docker环境下elk添加身份验证

构建好elasticsearch、logstash、kibana、filebeat的容器。
docker-compose文件如下

---

给elasticsearch添加身份验证

官方文档如下:https://www.elastic.co/guide/en/elasticsearch/reference/7.16/security-minimal-setup.html#security-create-builtin-users
修改elasticsearch.yml的配置文件，新增一行xpack.security.enabled: true

然后重启es，进入容器内部执行./bin/elasticsearch-setup-passwords interactive

root@f84dfad4fd98:/usr/share/elasticsearch/bin# ./elasticsearch-setup-passwords interactive

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]

选择y，这里都设置为123456
好，现在我们就已经生成了7个用户，为别是elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user

集群状态下给elasticsearch集群添加TLS验证

官方提示：
If your cluster has multiple nodes, then you must configure TLS between nodes. Production mode clusters will not start if you do not enable TLS.
官方文档：
https://www.elastic.co/guide/en/elasticsearch/reference/7.16/security-basic-setup.html

kibana设置连接elasticsearch的账号密码

官方文档如下：https://www.elastic.co/guide/en/elasticsearch/reference/7.16/security-minimal-setup.html#add-built-in-users

修改kibana.yml的配置文件，新增两行

...
elasticsearch.username: "kibana_system"
elasticsearch.password: "123456"

然后重启kibana，输入账号elastic,密码123456。

我们发现下面提示server.publicBaseUrl 缺失，在生产环境中运行时应配置。某些功能可能运行不正常。 请参阅文档。https://www.elastic.co/guide/en/kibana/7.16/settings.html#server-publicBaseUrl
server.publicBaseUrl: The publicly available URL that end-users access Kibana at. Must include the protocol, hostname, port (if different than the defaults for http and https, 80 and 443 respectively), and the server.basePath (if configured). This setting cannot end in a slash (/).
大致意思就是如果是http，那么kibana.yml中就是 server.publicBaseUrl:
如果是http，那么kibana.yml中就是 server.basePath：
并且属性要以http(s)开头，/结尾，
比如server.publicBaseUrl: "http://localhost:5601/"

kibana设置身份验证与连接elasticsearch

logstash设置连接elasticsearch的账号密码

vim logstash/pipeline/logstash-to-es.conf

output {
        if [flag] == "elk" {
                elasticsearch {
                        hosts => ["http://elasticsearch:9201"]
                        user => "logstash_system"
                        password => "123456"
                        manage_template => true
                        index => "webserver-log-%{+YYYY.MM.dd}"
                        document_type=> "_doc"
                        template => "/usr/share/logstash/templates/webserver-log.json"
                        template_overwrite => true
          }
        }
}

vim logstash/config/logstash.yml

http.host: "0.0.0.0"
# 修改身份验证
xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9201" ]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "123456"