一.xpack安全验证的开启

server1 2 3作为es集群

集群模式需要先创建证书
# cd /usr/share/elasticsearch/
# bin/elasticsearch-certutil ca
# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# cp elastic-certificates.p12 elastic-stack-ca.p12 /etc/elasticsearch
# cd /etc/elasticsearch
# chown elasticsearch elastic-certificates.p12 elastic-stack-ca.p12
scp elastic-certificates.p12 elastic-stack-ca.p12 server2:/etc/elasticsearch/  #证书拷贝到2 3

配置所有的elasticsearch集群节点
# vim /etc/elasticsearch/elasticsearch.yml
node.ingest: true  #开启xpack安全认证时，集群内需要一个ingest,保证ingest专门对索引的文档做预处理角色开启，否则会导致安全认证失败

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

ES集群重启正常后，设置用户密码
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

1.head访问
vim /etc/elasticsearch/elasticsearch.yml
 65 http.cors.allow-headers: "Authorization,X-Requested-With,Content-Length,Content-Type"

cd /root/elasticsearch-head-master
cnpm run start &

http://172.25.2.1:9100/?auth_user=elastic&auth_password=westos

监控集群和生产数据集群最好分开
server5 logstash kibana

2.设置Logstash连接ES用户密码
input {
        beats {
        port => 5044
        }
}
filter {
  grok {
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
  }
}
output {
        stdout { }
        elasticsearch {
        hosts => ["172.25.2.1:9200"]
        index => "apache-%{+yyyy.MM.dd}"
        user => "elastic"
        password => "westos"
        }
}

3.vim /etc/kibana/kibana.yml  #设置kibana连接ES的用户密码
elasticsearch.username: "kibana"
elasticsearch.password: "westos"

二.elk监控

(一)直接使用自带的监控


(二)使用 Metricbeat 监测

1.在安装 Elasticsearch 的同一台服务器上安装 Metricbeat
sever1 2 3
get metricbeat-7.6.1-x86_64.rpm
rpm -ivh metricbeat-7.6.1-x86_64.rpm
2.在 Metricbeat 中启用并配置 Elasticsearch x-pack 模块
metricbeat modules enable elasticsearch-xpack
metricbeat modules list

3.配置 Metricbeat 以发送至监测集群
vim /etc/metricbeat/metricbeat.yml

vim /etc/metricbeat/modules.d/elasticsearch-xpack.yml

4.启动 Metricbeat
systemctl restart metricbeat.service

5.集群已经全部开启 Metricbeat

三.filebeat日志采集

server1 2 3
和上面的 Metricbeat类似
rpm -ivh filebeat-7.6.1-x86_64.rpm  #安装
filebeat modules enable elasticsearch  #启用模块
vim f/etc/filebeat/ilebeat.yml  #配置
151 output.elasticsearch:
153   hosts: ["172.25.2.1:9200"]
160   username: "elastic"
161   password: "westos"

vim /etc/filebeat/modules.d/elasticsearch.yml
https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-module-elasticsearch.html

systemctl restart filebeat.service

更多日志，以及流式传输

四.创建可视化

利用 Metricbeat,filebeat生成可视化模板

vim /etc/metricbeat/metricbeat.yml
 61 setup.kibana:
 67   host: "172.25.2.5:5601"
 metricbeat setup --dashboards

vim /etc/filebeat/filebeat.yml
117 setup.kibana:
123   host: "172.25.2.5:5601"

filebeat setup --dashboards