3.5.2 HTTPS认证
elasticsearch配置
如果你在之前配置了http认证,需要将原来http认证配置删除,并且将原来的用户数据清除,不然不可以重置密码,如果不用重置密码,请忽略这个。
使用开发者工具进行删除安全配置数据索引。
接下来配置HTTPS通信,创建文件/usr/share/elasticsearch/instances.yml,输入对应的资产信息。我这里是ES和Kibana在一起的,所以IP是一样的。
[root@EK ~]# cat /usr/share/elasticsearch/instances.yml
instances:
- name: "wazuh-manager"
ip:
- "192.168.1.200"
- name: "elasticsearch"
ip:
- "192.168.1.201"
- name: "kibana"
ip:
- "192.168.1.201"使用elasticsearch-certutil工具创建ELK通信所需要的HTTPS证书。证书压缩包设置在/opt目录中。
[root@EK ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --pem --silent --in /usr/share/elasticsearch/instances.yml --out /opt/cert.zip
[root@EK ~]# ls /opt/cert.zip
/opt/cert.zip
解压证书压缩包,其中ca目录ca.crt是私钥文件为所有实例共享。其他目录分别对应自身公钥和私钥。
[root@EK opt]# unzip cert.zip
Archive: cert.zip
creating: ca/
inflating: ca/ca.crt
creating: wazuh-manager/
inflating: wazuh-manager/wazuh-manager.crt
inflating: wazuh-manager/wazuh-manager.key
creating: elasticsearch/
inflating: elasticsearch/elasticsearch.crt
inflating: elasticsearch/elasticsearch.key
creating: kibana/
inflating: kibana/kibana.crt
inflating: kibana/kibana.key
[root@EK opt]# ls
ca cert.zip elasticsearch kibana wazuh-manager
创建目录/etc/elasticsearch/certs,然后复制如下文件。
[root@EK opt]# mkdir -p /etc/elasticsearch/certs/ca
[root@EK opt]# cp /opt/ca/ca.crt /etc/elasticsearch/certs/ca/ca.crt
[root@EK opt]# cp /opt/elasticsearch/elasticsearch.crt /etc/elasticsearch/certs/
[root@EK opt]# cp /opt/elasticsearch/elasticsearch.key /etc/elasticsearch/certs/在/etc/elasticsearch/elasticsearch.yml文件最下面添加以下内容。
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.license.self_generated.type: basic
# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
配置完成之后,重新启动服务:systemctl restart elasticsearch。
elasticsearch再重新设置密码,这次就不自动生成,我们直接设置密码。
[root@EK opt]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]kibana配置
创建kibana证书目录:/etc/kibana/certs/ca。将证书文件复制进去。
[root@EK opt]# mkdir -p /etc/kibana/certs/ca
[root@EK opt]# cp /opt/ca/ca.crt /etc/kibana/certs/ca/
[root@EK opt]# cp /opt/kibana/kibana.key /etc/kibana/certs/
[root@EK opt]# cp /opt/kibana/kibana.crt /etc/kibana/certs/其中kibana配置文件如下:
[root@EK opt]# cat /etc/kibana/kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["https://192.168.1.201:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "123456"
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca/ca.crt"]
elasticsearch.ssl.certificate: "/etc/kibana/certs/kibana.crt"
elasticsearch.ssl.key: "/etc/kibana/certs/kibana.key"
server.ssl.enabled: true
server.ssl.certificate: "/etc/kibana/certs/kibana.crt"
server.ssl.key: "/etc/kibana/certs/kibana.key"
kibana配置文件的server.host参数内容不能设置127.0.0.1,设置0.0.0.0。
重启kibana服务
打开浏览器输入https://192.168.1.201:5601/地址就可以看到配置完成。
filebeat配置
新建filebeat证书目录:/etc/filebeat/certs/ca。
[root@wazuh-manager ~]# mkdir -p /etc/filebeat/certs/ca上传证书到/etc/filebeat/certs/目录下面。
[root@wazuh-manager certs]# tree /etc/filebeat/certs/
/etc/filebeat/certs/
├── ca
│ └── ca.crt
├── wazuh-manager.crt
└── wazuh-manager.key
1 directory, 3 files
修改/etc/filebeat/filebeat.yml,添加如下内容
output.elasticsearch.hosts: ['https://192.168.1.201:9200']
output.elasticsearch.username: "beats_system"
output.elasticsearch.password: "123456"
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: "/etc/filebeat/certs/wazuh-manager.crt"
output.elasticsearch.ssl.key: "/etc/filebeat/certs/wazuh-manager.key"
output.elasticsearch.ssl.certificate_authorities: ["/etc/filebeat/certs/ca/ca.crt"]重启filebeat服务,测试连接ES情况。
[root@wazuh-manager ~]# filebeat test output
elasticsearch: https://192.168.1.201:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.1.201
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.11.2
logstash配置
最后更新于
这有帮助吗?