
Elasticsearch TLS


Environment preparation

10.10.1.10 es.node1.com
10.10.1.11 es.node2.com
10.10.1.12 es.node3.com
10.10.1.13 es.kibana.com
10.10.1.14 es.logstash.com

Add the IP-to-hostname mappings above to the /etc/hosts file.

Elasticsearch deployment

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.15.2-x86_64.rpm

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.15.2-x86_64.rpm.sha512

shasum -a 512 -c elasticsearch-7.15.2-x86_64.rpm.sha512 

rpm --install elasticsearch-7.15.2-x86_64.rpm

ES configuration file

elasticsearch.yml

cluster.name: host-security-log-es
node.name: node1
path.data: /data/es
path.logs: /var/log/elasticsearch
network.host: es.node1.com
http.port: 9200
thread_pool.get.queue_size: 10000
thread_pool.write.queue_size: 10000

discovery.seed_hosts: ["es.node1.com"]
cluster.initial_master_nodes: ["es.node1.com","es.node2.com","es.node3.com"]

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/node1/node1.key
xpack.security.http.ssl.certificate: certs/node1/node1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
xpack.security.transport.ssl.key: certs/node1/node1.key
xpack.security.transport.ssl.certificate: certs/node1/node1.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt

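Copy the configuration file to the other nodes and adjust the relevant parameters.

Finish installing ES first.

Do not start ES yet.

Generate the CA and server certificates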

instance.yml

  instances:
  - name: 'node1'
    dns: [ 'es.node1.com' ]
  - name: "node2"
    dns: [ 'es.node2.com' ]
  - name: "node3"
    dns: [ 'es.node3.com' ]
  - name: 'my-kibana'
    dns: [ 'es.kibana.com' ]
  - name: 'logstash'
    dns: [ 'es.logstash.com' ]

./bin/elasticsearch-certutil cert ca --pem --in /root/instance.yml --out /root/certs.zip

mkdir -p /etc/elasticsearch/certs/

mv /root/certs.zip /etc/elasticsearch/certs/

unzip /etc/elasticsearch/certs/certs.zip -d /etc/elasticsearch/certs/

Copy certs.zip to the other nodes and unzip it into /etc/elasticsearch/certs/.
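
Before starting ES on a node whose elasticsearch.yml was copied from node1, a check like the one below catches TLS settings that are switched off or that still point at another node's key or certificate. This is an added example, not part of the original post; the function names es_setting and check_es_tls_config are hypothetical, and it assumes the flat "key: value" style and the certs/<node.name>/ layout shown on this page.

```bash
# Added example (not from the original post): pre-start check of a copied elasticsearch.yml.
# Assumes flat "key: value" settings and the certs/<node.name>/ layout used on this page.

# Print the value of one flat setting, trimmed of surrounding whitespace.
es_setting() {  # usage: es_setting <file> <key>
  awk -v k="$2" 'index($0, k ":") == 1 {
    v = substr($0, length(k) + 2); gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }' "$1"
}

# Return 0 only if TLS is on for both layers and every key/certificate path
# points at this node's own files; otherwise print one line per problem.
check_es_tls_config() {  # usage: check_es_tls_config <elasticsearch.yml>
  local file="$1" rc=0 name layer pair key val want
  name="$(es_setting "$file" node.name)"
  [ -n "$name" ] || { echo "node.name is not set"; return 1; }
  for key in xpack.security.enabled xpack.security.http.ssl.enabled \
             xpack.security.transport.ssl.enabled; do
    val="$(es_setting "$file" "$key")"
    [ "$val" = "true" ] || { echo "$key is '${val:-unset}', expected true"; rc=1; }
  done
  for layer in http transport; do
    for pair in key:key certificate:crt; do   # setting suffix : file extension
      want="certs/$name/$name.${pair#*:}"
      key="xpack.security.$layer.ssl.${pair%%:*}"
      val="$(es_setting "$file" "$key")"
      [ "$val" = "$want" ] || { echo "$key is '${val:-unset}', expected $want"; rc=1; }
    done
    key="xpack.security.$layer.ssl.certificate_authorities"
    [ -n "$(es_setting "$file" "$key")" ] || { echo "$key is not set"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: node2's file after copying node1's, with one path left unchanged.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
node.name: node2
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/node2/node2.key
xpack.security.http.ssl.certificate: certs/node2/node2.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
xpack.security.transport.ssl.key: certs/node1/node1.key
xpack.security.transport.ssl.certificate: certs/node2/node2.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt
EOF
check_es_tls_config "$sample" || echo "fix the settings above before starting ES"
rm -f "$sample"
```

On a real node, run check_es_tls_config /etc/elasticsearch/elasticsearch.yml; it exits non-zero if any setting needs attention.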

Then start ES.

Set passwords

./bin/elasticsearch-setup-passwords auto -u "https://es.node1.com:9200"

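After the passwords are generated automatically, copy them out and store them safely so they are not lost or forgotten.

Connect Kibana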

wget https://artifacts.elastic.co/downloads/kibana/kibana-7.15.2-x86_64.rpm

shasum -a 512 kibana-7.15.2-x86_64.rpm

rpm --install kibana-7.15.2-x86_64.rpm

kibana.yml

i18n.locale: "zh-CN"
server.host: "es.kibana.com"
server.name: "kibana"
elasticsearch.hosts: ["https://es.node1.com:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "password"
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/config/certs/ca.crt"]

Connect Logstash


logstash.yml

node.name: logstash.local
path.config: /etc/logstash/conf.d/*.conf
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: '<logstash_system_password>'
xpack.monitoring.elasticsearch.hosts: [ 'https://es.node1.com:9200' ]
xpack.monitoring.elasticsearch.ssl.certificate_authority: /etc/logstash/config/certs/ca.crt

logstash output

output {
  elasticsearch {
    hosts => ["https://es.node1.com:9200"]
    cacert => '/etc/logstash/config/certs/ca.crt'
    user => 'logstash_writer'
    password => '<logstash_writer_password>'
  }
}

Title: Elasticsearch TLS
Author: zifuy
URL: https://www.zifuy.cn/articles/2021/12/01/1638339328503.html