ELK basics: getting started
ELK installation:
JDK environment installation:
1. Get the package: wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u73-b02/jdk-8u73-linux-x64.rpm"
2. Install it: sudo yum -y localinstall jdk-8u73-linux-x64.rpm
Elasticsearch installation:
1. Import the GPG public key: sudo rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
2. Create the Elasticsearch repo file: sudo vim /etc/yum.repos.d/elasticsearch.repo
Write the following configuration (the section header is required by yum):
    [elasticsearch-2.x]
    name=Elasticsearch repository for 2.x packages
    baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
    gpgcheck=1
    gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1
3. Install: sudo yum -y install elasticsearch
4. Configure: sudo vi /etc/elasticsearch/elasticsearch.yml
Set this item so the node only listens locally: network.host: localhost
5. Start and enable at boot: sudo systemctl start elasticsearch && sudo systemctl enable elasticsearch
Kibana installation:
1. Create the Kibana repo file: sudo vi /etc/yum.repos.d/kibana.repo
Write the following configuration:
    [kibana-4.4]
    name=Kibana repository for 4.4.x packages
    baseurl=http://packages.elastic.co/kibana/4.4/centos
    gpgcheck=1
    gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1
2. Install: sudo yum -y install kibana
3. Configure: sudo vi /opt/kibana/config/kibana.yml
Set this item: server.host: "localhost"
4. Run: sudo systemctl start kibana && sudo chkconfig kibana on
Logstash installation:
1. Create the repo file: sudo vi /etc/yum.repos.d/logstash.repo
Write the following configuration:
    [logstash-2.2]
    name=logstash repository for 2.2 packages
    baseurl=http://packages.elasticsearch.org/logstash/2.2/centos
    gpgcheck=1
    gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
    enabled=1
2. Install: sudo yum -y install logstash
3. Generate the SSL certificate: sudo vi /etc/pki/tls/openssl.cnf
Under [ v3_ca ] add: subjectAltName = IP: ELK_server_private_ip
    cd /etc/pki/tls
    sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
4. Configure Logstash: under /etc/logstash/conf.d, set up the matching input, filter and output.
Shield for access control: pros: easy to configure and to assign permissions; cons: paid.
Shield installation:
1. Enter the Elasticsearch directory: cd /usr/share/elasticsearch
2. Install the license plugin: bin/plugin install elasticsearch/license/latest
3. Install Shield: bin/plugin -i elasticsearch/shield/latest
4. Link its configuration to /etc/elasticsearch/shield: ln -s /usr/share/elasticsearch/config/shield /etc/elasticsearch/shield
5. Restart the service: service elasticsearch restart
6. Create the Elasticsearch admin account: bin/shield/esusers useradd es_admin -r admin
7. Create the Logstash account: /usr/share/elasticsearch/bin/shield/esusers useradd logstashserver -r logstash
8. Add the Logstash user and password to the Logstash output configuration, e.g.:
    output {
      elasticsearch {
        # Logstash 2.x: "hosts" replaces the 1.x "host" and "protocol" options (HTTP only)
        hosts => ["192.168.0.1"]
        index => "logstash-%{type}-%{+YYYY.MM.dd}"
        user => "logstashserver"   # the Shield user that holds the logstash role
        password => "woshimima"    # don't forget the password
      }
      # stdout { codec => rubydebug }
    }
9. Create the Kibana account: /usr/share/elasticsearch/bin/shield/esusers useradd kibanaserver -r kibana4_server
10. Add the account and password to the Kibana configuration /opt/kibana/config/kibana.yml:
    kibana_elasticsearch_username: kibanaserver   # the Kibana service uses this user to reach the Elasticsearch server
    kibana_elasticsearch_password: woshimima      # its password
Shield for permission control:
1. In Elasticsearch's /etc/elasticsearch/shield/roles.yml, configure the permissions of each type of user. For example, a doctor may read cases and patients, while a nurse may only read cases:
    doctor:
      indices:
        'cases,patients':
          - indices:admin/mappings/fields/get
          - indices:admin/validate/query
          - indices:data/read/search
          - indices:data/read/msearch
          - indices:admin/get
    nurse:
      indices:
        'cases':
          - indices:admin/mappings/fields/get
          - indices:admin/validate/query
          - indices:data/read/search
          - indices:data/read/msearch
          - indices:admin/get
2. Create the doctor and nurse accounts:
    /usr/share/elasticsearch/bin/shield/esusers useradd alice -r nurse
    /usr/share/elasticsearch/bin/shield/esusers useradd bob -r doctor
3. Grant Kibana permissions:
    /usr/share/elasticsearch/bin/shield/esusers roles doctor -a kibana4_server
    /usr/share/elasticsearch/bin/shield/esusers roles nurse -a kibana4_server
4. Log in to Kibana and check the permissions.
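Before checking in Kibana, the effective permissions can be evaluated offline. The script below is an added example, not part of the original notes or of Shield itself: the roles dict mirrors the roles.yml above, the user mapping mirrors the esusers commands, and the matching is a simplified model (comma-separated index patterns with '*' wildcards, union across a user's roles, deny by default) of what Shield evaluates; it also flags grants that exceed read-only access.

```python
from fnmatch import fnmatchcase

# Mirrors /etc/elasticsearch/shield/roles.yml from the notes above
ROLES = {
    "doctor": {"cases,patients": [
        "indices:admin/mappings/fields/get", "indices:admin/validate/query",
        "indices:data/read/search", "indices:data/read/msearch",
        "indices:admin/get"]},
    "nurse": {"cases": [
        "indices:admin/mappings/fields/get", "indices:admin/validate/query",
        "indices:data/read/search", "indices:data/read/msearch",
        "indices:admin/get"]},
}
# Mirrors the esusers useradd commands (alice -> nurse, bob -> doctor)
USERS = {"alice": ["nurse"], "bob": ["doctor"]}
# Actions treated as read-only by the least-privilege audit below
READ_ONLY = {"indices:admin/mappings/fields/get", "indices:admin/validate/query",
             "indices:data/read/search", "indices:data/read/msearch",
             "indices:admin/get"}

def is_allowed(user, index, action, roles=ROLES, users=USERS):
    """True if any role of `user` grants `action` on `index`.
    A role key is a comma-separated list of index patterns; '*' wildcards
    are honoured, and the catch-all privilege 'all' grants every action."""
    for role in users.get(user, []):
        for patterns, actions in roles.get(role, {}).items():
            matched = any(fnmatchcase(index, p.strip()) for p in patterns.split(","))
            if matched and (action in actions or "all" in actions):
                return True
    return False  # deny by default: unknown user, role or index

def audit_roles(roles=ROLES):
    """Return (role, pattern, privilege) triples that go beyond read-only access:
    write/delete/admin actions, the catch-all 'all', or an unrestricted '*' pattern."""
    findings = []
    for role, grants in roles.items():
        for patterns, actions in grants.items():
            for priv in actions:
                if priv not in READ_ONLY or patterns.strip() == "*":
                    findings.append((role, patterns, priv))
    return findings

if __name__ == "__main__":
    for user, index in [("alice", "cases"), ("alice", "patients"), ("bob", "patients")]:
        print(user, index, is_allowed(user, index, "indices:data/read/search"))
    print("audit findings:", audit_roles())
```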
elasticsearch-http-basic for login control: pros: supports login authentication and an IP whitelist; cons: only supports Elasticsearch up to 1.7.
1. Install:
    cd /usr/share/elasticsearch/plugins
    mkdir http-basic
    wget https://github.com/Asquera/elasticsearch-http-basic/releases/download/v1.3.0-security-fix/elasticsearch-http-basic-1.3.0.jar
2. Configure: sudo vi /etc/elasticsearch/elasticsearch.yml
Settings:
    http.basic.enabled: true                        # master switch; when on, the plugin takes over all HTTP connections
    http.basic.user: "admin"                        # username
    http.basic.password: "admin_pw"                 # password
    http.basic.ipwhitelist: ["localhost", "127.0.0.1"]   # whitelisted IPs need no username/password; IPs and hostnames are supported, IP ranges and regexes are not
    http.basic.trusted_proxy_chains: []             # list of trusted proxies
    http.basic.log: false                           # write unauthorized access events to the ES log
    http.basic.xforward: ""                         # name of the header field that records the proxy path
GitHub address: https://github.com/Asquera/elasticsearch-http-basic
kibana-authentication-proxy for authentication: only supports up to Kibana 3.
This is a plugin for Kibana authentication, but the repository has not been maintained for a long time and only supports Kibana 3, so it was not investigated further.
GitHub address: https://github.com/fangli/kibana-authentication-proxy
Search Guard for permission control:
1. Install:
    sudo bin/plugin install com.floragunn/search-guard-ssl/2.3.1.8.1
    sudo bin/plugin install com.floragunn/search-guard-2/2.3.1.0-beta1
? After installation Elasticsearch cannot start the service; the cause is still being investigated.
GitHub address: https://github.com/floragunncom/search-guard