ELK 8.15.3 版本Logstash和Kibana与KS设置SSL实现https安全连接 ...

在客户端部署上线的日记服务器由于等保扫瞄到ES（Elasticsearch） 7.17.8版本有安全漏洞，所以要做一个升级，升级到最新的 8.15.3。
由于ES 8.X 版本是默认启动了安全设置，也就是设置文件 elasticsearch.yml 中的 xpack.security.enabled 设置默认是设为 true 的，所以当启动 ES的时候访问9200端口会要求输入账户和暗码。
接下来，我将一步步分享如何手动设置 elastic 超等用户的暗码以及如何让 logstash 和 kibana 以 https的方式对 es 举行数据的写入（logstash output）和读取（kibana必要读es数据将不同index内的数据举行可视化等操作）。
ELK部署方式

OS: Ubuntu 22.04 LTS
部署运行方式：docker-compose （也就是说logstash, es和kibana都是以容器的方式运行的，而且属于一个网络）
docker 镜像拉取

1. # 拉取 es
2. docker pull docker.elastic.co/elasticsearch/elasticsearch:8.15.3
3. # 拉取 logstash
4. docker pull docker.elastic.co/logstash/logstash:8.15.3
5. # 拉取 kibana
6. docker pull docker.elastic.co/elasticsearch/elasticsearch:8.15.3

复制代码

拉取完成后，可以通过 docker images 下令检察镜像：

更换镜像

将所有正在运行的7.X版本镜像的容器都停下来

1. docker-compose down

复制代码

编辑 docker-compose.yaml 文件，修改镜像的tag为8.15.3。
下一步修改宿主机上映射到 es 容器内的设置文件 elasticsearch.yml 内容，我们首先设置 elastic 超等用户的暗码，后面再把 https 连接必要的证书搞定，所以先把 xpack.security.transport.ssl.enabled 设置为 false（默认是 true）。
必要加上以下设置内容：

1. # 此配置项用于启用或禁用 Elasticsearch 的安全特性
2. xpack.security.enabled: true
3. # 此配置项用于启用或禁用通过 HTTPS（SSL/TLS）对 Elasticsearch 的 HTTP 接口进行加密。
4. xpack.security.transport.ssl.enabled: false

复制代码

然后启动 docker-compose

1. docker-compose up -d

复制代码

设置 elastic 超等用户的暗码

确保 elasticsearch（容器名）在正常运行后，可以尝试访问 http://ip:9200, 这个时候发现会有弹出框要求输出用户名和暗码（由于 xpack.security.enabled: true）。
现在进入 elasticsearch 容器内部：

1. docker exec -it elasticsearch bash
2. elasticsearch@elasticsearch:~$ pwd
3. # 容器内部当前目录
4. /usr/share/elasticsearch

复制代码

有以下两种设置暗码的方式，手动和随机自动：
手动设置暗码

1. ./bin/elasticsearch-reset-password -u elastic

复制代码

按照提示输入想要为 elastic 用户设置的新暗码即可。
自动生成随机暗码

-i：关闭交互模式，Elasticsearch 会自动生成一个随机暗码

1. ./bin/elasticsearch-reset-password -u elastic
2. -i

复制代码

如果设置的暗码是：p0s9Lb3uThEJfN5T0v6x
这个时候再去访问 http://ip:9200，输入 elastic/p0s9Lb3uThEJfN5T0v6x 就可以正常访问了。
Logstash通过elastic账号与es建立http连接

虽然我们终极达成的目标是让logstash和kibana以 https（http+ssl）的方式与es建立连接，但在设置相干证书之前我们可以尝试一下让logstash仅通过账号暗码的方式与es建立http连接（kibana无法尝试，在 xpack.security.enabled: true 设置的环境下必须通过https）。
1. 将elastic 超等用户暗码写入 docker-compose.yml

1. services:
2.   elasticsearch:
3.     restart: always
4.     image: docker.elastic.co/elasticsearch/elasticsearch:8.15.3
5.     container_name: elasticsearch
6.     hostname: elasticsearch
7.     privileged: true
8.     environment:
9.       - "ES_JAVA_OPTS=-Xms8192m -Xmx8192m"
10.       - "http.host=0.0.0.0"
11.       - "node.name=node-01"
12.       - "cluster.name=cluster-01"
13.       - "discovery.type=single-node"
14.       # 将密码作为环境变量写入
15.       - "ELASTIC_PASSWORD=p0s9Lb3uThEJfN5T0v6x"

