6.4.6.1 X-Pack on Elasticsearch
由于本文使用的es的版本为6.*,所以X-Pack不需要单独安装, 由于没有es的正式license请先查看6.4.6.4 xpack破解, 并保证license为生效状态, 所有相关参数配置elasticsearch.yml中,配置完成后使用systemctl restart elasticsearch.service 重启服务
关键参数说明:
action.auto_create_index是否开启自动创建indexxpack.security.enabled是否开启安全认证, 默认为truexpack.security.transport.ssl.enabledelasticsearch节点之前是否使用ssl传输数据, 默认falsexpack.security.transport.ssl.verification_mode 包含三种方式
full(default)certificatenonefull检查证书是否由权威机构发布的, 还效验主机名是否和证书中的标识相同certificate检查证书是否由权威机构发布的, 但是不效验主机名none不执行任何效验
xpack.security.transport.ssl.keystore.path证书文件存储全路径xpack.security.transport.ssl.truststore.path信任证书存储的全路径
(可选)配置自动创建索引
X-Pack需要在elasticsearch自动的创建一些索引, 默认elasticsearch允许自动创建索引, 如果关闭了自动创建索引必须在elasticsearch.yml中配置action.auto_create_index允许X-Pack自动创建如下的索引:
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*也可以这样配置action.auto_create_index: *允许创建所有索引
配置传输层安全性(TLS/SSL)
如果您拥有License,并且希望使用X-Pack安全性,则必须为节点间通信配置TLS。
创建一个CA, 生成文件名称为
elastic-stack-ca.p12
bin/elasticsearch-certutil ca生成证书和私钥
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12将证书传输到各个节点的指定位置
mkdir /etc/elasticsearch/certs
mv bin/elastic-certificates.p12 /etc/elasticsearch/certs
mv bin/elastic-stack-ca.p12 /etc/elasticsearch/certs开启X-Pack security
编辑elasticsearch.yml , 输入如下内容
xpack.security.enabled: true开启集群中https传输
编辑elasticsearch.yml输入如下内容
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12设置内建用户的密码
需要保留创建的用户名和密码, logstash 和 kibana 连接es时需要使用该密码
手动方式设置所有内建用户的密码
# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]使用自动方式设置所有内建用户的密码
bin/elasticsearch-setup-passwords auto保存console的输出内容以便于后续使用时查看
以下内容摘自官方文档, 更多配置请参考官方文档
关键参数说明
xpack.security.audit.enabled是否开启自动创建indexxpack.security.audit.outputs指定审计日志的输出位置, [ index, logfile ]logfile(default)输出审计日志到每个节点的<cluster-name>_access.logindex输出审计日志到名字为.security_audit_log索引中
PS: 应当尽量索引方式和日志方式同时使用避免审计日志的丢失
xpack.security.audit.logfile.events.include指定审计日志输出的event, 默认值为:access_denied、access_granted、anonymous_access_denied、authentication_failed、connection_denied、tampered_request、run_as_denied、run_as_granted。xpack.security.audit.logfile.events.emit_request_body指定是否在某些事件类型(如authentication_failed)上包含来自REST请求的请求体。默认值为false。xpack.security.audit.logfile.events.ignore_filters
<policy_name>自定义策略的名称xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users匹配的users将不输出审计日志,例如:
["logstash_internal"]xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realmsA list of authentication realm names or wildcards. The specified policy will not print audit events for users in these realms.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles匹配的roles将不输出审计日志
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices匹配的索引将不输出审计日志
开启审计
编辑elasticsearch.yml , 输入如下内容
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true设置审计日志输出的位置
xpack.security.audit.outputs: [ logfile ]定义filter不输出审计日志
忽略用户logstash_internal 不产生审计日志
xpack.security.audit.logfile.events.ignore_filters:
exclude_logstash_write:
users: ["logstash_internal"]可以在elasticsearch.yml中配置 xpack.notification 发送通知到email, HipChat, Slack, 或者 PagerDuty.
关键参数说明
xpack.watcher.enabled设置为true或false打开或者关闭Watcherxpack.http.proxy.host指定代理主机xpack.http.proxy.port指定代理主机连接的端口Email Notification Settings
xpack.notification.email.accountprofile;; The email profile to use to build the MIME messages that are sent from the account. Valid values:standard,gmailandoutlook. Defaults tostandard.email_defaults.*An optional set of email attributes to use as defaults for the emails sent from the account. See Email Action Attributes for the supported attributessmtp.auth设置为true或者false, true使用认证, false不实用认证smtp.host指定smtp的地址smtp.port指定smtp 连接的端口smtp.user指定smtp认证的用户名smtp.password指定smtp.user的密码smtp.starttls.enable指定是否需要使用tls协议连接
xpack.notification.email.default_account指定发送报警的账号
开启Watcher
编辑elasticsearch.yml , 输入如下内容
xpack.watcher.enabled: True配置smtp账号信息
xpack.notification.email.account:
exmail:
profile: standard
email_defaults:
from: [email protected]
smtp:
auth: true
starttls.enable: true
host: smtp.163.com
port: 465
user: [email protected]
password: 651201配置notification的默认账号
xpack.notification.email.default_account: exmailMonitoring默认是打开状态, 可以配置monitoring在elasticsearch.yml文件中
xpack.monitoring.enabled: True机器学习默认为开启状态, 因为没有具体使用将其关闭, 编辑elasticsearch.yml , 输入如下内容
xpack.ml.enabled: Falseelasticsearch配置整合
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
# Cluster / Node Basics
cluster.name: welog
# Node can have abritrary attributes we can use for routing
node.name: es-welog02cn-dw03-p014
node.max_local_storage_nodes: 1
node.master: False
node.data: True
node.ingest: True
node.attr.rack: warm
# networking Settings
network.host: 10.40.9.154,127.0.0.1
http.enabled: false
transport.tcp.port: 9300
# dirs
path.data:
- /data/elasticsearch/data-vdc
- /data/elasticsearch/data-vde
- /data/elasticsearch/data-vdd
path.logs: /data/elasticsearch/logs
# Minimum nodes alive to constitute an operational cluster
discovery.zen.minimum_master_nodes: 2
# Unicast Discovery (disable multicast)
discovery.zen.ping.unicast.hosts:
- es-welog02cn-p001.pek3.example.net
- es-welog02cn-p002.pek4.example.net
- es-welog02cn-p003.pek3.example.net
# X-Pack
xpack.security.enabled: True
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.logfile.events.ignore_filters:
exclude_logstash_write:
users: ["logstash_internal"]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.watcher.enabled: True
xpack.monitoring.enabled: True
xpack.ml.enabled: False
xpack.notification.email.account:
exmail:
profile: standard
email_defaults:
from: [email protected]
smtp:
auth: true
starttls.enable: true
host: smtp.exmail.qq.com
port: 587
user:
password:
# X-Pack watcher email notification
xpack.notification.email.default_account: exmail
xpack.notification.email.account.alerting.smtp.host: "smtp.exmail.qq.com"最后更新于
这有帮助吗?