
linux-kibana

Date: 2023-06-25 21:45:54

kibana

I. Deployment

1. Download the package

[[email protected] ~]# ll
-rw-r--r--  1 root root 268453142 Apr  4 18:03 kibana-7.17.5-x86_64.rpm

2. Install Kibana

[[email protected] ~]# rpm -ivh kibana-7.17.5-x86_64.rpm

3. Edit the Kibana configuration file

vim /etc/kibana/kibana.yml 
...
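# Host address Kibana listens on; the default is localhost.
server.host: "0.0.0.0"
# Addresses of the ES cluster that Kibana connects to.
elasticsearch.hosts: ["http://10.0.0.101:9200","http://10.0.0.102:9200","http://10.0.0.103:9200"]
# Set the Kibana UI to Simplified Chinese; the default is English.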
i18n.locale: "zh-CN"

4. Start Kibana

[[email protected] ~]# systemctl enable --now kibana

5. Open the Kibana UI

http://10.0.0.103:5601/

II. Controlling access to Kibana with an nginx reverse proxy

(1) Deploy the nginx service
Omitted; see the earlier notes.

(2) Write the nginx configuration file
cat > /etc/nginx/conf.d/kibana.conf <<'EOF'
server {
  listen 80;

  server_name kibana.com;

  location / {
     proxy_pass http://10.0.0.103:5601$request_uri;
     auth_basic "kibana web!";
     auth_basic_user_file conf/htpasswd;
  }
}
EOF

(3) Create the account file
mkdir -pv /etc/nginx/conf
yum -y install httpd-tools
htpasswd -c -b /etc/nginx/conf/htpasswd admin admin

(4) Start the nginx service
nginx -t
systemctl reload nginx

(5) Access Kibana through nginx to verify
A username and password are required before you can get in.
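
A static check for two weaknesses in the nginx setup above, as an added example that is not part of the original post: with server.host set to 0.0.0.0 Kibana still answers directly on port 5601, and basic auth on a plain `listen 80` sends the password unencrypted. The function name `audit_kibana_proxy` is hypothetical and the sample files are constructed from the values shown on this page.

```shell
#!/bin/sh
# Added example: static check of the Kibana + nginx proxy setup.
# Sample files below are constructed from the values shown on this page.

# audit_kibana_proxy <kibana.yml> <nginx conf>
# Prints one FINDING line per problem; returns 1 if anything was found.
audit_kibana_proxy() (
  kibana_yml=$1 nginx_conf=$2 rc=0

  # Kibana bound to a non-loopback address: anyone who can reach port 5601
  # talks to Kibana directly and never sees the nginx auth prompt.
  host=$(sed -n 's/^server\.host:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' \
         "$kibana_yml" | tail -n 1)
  case ${host:-localhost} in
    localhost|127.*|::1) ;;
    *) echo "FINDING: server.host=$host exposes Kibana past the proxy"; rc=1 ;;
  esac

  # auth_basic on a listener without TLS: the Authorization header is only
  # base64-encoded, so the password is readable on the wire.
  if grep -Eq '^[[:space:]]*auth_basic[[:space:]]' "$nginx_conf" &&
     ! grep -Eq '^[[:space:]]*listen[[:space:]][^;]*ssl' "$nginx_conf"; then
    echo "FINDING: auth_basic without 'listen ... ssl' sends the password in cleartext"
    rc=1
  fi
  exit "$rc"
)

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'server.host: "0.0.0.0"\n' > "$demo/kibana.yml"
cat > "$demo/kibana.conf" <<'EOF'
server {
  listen 80;
  server_name kibana.com;
  location / {
     proxy_pass http://10.0.0.103:5601$request_uri;
     auth_basic "kibana web!";
     auth_basic_user_file conf/htpasswd;
  }
}
EOF
audit_kibana_proxy "$demo/kibana.yml" "$demo/kibana.conf" || echo "setup needs hardening"
```

Binding Kibana to 127.0.0.1 (with nginx on the same host) or firewalling port 5601, and serving the proxy over TLS, clears both findings.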

III. Configuring TLS authentication for the ES cluster

1. Generate the certificate file on the elk101 node

[[email protected] ~]# cd /es/softwares/es7/elasticsearch-7.17.5/
[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# ./bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""  --days 3650
[[email protected] /es/softwares/es7/elasticsearch-7.17.5/config]# ll
-rw------- 1 root root  3443 Apr 10 19:52 elastic-certificates.p12

2. On the elk101 node, change the owner and group of the certificate file

[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# chown es:es config/elastic-certificates.p12
[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# ll config/
-rw------- 1 es es  3443 Apr 10 19:52 elastic-certificates.p12

3. Sync the certificate file from the elk101 node to the other nodes

[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# data_rsync.sh `pwd`/config/elastic-certificates.p12 
===== rsyncing elk102.com: elastic-certificates.p12 =====
命令执行成功!
===== rsyncing elk103.com: elastic-certificates.p12 =====
命令执行成功!

4. Edit the ES cluster configuration file on the elk101 node

Note: if the master role and the data role are separated, this causes problems.

[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# cat /es/softwares/es7/elasticsearch-7.17.5/config/elasticsearch.yml
node.data: true
# Set all nodes as master nodes
node.master: true

# Add the settings below to enable TLS
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

5. Sync the ES configuration file from the elk101 node to the other nodes

[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# data_rsync.sh `pwd`/config/elasticsearch.yml 
===== rsyncing elk102.com: elasticsearch.yml =====
命令执行成功!
===== rsyncing elk103.com: elasticsearch.yml =====
命令执行成功!

6. Restart the ES cluster on all nodes

systemctl restart es7

7. Generate random passwords on any host

# Generate the passwords
[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# ./bin/elasticsearch-setup-passwords auto
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Future versions of Elasticsearch will require Java 11; your Java version from [/es/softwares/jdk1.8.0_291/jre] does not meet this requirement. Consider switching to a distribution of Elasticsearch with a bundled JDK. If you are already using a distribution with a bundled JDK, ensure the JAVA_HOME environment variable is not set.
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = ijqdMffW2ZkrwZYRQaCY

Changed password for user kibana_system
PASSWORD kibana_system = lNs85X26g0eC9A6VqwRB

Changed password for user kibana
PASSWORD kibana = lNs85X26g0eC9A6VqwRB

Changed password for user logstash_system
PASSWORD logstash_system = 1TyRJW0zHiFri0dXNcEb

Changed password for user beats_system
PASSWORD beats_system = B7S5O7GPQaz6VpUXCpmV

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = TtbxPHsVjIkfLUvpZNFL

Changed password for user elastic
PASSWORD elastic = NviM8RNB6FnqgpsbS6Rz	

8. Access with Postman

GET 10.0.0.101:9200/_cat/indices

IV. Configuring Kibana to connect to the ES cluster

1. Edit the Kibana configuration file

[[email protected] ~]# egrep -vn '^#|^$' /etc/kibana/kibana.yml
5:server.host: "0.0.0.0"
7:elasticsearch.hosts: ["http://10.0.0.101:9200","http://10.0.0.102:9200","http://10.0.0.103:9200"]
9:i18n.locale: "zh-CN"
# Uncomment
51:elasticsearch.username: "kibana_system"
# Enter the generated random password
52:elasticsearch.password: "lNs85X26g0eC9A6VqwRB"

2. Restart Kibana

[[email protected] ~]# systemctl restart kibana

3. Log in as the elastic user and change the password

http://10.0.0.103:5601/

V. Configuring Filebeat to connect to the ES cluster

[[email protected] /es/softwares/filebeat-7.17.5-linux-x86_64/config]# cat log-to-es_tls.yaml
filebeat.inputs:
- type: log
  paths:
    - /tmp/test-filebeat/test.log 

output.elasticsearch:
  hosts: ["http://10.0.0.101:9200","http://10.0.0.102:9200","http://10.0.0.103:9200"] 
  # Add the username and password
  username: "elastic"
  password: "123456"
  index: "linux-es-test"

setup.ilm.enabled: false
setup.template.name: "linux-es"
setup.template.pattern: "linux-es-*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0
[[email protected] ~]# cat /tmp/test-filebeat/test.log
111
222
333

# Start Filebeat
[[email protected] /es/softwares/filebeat-7.17.5-linux-x86_64]# filebeat -e -c config/log-to-es_tls.yaml

# Check the result in Kibana

VI. Configuring Logstash to connect to the ES cluster

[[email protected] ~/config]# cat file-to-es_tsl.conf
input { 
  file {
     # Path of the local file
     path => "/tmp/linux-es-file"
     # Where to start reading the file; this applies only if the file has not been read before or is not recorded in the ".sincedb" file.
     start_position => "beginning"
  }
} 


output { 
  # stdout {} 
  
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "linux-es-logstash-file"
    user => "elastic"
    password => "123456"
  }
}

[[email protected] ~/config]# echo 'aaa' > /tmp/linux-es-file

# Start Logstash
[[email protected] ~]# logstash -rf config/file-to-es_tsl.conf

# Check the result in Kibana

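Supplement:

Path where Logstash records the offsets of the files it collects:
ls -la /es/softwares/logstash-7.17.5/data/plugins/inputs/file/

If the data was not sent, delete the contents of this directory and send it again.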
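
The elasticsearch.yml settings above enable TLS only on the transport layer (node-to-node traffic), so the http:// endpoints used by the Kibana, Filebeat and Logstash configurations still carry usernames and passwords unencrypted. The check below is an added example, not code from the original post; the function names are hypothetical, and the sample files are constructed from this page's values with placeholder passwords.

```shell
#!/bin/sh
# Added example: find Elasticsearch credentials that travel over plain HTTP.
# Sample files are constructed from this page's values; passwords are placeholders.

# Succeeds only if TLS is enabled on the HTTP (REST, port 9200) layer.
es_http_tls_enabled() {
  grep -Eq '^[[:space:]]*xpack\.security\.http\.ssl\.enabled:[[:space:]]*true' "$1"
}

# Print each client config that has an http:// hosts entry and a password,
# in YAML (key: value) or Logstash (key => value) syntax. Comment lines are ignored.
cleartext_cred_files() {
  key='^[[:space:]]*([[:alnum:]_]+\.)*'
  for f in "$@"; do
    grep -Eq "${key}hosts[[:space:]]*(:|=>)[[:space:]]*\[[^]]*\"http://" "$f" || continue
    grep -Eq "${key}password[[:space:]]*(:|=>)" "$f" || continue
    echo "$f"
  done
  return 0
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
cat > "$d/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
EOF
cat > "$d/kibana.yml" <<'EOF'
elasticsearch.hosts: ["http://10.0.0.101:9200"]
elasticsearch.password: "PLACEHOLDER"
EOF
cat > "$d/filebeat.yaml" <<'EOF'
output.elasticsearch:
  hosts: ["http://10.0.0.101:9200"]
  password: "PLACEHOLDER"
EOF
cat > "$d/logstash.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    password => "PLACEHOLDER"
  }
}
EOF
es_http_tls_enabled "$d/elasticsearch.yml" || echo "HTTP layer (9200) is not encrypted"
cleartext_cred_files "$d/kibana.yml" "$d/filebeat.yaml" "$d/logstash.conf"
```

Setting xpack.security.http.ssl.enabled: true with a keystore on every node, and switching the client hosts to https://, closes the gap.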

VII. Writing data to the ES cluster from Logstash with a custom role

1. Create a role

2. Create a user

3. Configure and test

[[email protected] ~/config]# cat file-to-es_tsl.conf
input { 
  file {
     # Path of the local file
     path => "/tmp/linux-es-file"
     # Where to start reading the file; this applies only if the file has not been read before or is not recorded in the ".sincedb" file.
     start_position => "beginning"
  }
} 


output { 
  # stdout {} 
  
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "linux-es-logstash-file"
    user => "logstash"
    password => "123456"
  }
}

[[email protected] ~]# logstash -rf config/file-to-es_tsl.conf 

[[email protected] /es/softwares/es7/elasticsearch-7.17.5]# echo 'ccc' >> /tmp/linux-es-file

Supplement

Follow the principle of least privilege: do not grant a permission unless it is needed.
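
The role and user created in the Kibana UI in steps 1 and 2 can also be created through the Elasticsearch security API, which leaves the granted privileges in a reviewable script. This is an added example, not the original author's procedure: the role name linux_es_logstash_writer and the curl config path are hypothetical, and the privilege list follows the logstash_writer example in Elastic's Logstash documentation rather than the page's screenshots. The script only prints the requests unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: create the Logstash role and user through the security API.
# Role name and privilege list are assumptions; the page's screenshots are not available.
ES_URL=${ES_URL:-http://10.0.0.101:9200}
DRY_RUN=${DRY_RUN:-1}              # 1 = print the requests, send nothing
# Hypothetical path; chmod 600; contains one line: user = "elastic:<password>"
ES_CURL_CFG=${ES_CURL_CFG:-$HOME/.es-admin.curlrc}

# Role limited to one index: privileges follow the logstash_writer example in
# Elastic's Logstash documentation, with the index pattern narrowed.
role_body() {
  printf '{"cluster":["manage_index_templates","monitor","manage_ilm"],'
  printf '"indices":[{"names":["%s"],' "$1"
  printf '"privileges":["write","create","create_index","manage","manage_ilm"]}]}\n'
}

# User bound to exactly one role. Assumes the password contains no '"' or '\'.
user_body() {
  printf '{"password":"%s","roles":["%s"]}\n' "$2" "$1"
}

# es_api METHOD PATH, JSON body on stdin. Admin credentials come from the curl
# config file, so they do not show up in `ps` output or shell history.
es_api() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$1 $ES_URL$2"; cat > /dev/null
  else
    curl -sS --fail -K "$ES_CURL_CFG" -X "$1" \
         -H 'Content-Type: application/json' --data-binary @- "$ES_URL$2"
  fi
}

# provision INDEX ROLE USER ; the new user's password is read from $LS_PW.
provision() {
  role_body "$1" | es_api PUT "/_security/role/$2" &&
  user_body "$2" "$LS_PW" | es_api PUT "/_security/user/$3"
}

LS_PW=${LS_PW:-constructed-placeholder}
provision linux-es-logstash-file linux_es_logstash_writer logstash
```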

VIII. Configuring permissions with RBAC

1. Configure the role

2. Create the user

3. Test the login

IX. Connecting to the ES cluster with curl

[[email protected] ~]# curl -u elastic:${PASSWORD} 10.0.0.101:9200/_cat/nodes
10.0.0.102 70 46 11 0.07 0.26 0.29 cdfhilmrstw * elk102.com
10.0.0.103 70 62  5 0.53 0.70 0.60 cdfhilmrstw - elk103.com
10.0.0.101 67 49  1 0.10 0.41 0.49 cdfhilmrstw - elk101.com

From: https://www.cnblogs.com/world-of-yuan/p/17504007.html
