Kibana

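1. Kibana overview

Use Kibana to run data analytics quickly on data at scale, for observability, security and search.
Analyze any data from any source in depth, from threat intelligence to search analytics, from logs to application monitoring. Put simply, Kibana queries data from ES and displays it.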

2. Kibana installation and deployment

2.1 Download and install the Kibana package

[root@elk71 ~]# dpkg -i kibana-7.17.23-amd64.deb

2.2 Edit the configuration file

[root@elk71 ~]# vim /etc/kibana/kibana.yml 
[root@elk71 ~]# 
[root@elk71 ~]# egrep -v "^#|^$" /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
server.name: "nolen-linux-kibana"
elasticsearch.hosts: ["http://10.0.0.71:9200","http://10.0.0.72:9200","http://10.0.0.73:9200"]
i18n.locale: "zh-CN"

2.3 Start Kibana

[root@elk71 ~]# systemctl enable --now kibana

Check the port
[root@elk71 ~]# ss -ntl | grep 5601
LISTEN 0      511          0.0.0.0:5601      0.0.0.0:*          

Access the WebUI at 10.0.0.71:5601

3. Kibana RBAC

3.1 Configure encryption for the ES cluster

1) Generate the certificate file

[root@elk71 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --days 3650 -out /etc/elasticsearch/elastic-certificates.p12 -pass ""

2) Sync the certificate file to the other nodes

[root@elk71 ~]# scp /etc/elasticsearch/elastic-certificates.p12 10.0.0.72:/etc/elasticsearch/
[root@elk71 ~]#
[root@elk71 ~]# scp /etc/elasticsearch/elastic-certificates.p12 10.0.0.73:/etc/elasticsearch/

3) Edit the ES cluster configuration file

[root@elk71 ~]# vim /etc/elasticsearch/elasticsearch.yml 
...
# Append the following at the end of the file
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

4) Sync the ES configuration file to the other nodes

[root@elk71 ~]# scp  /etc/elasticsearch/elasticsearch.yml  10.0.0.72:/etc/elasticsearch/
[root@elk71 ~]# scp  /etc/elasticsearch/elasticsearch.yml  10.0.0.73:/etc/elasticsearch/

5) Change permissions

[root@elk71 ~]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12
[root@elk72 ~]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12
[root@elk73 ~]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12

6) "Rolling" restart of the ES cluster on all nodes

systemctl restart elasticsearch

7) Test that the ES cluster can no longer be accessed without credentials

[root@elk71 ~]# curl 10.0.0.71:9200/_cat/nodes?v
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

8) Generate random passwords [Note: these passwords are important and will be needed later]

[root@elk71 ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = QVjzAiZRCAado3BEfhc1

Changed password for user kibana_system
PASSWORD kibana_system = 5cq0WljlfNOa1z3i6nX2

Changed password for user kibana
PASSWORD kibana = 5cq0WljlfNOa1z3i6nX2

Changed password for user logstash_system
PASSWORD logstash_system = RHOdqMb3wh1kp5hTxLGI

Changed password for user beats_system
PASSWORD beats_system = 0lhYkDkqLUsqG34ybqCG

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = hMu2lY0EJmdkB3b3ESTC

Changed password for user elastic
PASSWORD elastic = iveISH5OFCXdUngDh2Vf



[root@elk71 ~]# 

9) Verify that the cluster is working [use the PASSWORD elastic generated in the previous step]

[root@elk71 ~]# curl  -u elastic:iveISH5OFCXdUngDh2Vf   10.0.0.71:9200/_cat/nodes?v
ip           heap.percent ram.percent cpu load_1m load_5m load_15m node.role      master name
10.0.0.71           75          67     1    0.29    0.48     0.30 cdfhilmrstw -      elk71
10.0.0.72           69          65     1    0.17    0.27     0.14 cdfhilmrstw -      elk72
10.0.0.73           60          48     2    0.20    0.34     0.17 cdfhilmrstw *      elk73
[root@elk71 ~]# 

3.2 Integrate Kibana with the secured ES cluster

1) Edit the configuration file [refer to the PASSWORD kibana generated in step 8]

[root@elk71 ~]# vim /etc/kibana/kibana.yml 
...	
elasticsearch.username: "kibana_system"
elasticsearch.password: "5cq0WljlfNOa1z3i6nX2"

2) Restart the Kibana service

[root@elk71 ~]# systemctl restart kibana

3) Open the Kibana WebUI and log in

Log in as the elastic user

4. Output to the secured ES cluster

4.1 Filebeat writing to the ES cluster

output:
  elasticsearch:
    hosts: 
    - "http://10.0.0.71:9200"
    - "http://10.0.0.72:9200"
    - "http://10.0.0.73:9200"
    index: "nolen-tcp-%{+yyyy.MM.dd}"
    username: elastic # add the ES user name
    password: "123456" # add the ES cluster password

4.2 Logstash writing to the ES cluster

output {
   elasticsearch{
      hosts => ["10.0.0.71:9200","10.0.0.72:9200","10.0.0.73:9200"]
      index => "nolen-tcp-%{+yyyy.MM.dd}"
      user => "elastic"  # add the ES user name
      password => "123456"   # add the ES cluster password
    }
}
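
Sections 4.1 and 4.2 write as the elastic superuser; the script below is an added example (not from the original post) that uses the ES security API to create a dedicated account that can only append to nolen-tcp-* indices. The role name nolen_tcp_writer and user name nolen_tcp_shipper are hypothetical, and it assumes index templates and ILM are set up separately by an administrator.

```bash
#!/usr/bin/env bash
# Added example: least-privilege writer for the nolen-tcp-* indices.
ES_URL="${ES_URL:-http://10.0.0.71:9200}"  # first ES node from the post
ROLE="nolen_tcp_writer"                     # hypothetical role name
WRITER="nolen_tcp_shipper"                  # hypothetical user name

# Body for PUT /_security/role/<name>. create_doc is append-only; grant
# "index" instead if the shipper sets its own document IDs.
role_body() {
  cat <<'EOF'
{
  "cluster": ["monitor"],
  "indices": [
    { "names": ["nolen-tcp-*"],
      "privileges": ["create_index", "create_doc"] }
  ]
}
EOF
}

# Body for PUT /_security/user/<name>; $1 is the new user's password.
# Refuses characters that would need JSON escaping instead of guessing.
user_body() {
  case "$1" in
    ''|*'"'*|*'\'*) echo "empty or unescapable password" >&2; return 1 ;;
  esac
  printf '{"password":"%s","roles":["%s"]}\n' "$1" "$ROLE"
}

# PUT body $2 to path $1 as elastic. Only the user name is given to -u, so
# curl prompts for the password; the body goes over stdin, not the argv.
es_put() {
  printf '%s' "$2" | curl -sS -u elastic -X PUT \
    -H 'Content-Type: application/json' "$ES_URL$1" -d @-
}

create_writer() {
  local pass body
  read -r -s -p "new password for $WRITER: " pass; echo
  body=$(user_body "$pass") || return 1
  es_put "/_security/role/$ROLE" "$(role_body)" && echo
  es_put "/_security/user/$WRITER" "$body" && echo
}

# Only talk to the cluster when invoked as: ./script apply
if [ "${1:-}" = "apply" ]; then create_writer; fi
```

Once the account exists, the Filebeat and Logstash outputs can use nolen_tcp_shipper in place of elastic.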
posted @ 2024-10-24 21:20  Nolen_H