ELK7 log analysis system: installation preparation
ELK6: the default installation is open to anyone; you need something like X-Pack to enable authentication
ELK7 has the security authentication feature enabled by default
Environment
OS: CentOS 7
Disable the firewall and SELinux
CentOS 7 Aliyun yum repositories
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
Java environment: JDK 1.8
yum install lrzsz vim -y
yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel -y
java -version
I. Standalone ES setup:
yum -y localinstall elasticsearch-7.6.2-x86_64.rpm
Change the JVM memory limit in /etc/elasticsearch/jvm.options according to the server's available memory
-Xms200M
-Xmx200M
Single-instance ES configuration in /etc/elasticsearch/elasticsearch.yml; single-node means the node runs standalone
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
discovery.type: single-node
Start ES
systemctl enable elasticsearch
systemctl restart elasticsearch
After ES starts, the first step is to set the built-in user passwords (sjgpwd here); we choose the passwords ourselves
Set the passwords yourself: /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Generate random passwords: /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
Verify that startup succeeded:
curl -u elastic:Y2Et4njRAQRAQDr5ef9v http://192.168.0.11:9200
View node information:
http://192.168.0.11:9200/_cat/nodes?v
View index information:
http://192.168.0.11:9200/_cat/indices?v
Write data:
curl -u elastic:Y2Et4njRAQRAQDr5ef9v -X POST http://192.168.0.11:9200/sjg/_doc -H 'Content-Type: application/json' -d '{"name": "sjg", "age": 30}'
Query all data in the index:
http://192.168.0.11:9200/sjg/_search?q=*
II. Building an encrypted ES cluster:
Communication between cluster nodes is encrypted with certificates
User access uses a username and password
Create the certificate for inter-node cluster communication
Generate the CA (accept the defaults at each prompt): /usr/share/elasticsearch/bin/elasticsearch-certutil ca
Generate the node certificate signed by that CA (accept the defaults at each prompt): /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /usr/share/elasticsearch/elastic-stack-ca.p12
cp /usr/share/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/elastic-certificates.p12
Notes on the transport certificate
It must be copied to every ES server
Its ownership must be changed: chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12
ES cluster configuration in /etc/elasticsearch/elasticsearch.yml
cluster.name: sjg
node.name: node1
node.master: true
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.237.50", "192.168.237.51"]
cluster.initial_master_nodes: ["192.168.237.50", "192.168.237.51"]
xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
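Before starting each node it is worth confirming that the security settings above actually made it into the file and that the keystore copied to the node is owned by elasticsearch and not readable by other users (it contains the node's private key). The following audit script is an added example for these notes, not part of the original setup or of Elasticsearch itself; it assumes GNU stat (as shipped with CentOS 7) and that the config uses the plain `key: value` form shown above. The expected owner is passed in rather than hard-coded so the check can be run as any user.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an elasticsearch.yml and
# its PKCS#12 keystore before starting a node. Assumes GNU stat (CentOS 7).

# Return 0 if KEY is set to VALUE in CONFIG (surrounding whitespace ignored), else 1.
es_setting_is() {
    config="$1"; key="$2"; value="$3"
    grep -Eq "^[[:space:]]*${key}:[[:space:]]*${value}[[:space:]]*$" "$config"
}

# Check the settings the encrypted cluster depends on; print one line per
# finding and return the number of failed checks (0 means the config passed).
audit_es_security() {
    config="$1"; failed=0
    for pair in \
        "xpack.security.enabled=true" \
        "xpack.security.transport.ssl.enabled=true" \
        "xpack.security.transport.ssl.verification_mode=certificate"
    do
        key="${pair%%=*}"; value="${pair#*=}"
        if es_setting_is "$config" "$key" "$value"; then
            echo "OK   $key: $value"
        else
            echo "FAIL $key should be $value"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# The keystore must exist, be owned by OWNER (elasticsearch on a real node)
# and must not be readable by "other" users, since it holds the private key.
# Usage: check_keystore_perms FILE OWNER
check_keystore_perms() {
    file="$1"; owner="$2"
    [ -f "$file" ] || { echo "FAIL $file is missing"; return 1; }
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    [ "$actual_owner" = "$owner" ] || {
        echo "FAIL $file is owned by $actual_owner, expected $owner"; return 1; }
    case "$mode" in
        *[1-7]) echo "FAIL $file mode $mode is readable by other users"; return 1 ;;
    esac
    echo "OK   $file owner=$actual_owner mode=$mode"
}

# Demo on a constructed sample mirroring the cluster config in these notes.
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<'EOF'
cluster.name: sjg
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
EOF
audit_es_security "$sample_cfg"
rm -f "$sample_cfg"
```

On a real node run `audit_es_security /etc/elasticsearch/elasticsearch.yml` and `check_keystore_perms /etc/elasticsearch/elastic-certificates.p12 elasticsearch`; a non-zero exit from either is a reason not to start the node yet. The notes above only chown the keystore, so if the mode check fails a `chmod 640` on the file fixes it.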
Start ES
systemctl enable elasticsearch
systemctl restart elasticsearch
After the ES cluster starts, the first step is to set the passwords (sjgpwd here). If passwords were already generated during the standalone setup, there is no need to generate them again when switching to a cluster; the passwords from the standalone setup can be used directly.
Set the passwords yourself: /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Generate random passwords: /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
Verify that the cluster came up; the node marked with * is the master node
http://xxx:9200
http://xxx:9200/_cat/nodes?v
http://xxx:9200/_cat/indices?v
III. Verifying secure cluster communication with packet capture
Install the packet capture tools
yum install ngrep tcpdump -y
Capture each port separately and compare
Plaintext traffic on the HTTP port (username and password required): ngrep -d ens33 port 9200
Encrypted traffic on the transport port: ngrep -d ens33 port 9300
IV. Basic ES database operations
ES concepts (neither needs to be created explicitly)
Index: similar to a database. An index is created automatically when data is written to it, and can be created per day
Document: similar to a table row. The data stored in ES
Basic ES data operations
Via curl: rather cumbersome, but we use this approach first
Via Kibana: provides a simpler tool for working with ES
Write data
curl -u elastic:sjgpwd -X PUT http://xxx:9200/sjg/_doc/1 -H 'Content-Type: application/json' -d '{"name": "sjg", "age": 30}'
curl -u elastic:sjgpwd http://xxx:9200/sjg/_doc/1 | python -m json.tool
curl -u elastic:sjgpwd http://xxx:9200/sjg/_search?q=* | python -m json.tool
Write data with an auto-generated ID
curl -u elastic:sjgpwd -X POST http://xxx:9200/sjg/_doc -H 'Content-Type: application/json' -d '{"name": "sjgram", "age": 29}'
Update data
curl -u elastic:sjgpwd -X POST http://xxx:9200/sjg/_update/1 -H 'Content-Type: application/json' -d '{"doc": {"age": 28}}'
Delete data
curl -u elastic:sjgpwd -X DELETE http://xxx:9200/sjg/_doc/1
curl -u elastic:sjgpwd -X DELETE http://xxx:9200/sjg
Communicating with any one node is equivalent to communicating with any other
curl -u elastic:sjgpwd -X POST http://xxx:9200/sjg/_doc -H 'Content-Type: application/json' -d '{"name": "sjgram", "age": 29}'
http://xxx1:9200/sjg/_search?q=*
http://xxx2:9200/sjg/_search?q=*
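Every curl command in this section passes the elastic password with `-u elastic:sjgpwd`, which leaves it in the shell history and visible in `ps` to every user on the box while curl runs. The wrapper below, an added example for these notes and not part of the original or of Elasticsearch, performs the same write, read, update, delete and search operations but reads the credentials from a netrc file created with owner-only permissions. ES_URL, the netrc path and the ES_CURL override (which only exists so the wrapper can be exercised without a live cluster) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): run the curl operations from
# this section without putting the password on the command line.

ES_URL="${ES_URL:-http://xxx:9200}"          # assumed cluster endpoint
ES_NETRC="${ES_NETRC:-$HOME/.es-netrc}"      # assumed credential file path
ES_CURL="${ES_CURL:-curl}"                   # overridable for testing

# Write a netrc entry for the ES user; the subshell umask makes the file 0600.
# Usage: es_write_netrc HOST USER PASSWORD
es_write_netrc() {
    host="$1"; user="$2"; password="$3"
    ( umask 077
      printf 'machine %s login %s password %s\n' "$host" "$user" "$password" > "$ES_NETRC" )
}

# es_req METHOD PATH [JSON_BODY]: same request as the curl lines above, but
# credentials come from --netrc-file instead of -u.
es_req() {
    method="$1"; path="$2"; body="${3:-}"
    if [ -n "$body" ]; then
        "$ES_CURL" -s --netrc-file "$ES_NETRC" -X "$method" "$ES_URL$path" \
            -H 'Content-Type: application/json' -d "$body"
    else
        "$ES_CURL" -s --netrc-file "$ES_NETRC" -X "$method" "$ES_URL$path"
    fi
}

# Wrappers for the operations shown in this section: INDEX [ID] [JSON]
es_put_doc()    { es_req PUT    "/$1/_doc/$2"    "$3"; }          # write with explicit ID
es_post_doc()   { es_req POST   "/$1/_doc"       "$2"; }          # write with generated ID
es_get_doc()    { es_req GET    "/$1/_doc/$2"; }
es_update_doc() { es_req POST   "/$1/_update/$2" "{\"doc\": $3}"; }
es_delete_doc() { es_req DELETE "/$1/_doc/$2"; }
es_delete_idx() { es_req DELETE "/$1"; }
es_search_all() { es_req GET    "/$1/_search?q=*"; }

# Example session (only runs against a real cluster; shown here for usage):
#   es_write_netrc xxx elastic sjgpwd
#   es_put_doc sjg 1 '{"name": "sjg", "age": 30}'
#   es_update_doc sjg 1 '{"age": 28}'
#   es_search_all sjg | python -m json.tool
```

The host in the netrc entry must match the host part of ES_URL exactly, since curl selects the credentials by machine name. Because every node accepts the same requests, ES_URL can point at any node of the cluster, as the last two lines above show.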