Since 8.x, the ELK stack installs with security enabled by default, so there are a few more settings to deal with than in 7.x. If you are upgrading from 7.x, pay particular attention to the certificate-related security settings of everything that connects to Elasticsearch, such as Logstash, Elasticsearch clients and Beats.
Download the latest ELK 8.3.3 packages
Download the .deb packages and install them with dpkg:
### Elasticsearch download
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.3.3-amd64.deb
### Logstash download
$ wget https://artifacts.elastic.co/downloads/logstash/logstash-8.3.3-amd64.deb
### Kibana download
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-8.3.3-amd64.deb
$ sudo dpkg -i elasticsearch-8.3.3-amd64.deb
$ sudo dpkg -i logstash-8.3.3-amd64.deb
$ sudo dpkg -i kibana-8.3.3-amd64.deb
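Before handing a downloaded package to dpkg -i (which runs its maintainer scripts as root), check it against the .sha512 file that artifacts.elastic.co publishes next to every artifact (the same URL with .sha512 appended). The script below is an added example and not part of the original post: it wraps that check in a function that also refuses a sidecar naming a different file, and exercises it on a constructed fake package so it runs offline; the real download lines are in the trailing comment.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies a downloaded Elastic
# package against its .sha512 sidecar, whose single line is
# "<hex digest>  <file name>", the format sha512sum itself emits.
set -eu

# verify_sha512 PKG SIDECAR
# Returns 0 only if both files exist, the sidecar names the package's own
# basename (a sidecar swapped in from another artifact is refused) and the
# digests match.
verify_sha512() {
  pkg="$1"
  sidecar="$2"
  [ -f "$pkg" ] && [ -f "$sidecar" ] || return 1
  expected=$(awk 'NR==1 {print $1}' "$sidecar")
  named=$(awk 'NR==1 {print $2}' "$sidecar")
  [ "$named" = "$(basename "$pkg")" ] || return 1
  actual=$(sha512sum "$pkg" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# Constructed demo data (not real packages): a fake .deb with a matching
# sidecar, a tampered copy under the same name, and a sidecar for another file.
DEMO_DIR=$(mktemp -d)
GOOD="$DEMO_DIR/elasticsearch-8.3.3-amd64.deb"
printf 'constructed package bytes\n' > "$GOOD"
( cd "$DEMO_DIR" && sha512sum elasticsearch-8.3.3-amd64.deb > elasticsearch-8.3.3-amd64.deb.sha512 )
mkdir "$DEMO_DIR/tampered"
TAMPERED="$DEMO_DIR/tampered/elasticsearch-8.3.3-amd64.deb"
cp "$GOOD" "$TAMPERED"
printf 'x' >> "$TAMPERED"
WRONG_NAME="$DEMO_DIR/logstash-8.3.3-amd64.deb.sha512"
sed 's/elasticsearch-8.3.3/logstash-8.3.3/' "$GOOD.sha512" > "$WRONG_NAME"

verify_sha512 "$GOOD" "$GOOD.sha512" && echo "OK: $(basename "$GOOD") matches its sidecar"
verify_sha512 "$TAMPERED" "$GOOD.sha512" || echo "REFUSED: digest mismatch on tampered copy"
verify_sha512 "$GOOD" "$WRONG_NAME" || echo "REFUSED: sidecar names a different file"

# Real usage (needs network):
#   wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.3.3-amd64.deb
#   wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.3.3-amd64.deb.sha512
#   verify_sha512 elasticsearch-8.3.3-amd64.deb elasticsearch-8.3.3-amd64.deb.sha512 \
#     && sudo dpkg -i elasticsearch-8.3.3-amd64.deb
```

Repeat the same check for the logstash and kibana packages; `sha512sum -c <file>.sha512` run in the download directory does the digest part in one step, but does not catch a sidecar that names a different artifact.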
Elasticsearch configuration
After installation, ES 8.x prints the message below. Use the random password it generated for the elastic built-in superuser, or reset it with the command shown in the message. Treat it as a secret: it is the superuser credential for the cluster, and the value shown below is only the one generated on this install.
--------------------------- Security autoconfiguration information ------------------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : PeGGS9D*JOt8S3=Tt57*
If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
-------------------------------------------------------------------------------------------------
Edit the Elasticsearch YAML
$ vi /etc/elasticsearch/elasticsearch.yml
### Use a different cluster.name for each cluster
cluster.name: bimap
### Defaults to the host name
node.name: ${HOSTNAME}
### Data path(s); more than one may be listed. Create the directory first and make it owned by the elasticsearch user, or the service will not start
path.data: ["/data/es"]
### Only takes effect if the service may lock memory: add a systemd drop-in (systemctl edit elasticsearch) with LimitMEMLOCK=infinity under [Service] and run systemctl daemon-reload; otherwise the heap is not locked and ES only logs a warning (with multi-node discovery this is a failed bootstrap check)
bootstrap.memory_lock: true
### ${IP} is expanded from the environment of the Elasticsearch process; under systemd nothing sets it for you, so write the address literally (or use _site_) unless you add it to the unit's environment
network.host: ${IP}
### A multi-node cluster would list its hosts here; this walkthrough is a single node:
discovery.type: single-node
Start Elasticsearch
$ systemctl start elasticsearch
$ systemctl enable elasticsearch
$ systemctl status elasticsearch
Verify that it started
Use the CA certificate the installer generated instead of curl -k, so that the TLS certificate is actually checked, and leave the password out of the command line (curl prompts for it) so it does not end up in shell history and process listings:
$ curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic "https://localhost:9200"
{
"name" : "cluster-test1",
"cluster_name" : "ELK8-cluster",
"cluster_uuid" : "mJ6d920ORiytWGZxnYHhlA",
"version" : {
"number" : "8.3.3",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
"build_date" : "2022-07-23T19:30:09.227964828Z",
"build_snapshot" : false,
"lucene_version" : "9.2.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
Kibana configuration
Fix the ownership of the Kibana configuration directory
$ chown -R kibana. /etc/kibana
Edit the Kibana yml file
$ vi /etc/kibana/kibana.yml
server.port: 5601
### Listen on all interfaces
server.host: "0.0.0.0"
### The URL users actually open; 0.0.0.0 is a bind address, not a reachable host name, so put the real host name here
server.publicBaseUrl: "http://<kibana-host>:5601"
Start Kibana
$ systemctl start kibana
$ systemctl enable kibana
$ systemctl status kibana
Get a Kibana enrollment token from Elasticsearch
The token is only valid for 30 minutes, so generate it right before you use it:
$ /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
Open the Kibana UI
Open a browser at http://localhost:5601.
You should be shown the enrollment screen; paste the enrollment token there.
Kibana then asks for a verification code, which you generate on the server and type into the UI, for example:
$ /usr/share/kibana/bin/kibana-verification-code
Your verification code is: 139 477
Enable HTTPS on Kibana
### Generate a CA (certutil writes elastic-stack-ca.zip into the Elasticsearch home directory)
$ /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem
### Move it into place and unpack; with --pem the zip contains ca/ca.crt and ca/ca.key
$ cp /usr/share/elasticsearch/elastic-stack-ca.zip /etc/kibana
$ cd /etc/kibana
$ unzip elastic-stack-ca.zip
### Also keep a readable copy of the CA that signs Elasticsearch's HTTP certificate (enrollment already configured Kibana to trust it; this copy is only needed if you set elasticsearch.ssl.certificateAuthorities by hand)
$ cp /etc/elasticsearch/certs/http_ca.crt /etc/kibana/ca
### Give the files to the kibana user; ca.key is a private key, so make sure nobody else can read it
$ chown -R kibana. /etc/kibana/ca
Edit kibana.yml
### Now https, and again the real host name rather than 0.0.0.0
server.publicBaseUrl: "https://<kibana-host>:5601"
### Enable SSL
server.ssl.enabled: true
### Certificate and key that Kibana presents to browsers
server.ssl.certificate: /etc/kibana/ca/ca.crt
server.ssl.key: /etc/kibana/ca/ca.key
Restart Kibana afterwards (systemctl restart kibana) and open https://<kibana-host>:5601.
Caveat: ca.crt/ca.key is a CA key pair, not a server certificate. Serving it directly only "works" because browsers fall through to the self-signed warning; it carries no subjectAltName for Kibana's host name, and if you import ca.crt into browsers to silence the warning, the key sitting on the Kibana host can then sign certificates for any name those browsers trust. The cleaner setup is to issue a server certificate from this CA (elasticsearch-certutil cert --ca-cert ca.crt --ca-key ca.key --pem --name kibana --dns <kibana-host>), point server.ssl.certificate and server.ssl.key at that certificate and key, and distribute only ca.crt to browsers.
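The script below is an added example and not code from the original post. It uses plain OpenSSL instead of elasticsearch-certutil so it can run anywhere, and the host name kibana.example.internal and the work directory are assumed placeholders. It builds the two objects the HTTPS steps above need, a CA and a server certificate issued by that CA, checks with openssl verify that the leaf chains to the CA and matches the host name, and shows why ca.crt itself is the wrong file for server.ssl.certificate: its basicConstraints say CA:TRUE.

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA with
# OpenSSL, issue a server certificate for Kibana from it, and verify the chain.
# KIBANA_HOST and WORKDIR are assumptions; override them in the environment.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KIBANA_HOST="${KIBANA_HOST:-kibana.example.internal}"

# Self-signed CA. basicConstraints CA:TRUE and keyCertSign mark it as an
# issuer, which is exactly why it must not double as Kibana's server cert.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=elk-lab-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" >/dev/null 2>&1
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORKDIR/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORKDIR/ca.csr" \
    -signkey "$WORKDIR/ca.key" -extfile "$WORKDIR/ca.ext" \
    -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Leaf certificate for Kibana: CA:FALSE, serverAuth, and a DNS SAN carrying
# the host name browsers compare against.
make_kibana_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$KIBANA_HOST" \
    -keyout "$WORKDIR/kibana.key" -out "$WORKDIR/kibana.csr" >/dev/null 2>&1
  printf '%s\n' \
    'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$KIBANA_HOST" > "$WORKDIR/kibana.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/kibana.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/kibana.ext" -out "$WORKDIR/kibana.crt" >/dev/null 2>&1
}

# verify_kibana_cert [HOST]: 0 if kibana.crt chains to ca.crt and is valid
# for HOST (defaults to KIBANA_HOST), which is what a browser checks.
verify_kibana_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "${1:-$KIBANA_HOST}" \
    "$WORKDIR/kibana.crt" >/dev/null 2>&1
}

# is_ca_cert FILE: 0 if the certificate asserts CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

make_ca
make_kibana_cert
verify_kibana_cert && echo "kibana.crt chains to ca.crt and matches $KIBANA_HOST"
is_ca_cert "$WORKDIR/ca.crt" && echo "ca.crt is a CA certificate: distribute it to browsers, never serve it"
is_ca_cert "$WORKDIR/kibana.crt" || echo "kibana.crt is a leaf: use it and kibana.key for server.ssl.certificate/key"
```

In kibana.yml the leaf pair is what goes into server.ssl.certificate and server.ssl.key; ca.crt is what you import into browsers (or hand to curl --cacert), and ca.key should not live on the Kibana host at all once the leaf has been issued.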
Logstash configuration
Adjust the Logstash jvm.options; here the heap is set to 4 GB (keep -Xms and -Xmx equal)
$ vi /etc/logstash/jvm.options
-Xms4g
-Xmx4g
Edit logstash.service
$ vi /lib/systemd/system/logstash.service
User=root
Group=root
Caveat: running Logstash as root is only a shortcut for reading log files the logstash user cannot open. The safer fix is to give the logstash user read access (for example by adding it to the group that owns the log files) and keep User=logstash. Also, the unit file under /lib/systemd/system is replaced on package upgrade; put overrides in a drop-in via systemctl edit logstash instead of editing it in place.
Reload the service definitions
$ systemctl daemon-reload
Start Logstash
$ systemctl start logstash
### If a large data volume makes startup slow, you can watch shard recovery by hand (security is on, so use the CA and credentials as above rather than plain http):
### curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic "https://localhost:9200/_cat/recovery?v"
$ systemctl enable logstash
$ systemctl status logstash