复制代码

2. 修改宿主机上的 logstash.yml 和涉及到output给es的设置文件

logstash.yml设置新增内容如下

1. # 开启xpack监控
2. # ===================es版本升级，需要加入认证信息==============
3. xpack.monitoring.elasticsearch.username: "elastic"
4. xpack.monitoring.elasticsearch.password: "p0s9Lb3uThEJfN5T0v6x"                 

复制代码

对于将吸取到的日记处理完之后output给es的设置内容，必要加上账户暗码等信息。
以下是 ChatGPT 生成的一个示例，必要注意：

• hosts 要加上 http://；
  
• 若有逻辑分支则涉及到es的部门都必要添加 user/password 信息。
  

1. input {
2.   # 假设从stdin输入数据
3.   stdin {}
4. }
6. filter {
7.   # 使用 Ruby 进行自定义处理
8.   ruby {
9.     code => "
10.       event.set('new_field', event.get('message').upcase)  # 将'message'字段转为大写并保存到'new_field'
11.       event.set('timestamp', Time.now)                     # 添加当前时间戳到'timestamp'字段
12.     "
13.   }
14. }
16. output {
17.   # 输出到 Elasticsearch
18.   elasticsearch {
19.     # 注意需要加上http，安全验证未开启的情况下是不需要的
20.     hosts => ["http://elasticsearch:9200"]
21.     index => "logstash-ruby-example"
22.     # 增加用户名
23.     user => "elastic"
24.     # 增加用户名密码
25.     password => "p0s9Lb3uThEJfN5T0v6x"
26.     document_id => "%{[@metadata][fingerprint]}"  # 自定义document ID（可选）
27.   }
28. }

复制代码

3. 重启 elasticsearch 和 logstash docker 容器

重启下令如下：

1. docker-compose restart
2. elasticsearch
3. docker-compose restart
4. logstash

复制代码

重启之后检查 logstash 和 elasticsearch 容器日记是否有报错信息：

1. docker logs logstash
2. docker logs elasticsearch
3. # 如果只想看最新N条，添加 --tail 参数指定一下数量就可以
4. docker logs --tail N <logstash-container-name>

复制代码

如果没有可以进入到 logstash 容器内部，运行查验下令检查是否能正常连接上es:

1. # 进入 logstash 容器内部
2. docker exec -it logstash /bin/bash
3. logstash@d996504f0329:~$ pwd
4. /usr/share/logstash
5. # 运行如下检查命令，如连接成功会显示es相关信息
6. curl -u elastic:p0s9Lb3uThEJfN5T0v6x http://elasticsearch:9200

复制代码

成功连接到 Elasticsearch 的输出示例（由 ChatGPT 生成）：

1. {
2.   "name" : "your-node-name",
3.   "cluster_name" : "your-cluster-name",
4.   "cluster_uuid" : "uuid-string",
5.   "version" : {
6.     "number" : "8.15.3",
7.     "build_flavor" : "default",
8.     "build_type" : "docker",
9.     "build_hash" : "abc12345",
10.     "build_date" : "2024-01-01T00:00:00Z",
11.     "build_snapshot" : false,
12.     "lucene_version" : "9.7.0",
13.     "minimum_wire_compatibility_version" : "7.10.0",
14.     "minimum_index_compatibility_version" : "7.0.0"
15.   },
16.   "tagline" : "You Know, for Search"
17. }

复制代码

当然也可以实际让logstash吸取处理一些数据，然后检查es里面是否有数据的新增，以此确保logstash可以成功将处理完成的数据写入es。
ES生成CA和证书

为什么必要？（以下回答由 ChatGPT 生成）
   在 Elasticsearch 中，生成 CA（Certificate Authority，证书颁发机构） 和 证书 的过程是为了启用 安全通信，即通过 SSL/TLS 加密来保护 Elasticsearch 节点之间的通信 以及 客户端和服务器之间的通信。
  详细步骤如下（copy from 参考文章 [1]）：

