Prerequisites

In the ELK + Filebeat cluster built in the previous articles, every component is version 7.16.1 and Elasticsearch has two nodes. By default there is no login password at all, so anyone can log in and operate the cluster; for security it is worth enabling password authentication. Versions 6.2 and earlier require installing X-Pack separately; newer versions ship with it in the distribution, so it can be configured directly on the ELK stack.

1. Elasticsearch configuration

1.1 Generate the certificates

Note: all of the certificate steps below must be run inside the container.

cd /usr/share/elasticsearch/bin
./elasticsearch-certutil ca
./elasticsearch-certutil cert --ca /usr/share/elasticsearch/elastic-stack-ca.p12

By default both certificates are written to the /usr/share/elasticsearch directory:

ls -l /usr/share/elasticsearch/elastic-*                
-rw------- 1 root root 3596 May 27 05:58 /usr/share/elasticsearch/elastic-certificates.p12
-rw------- 1 root root 2672 May 27 05:53 /usr/share/elasticsearch/elastic-stack-ca.p12

Move these two certificates into the /usr/share/elasticsearch/config/certs directory, because /usr/share/elasticsearch/config/ is mounted from outside the container and therefore survives deletion of the container.

mkdir /usr/share/elasticsearch/config/certs
mv /usr/share/elasticsearch/elastic-* /usr/share/elasticsearch/config/certs

Also note that the ownership of the certificate must be changed to the user with id=1000 inside the container. Otherwise Elasticsearch will fail to start with AccessDeniedException[/usr/share/elasticsearch/config/certs/elastic-certificates.p12]:

chown 1000 /usr/share/elasticsearch/config/certs/elastic-certificates.p12
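The AccessDeniedException above is caused by file ownership, so the following added check (not part of the original post) verifies that every elastic-*.p12 in the certs directory is owned by the expected uid (1000 in the post) and carries no group/other permission bits, which is what the -rw------- mode shown above means. The helper names are my own; the directory path is the one used in the post.

```shell
# Added example, not part of the original post: check that the certificate
# files are owned by the container's elasticsearch user (uid 1000 per the post)
# and are not readable by group/other. The helper names are my own; the
# directory path is the one used in the post.

# check_cert_perms FILE EXPECTED_UID
# Returns 0 when FILE is owned by EXPECTED_UID and has mode ?rw------- (no
# group/other bits); prints the reason and returns 1 otherwise.
check_cert_perms() {
    file="$1"
    want_uid="$2"
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # ls -ln prints the mode string in column 1 and the numeric uid in column 3;
    # this is portable across GNU and BSD ls, unlike stat's -c/-f flags.
    set -- $(ls -ln "$file")
    mode="$1"
    uid="$3"
    if [ "$uid" != "$want_uid" ]; then
        echo "wrong owner: $file is owned by uid $uid, expected $want_uid"
        return 1
    fi
    case "$mode" in
        # 4 chars of type+user bits, then 6 dashes for group+other
        # (a trailing '+' or '.' for ACL/SELinux context is allowed)
        ????------*) echo "ok: $file"; return 0 ;;
        *) echo "too permissive: $file has mode $mode (expected 600)"; return 1 ;;
    esac
}

# check_certs_dir DIR EXPECTED_UID
# Checks every elastic-*.p12 in DIR; returns the number of failing files.
check_certs_dir() {
    failures=0
    for f in "$1"/elastic-*.p12; do
        [ -e "$f" ] || { echo "no elastic-*.p12 files in $1"; return 1; }
        check_cert_perms "$f" "$2" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage inside the container (path from the post); only runs if the dir exists.
if [ -d /usr/share/elasticsearch/config/certs ]; then
    check_certs_dir /usr/share/elasticsearch/config/certs 1000
fi
```

Run it inside each Elasticsearch container after the chown; a non-zero exit means at least one file would still trigger the AccessDeniedException or is readable by other users in the container.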

1.2 Copy the elastic-certificates.p12 file

Copy the generated elastic-certificates.p12 file to the /usr/share/elasticsearch/config/certs directory of every container node.

1.3 Enable SSL on the Elasticsearch cluster

On every Elasticsearch node, edit the elasticsearch/config/elasticsearch.yml file outside the container (which is /usr/share/elasticsearch/config/elasticsearch.yml inside the container) and add the following:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
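Because these five lines have to be present on every node, a node that was skipped (or still has ssl.enabled: false from an earlier test) is easy to miss until the cluster refuses to form. The following added lint (my own code, not from the original post) checks an elasticsearch.yml for exactly the settings listed above; the setting names and values are the post's, the function names and the two sample files are constructed.

```shell
# Added example, not part of the original post: a small lint that checks an
# elasticsearch.yml for the five settings added in section 1.3, so a node that
# was missed (or still says "false") is caught before the cluster restart.
# Setting names and values come from the post; the function names are my own.

# has_setting FILE KEY VALUE
# Returns 0 when FILE has an uncommented line "KEY: VALUE" (optional quotes
# around VALUE, surrounding whitespace ignored), 1 otherwise.
has_setting() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    val_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${key_re}:[[:space:]]*[\"']?${val_re}[\"']?[[:space:]]*$" "$1"
}

# check_security_config FILE
# Prints every missing or wrong setting; returns the number of problems (0 = ok).
check_security_config() {
    cfg="$1"
    problems=0
    for pair in \
        "xpack.security.enabled=true" \
        "xpack.security.transport.ssl.enabled=true" \
        "xpack.security.transport.ssl.verification_mode=certificate" \
        "xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12" \
        "xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12"
    do
        key="${pair%%=*}"
        value="${pair#*=}"
        if ! has_setting "$cfg" "$key" "$value"; then
            echo "$cfg: missing or wrong: $key: $value"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample configs (not real files from the post): one correct, one
# with security commented out and TLS still disabled.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.yml" <<'EOF'
cluster.name: es-cluster
node.name: es-master
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
EOF
cat > "$SAMPLE_DIR/bad.yml" <<'EOF'
cluster.name: es-cluster
node.name: es-node2
# xpack.security.enabled: true
xpack.security.transport.ssl.enabled: false
EOF

for f in "$SAMPLE_DIR/good.yml" "$SAMPLE_DIR/bad.yml"; do
    if check_security_config "$f"; then
        echo "$f: all security settings present"
    fi
done
```

Point check_security_config at each node's mounted elasticsearch/config/elasticsearch.yml before running the restart; the exit status is the number of settings that are absent, commented out, or set to a different value.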

1.4 Restart Elasticsearch

After the configuration is done:

docker-compose restart elasticsearch

After the restart, barring surprises, opening the Elasticsearch URL in a browser will prompt for a username and password.

1.5 Set the passwords

This only needs to be done on one Elasticsearch node, for example the master; once set, the passwords take effect on the other nodes as well.
Enter the master node's container and set the passwords:

cd /usr/share/elasticsearch/bin
./elasticsearch-setup-passwords interactive

interactive is used here so that the user types each password. The auto option can be used instead to have random passwords generated.

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana_system]: 
Reenter password for [kibana_system]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

User                     Purpose
elastic                  Superuser
apm_system               Used by the APM server to store monitoring information in Elasticsearch
kibana_system            Used by Kibana to connect to Elasticsearch
kibana                   Deprecated
logstash_system          Used by Logstash to store monitoring information in Elasticsearch
beats_system             Used by Beats to store monitoring information in Elasticsearch
remote_monitoring_user   Used by Metricbeat to collect and store monitoring information in Elasticsearch

2. Kibana configuration

2.1 Add the username and password to kibana.yml

elasticsearch.username: "kibana"
elasticsearch.password: "*****"

2.2 Restart Kibana

docker-compose restart kibana

After the restart, open http://ip:5601 to reach the login page and log in with the elastic account. Once logged in, go to Management, where a new section appears: user and role management. Under roles and users, add users and assign the indices they are allowed to access in ES.

3. Logstash configuration

3.1 Configure the username and password in logstash.yml

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: *****
xpack.monitoring.elasticsearch.hosts: ["http://ip:9200"]

3.2 Add the username and password to the Logstash pipeline conf file

In this example Nginx logs are collected and the pipeline file is logstash/conf.d/nginx.conf. Add user and password under the output section of this file:

output {
    elasticsearch {
        hosts => ["192.168.1.240:9200"]
        index => "nginx-access-log-%{+YYYY.MM.dd}"
        user => "elastic"
        password => "******"
    }
    stdout { codec => rubydebug }
}

3.3 Restart Logstash

docker-compose restart logstash

After the restart, check the Logstash log to see whether it is pushing logs to Elasticsearch normally; if it is, everything is working. If messages such as Encountered a retryable error (will retry with exponential backoff) appear, check that the username and password in the Logstash configuration are correct.
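The retryable-error line on its own only tells you that the output is backing off; whether the cause is a wrong password or an unavailable cluster is in the HTTP status next to it. The following added triage script (my own code, not from the original post) counts those lines in a Logstash log and gives a verdict. The log lines are constructed samples written in Logstash's log format, not a real capture; the function names are my own.

```shell
# Added example, not part of the original post: a quick triage of Logstash log
# lines after the restart. "Encountered a retryable error" alone only says the
# output is backing off; a 401 next to it says the credentials are wrong, while
# other codes point at the cluster itself. The log lines below are constructed
# samples in Logstash's log format, not a real capture; the function names are my own.

# Constructed sample log (password masked the way Logstash prints pool URLs)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2022-05-27T06:10:01,123][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elastic:xxxxxx@192.168.1.240:9200/]}}
[2022-05-27T06:10:02,456][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://elastic:xxxxxx@192.168.1.240:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :message=>"Got response code '401' contacting Elasticsearch at URL 'http://192.168.1.240:9200/'"}
[2022-05-27T06:10:03,789][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error (will retry with exponential backoff) {:code=>401, :url=>"http://192.168.1.240:9200/_bulk", :content_length=>512}
[2022-05-27T06:10:05,000][INFO ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://elastic:xxxxxx@192.168.1.240:9200/"}
EOF

# count_retryable_errors FILE: number of backoff lines (prints 0 when none)
count_retryable_errors() {
    grep -c 'Encountered a retryable error' "$1" || true
}

# count_status FILE CODE: number of lines reporting HTTP status CODE, in either
# the ":code=>CODE" or "response code 'CODE'" form seen in the sample above
count_status() {
    grep -Ec "(response code '$2'|:code=>$2([^0-9]|$))" "$1" || true
}

# diagnose_logstash_log FILE
# Prints "credentials" when any 401 was seen, "backend" when backoff happened
# without a 401, "healthy" otherwise.
diagnose_logstash_log() {
    if [ "$(count_status "$1" 401)" -gt 0 ]; then
        echo credentials
    elif [ "$(count_retryable_errors "$1")" -gt 0 ]; then
        echo backend
    else
        echo healthy
    fi
}

echo "verdict: $(diagnose_logstash_log "$SAMPLE_LOG")"
```

Run diagnose_logstash_log against the real Logstash log (for example the output of docker-compose logs logstash saved to a file): "credentials" means the user/password in logstash.yml or nginx.conf should be rechecked first, while "backend" means Elasticsearch itself is not accepting bulk requests and the cluster should be looked at before touching the credentials.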