# ELK Node Installation
## Elasticsearch Installation
### Install Java
```
# yum install java-1.8.0-openjdk
```
* Check the installed version
```
# java -version
openjdk version "1.8.0_352"
OpenJDK Runtime Environment (build 1.8.0_352-b08)
OpenJDK 64-Bit Server VM (build 25.352-b08, mixed mode)
```
### Import the Elasticsearch PGP key
```
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
```
### Add the Elasticsearch RPM repository
```
# vim /etc/yum.repos.d/elasticsearch.repo
[elasticstack]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
```
### Install Elasticsearch
```
# yum install elasticsearch
```
### Configure Elasticsearch
```
# vim /etc/elasticsearch/elasticsearch.yml
network.host: localhost
http.port: 9200
```
### Start Elasticsearch
```
# systemctl start elasticsearch
# systemctl enable elasticsearch
```
### Test Elasticsearch
```
# curl -X GET "localhost:9200"
{
  "name" : "ip-192-169-0-126.ap-northeast-1.compute.internal",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "9dLRKd_tTYyDoFJ7luWMkw",
  "version" : {
    "number" : "7.17.8",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "120eabe1c8a0cb2ae87cffc109a5b65d213e9df1",
    "build_date" : "2022-12-02T17:33:09.727072865Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```
## Kibana Installation
### Install Kibana
```
# yum install kibana
```
### Configure Kibana
```
# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
```
### Start Kibana
```
# systemctl start kibana
# systemctl enable kibana
```
### Connect to the web interface
* http://<IP>:5601
## Logstash Installation
### Install Logstash
* All custom pipeline configuration files are stored in the `/etc/logstash/conf.d/` directory
```
# yum install logstash
```
### Start Logstash
```
# systemctl start logstash
# systemctl enable logstash
```
## Filebeat Installation
### Install Filebeat
* Make sure the Kibana service is running first
```
# yum install filebeat
```
### Enable the system module
* Used to collect the local system logs
```
# filebeat modules enable system
Enabled system
```
### Run the setup
```
# filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
It is not possble to load ML jobs into an Elasticsearch 8.0.0 or newer using the Beat.
Loaded machine learning job configurations
Loaded Ingest pipelines
```
### Start the service
```
# systemctl start filebeat
# systemctl enable filebeat
```
### View the log data
* Default Filebeat: ships the log files straight to Elasticsearch
* Custom Filebeat: edit the `/etc/filebeat/filebeat.yml` configuration file
```
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/web_access.log
  # the access log is written as JSON; lift its fields to the top level of the event
  json.keys_under_root: true
  json.overwrite_keys: true
setup.kibana:
  host: "http://192.169.0.101:5601"
output.elasticsearch:
  # Elasticsearch listens on 9200 (5601 is Kibana's port)
  hosts: ["http://192.169.0.101:9200"]
  # Elasticsearch index names must be lowercase
  index: "eva-test-%{+yyyy-MM-dd}"
  username: "elastic"
  password: "XXXXXXXXXXXX"
setup.template.name: "eva-test"
setup.template.pattern: "eva-test-*"
setup.template.enabled: false
setup.template.overwrite: true
setup.ilm.enabled: false
timeout: 2s
```
## Elasticsearch Authentication
### Stop the services
```
# systemctl stop elasticsearch
# systemctl stop kibana
```
### Edit the Elasticsearch configuration file
```
# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```
### Generate the CA certificate
* Certificate: any node that uses the same CA certificate can join the cluster
* The permissions on `elastic-certificates.p12` must be changed, otherwise the service will fail to restart
```
# cd /usr/share/elasticsearch/
# ./bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: <Enter>
Enter password for elastic-stack-ca.p12 : <Enter>
# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   # generate the node certificate and private key
Enter password for CA (elastic-stack-ca.p12) : <Enter>
Please enter the desired output file [elastic-certificates.p12]: <Enter>
Enter password for elastic-certificates.p12 : <Enter>
# cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch
# chown root:elasticsearch /etc/elasticsearch/elastic-certificates.p12
# chmod 640 /etc/elasticsearch/elastic-certificates.p12   # readable by the elasticsearch service account, not by everyone
```
### Generate the passwords for the built-in users
* Important: store these passwords securely
* interactive: set each password by hand
* auto: generate random passwords
```
# systemctl start elasticsearch
# ./bin/elasticsearch-setup-passwords interactive   # or "auto" to generate random passwords
Please confirm that you would like to continue [y/N] y
Changed password for user apm_system
PASSWORD apm_system = XXXXXXXXXXXX
Changed password for user kibana_system
PASSWORD kibana_system = XXXXXXXXXXXX
Changed password for user kibana
PASSWORD kibana = XXXXXXXXXXXX
Changed password for user logstash_system
PASSWORD logstash_system = XXXXXXXXXXXX
Changed password for user beats_system
PASSWORD beats_system = XXXXXXXXXXXX
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = XXXXXXXXXXXX
Changed password for user elastic
PASSWORD elastic = XXXXXXXXXXXX
```
### Edit the Elasticsearch configuration file
```
# vim /etc/elasticsearch/elasticsearch.yml
# enable the Elasticsearch security features
xpack.security.enabled: true
# TLS on the transport layer (node-to-node traffic)
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```
* If the node certificate was created with a password, add it to the keystore
```
# ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
# ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```
### Edit the Kibana configuration file
```
# vim /etc/kibana/kibana.yml
xpack.security.enabled: true
elasticsearch.username: "elastic"
elasticsearch.password: "XXXXXXXXXXXX"
```
### Restart the services
```
# systemctl restart elasticsearch
# systemctl restart kibana
```
## Using HTTPS with Elasticsearch and Kibana
### Generate the certificate for HTTPS
```
# cd /usr/share/elasticsearch
# ./bin/elasticsearch-certutil http
Generate a CSR? [y/N] n
Use an existing CA? [y/N] y
CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12
Password for elastic-stack-ca.p12: <ENTER>
For how long should your certificate be valid? [5y] <ENTER>
Generate a certificate per node? [y/N] n
## When you are done, press <ENTER> once more to move on to the next step.
Is this correct [Y/n] y
## When you are done, press <ENTER> once more to move on to the next step.
Is this correct [Y/n]y
Key Name: elasticsearch
Subject DN: CN=elasticsearch
Key Size: 2048
Do you wish to change any of these options? [y/N] n
## What password do you want for your private key(s)?
Provide a password for the "http.p12" file: [<ENTER> for none] <ENTER>
## Where should we save the generated files?
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip] /usr/share/elasticsearch/elasticsearch-ssl-http.zip
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
```
### Unzip the `elasticsearch-ssl-http.zip` file
```
# unzip elasticsearch-ssl-http.zip
Archive: elasticsearch-ssl-http.zip
creating: elasticsearch/
inflating: elasticsearch/README.txt
inflating: elasticsearch/http.p12
inflating: elasticsearch/sample-elasticsearch.yml
creating: kibana/
inflating: kibana/README.txt
inflating: kibana/elasticsearch-ca.pem
inflating: kibana/sample-kibana.yml
# cp /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch/
# cp /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/kibana/
```
### Edit the Elasticsearch configuration file
```
# vim /etc/elasticsearch/elasticsearch.yml
# enable the Elasticsearch security features
xpack.security.enabled: true
# TLS on the transport layer (node-to-node traffic)
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# TLS on the HTTP layer (client traffic on port 9200)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
```
### Edit the Kibana configuration file
```
# vim /etc/kibana/kibana.yml
# Elasticsearch now only answers over TLS, so the scheme must be https
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.ssl.certificateAuthorities: /etc/kibana/elasticsearch-ca.pem
```
### Restart the services
```
# systemctl restart elasticsearch   # picks up the new http.p12 setting
# systemctl restart kibana
```
### Connect to the web interface
* https://<IP>:5601
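A post-hardening check covering the authentication and HTTPS sections above, as an added example that is not part of the original page: it verifies that the node keystore is not world-readable, that an anonymous request gets 401 while the `elastic` user gets 200 over TLS against the generated CA, and that plaintext HTTP is no longer served on 9200. It assumes Elasticsearch at https://localhost:9200, the CA file at /etc/kibana/elasticsearch-ca.pem, the keystore at /etc/elasticsearch/elastic-certificates.p12 and the elastic password in the ES_PASS variable, all overridable through the environment.

```shell
#!/bin/sh
# Post-hardening checks for the node configured above (added example, not part of
# the original page). Assumes ES_URL, CA_FILE, KEYSTORE below and the elastic
# password in ES_PASS; all can be overridden through the environment.
ES_URL="${ES_URL:-https://localhost:9200}"
CA_FILE="${CA_FILE:-/etc/kibana/elasticsearch-ca.pem}"
KEYSTORE="${KEYSTORE:-/etc/elasticsearch/elastic-certificates.p12}"

# Succeeds when FILE is not readable by "other" (returns 2 if FILE is missing):
# the .p12 files hold the node's private key and should be readable by the
# elasticsearch group only, never world-readable.
file_is_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 2
  other="${mode#"${mode%?}"}"          # last octal digit = permissions for "other"
  [ $((other & 4)) -eq 0 ]
}

# Prints the HTTP status curl receives; "000" when no HTTP answer came back
# (connection refused, TLS failure, or plaintext sent to a TLS-only port).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --cacert "$CA_FILE" "$@"
}

# expect_status WANT DESCRIPTION CURL-ARGS...
expect_status() {
  want=$1; what=$2; shift 2
  got=$(http_status "$@")
  if [ "$got" = "$want" ]; then
    printf 'ok    %s (%s)\n' "$what" "$got"
  else
    printf 'FAIL  %s: expected %s, got %s\n' "$what" "$want" "$got"; return 1
  fi
}

run_checks() {
  rc=0
  if file_is_private "$KEYSTORE"; then printf 'ok    %s is not world-readable\n' "$KEYSTORE"
  else printf 'FAIL  %s is world-readable or missing\n' "$KEYSTORE"; rc=1; fi
  # xpack.security.enabled: anonymous requests get 401, the elastic user gets 200
  expect_status 401 "anonymous request rejected" "$ES_URL" || rc=1
  expect_status 200 "elastic user authenticates" -u "elastic:${ES_PASS:-}" "$ES_URL" || rc=1
  # xpack.security.http.ssl.enabled: the plaintext scheme must not be served
  plain=$(http_status "$(printf '%s' "$ES_URL" | sed 's|^https:|http:|')")
  if [ "$plain" != "200" ]; then printf 'ok    plaintext HTTP not served (%s)\n' "$plain"
  else printf 'FAIL  plaintext HTTP still served\n'; rc=1; fi
  return $rc
}

if [ "${1:-}" = "run" ]; then run_checks; fi   # usage: sh es-check.sh run
```

Run it as `ES_PASS='...' sh es-check.sh run` on the node after the final restart; any `FAIL` line means one of the steps above did not take effect.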
