5.253:9200"
elasticsearch.username: "kibanaserver" 
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verify: false

二、修改kibana console插件参数，如果不修改，无法使用kibana console的功能。
[root@localhost kibana]# vim /usr/share/kibana/src/core_plugins/console/index.js 
         ssl: {
            verify: false 默认为:true
          }

三、重启kibana,提示要求输入密码 admin admin

五、开启 search-guard 行为审计功能

一、下载auidt依赖人jar文件,下载地址：https://github.com/floragunncom/search-guard-module-auditlog/wiki

二、将下载好的文件复制到各结点，并重启
cp /root/dlic-search-guard-module-auditlog-5.0-3-jar-with-dependencies.jar /usr/share/elasticsearch/plugins/search-guard-5/
[root@localhost search-guard-5]# scp dlic-search-guard-module-auditlog-5.0-3-jar-with-dependencies.jar 192.168.5.251:/usr/share/elasticsearch/plugins/search-guard-5/
[root@localhost search-guard-5]# scp dlic-search-guard-module-auditlog-5.0-3-jar-with-dependencies.jar 192.168.5.252:/usr/share/elasticsearch/plugins/search-guard-5/

三、在kibana 的console输入以下命令，出现auditlog表示正常：
GET _cat/indices
green open auditlog    R0ot_XMgRUW7ss_wMCZBfg 5 1 119 0 404.2kb 218.2kb

 

六、配置logstash 并结合 filebeat收集nginx日志 任意结点，此处以node-3为例

一、配置logstash

[root@localhost conf.d]# cat /etc/logstash/conf.d/logstash.conf 

input {
   beats {
       port => "5044"
   }
}

filter {
   if [type] == "nginx-access" {
      json {
         source => "message"
      }
      geoip { source => "remote_addr"
         target => "geoip"
      }
      mutate {
         convert => { "request_time" => "float" }
         convert => { "upstream_response_time" => "float" }
         convert => { "body_bytes_sent" => "integer" }
      }
   }
}

output {
   if [type] == "nginx-access" {
     elasticsearch {
       hosts => ["192.168.5.253:9200","192.168.5.252:9200","192.168.5.253:9200"]
       user => "logstash"
       password => "logstash"
       ssl => true
       ssl_certificate_verification => false
       truststore => "/etc/elasticsearch/truststore.jks"
       truststore_password => changeit
       index => "logstash-nginx-access-%{+YYYY-MM}"
    }
    stdout { codec => rubydebug }
  }
}

二、配置filebeat
[root@localhost conf.d]# cat /etc/filebeat/filebeat.yml | grep -v -E ".*\#|^$" 

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/access.log 
  document_type: nginx-access
output.logstash:
  hosts: ["192.168.5.253:5044"]

三、新增nginx 日志格式为json，删除默认的日志格式。

     log_format  main  '{"@timestamp":"$time_iso8601",'
                       '"@version":"1",'
                       '"remote_addr":"$remote_addr",'
                       '"remote_user":"$remote_user",'
                       '"http_host":"$http_host",'
                       '"request_method ":"$request_method",'
                       '"uri":"$uri",'
                       '"query_string":"$query_string",'
                       '"status":"$status",'
                       '"body_bytes_sent":"$body_bytes_sent",'
                       '"http_referer":"$http_referer",'
                       '"upstream_status":"$upstream_status",'
                       '"upstream_addr":"$upstream_addr",'
                       '"request_time":"$request_time",'
                       '"upstream_response_time":"$upstream_response_time",'
                       '"http_user_agent":"$http_user_agent",'
                       '"http_cdn_src_ip":"$http_cdn_src_ip",'
                       '"x_forword_for":"$http_x_forwarded_for"}';

四、重启nginx，并访问nignx，查看nginx产生的日志是否为以下格式

[root@localhost conf.d]# tail -n 1  /var/log/nginx/access.log 

{"@timestamp":"2017-01-08T16:23:55+08:00","@version":"1","remote_addr":"192.168.5.1","remote_user":"-","http_host":"192.168.5.253","request_method ":"GET","uri":"/poweredby.png","query_string":"-","status":"304","body_bytes_sent":"0","http_referer":"http://192.168.5.253/","upstream_status":"-","upstream_addr":"-","request_time":"0.000","upstream_response_time":"-","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko","http_cdn_src_ip":"-","x_forword_for":"-"}

五、启动logstash，之后启动filebeat

[root@localhost conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf -r

[root@localhost conf.d]# service filebeat start

六、启动logstash，并访问nginx，发现有以下日志，表示logstash 以及 filebeat 配置正常。（不想显示在屏幕上，可以把    stdout { codec => rubydebug } 字段删除）

{
             "upstream_addr" => "-",
           "body_bytes_sent" => 0,
                    "source" => "/var/log/nginx/access.log",
                      "type" => "nginx-access",
                 "http_host" => "192.168.5.253",
           "http_user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
               "remote_user" => "-",
           "upstream_status" => "-",
              "request_time" => 0.0,
           "request_method " => "GET",
           "http_cdn_src_ip" => "-",
                  "@version" => "1",
                      "beat" => {
        "hostname" => "localhost.localdomain",
            "name" => "localhost.localdomain",
         "version" => "5.0.1"
    },
                      "host" => "localhost.localdomain",
               "remote_addr" => "192.168.5.1",
                     "geoip" => {},
                    "offset" => 7838,
                "input_type" => "log",
             "x_forword_for" => "-",
                   "message" => "{\"@timestamp\":\"2017-01-08T16:23:55+08:00\",\"@version\":\"1\",\"remote_addr\":\"192.168.5.1\",\"remote_user\":\"-\",\"http_host\":\"192.168.5.253\",\"request_method \":\"GET\",\"uri\":\"/nginx-logo.png\",\"query_string\":\"-\",\"status\":\"304\",\"body_bytes_sent\":\"0\",\"http_referer\":\"http://192.168.5.253/\",\"upstream_status\":\"-\",\"upstream_addr\":\"-\",\"request_time\":\"0.000\",\"upstream_response_time\":\"-\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_cdn_src_ip\":\"-\",\"x_forword_for\":\"-\"}",
                       "uri" => "/nginx-logo.png",
                      "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_geoip_lookup_failure"
    ],
                "@timestamp" => 2017-01-08T08:23:55.000Z,
              "http_referer" => "http://192.168.5.253/",
    "upstream_response_time" => 0.0,
              "query_string" => "-",
                    "status" => "304"
}

七、kibana添加 nginx 日志可视化

、

参考文章：

search-guard官方文档：https://github.com/floragunncom/search-guard-docs

elastic stack 官方文档 ：https://www.elastic.co/guide/index.html

转载于:https://my.oschina.net/huangweibin/blog/820858