########## Problem encountered ###############
[2019-11-14T01:01:47,315][WARN ][logstash.outputs.elasticsearch]
Attempted to resurrect connection to dead ES instance, but got an error.
{:url=>"https://logstash:xxxxxx@localhost:9200/",
:error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError,
:error=>"Elasticsearch Unreachable: [https://logstash:xxxxxx@localhost:9200
/][Manticore::ClientProtocolException] PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target"}
* Because I am using the new 7.3.2 version, settings for other versions do not apply.
Setting SSL in logstash.conf >>> did not solve it
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => true
    truststore => "/etc/logstash/conf.d/truststore.jks"
    truststore_password => logstash
  }
}
bin/logstash -f logstash.conf
As a result, the elastiflow module configuration is not read, and the corresponding service ports are not opened either
Starting UDP listener {:address=>"0.0.0.0:4739"} IPFix
Starting UDP listener {:address=>"0.0.0.0:2055"} Netflow
Starting UDP listener {:address=>"0.0.0.0:6343"} SFlow
Setting it in logstash.yml >>> did not solve it
modules:
  - name: netflow
    var.elasticsearch.hosts: ["https://127.0.0.1:9200"]
    var.elasticsearch.username: logstash
    var.elasticsearch.password: logstash
    var.elasticsearch.ssl: true
    var.elasticsearch.ssl_certificate_verification: false
    var.elasticsearch.truststore: ["/etc/logstash/conf.d/truststore.jks"]
    var.elasticsearch.truststore_password: logstash
bin/logstash "--path.settings" "/etc/logstash"
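The result was still an error: the SSL certificate was unusable
In the end I found that the elastiflow module's own settings contain a default configuration; after changing it, everything worked!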
output {
  elasticsearch {
    id => "output_elasticsearch_single"
    hosts => [ "${ELASTIFLOW_ES_HOST:127.0.0.1:9200}" ]
    ssl => "${ELASTIFLOW_ES_SSL_ENABLE:true}"
    ssl_certificate_verification => "${ELASTIFLOW_ES_SSL_VERIFY:true}"
    # If ssl_certificate_verification is true, uncomment cacert and set the path to the certificate.
    #cacert => "/PATH/TO/CERT"
    cacert => "/etc/logstash/conf.d/logstash.crt"
    user => "${ELASTIFLOW_ES_USER:admin}"
    password => "${ELASTIFLOW_ES_PASSWD:admin}"
    index => "elastiflow-3.5.1-%{+YYYY.MM.dd}"
    template => "${ELASTIFLOW_TEMPLATE_PATH:/etc/logstash/elastiflow/templates}/elastiflow.template.json"
    template_name => "elastiflow-3.5.1"
    template_overwrite => "true"
  }
}
1. The Logstash systemctl boot-time startup entry uses /logstash/bin/system-install, the bundled shell script. This script places the configuration path at /etc/logstash
logstash.yml | |
pipelines.yml | |
elastiflow/ | elastiflow module configuration files |
On startup, Logstash reads logstash.yml and pipelines.yml
pipelines.yml has an added entry that points to the elastiflow module configuration
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"
/etc/logstash/elastiflow/conf.d/ holds the input/output/filter configuration files for the NetFlow data; Logstash follows these rules to collect -> filter -> send to the Elasticsearch web API (https://127.0.0.0:9200)
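An added example (not from the original post or the ElastiFlow project): a Python check that reads an elasticsearch output block the way the elastiflow pipeline does, expands the ${VAR:default} references, and reports whether certificate verification has a CA to anchor to. The function names and verdict labels are hypothetical, the sample config is constructed from the output shown above, and the line parser is a simplification of the Logstash config grammar.

```python
import os
import re

# Constructed sample modelled on the ElastiFlow output quoted above, with the
# cacert line still commented out as in the shipped default.
SAMPLE_CONF = '''
output {
  elasticsearch {
    hosts => [ "${ELASTIFLOW_ES_HOST:127.0.0.1:9200}" ]
    ssl => "${ELASTIFLOW_ES_SSL_ENABLE:true}"
    ssl_certificate_verification => "${ELASTIFLOW_ES_SSL_VERIFY:true}"
    #cacert => "/PATH/TO/CERT"
  }
}
'''

ENV_REF = re.compile(r'\$\{([A-Za-z_]\w*)(?::([^}]*))?\}')
SETTING = re.compile(r'^\s*(\w+)\s*=>\s*(.+?)\s*$')


def es_output_settings(conf_text, env=None):
    """Effective elasticsearch output settings: ${VAR:default} uses env, else default."""
    env = os.environ if env is None else env
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0]          # simplification: no '#' inside values
        if re.match(r'\s*elasticsearch\s*\{', line):
            inside = True
        elif inside and line.strip() == '}':
            inside = False
        elif inside and (m := SETTING.match(line)):
            value = ENV_REF.sub(lambda r: env.get(r.group(1), r.group(2) or ''), m.group(2))
            settings[m.group(1)] = value.strip('"')
    return settings


def tls_verdict(settings):
    """Classify how the output will treat the Elasticsearch server certificate."""
    ssl_on = settings.get('ssl') == 'true' or 'https://' in settings.get('hosts', '')
    if not ssl_on:
        return 'plaintext'
    if settings.get('ssl_certificate_verification', 'true') != 'true':
        return 'unverified'
    if 'cacert' not in settings and 'truststore' not in settings:
        return 'jvm-default-trust'   # private CA => "PKIX path building failed"
    return 'pinned'


if __name__ == '__main__':
    print(tls_verdict(es_output_settings(SAMPLE_CONF, env={})))
```

Run it against each file matched by path.config in pipelines.yml rather than against a standalone logstash.conf, since only the former is what the elastiflow pipeline loads.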
##################################