Search Guard Configuration

Installing the Search Guard security plugin for ELK

Installing on Elasticsearch (ES version 6.5.4)

  • Download the plugin
    <ES directory>/bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:<guard version>

  • Change into the Search Guard installation directory
    cd <ES directory>/plugins/search-guard-/tools

  • Run the installer
    <ES directory>/install_demo_configuration.sh
    Generated file: <ES directory>/config/elasticsearch.yml

Install demo certificates? [y/N] y
Initialize Search Guard? [y/N] y
# Answer y for a cluster setup
Enable cluster mode? [y/N] n
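  • Verify the installation
    Open https://<es ip>:9200 and enter the admin/admin username and password to test the installation
    Open https://<es ip>:9200/_searchguard/authinfo to display information about the currently logged-in user

  • Change the default account passwords
    Generate the hash of the new password
    sh hash.sh -p chenfh5
    Edit <ES directory>/plugins/search-guard-6/sgconfig/sg_internal_users.yml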

  • Push the new configuration to the ES cluster
    cd <ES directory>/plugins/search-guard-6/tools

./sgadmin.sh -cd ../sgconfig/ -icl -nhnv \
   -cacert ../../../config/root-ca.pem \
   -cert ../../../config/kirk.pem \
   -key ../../../config/kirk-key.pem

Installing Search Guard on Kibana (Kibana version 6.5.4)

  • Run the installer
    <kibana directory>/bin/kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.5.4-17/search-guard-kibana-plugin-6.5.4-17.zip

  • Edit the Kibana configuration
    vim <kibana directory>/config/kibana.yml

# Disable X-Pack security authentication
xpack.security.enabled: false
#xpack.monitoring.enabled: false
network.host: 0.0.0.0
  • Error when starting <kibana directory>/bin/kibana
Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslist`

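The cause is that node's browserslist has not been updated. Updating it directly fails, so the only option is to download the packages manually and copy them over the original installation directory.

# Install npm; skip this if it is already installed
yum install npm
# Create a new directory and download the new files into it
mkdir <npmdown>
cd <npmdown>
npm install caniuse-lite browserslist
cd <kibana directory>/node_modules
# Create a new directory to keep a copy of the originals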
mv <kibana directory>/node_modules/browserslist <backlib>
mv <kibana directory>/node_modules/caniuse-lite <backlib>
mv <kibana directory>/node_modules/electron-to-chromium <backlib>
mv <kibana directory>/node_modules/node-releases <backlib>
mv <kibana directory>/node_modules/semver <backlib>

cd <npmdown>
mv <npmdown>/* <kibana directory>/kibana-6.5.4-linux-x86_64/node_modules

Restart /bin/kibana and wait for node to finish compiling

  • The error [error][admin][elasticsearch] Request error, retrying
    Edit kibana.yml
# Disable X-Pack security authentication
xpack.security.enabled: false
#xpack.spaces.enabled: false
# Connection
elasticsearch.url: "https://xxx.xxx.xxx.xxx:9200"
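  • Open https://: in a browser and enter the admin username and password to open the management page

Configuring Logstash for Search Guard

  • Add the following configuration to xxx.conf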
output {
  elasticsearch {
    user => logstash
    password => logstash
    ssl => true
    # false turns off verification of the Elasticsearch server certificate, so cacert is not enforced
    ssl_certificate_verification => false
    cacert => "<elasticsearch home>/config/spock.pem"
    ...
  }
}
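
An added example, not from the original post: a small shell audit that flags the demo-grade settings the steps above leave in place (demo certificates, Logstash certificate verification disabled, a password equal to the username). The function names and sample files are constructed here, and the `searchguard.allow_unsafe_democertificates` key is assumed from what the Search Guard 6 demo installer writes to elasticsearch.yml; it is not shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): flag demo-grade settings that the
# steps above leave in place. Returns the number of findings as the exit status.

# Print the value of a `key => value` Logstash setting, ignoring comment lines.
ls_value() {
  sed -nE "s/^[[:space:]]*$1[[:space:]]*=>[[:space:]]*\"?([^\"#[:space:]]+)\"?.*/\1/p" "$2" | head -n 1
}

audit_sg() {
  local es_yml="$1" ls_conf="$2" findings=0 user pass

  # Key written by the demo installer (assumption: Search Guard 6 demo setup).
  if grep -Eq '^[[:space:]]*searchguard\.allow_unsafe_democertificates:[[:space:]]*true' "$es_yml"; then
    echo "WARN: $es_yml still allows the demo certificates"
    findings=$((findings + 1))
  fi

  # With verification off, cacert is never used to authenticate the server.
  if [ "$(ls_value ssl_certificate_verification "$ls_conf")" = "false" ]; then
    echo "WARN: $ls_conf disables TLS certificate verification"
    findings=$((findings + 1))
  fi

  # Demo accounts use the username as the password (as in logstash/logstash).
  user=$(ls_value user "$ls_conf")
  pass=$(ls_value password "$ls_conf")
  if [ -n "$user" ] && [ "$user" = "$pass" ]; then
    echo "WARN: $ls_conf uses a password identical to the username '$user'"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample files mirroring the configuration shown on this page.
demo_dir=$(mktemp -d)
printf '%s\n' 'searchguard.allow_unsafe_democertificates: true' > "$demo_dir/elasticsearch.yml"
cat > "$demo_dir/out.conf" <<'EOF'
output {
  elasticsearch {
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => false
  }
}
EOF
audit_sg "$demo_dir/elasticsearch.yml" "$demo_dir/out.conf" || echo "findings: $?"
```

Point the function at the real elasticsearch.yml and pipeline file before moving the cluster out of a test environment; an exit status of 0 means none of the three conditions was found.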