1. # 进入docker容器的es实例
2. docker exec -it elasticsearch bash
3. # 生成ca证书 遇到提示回车，共两次
4. bin/elasticsearch-certutil  ca
5. # 生成节点证书 遇到提示回车，共三次
6. bin/elasticsearch-certutil  cert --ca elastic-stack-ca.p12
7.    
8. # 切换到config目录
9. cd config
10. # 创建certs文件夹
11. mkdir certs
12. # 回到原目录
13. cd ..
14. # 将ca证书移动到certs中
15. mv elastic-certificates.p12 elastic-stack-ca.p12 config/certs                  

复制代码

把生成的两个证书文件放在容器 /usr/share/elasticsearch/config/certs 下后，就可以执行 exit 先退出了。
现在编辑宿主机上的 elasticsearch.yml 文件，新增内容如下：

1. # 将 xpack.security.transport.ssl.enabled 设置为 false的配置注释掉
2. # xpack.security.transport.ssl.enabled: false
3. # 新增以下内容
4. xpack.security.enrollment.enabled: true
5. # 是否开启ssl
6. xpack.security.http.ssl:
7.   enabled: true
8.   keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
9.   truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
10. # 是否开启访问安全认证
11. xpack.security.transport.ssl:
12.   enabled: true
13.   verification_mode: certificate
14.   keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
15.   truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

复制代码

Http 证书生成

为什么必要？（以下回答由 ChatGPT 生成）
   Elasticsearch 生成 HTTP 证书 是为了通过 HTTPS（SSL/TLS 加密） 来保护 HTTP 层 的通信。重要原因是为了确保在客户端（如浏览器、Kibana、Logstash）与 Elasticsearch 之间通过 REST API 举行通信时，数据是加密的，而且可以实现 身份验证 和 数据完备性。
  以下操作步骤参考 [2]
再次进入 elasticsearch 容器内部，生成 http 证书。

1. # 进入docker容器的es实例
2. docker exec -it elasticsearch bash
3. # 生成 Http 的证书
4. ./bin/elasticsearch-certutil http

