文章目录
一、启用xpack安全验证
- 目的:为了访问安全,防止外部ip直接通过ip加端口号访问elasticsearch和kibana
- 要为kibana添加更丰富的功能需要xpack安全验证的支持,比如设置metricbeat监测
1. 生成证书
[root@server1 ~]# cd /usr/share/elasticsearch/
[root@server1 elasticsearch]# bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: 回车
Enter password for elastic-stack-ca.p12 : westos
[root@server1 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : westos
Please enter the desired output file [elastic-certificates.p12]: 回车
Enter password for elastic-certificates.p12 : 回车
[root@server1 elasticsearch]# cp elastic-certificates.p12 /etc/elasticsearch
[root@server1 elasticsearch]# chown elasticsearch /etc/elasticsearch/elastic-certificates.p12
[root@server1 elasticsearch]# cd /etc/elasticsearch/
[root@server1 elasticsearch]# ll elastic-certificates.p12
-rw------- 1 elasticsearch elasticsearch 3443 May 28 21:18 elastic-certificates.p12
[root@server1 elasticsearch]# scp elastic-certificates.p12 server2:/etc/elasticsearch/
[root@server1 elasticsearch]# scp elastic-certificates.p12 server3:/etc/elasticsearch/
server2 3
[root@server3 ~]# cd /etc/elasticsearch/
[root@server3 elasticsearch]# chown elasticsearch elastic-certificates.p12
[root@server3 elasticsearch]# ll elastic-certificates.p12
-rw------- 1 elasticsearch elasticsearch 3443 May 28 21:24 elastic-certificates.p12
2.配置所有的elasticsearch集群节点
server 1 2 3 上的操作
[root@server1 elasticsearch]# vim elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
[root@server1 elasticsearch]# systemctl restart elasticsearch.service
3.ES集群重启正常后,设置用户密码
- 防止忘记我们可以设置为同一个密码
- elasticsearch和kibana等都可以用elastic用户登录
[root@server1 bin]# pwd
/usr/share/elasticsearch/bin
[root@server1 bin]# ls
[root@server1 bin]# ./elasticsearch-setup-passwords interactive
Enter password for [elastic]: 密码一致
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
4.设置kibana连接ES的用户密码
[root@server3 elasticsearch]# vim /etc/kibana/kibana.yml
[root@server3 elasticsearch]# systemctl restart kibana.service
5.设置Logstash连接ES用户密码
[root@server1 bin]# cd /etc/logstash/conf.d/
[root@server1 conf.d]# ls
apache.conf demo.conf es.conf test.conf
[root@server1 conf.d]# vim apache.conf
user => "elastic"
password => "westos"
[root@server1 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache.conf
6.head访问
[root@server1 conf.d]# vim /etc/elasticsearch/elasticsearch.yml
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
[root@server1 conf.d]# systemctl restart elasticsearch.service
7.访问测试
[root@server2 elasticsearch]# ab -c1 -n100 http://192.168.0.1/index.html
访问 http://192.168.0.1:9100/?auth_user=elastic&auth_password=westos
二、cerebro可视化界面部署
- 它是不同于elasticsearch-head的另一款elasticsearch可视化插件,使用docker容器的方式部署,更加简单便捷,并且具有更优雅的可视化界面展示
- Podman(Pod Manager)是一个功能齐全的容器引擎,它是一个简单的无守护工具。 Podman提供了一个类似Docker-CLI的命令行,可以简化从其他容器引擎的转换,并允许管理pod,容器和图像。
在宿主机上部署:
[root@foundation ~]# yum install -y podman
[root@foundation ~]# podman pull docker.io/lmenezes/cerebro
[root@foundation ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/lmenezes/cerebro latest 045d7f40bf06 16 hours ago 289 MB
[root@foundation ~]# podman run -d --name cerebro -p 9000:9000 docker.io/lmenezes/cerebro
2d5d4672bc5a70564a1a17c7053c59c98021a408affb09f869e283ae19912cd9
[root@foundation ~]# netstat -antulp | grep :9000
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN 14304/conmon