配置SSL、TLS以及HTTPS来确保es、kibana、beats、logstash的安全

  • 配置SSL、TLS以及HTTPS来确保es、kibana、beats、logstash的安全

    ssl分步骤

    1、准备工作

    为每台机器配置hosts

    192.168.1.234 node01
    192.168.1.233 node02
    192.168.1.240 node03
    192.168.1.241 logstash01
    192.168.1.242 logstash02
    192.168.1.243 filebeat 
    
    metricbeat与filebeat服务在同一台机器上,共用一套证书
    

    instances.yml文件内容

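    # instances.yml — the instance list handed to elasticsearch-certutil in the next step.
    # One certificate/key pair is issued per entry; "name" becomes the directory and file name
    # in certs.zip, and every "dns" value must match the host name configured in /etc/hosts
    # above, otherwise the certificate SAN will not match the name clients connect to.
    # Add an "ip" entry to an instance if clients will connect by IP instead of by name.
    instances:
      - name: "node01"
        dns: ["node01"]
      - name: "node02"
        dns: ["node02"]
      - name: "node03"
        dns: ["node03"]
      # Kibana runs on node01, so its certificate carries the node01 name; browse to
      # https://node01:5601 rather than the IP to avoid a hostname-mismatch warning.
      - name: "kibana"
        dns: ["node01"]
      - name: "logstash01"
        dns: ["logstash01"]
      - name: "logstash02"
        dns: ["logstash02"]
      # metricbeat runs on the same host as filebeat and reuses this certificate.
      - name: "filebeat"
        dns: ["filebeat"]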
    

    存储路径

    /home/elastic/elasticsearch-7.5.1

    生成证书

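    cd /home/elastic/elasticsearch-7.5.1
    # Issue a private CA and one PEM cert/key pair for each instance in instances.yml (the file
    # name must match the one written in step 1). Without --keep-ca-key the CA private key is
    # not kept, so further instances cannot be signed later without regenerating everything.
    # The generated *.key files are unencrypted: copy each one only to its own host and make it
    # readable solely by the account that runs the service.
    bin/elasticsearch-certutil cert ca --pem --in instances.yml --out /root/certs.zip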
    #解压后目录结构
    Archive:  certs.zip
       creating: ca/
      inflating: ca/ca.crt               
       creating: node01/
      inflating: node01/node01.crt       
      inflating: node01/node01.key       
       creating: node02/
      inflating: node02/node02.crt       
      inflating: node02/node02.key       
       creating: node03/
      inflating: node03/node03.crt       
      inflating: node03/node03.key       
       creating: kibana/
      inflating: kibana/kibana.crt       
      inflating: kibana/kibana.key 
    

    2、访问es集群设置

    es1
    
    # elasticsearch.yml — node01 (192.168.1.234). node02 and node03 differ only in node.name,
    # network.host and the certificate/key file names.
    cluster.name: "es-itcast-cluster"
    node.name: "node01"
    node.master: true
    node.data: true
    network.host: "192.168.1.234"
    discovery.seed_hosts:
      - "192.168.1.234"
      - "192.168.1.233"
      - "192.168.1.240"
    cluster.initial_master_nodes:
      - "node01"
      - "node02"
      - "node03"
    path.data: "/var/lib/elasticsearch"
    path.logs: "/var/log/elasticsearch"
    http.port: 9200
    transport.port: 9300

    # Turns on authentication/authorization; the kibana, logstash_system, logstash_writer and
    # beats_user credentials used in the later steps depend on this.
    xpack.security.enabled: true

    # TLS on the HTTP layer (port 9200): Kibana, Logstash and Beats connect with https://.
    # The private key must be readable only by the elasticsearch user. certificate_authorities
    # on the HTTP layer is only consulted for client certificates; client authentication is not
    # enabled here, so clients are not required to present one.
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: "/home/elastic/elasticsearch-7.5.1/config/certs/node01.key"
    xpack.security.http.ssl.certificate: "/home/elastic/elasticsearch-7.5.1/config/certs/node01.crt"
    xpack.security.http.ssl.certificate_authorities: "/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"

    # TLS on the transport layer (port 9300, node-to-node). verification_mode "certificate"
    # checks that the peer certificate chains to ca.crt but not its hostname; "full" would also
    # require the SAN to match the seed-host addresses, which are IPs here while the
    # certificates only carry the node0x DNS names.
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: "certificate"
    xpack.security.transport.ssl.key: "/home/elastic/elasticsearch-7.5.1/config/certs/node01.key"
    xpack.security.transport.ssl.certificate: "/home/elastic/elasticsearch-7.5.1/config/certs/node01.crt"
    xpack.security.transport.ssl.certificate_authorities:
      - "/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"
    
    es2
    
    # elasticsearch.yml — node02 (192.168.1.233)
    cluster.name: "es-itcast-cluster"
    node.name: "node02"
    node.master: true
    node.data: true
    network.host: "192.168.1.233"
    discovery.seed_hosts:
      - "192.168.1.234"
      - "192.168.1.233"
      - "192.168.1.240"
    cluster.initial_master_nodes:
      - "node01"
      - "node02"
      - "node03"
    path.data: "/var/lib/elasticsearch"
    path.logs: "/var/log/elasticsearch"
    http.port: 9200
    transport.port: 9300

    # Authentication/authorization on
    xpack.security.enabled: true

    # HTTPS on port 9200 with this node's own certificate (SAN: node02)
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: "/home/elastic/elasticsearch-7.5.1/config/certs/node02.key"
    xpack.security.http.ssl.certificate: "/home/elastic/elasticsearch-7.5.1/config/certs/node02.crt"
    xpack.security.http.ssl.certificate_authorities: "/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"

    # TLS between nodes on port 9300; peers must chain to ca.crt ("certificate" = no hostname check)
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: "certificate"
    xpack.security.transport.ssl.key: "/home/elastic/elasticsearch-7.5.1/config/certs/node02.key"
    xpack.security.transport.ssl.certificate: "/home/elastic/elasticsearch-7.5.1/config/certs/node02.crt"
    xpack.security.transport.ssl.certificate_authorities:
      - "/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"
    
    es3
    
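    # elasticsearch.yml — node03 (192.168.1.240)
    cluster.name: "es-itcast-cluster"
    node.name: "node03"
    node.master: true
    node.data: true
    network.host: "192.168.1.240"
    discovery.seed_hosts:
      - "192.168.1.234"
      - "192.168.1.233"
      - "192.168.1.240"
    cluster.initial_master_nodes:
      - "node01"
      - "node02"
      - "node03"
    path.data: "/var/lib/elasticsearch"
    path.logs: "/var/log/elasticsearch"
    http.port: 9200
    transport.port: 9300

    # Authentication/authorization on
    xpack.security.enabled: true

    # HTTPS on port 9200 with this node's own certificate (SAN: node03)
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: "/home/elastic/elasticsearch-7.5.1/config/certs/node03.key"
    xpack.security.http.ssl.certificate: "/home/elastic/elasticsearch-7.5.1/config/certs/node03.crt"
    xpack.security.http.ssl.certificate_authorities: "/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"

    # TLS between nodes on port 9300; peers must chain to ca.crt ("certificate" = no hostname check).
    # The CA list is written in block style so the value cannot be left with an unclosed bracket,
    # which makes the whole file unparseable and the node fail to start.
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: "certificate"
    xpack.security.transport.ssl.key: "/home/elastic/elasticsearch-7.5.1/config/certs/node03.key"
    xpack.security.transport.ssl.certificate: "/home/elastic/elasticsearch-7.5.1/config/certs/node03.crt"
    xpack.security.transport.ssl.certificate_authorities:
      - "/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"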
    

    3、kibana访问es集群设置

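    # kibana.yml — Kibana runs on node01
    server.port: 5601
    # Bind address. The kibana certificate's SAN is "node01" (see instances.yml), so open
    # https://node01:5601 rather than the IP to avoid a hostname-mismatch warning in the browser.
    server.host: "192.168.1.234"
    # Cluster endpoints; https:// is mandatory because xpack.security.http.ssl is enabled on every node
    elasticsearch.hosts: ["https://192.168.1.234:9200", "https://192.168.1.233:9200", "https://192.168.1.240:9200"]
    # Built-in kibana user. Prefer the Kibana keystore (bin/kibana-keystore add elasticsearch.password)
    # over a plaintext password in this file.
    elasticsearch.username: "kibana"
    elasticsearch.password: "4CG0LMkw4Gjkh8c5SPsS"
    i18n.locale: "zh-CN"
    # Serve the Kibana UI over HTTPS with the kibana instance certificate
    server.ssl.enabled: true
    server.ssl.certificate: "/home/kibana/kibana-7.5.1/config/certs/kibana.crt"
    server.ssl.key: "/home/kibana/kibana-7.5.1/config/certs/kibana.key"
    # Verify the node certificates against the shared CA. "certificate" checks the chain only;
    # "full" would additionally need the node certificates to carry the IPs used in elasticsearch.hosts.
    elasticsearch.ssl.verificationMode: certificate
    elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.5.1/config/certs/ca.crt"]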
    

    4、启动kibana并测试kibana的登录信息

    img

    4、logstash访问es设置

    在es上创建logstash使用的用户

    # 注意:这里授权的索引名模式 logstash* 必须覆盖 logstash 输出插件实际写入的索引名
    POST /_security/role/logstash_write_role
    {
        "cluster": [
          "monitor",
          "manage_index_templates"
        ],
        "indices": [
          {
            "names": [
              "logstash*"
            ],
            "privileges": ["write","create","delete","create_index","manage","manage_ilm"],
            "field_security": {
              "grant": [
                "*"
              ]
            }
          }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
          "enabled": true
        }
    }
    
    # 创建 logstash_writer 用户并设置密码(logstash 输出插件使用该账号写入 es)
    POST /_security/user/logstash_writer
    {
      "username": "logstash_writer",
      "roles": [
        "logstash_write_role"
      ],
      "full_name": null,
      "email": null,
      "password": "1234567890",
      "enabled": true
    }
    

    针对 Beats 输入插件,将 logstash.key 转换为 PKCS#8 格式

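    # Run once on each Logstash node against that node's own key from instances.yml
    # (logstash01.key on logstash01, logstash02.key on logstash02); the beats input in the
    # pipeline expects <node>.pkcs8.key next to <node>.crt. -nocrypt writes an unencrypted
    # key, so keep the output readable only by the user Logstash runs as.
    NODE=logstash02
    openssl pkcs8 -in "${NODE}.key" -topk8 -nocrypt -out "${NODE}.pkcs8.key"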
    

    **logstash配置**

    logstash配置文件
    
    logstash01
    
    # logstash.yml — logstash01 (192.168.1.241)
    node.name: "logstash01"
    path.data: "/home/logstash/data"
    # Bind address/port of Logstash's own HTTP API (not the Beats input, which is set in the pipeline)
    http.host: "192.168.1.241"
    http.port: 9700
    path.logs: "/home/logstash/logs"
    # Every *.conf under config/conf is loaded as pipeline configuration
    path.config: "/home/logstash/logstash-7.5.1/config/conf/*.conf"

    # Send Logstash's own monitoring data to the cluster over HTTPS as the built-in
    # logstash_system user. The node0x names resolve through the hosts entries from step 1.
    # Prefer the Logstash keystore (bin/logstash-keystore add ...) and a ${VAR} reference
    # to a plaintext password in this file.
    xpack.monitoring.enabled: true
    xpack.monitoring.elasticsearch.username: "logstash_system"
    xpack.monitoring.elasticsearch.password: "TBQOrC23OjbivKfqonMg"
    xpack.monitoring.elasticsearch.hosts:
      - "https://node01:9200"
      - "https://node02:9200"
      - "https://node03:9200"
    # Needed so the node certificates, issued by the private CA, are trusted
    xpack.monitoring.elasticsearch.ssl.certificate_authority: "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    
    
    logstash02
    
    # logstash.yml — logstash02 (192.168.1.242)
    node.name: "logstash02"
    path.data: "/home/logstash/data/"
    # Bind address/port of Logstash's own HTTP API (not the Beats input, which is set in the pipeline)
    http.host: "192.168.1.242"
    http.port: 9700
    log.level: "info"
    path.logs: "/home/logstash/logs"
    # Every *.conf under config/conf is loaded as pipeline configuration
    path.config: "/home/logstash/logstash-7.5.1/config/conf/*.conf"

    # Monitoring data goes to the cluster over HTTPS as the built-in logstash_system user;
    # a Logstash keystore ${VAR} reference is preferable to the plaintext password.
    xpack.monitoring.enabled: true
    xpack.monitoring.elasticsearch.username: "logstash_system"
    xpack.monitoring.elasticsearch.password: "TBQOrC23OjbivKfqonMg"
    xpack.monitoring.elasticsearch.hosts:
      - "https://node01:9200"
      - "https://node02:9200"
      - "https://node03:9200"
    # Needed so the node certificates, issued by the private CA, are trusted
    xpack.monitoring.elasticsearch.ssl.certificate_authority: "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    
    #注意:输出的索引名必须匹配 logstash_write_role 授权的 logstash* 模式
    
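    # Pipeline file for logstash02; on logstash01 use logstash01.crt / logstash01.pkcs8.key.
    input {
      # Beats input with mutual TLS: this node's own certificate plus "force_peer", which
      # rejects any client that does not present a certificate signed by ca.crt
      # (filebeat presents filebeat.crt). The key must be in PKCS#8 form, see the openssl step.
      beats {
        port => 5044
        ssl => true
        ssl_certificate_authorities => ["/home/logstash/logstash-7.5.1/config/certs/ca.crt"]
        ssl_certificate => "/home/logstash/logstash-7.5.1/config/certs/logstash02.crt"
        ssl_key => "/home/logstash/logstash-7.5.1/config/certs/logstash02.pkcs8.key"
        ssl_verify_mode => "force_peer"
      }
    }

    output {
      # Debug echo of every event; remove in production, as it doubles the output work and
      # writes full event contents to the local log.
      stdout {
        codec => json
      }
      elasticsearch {
        hosts => ["https://node01:9200", "https://node02:9200", "https://node03:9200"]
        ssl => true
        # Trust the private CA that issued the node certificates
        cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
        # Must match the "logstash*" index pattern granted to logstash_write_role
        index => "logstash-data-%{+YYYY.MM.dd}"
        # Credentials of the user created with POST /_security/user/logstash_writer; the
        # password must be the one set in that request. Prefer a Logstash keystore reference
        # (e.g. "${LOGSTASH_WRITER_PWD}") to a literal in this file.
        user => "logstash_writer"
        password => "1234567890"
      }
    }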
    

    5、filebeat访问logstash设置

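    output.logstash:
      # Both Logstash nodes; the names resolve through the hosts entries from step 1. Beats verify
      # the server hostname by default, which works because the logstash0x certificates carry
      # exactly these names as SAN.
      hosts: ["logstash01:5044", "logstash02:5044"]
      # Distribute events across both hosts instead of using the second one only as failover
      loadbalance: true
      # Trust the shared CA for the Logstash server certificates, and present filebeat's own
      # certificate because the beats input requires a client certificate (force_peer).
      ssl.certificate_authorities: ["/home/beats/filebeat-7.5.1/certs/ca.crt"]
      ssl.certificate: "/home/beats/filebeat-7.5.1/certs/filebeat.crt"
      ssl.key: "/home/beats/filebeat-7.5.1/certs/filebeat.key"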
    

    6、metricbeat访问elasticsearch设置

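    # metricbeat.yml — metricbeat runs on the filebeat host and reuses its certificate.
    # Create the user beats_user in Elasticsearch first and grant it a role limited to writing
    # the metricbeat-* indices and managing the metricbeat template (the role is not shown on
    # this page).
    # Module discovery: enabled modules under modules.d are reloaded every 10s
    metricbeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: true
      reload.period: 10s
    # ILM is disabled so that the custom index name under output.elasticsearch is used
    setup.ilm.enabled: false
    setup.template.name: "metricbeat"
    setup.template.pattern: "metricbeat-*"
    setup.template.settings:
      index.number_of_shards: 1
      index.codec: best_compression
    output.elasticsearch:
      hosts: ["https://node01:9200", "https://node02:9200", "https://node03:9200"]
      index: "metricbeat-%{+yyyy.MM.dd}"
      protocol: "https"
      # Prefer the Beats keystore (metricbeat keystore add ...) and a ${VAR} reference
      # to a plaintext password in this file
      username: "beats_user"
      password: "123456"
      # The CA entry is what verifies the node certificates; the client certificate/key are
      # only presented if Elasticsearch asks for one, which it is not configured to do here.
      ssl.certificate_authorities: ["/home/beats/filebeat-7.5.1/certs/ca.crt"]
      ssl.certificate: "/home/beats/filebeat-7.5.1/certs/filebeat.crt"
      ssl.key: "/home/beats/filebeat-7.5.1/certs/filebeat.key"
    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~
      - add_kubernetes_metadata: ~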
    