复制代码

会有很多提问，详情可参考 官方文档

完备输入如下供各人参考

1. elasticsearch@elasticsearch:~$ ./bin/elasticsearch-certutil http
3. ## Elasticsearch HTTP Certificate Utility
5. The 'http' command guides you through the process of generating certificates
6. for use on the HTTP (Rest) interface for Elasticsearch.
8. This tool will ask you a number of questions in order to generate the right
9. set of files for your needs.
11. ## Do you wish to generate a Certificate Signing Request (CSR)?
13. A CSR is used when you want your certificate to be created by an existing
14. Certificate Authority (CA) that you do not control (that is, you don't have
15. access to the keys for that CA).
17. If you are in a corporate environment with a central security team, then you
18. may have an existing Corporate CA that can generate your certificate for you.
19. Infrastructure within your organisation may already be configured to trust this
20. CA, so it may be easier for clients to connect to Elasticsearch if you use a
21. CSR and send that request to the team that controls your CA.
23. If you choose not to generate a CSR, this tool will generate a new certificate
24. for you. That certificate will be signed by a CA under your control. This is a
25. quick and easy way to secure your cluster with TLS, but you will need to
26. configure all your clients to trust that custom CA.
28. Generate a CSR? [y/N]N
30. ## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
32. If you have an existing CA certificate and key, then you can use that CA to
33. sign your new http certificate. This allows you to use the same CA across
34. multiple Elasticsearch clusters which can make it easier to configure clients,
35. and may be easier for you to manage.
37. If you do not have an existing CA, one will be generated for you.
39. Use an existing CA? [y/N]y
41. ## What is the path to your CA?
43. Please enter the full pathname to the Certificate Authority that you wish to
44. use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
45. (.jks) or PEM (.crt, .key, .pem) format.
46. CA Path: /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12
47. Reading a PKCS12 keystore requires a password.
48. It is possible for the keystore's password to be blank,
49. in which case you can simply press <ENTER> at the prompt
50. Password for elastic-stack-ca.p12:
52. ## How long should your certificates be valid?
54. Every certificate has an expiry date. When the expiry date is reached clients
55. will stop trusting your certificate and TLS connections will fail.
57. Best practice suggests that you should either:
58. (a) set this to a short duration (90 - 120 days) and have automatic processes
59. to generate a new certificate before the old one expires, or
60. (b) set it to a longer duration (3 - 5 years) and then perform a manual update
61. a few months before it expires.
63. You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
65. For how long should your certificate be valid? [5y]
66. ## Do you wish to generate one certificate per node?
68. If you have multiple nodes in your cluster, then you may choose to generate a
69. separate certificate for each of these nodes. Each certificate will have its
70. own private key, and will be issued for a specific hostname or IP address.
72. Alternatively, you may wish to generate a single certificate that is valid
73. across all the hostnames or addresses in your cluster.
75. If all of your nodes will be accessed through a single domain
76. (e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
77. simpler to generate one certificate with a wildcard hostname (*.es.example.com)
78. and use that across all of your nodes.
80. However, if you do not have a common domain name, and you expect to add
81. additional nodes to your cluster in the future, then you should generate a
82. certificate per node so that you can more easily generate new certificates when
83. you provision new nodes.
85. Generate a certificate per node? [y/N]y
87. ## What is the name of node #1?
89. This name will be used as part of the certificate file name, and as a
90. descriptive name within the certificate.
92. You can use any descriptive name that you like, but we recommend using the name
93. of the Elasticsearch node.
95. node #1 name: node-01
97. ## Which hostnames will be used to connect to node-01?
99. These hostnames will be added as "DNS" names in the "Subject Alternative Name"
100. (SAN) field in your certificate.
102. You should list every hostname and variant that people will use to connect to
103. your cluster over http.
104. Do not list IP addresses here, you will be asked to enter them later.
106. If you wish to use a wildcard certificate (for example *.es.example.com) you
107. can enter that here.
109. Enter all the hostnames that you need, one per line.
110. When you are done, press <ENTER> once more to move on to the next step.
112. elasticsearch
114. You entered the following hostnames.
116. - elasticsearch
118. Is this correct [Y/n]y
120. ## Which IP addresses will be used to connect to node-01?
122. If your clients will ever connect to your nodes by numeric IP address, then you
123. can list these as valid IP "Subject Alternative Name" (SAN) fields in your
124. certificate.
126. If you do not have fixed IP addresses, or not wish to support direct IP access
127. to your cluster then you can just press <ENTER> to skip this step.
129. Enter all the IP addresses that you need, one per line.
130. When you are done, press <ENTER> once more to move on to the next step.
133. You did not enter any IP addresses.
135. Is this correct [Y/n]y
137. ## Other certificate options
139. The generated certificate will have the following additional configuration
140. values. These values have been selected based on a combination of the
141. information you have provided above and secure defaults. You should not need to
142. change these values unless you have specific requirements.
144. Key Name: node-01
145. Subject DN: CN=node-01
146. Key Size: 2048
148. Do you wish to change any of these options? [y/N]n
149. Generate additional certificates? [Y/n]n
151. ## What password do you want for your private key(s)?
153. Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
154. This type of keystore is always password protected, but it is possible to use a
155. blank password.
157. If you wish to use a blank password, simply press <enter> at the prompt below.
158. Provide a password for the "http.p12" file:  [<ENTER> for none]
160. ## Where should we save the generated files?
162. A number of files will be generated including your private key(s),
163. public certificate(s), and sample configuration options for Elastic Stack products.
165. These files will be included in a single zip archive.
167. What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]

复制代码

必要关注的几个提问：

• What is the name of node #1?
  输入的 node name 必要和 docker-compose.yml 里给 Elasticsearch 设置的 node.name 保持同等。
  

1. ## What is the name of node #1?
3. This name will be used as part of the certificate file name, and as a
4. descriptive name within the certificate.
6. You can use any descriptive name that you like, but we recommend using the name
7. of the Elasticsearch node.
9. node #1 name: node-01

复制代码

• Which hostnames will be used to connect to node-01?
  由于 ES 是以 docker 的方式运行，而且ELK都在同一个 docker network 中，所以 logstash 和 kibana 其实直接通过 es的容器名，即 elasticsearch 访问即可，而且 es 没有被外网访问的必要，所以这里的 hostname 设置为容器名 elasticsearch 就可以。
  

