Test version: 7.15
1. Generate HTTP cert with the same CA for transport SSL cd /usr/share/elasticsearch ./bin/elasticsearch-certutil http Generate a CSR? [y/N]n Use an existing CA? [y/N]y CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12 For how long should your certificate be valid? [5y] Generate a certificate per node? [y/N]y node #1 name: appserver01 hostnames: appserver01 IPs: 192.168.0.111 2. unzip elasticsearch-ssl-http.zip -d ssl cp ssl/elasticsearch/appserver01/http.p12 /etc/elasticsearch/ chmod 644 /etc/elasticsearch/http.p12 3. vi /etc/elasticsearch/elasticsearch.yml xpack.security.http.ssl.enabled: true xpack.security.http.ssl.keystore.path: http.p12 4. Store the password in the Elasticsearch keystore ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password 5. systemctl restart elasticsearch.service 6. Encrypt traffic between Kibana and Elasticsearch cp ssl/kibana/elasticsearch-ca.pem /etc/kibana/ vi /etc/kibana/kibana.yml elasticsearch.hosts: ["https://appserver01:9200"] elasticsearch.ssl.certificateAuthorities: /etc/kibana/elasticsearch-ca.pem systemctl restart kibana 7. Beats to Elasticsearche.g. Heartbeat
cp ssl/kibana/elasticsearch-ca.pem /etc/heartbeat/ vi /etc/heartbeat/heartbeat.yml output.elasticsearch: # Array of hosts to connect to. hosts: ["https://appserver01:9200"] ssl.certificate_authorities: ["/etc/heartbeat/elasticsearch-ca.pem"] systemctl restart heartbeat-elastic.service 8. Logstash to Elasticsearch cp ssl/kibana/elasticsearch-ca.pem /etc/logstash/ chmod 644 /etc/logstash/elasticsearch-ca.pem vi /etc/logstash/conf.d/app01.conf output { elasticsearch { hosts => ["https://appserver01:9200"] ssl => true ssl_certificate_verification => true cacert => ["/etc/logstash/elasticsearch-ca.pem"] index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" user => "elastic" password => "${ES_PWD}" } }
 1.本站遵循行业规范,任何转载的稿件都会明确标注作者和来源;2.本站的原创文章,会注明原创字样,如未注明都非原创,如有侵权请联系删除!;3.作者投稿可能会经我们编辑修改或补充;4.本站不提供任何储存功能只提供收集或者投稿人的网盘链接。 |
