相信参考上一篇文章 centos7 安装ELK(标准安装+安全配置):1. 标准安装 大家都已经完成了ELK的部署工作，但是这样的部署大家肯定发现了一个问题，就是这套系统没有权限管理，如果放到公网上谁都可以访问，对于我们实际应用到生产环境中去肯定是不行的。

这篇文章就是在上文的基础上，让大家了解对ELK进行安全配置，加固ELK，让ELK真正应用到生产环境中去。

1. 本文是参考官网实操的记录。
2. 因为安全管理系列功能是属于ELK商用组件x-pack的，所以使用本文配置的前提是你已经购买了官网的白金授权。

1. 停止所有的ELK节点

screen -r pid
ctrl+c ctrl+c

2. 修改所有elasticsearch节点的elasticsearch.yml

cd /usr/local/src/ELK/elasticsearch-6.7.0
vi conf/elasticsearch.yml
# 添加这一行
xpack.security.enabled: false

3. 启动master节点

su elk
screen ./bin/elasticsearch
# 导入license，假设你的license文件放在/usr/local/src/ELK/x-pack/目录下，文件名为license.json
curl -XPUT -u elastic 'http://localhost:9200/_xpack/license' -H "Content-Type: application/json" -d @/usr/local/src/ELK/x-pack/license.json
Enter host password for user 'elastic':
{"acknowledged":true,"license_status":"valid"}

导入时会询问elastic账号的密码，默认密码是空，直接“回车”就可

4. 关闭master节点，按照product模式配置

如果导入上述license后，直接启动ELK是起不来的，因为报错如下：

[1]: Transport SSL must be enabled for setups with production licenses. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

所以，需要关闭master节点，按照product模式配置后再启动

su elk
screen -r pid
ctrl+c ctrl+c

5. product模式配置

# 1 创建ca签名证书
cd /usr/local/src/ELK
mkdir ca
cd ca
../elasticsearch-6.7.0/bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: #输入ca证书名称，保持默认即可
Enter password for elastic-stack-ca.p12 : #输入ca证书的密码，要记住别忘了后面用到

# 2 创建节点实例描述文件
vi my-cluster.yml
instances:
  - name: "master"
    dns:
      - "master-node"
    ip:
      - "192.168.43.200"
  - name: "data-node1"
    dns:
      - "data-node1"
    ip:
      - "192.168.43.201"
  - name: "data-node2"
    dns:
      - "data-node2"
    ip:
      - "192.168.43.202"

# 3 为每个节点创建证书
../elasticsearch-6.7.0/bin/elasticsearch-certutil cert --in eyuccELKlogs.yml --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : # 刚才创建时输入的密码
Please enter the desired output file [certificate-bundle.zip]: # 每个节点的ca生成后被保存在zip压缩包中，这里可以改名字
Enter password for master/master.p12 : #master节点的ca证书密码
Enter password for data-node1/data-node1.p12 : #data-node1节点的ca证书密码
Enter password for data-node2/data-node2.p12 : #data-node2节点的ca证书密码

# 4 解压，部署证书到各个节点
unzip certificate-bundle.zip
在每个服务器上执行
mkdir /usr/local/src/ELK/elasticsearch-6.7.0/config/cert
然后在master服务器上
cp master/master.p12 /usr/local/src/ELK/elasticsearch-6.7.0/config/cert
scp data-node1/data-node1.p12 root@192.168.43.201:/usr/local/src/ELK/elasticsearch-6.7.0/config/cert/
scp data-node2/data-node2.p12 root@192.168.43.202:/usr/local/src/ELK/elasticsearch-6.7.0/config/cert/

# 5 修改每个节点的elasticsearch.yml
cd /usr/local/src/ELK/elasticsearch-6.7.0
vi config/elasticsearch.yml
# 修改或添加如下配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: cert/${node.name}.p12 #因为我们的证书名称都是用的节点名称，所以可以用变量，如果你的证书名称不是这样，需要填写准确的证书名称
xpack.security.transport.ssl.truststore.path: cert/${node.name}.p12

# 6 在每个节点执行下面的命令，保证加密的证书能够被访问
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

# 7 启动elasticsearch，验证配置
# 在每个节点上执行，却表elasticsearch目录下所有内容elk都有权限访问
cd /usr/local/src/ELK
chown elk:elk elasticsearch-6.7.0 -P
# 启动E
cd elasticsearch-6.7.0
su elk
./bin/elasticsearch
# master节点启动成功，再启动其他节点，不要启动kibana
cd elasticsearch-6.7.0
su elk
./bin/elasticsearch
cd elasticsearch-6.7.0
su elk
./bin/elasticsearch

# 8 确定节点启动成功，停掉各节点，用screen启动

6. 配置kibana

# 因为我们启用了安全，所以kibana也需要通过安全机制访问elasticsearch

# 1 为elasticsearch的内置用户配置密码
bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

# 2 配置kibana
vi /usr/local/src/ELK//kibana-6.7.0-linux-x86_64/config/kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "你设置的kibana账户密码"
xpack.security.encryptionKey: "1234567890123456789012345678901234567890" #这里要至少32个字符

7. 启动kibana

screen ./bin/kibana

访问 http://192.168.43.204:5601

kibana login

要管理账户、角色等，需要用elastic账户登录

kibana用户管理界面

普通的操作使用kibana账户登录即可

-完-