1. ## Which hostnames will be used to connect to node-01?
3. These hostnames will be added as "DNS" names in the "Subject Alternative Name"
4. (SAN) field in your certificate.
6. You should list every hostname and variant that people will use to connect to
7. your cluster over http.
8. Do not list IP addresses here, you will be asked to enter them later.
10. If you wish to use a wildcard certificate (for example *.es.example.com) you
11. can enter that here.
13. Enter all the hostnames that you need, one per line.
14. When you are done, press <ENTER> once more to move on to the next step.
16. elasticsearch
18. You entered the following hostnames.
20. - elasticsearch
22. Is this correct [Y/n]y

复制代码

可以看到生成的 elasticsearch-ssl-http.zip 文件

1. elasticsearch@elasticsearch:~$ ls
2. LICENSE.txt  NOTICE.txt  README.asciidoc  bin  config  data  elasticsearch-ssl-http.zip  jdk  lib  logs  modules  plugins
3. # 解压 elasticsearch-ssl-http.zip
4. elasticsearch@elasticsearch:~$ unzip elasticsearch-ssl-http.zip
5. Archive:  elasticsearch-ssl-http.zip
6.    creating: elasticsearch/
7.   inflating: elasticsearch/README.txt  
8.   inflating: elasticsearch/http.p12  
9.   inflating: elasticsearch/sample-elasticsearch.yml  
10.    creating: kibana/
11.   inflating: kibana/README.txt      
12.   inflating: kibana/elasticsearch-ca.pem
13.   
14.   inflating: kibana/sample-kibana.yml

复制代码

将 elasticsearch-ssl-http.zip 文件解压缩之后，会有两个文件夹，即 elasticsearch/ 和 kibana/。

1. # /kibana 目录下的三个文件
2. elasticsearch@elasticsearch:~/kibana$ ls
3. README.txt  elasticsearch-ca.pem
4.   sample-kibana.yml
5. # /elasticsearch 目录下的三个文件
6. elasticsearch@elasticsearch:~/elasticsearch$ ls
7. README.txt  http.p12  sample-elasticsearch.yml

复制代码

现在将 /usr/share/elasticsearch/elasticsearch/http.p12 移动到 /usr/share/elasticsearch/config/certs 下

1. mv elasticsearch/http.p12 /usr/share/elasticsearch/config/certs

复制代码

所以 certs/ 下有三个文件了

1. elasticsearch@elasticsearch:~/config/certs$ ls
2. elastic-certificates.p12  elastic-stack-ca.p12  http.p12

复制代码

elasticsearch 生成 kibana 的安全认证文件

1. # 生成kibana证书（-dns后接的是kibana容器名）
2. ./bin/elasticsearch-certutil csr -name kibana -dns kibana
3. # 解压文件
4. elasticsearch@elasticsearch:~$ unzip csr-bundle.zip
5. Archive:  csr-bundle.zip
6.   inflating: kibana/kibana.csr      
7.   inflating: kibana/kibana.key     

复制代码

将生成的安全认证文件从es容器内部复制到宿主机kibana的config目次

1. # 退出容器
2. exit
3. # 进入宿主机kibana的config目录
4. cd /usr/local/config/kibana/config/
5. # 创建certs文件夹
6. mkdir certs
7. # 将elasticsearch生成在容器中的证书复制到certs中
8. docker cp elasticsearch:/usr/share/elasticsearch/kibana/kibana.csr /usr/local/config/kibana/config/certs
9. docker cp elasticsearch:/usr/share/elasticsearch/kibana/kibana.key /usr/local/config/kibana/config/certs
10. # 还要将上一步生成elasticsearch-ca.pem
11. 文件一块复制到kibana
12. docker cp elasticsearch:/usr/share/elasticsearch/kibana/elasticsearch-ca.pem
13. /usr/local/config/kibana/config/certs
14. # 进入certs文件夹
15. cd certs
16. # 生成crt文件
17. openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt
18. # 查看 /certs 目录下的四个文件
19. elasticsearch-ca.pem
20.   
21. kibana.crt
22. kibana.csr
23. kibana.key

复制代码

将 elasticsearch-ca.pem
复制到宿主机logstash的config目次

为什么必要？
   当在 Logstash 中设置到 Elasticsearch 的HTTPS 连接时，必要在设置文件中指定 elasticsearch-ca.pem
作为信托证书。

