3.5.1 HTTP authentication

Elasticsearch configuration

On the EK server (192.168.1.201), append the following to the end of /etc/elasticsearch/elasticsearch.yml:

xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true

Restart the Elasticsearch service: systemctl restart elasticsearch

Use the /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto command to generate random passwords for the built-in users.

[root@EK ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y

Changed password for user apm_system
PASSWORD apm_system = K7W9XpwwZpd34nv1Y5tX

Changed password for user kibana_system
PASSWORD kibana_system = Y4wdQp7L4CUP2iA8eSYq

Changed password for user kibana
PASSWORD kibana = Y4wdQp7L4CUP2iA8eSYq

Changed password for user logstash_system
PASSWORD logstash_system = m1vbJ61QAinBRqnDzhCW

Changed password for user beats_system
PASSWORD beats_system = Pw18gPqAJ5mf2taTQv0A

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = tEzdeJZ9LbUGfZqrTE1Z

Changed password for user elastic
PASSWORD elastic = chtfAvPcIIjZyps2Qw70

Use curl to test whether the elastic account and password can talk to Elasticsearch.

[root@EK ~]# curl -XGET -u 'elastic:chtfAvPcIIjZyps2Qw70' http://192.168.1.201:9200/_cat/indices
green open wazuh-monitoring-2021.06.27     bitPiPtSTW-9couFp4sGHg 2 0   7 0   112kb   112kb
green open .apm-agent-configuration        jCED9VyJS2Kfykyz2TyriA 1 0   0 0    208b    208b
green open wazuh-statistics-2021.25w       6oQFdndaTnmjfkWXowxK2w 2 0  36 0 293.5kb 293.5kb
green open .kibana_1                       hltoDU_CSqeVwO2iiMngLg 1 0  24 3   2.1mb   2.1mb
green open wazuh-statistics-2021.26w       enym1RXgQOSzxwVt-vUHTA 2 0  32 0 146.5kb 146.5kb
green open wazuh-monitoring-2021.06.28     u_F_TOICRUed7Eit_bvExQ 2 0   7 0 111.9kb 111.9kb
green open wazuh-monitoring-2021.06.29     _Hfo9h-7T1mAYsFV4TQwRw 2 0   2 0  32.3kb  32.3kb
green open .security-7                     27qy9zbnQleFLv9oxWnEFw 1 0   7 0  25.1kb  25.1kb
green open wazuh-alerts-4.x-2021.06.28     C49G9pwrTBq605-UFDxeug 3 0   4 0  62.3kb  62.3kb
green open .apm-custom-link                HLgskdjLQc6psTjFbkWEDg 1 0   0 0    208b    208b
green open .kibana_task_manager_1          uwyIFOW4TwK3uxeaRfOM7g 1 0   8 0  51.2kb  51.2kb
green open wazuh-alerts-4.x-2021.06.29     SAdYlycoQwe3F9A6hMTY5A 3 0  11 0  86.9kb  86.9kb
green open .kibana-event-log-7.11.2-000001 R2S4loSCT2u2rsC_Gcp8Eg 1 0  11 0  44.4kb  44.4kb
green open wazuh-alerts-4.x-2021.06.27     mDxZP3apSdW51dTvduj1bw 3 0 371 0 221.6kb 221.6kb
green open .async-search                   CZY7MHDeTBK6rmPayH-nDQ 1 0   0 0    228b    228b

Filebeat configuration

Once Elasticsearch has passwords set, Filebeat also needs authentication configured; append the following to the end of the Filebeat configuration file:

output.elasticsearch.hosts: ['http://192.168.1.201:9200']
output.elasticsearch.username: "beats_system"
output.elasticsearch.password: "Pw18gPqAJ5mf2taTQv0A"

Restart the Filebeat service with service filebeat restart, then test whether Filebeat can still reach Elasticsearch with the account and password configured.

[root@wazuh-manager ~]# filebeat test output
elasticsearch: http://192.168.1.201:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.201
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.11.2

Logstash configuration

If Logstash is used, Filebeat does not need to authenticate itself, so the three Filebeat authentication lines can be commented out and a single line added instead. After the change, restart the Filebeat service.

#output.elasticsearch.hosts: ['http://192.168.1.201:9200']
#output.elasticsearch.username: "beats_system"
#output.elasticsearch.password: "Pw18gPqAJ5mf2taTQv0A"
output.logstash.hosts: ["127.0.0.1:5000"]

To have Logstash authenticate, only the output.elasticsearch.username and output.elasticsearch.password parameters need to be added (in the Logstash pipeline file these are the user and password settings of the elasticsearch output).

After configuring, restart the Logstash service: systemctl restart logstash

[root@wazuh-manager ~]# cat /etc/logstash/conf.d/01-wazuh.conf
input {
  beats {
    port => 5000
    codec => "json_lines"
  }
}

output {
  elasticsearch {
    hosts => ["192.168.1.201:9200"]
    # dd is day of month; DD would be day of year and produce wrong index names
    index => "wazuh-alerts-%{+YYYY.MM.dd}"
    user => "logstash_system"
    password => "m1vbJ61QAinBRqnDzhCW"
  }
}

The log shows that Logstash connected to Elasticsearch successfully, which means authentication is working.

Kibana configuration

Configuring authentication for Kibana is straightforward: just add two lines to /etc/kibana/kibana.yml.

elasticsearch.username: "kibana_system"
elasticsearch.password: "Y4wdQp7L4CUP2iA8eSYq"

After configuring, restart the Kibana service: systemctl restart kibana

Open http://192.168.1.201:5601 in a browser and log in with the account and password elastic/chtfAvPcIIjZyps2Qw70.

Click Log in; the login succeeds.
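The procedure above copies passwords from the elasticsearch-setup-passwords output into three separate config files by hand. As an added example (not code from the original guide), the Python helper below parses the tool's "PASSWORD user = value" lines and renders the matching Filebeat, Logstash and Kibana credential snippets, keeping each component on its own built-in account instead of the elastic superuser; the sample output and its passwords are constructed, and the host defaults to the page's 192.168.1.201:9200.

```python
import re

# Constructed sample of what `elasticsearch-setup-passwords auto` prints (made-up passwords).
SETUP_OUTPUT = """\
Changed password for user kibana_system
PASSWORD kibana_system = KibanaExamplePass02

Changed password for user logstash_system
PASSWORD logstash_system = LogstashExamplePw03

Changed password for user beats_system
PASSWORD beats_system = BeatsExamplePass04

Changed password for user elastic
PASSWORD elastic = ElasticSuperuserPw05
"""

PASSWORD_LINE = re.compile(r"^PASSWORD (\S+) = (\S+)$", re.MULTILINE)

# Each component gets its own built-in account, as in the guide, so a leaked shipper config never exposes elastic.
COMPONENT_USER = {
    "filebeat": "beats_system",
    "logstash": "logstash_system",
    "kibana": "kibana_system",
}

def parse_setup_passwords(text):
    """Return {user: password} from the tool's 'PASSWORD user = value' lines."""
    return dict(PASSWORD_LINE.findall(text))

def missing_users(passwords):
    """Reserved users a component needs that the parsed output does not contain."""
    return sorted(u for u in COMPONENT_USER.values() if u not in passwords)

def render_snippet(component, passwords, es_host="192.168.1.201:9200"):
    """Credential lines to append to the component's config file (hypothetical helper)."""
    user = COMPONENT_USER[component]
    pw = passwords[user]  # KeyError if that reserved user was never set up
    if component == "filebeat":
        return (f"output.elasticsearch.hosts: ['http://{es_host}']\n"
                f'output.elasticsearch.username: "{user}"\n'
                f'output.elasticsearch.password: "{pw}"\n')
    if component == "logstash":
        return ("output {\n  elasticsearch {\n"
                f'    hosts => ["{es_host}"]\n'
                '    index => "wazuh-alerts-%{+YYYY.MM.dd}"\n'
                f'    user => "{user}"\n'
                f'    password => "{pw}"\n  }}\n}}\n')
    return f'elasticsearch.username: "{user}"\nelasticsearch.password: "{pw}"\n'
```

The hosts are still plain http, exactly as on the page, so the Filebeat "TLS... WARN secure connection disabled" warning above applies to every snippet this emits.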