1. # 进入宿主机kibana的config目录
2. cd /usr/local/config/logstash/config/
3. # 创建certs文件夹
4. mkdir certs
5. docker cp elasticsearch:/usr/share/elasticsearch/kibana/elasticsearch-ca.pem
6. /usr/local/config/logstash/config/certs

复制代码

将 elasticsearch 容器内 certs 下的文件持久化到宿主机

1. # 切换到elasticsearch的config目录
2. cd /usr/local/config/elasticsearch/config
3. # 复制docker中的certs到linux
4. docker cp elasticsearch:/usr/share/elasticsearch/config/certs /usr/local/config/elasticsearch/config

复制代码

部署 kibana 认证文件

现在将宿主机 /usr/local/config/kibana/config/certs 下的认证文件都同步到容器内。

1. # 将服务器上kibana的certs上传到docker容器中
2. docker cp /usr/local/config/kibana/config/certs kibana:/usr/share/kibana/config
3. # 使用root进入kibana容器
4. docker exec -it -u root kibana bash
5. # 进入config文件夹
6. cd config
7. # 修改certs权限
8. chown -R kibana certs

复制代码

检察容器内认证文件权限环境

1. root@286e3f490b30:/usr/share/kibana/config/certs# ll -l
2. total 24
3. drwxr-xr-x 2 kibana root 4096 Oct 28 12:42 ./
4. drwxrwxrwx 3 root   root 4096 Oct 28 13:18 ../
5. -rw-r--r-- 1 kibana root 1200 Oct 28 08:18 elasticsearch-ca.pem
7. -rw-r--r-- 1 kibana root  985 Oct 28 12:42 kibana.crt
8. -rw-r--r-- 1 kibana root  936 Oct 28 12:36 kibana.csr
9. -rw-r--r-- 1 kibana root 1675 Oct 28 12:36 kibana.key

复制代码

部署 logstash 认证文件

和部署 kibana 类似的操作
将宿主机 /usr/local/config/logstash/config/certs 下的认证文件都同步到容器内。

1. # 将服务器上kibana的certs上传到docker容器中
2. docker cp /usr/local/config/logstash/config/certs logstash:/usr/share/logstash/config
3. # 使用root进入logstash容器
4. docker exec -it -u root logstash bash
5. # 进入config文件夹
6. cd config
7. # 修改certs权限
8. chown -R logstash certs

复制代码

检察容器内认证文件 elasticsearch-ca.pem
权限环境

1. root@d996504f0329:/usr/share/logstash/config/certs# ll -l
2. total 24
3. drwxr-xr-x 2 logstash root 4096 Oct 29 03:11 ./
4. drwxrwxrwx 3 root     root 4096 Oct 30 03:26 ../
5. -rw-r--r-- 1 logstash root 1200 Oct 28 15:11 elasticsearch-ca.pem

复制代码

设置文件内容调解

1. logstash.yml http -> https

1. xpack.monitoring.elasticsearch.username: "elastic"
2. xpack.monitoring.elasticsearch.password: "p0s9Lb3uThEJfN5T0v6x"
3. xpack.monitoring.enabled: true
4. # 由之前的 http 改为 https
5. xpack.monitoring.elasticsearch.hosts: ["https://elasticsearch:9200"]
6. xpack.monitoring.collection.interval: 10s
7. log.level: debug

复制代码

• logstash output es 设置文件开启ssl并指定cacert
  

1. input {
2.   # 假设从stdin输入数据
3.   stdin {}
4. }
6. filter {
7.   # 使用 Ruby 进行自定义处理
8.   ruby {
9.     code => "
10.       event.set('new_field', event.get('message').upcase)  # 将'message'字段转为大写并保存到'new_field'
11.       event.set('timestamp', Time.now)                     # 添加当前时间戳到'timestamp'字段
12.     "
13.   }
14. }
16. output {
17.   # 输出到 Elasticsearch
18.   elasticsearch {
19.     # http调整为https
20.     hosts => ["http://elasticsearch:9200"]
21.     # 启用 ssl
22.     ssl => true
23.     # 指定认证文件
24.     cacert => "/usr/share/logstash/config/certs/elasticsearch-ca.pem
25. "
26.     index => "logstash-ruby-example"
27.     # 增加用户名
28.     user => "elastic"
29.     # 增加用户名密码
30.     password => "p0s9Lb3uThEJfN5T0v6x"
31.     document_id => "%{[@metadata][fingerprint]}"  # 自定义document ID（可选）
32.   }
33. }

复制代码

• 调解 kibana.yml 内容
  涉及到 elasticsearch.hosts 的连接协议是 https
  elasticsearch.password 暗码可以随便填写一个，后面再进入 es 容器内部修改。
  

1. i18n.locale: zh-CN
2. server.host: "0.0.0.0"
3. server.shutdownTimeout: "5s"
4. elasticsearch.hosts: [ "https://elasticsearch:9200" ]
6. elasticsearch.username: "kibana_system"
7. elasticsearch.password: "12345678"
8. # ===============================ssl配置如下======================================
9. server.ssl.enabled: true
10. server.ssl.certificate: /usr/share/kibana/config/certs/kibana.crt
11. server.ssl.key: /usr/share/kibana/config/certs/kibana.key
12. elasticsearch.ssl.verificationMode: none
13. elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/certs/elasticsearch-ca.pem
14. " ]
15. # ===============================ssl配置如上======================================
16. monitoring.ui.container.elasticsearch.enabled: true
17. xpack.monitoring.enabled: true
18. xpack.monitoring.elasticsearch.hosts: ["https://elasticsearch:9200"]
19. xpack.monitoring.kibana.collection.enabled: true
20. xpack.monitoring.kibana.collection.interval: 10000

复制代码

进入 elasticsearch容器重置 kibana_system 账户暗码

1. # 进入 elasticsearch 容器内部
2. docker exec -it elasticsearch /bin/bash
3. # 重置 kibana_system 账户密码
4. elasticsearch@elasticsearch:~$ ./bin/elasticsearch-reset-password -u kibana_system -i --url https://elasticsearch:9200
5. WARNING: Owner of file [/usr/share/elasticsearch/config/users] used to be [root], but now is [elasticsearch]
6. WARNING: Owner of file [/usr/share/elasticsearch/config/users_roles] used to be [root], but now is [elasticsearch]
7. This tool will reset the password of the [kibana_system] user.
8. You will be prompted to enter the password.
9. Please confirm that you would like to continue [y/N]

复制代码

然后把重置的暗码在 kibana.yml 文件中举行更新

1. elasticsearch.username: "kibana_system"
2. elasticsearch.password: "password_reset"

复制代码

最后修改 docker-compose.yml 文件里的目次映射

这一步操作是为了确保宿主机ELK config/certs 目次下的文件与容器内是同步的，检查ELK volumes 设置下看是否有必要调解的地方。
针对于我的环境，elasticsearch 必要新增映射。

1. services:
2.   elasticsearch:
3.     restart: always
4.     image: docker.elastic.co/elasticsearch/elasticsearch:8.15.3
5.     container_name: elasticsearch
6.     hostname: elasticsearch
7.     privileged: true
8.     volumes:
9.       # 新增目录映射
10.       -"usr/local/config/es/config/certs:/usr/share/elasticsearch/config/certs"

复制代码

设置文件内容调解完成后，就可以重启所有容器了。

1. docker-compose restart

复制代码

必要注意 kibana 访问输入的账户暗码并非设置文件中的 kibana_system/password_reset，而是必要elastic超等用户和对应暗码，即 elastic/p0s9Lb3uThEJfN5T0v6x 举行登陆访问。
认证文件所在目次概览

宿主机 /usr/local/config/elasticsearch/config/certs 下的文件

1. .
2. ├── elastic-certificates.p12
3. ├── elastic-stack-ca.p12
4. └── http.p12
6. 0 directories, 3 files

复制代码

宿主机 /usr/local/config/logstash/config/certs 下的文件

1. elasticsearch-ca.pem

复制代码

宿主机 /usr/local/config/kibana/config/certs 下的文件

1. .├── elasticsearch-ca.pem
2. ├── kibana.crt├── kibana.csr└── kibana.key0 directories, 4 files

复制代码

最后，非常感谢以下博客内容，帮助很多！也希望这篇博客可以帮助到有必要的朋友！
[1] docker开启es集群安全认证
[2] Elasticsearch8.X+ Kibana 8.X安全设置

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。