Elastic under lock and key: enabling the Elasticsearch security options for internal and external access
Elastic Stack is a well-known product on the SIEM market (and not only there). It can collect large volumes of very different data, some of it sensitive and some not so much. It is hardly right if access to the Elastic Stack components themselves is left unprotected. By default, all components of the Elastic box (Elasticsearch, Logstash, Kibana and the Beats collectors) run over open protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we show how. For convenience we have split the article into 3 logical parts:
Role-based data access model
Data security inside the Elasticsearch cluster
Securing data outside the Elasticsearch cluster
Details under the cut.
Role-based data access model
If you have installed Elasticsearch and not configured it in any way, access to all indices is open to everyone. Well, to everyone who can use curl. To avoid this, Elasticsearch has a role model, available starting with the Basic subscription (which is free). Schematically it looks something like this:
What the diagram shows:
Users are everyone who can log in with their credentials.
Resources are indices, documents, fields, users and other storage entities (the role model for some resources is available only with a paid subscription).
Out of the box Elasticsearch has built-in users, which are bound to built-in roles. As soon as you enable the security settings, you can start using them right away.
To enable security in the Elasticsearch settings, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):
xpack.security.enabled: true
After changing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to set passwords for the built-in users. Let's do that interactively with the command below:
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
Check:
[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1
You can pat yourself on the back: the Elasticsearch side is done. Now it is time to configure Kibana. If you start it now, errors will appear, so first you need to create a keystore. This takes two commands (the user is kibana and the password is the one you entered for it at the password setup step in Elasticsearch):
If everything went well, Kibana will start asking for a login and password. The Basic subscription includes a role model based on internal users. Starting with Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and single sign-on systems.
Access rights to objects in Elasticsearch can also be restricted. However, to do this at the level of documents or fields you need a paid subscription (this luxury starts at the Platinum level). These settings are available in the Kibana interface or through the Security API. You can try it in the familiar Dev Tools menu:
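As an added example (not part of the original article), here is the same role model expressed in the file-based roles.yml that Elasticsearch also supports alongside Kibana and the Security API; the role names, index patterns and field list are assumptions made for the example.

```yaml
# config/roles.yml on each node: file-based equivalent of POST _security/role/<name>.
# Role names, index patterns and field names below are assumptions for this example.

# Basic subscription: read-only access to the log indices and nothing else.
soc_reader:
  cluster: [ "monitor" ]            # cluster health and stats only, no settings changes
  indices:
    - names: [ "winlogbeat-*", "filebeat-*" ]
      privileges: [ "read", "view_index_metadata" ]

# Platinum and above: the same indices narrowed to one host and a field allow-list.
# Document-level security is the "query" key, field-level security is "field_security".
soc_reader_restricted:
  indices:
    - names: [ "winlogbeat-*" ]
      privileges: [ "read" ]
      query: '{ "term": { "host.name": "node1" } }'
      field_security:
        grant: [ "@timestamp", "event.*", "host.name", "message" ]
```

Roles defined in roles.yml cannot be edited through the API or Kibana, so keep the file under change control and distribute it identically to every node.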
Data security inside the Elasticsearch cluster
When Elasticsearch runs as a cluster (which is the usual case), the security settings inside the cluster become important. For secure communication between nodes Elasticsearch uses TLS, and to set up secure interaction between them you need certificates. We generate the certificate and private key in PEM format:
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem
After running the command above, the archive elastic-stack-ca.zip appears in the /.../elasticsearch directory. Inside it you will find the certificate and private key with the extensions crt and key respectively. It is convenient to place them on a shared resource that is accessible from all nodes in the cluster.
Each node now needs its own certificate and private key, issued from the ones in that directory. When you run the command you will be asked to set a password. You can add the extra options --ip and --dns so that the communicating nodes are fully verified.
As a result of running the command we get a certificate and a private key in PKCS#12 format, protected by a password. All that remains is to move the generated p12 file into the config directory:
There is one more security option: IP address filtering (available in subscriptions from the Gold level). It lets you create a whitelist of IP addresses from which access to the nodes is allowed.
Securing data outside the Elasticsearch cluster
Outside the cluster means connecting external tools: Kibana, Logstash, Beats or other external clients.
To enable https support (instead of http), add new lines to elasticsearch.yml:
After adding these keys, the Elasticsearch nodes are ready for https connections. Now they can be started.
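As an added example (not the article's own configuration), the elasticsearch.yml fragment that combines the three settings described above on one node: transport TLS between nodes, IP filtering, and the https listener; the path certs/node1.p12 and the subnet 192.168.0.0/24 are assumptions based on the node1 address seen in the _cat/nodes output.

```yaml
# elasticsearch.yml for one node. Paths are relative to the config directory.
xpack.security.enabled: true

# Transport layer: encryption and mutual authentication between cluster nodes.
# Assumed file: the password-protected PKCS#12 bundle generated for this node with
# elasticsearch-certutil cert. The same file serves as keystore and truststore because
# it carries both the node certificate and the CA certificate that signed it.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full   # also checks the name/IP, so generate with --dns/--ip
xpack.security.transport.ssl.keystore.path: certs/node1.p12
xpack.security.transport.ssl.truststore.path: certs/node1.p12

# HTTP layer: https for Kibana, Logstash, Beats and other external clients.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/node1.p12
xpack.security.http.ssl.truststore.path: certs/node1.p12

# IP filtering (Gold and above): deny everything, then allow only the cluster subnet.
# The subnet is an assumption derived from the 192.168.0.2 address of node1.
xpack.security.transport.filter.allow: ["192.168.0.0/24"]
xpack.security.transport.filter.deny: _all
```

The p12 password does not go into this file: add it to the Elasticsearch keystore with elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password (and the http equivalent) so that it is not stored in plain text.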
The next step is to create keys for connecting Kibana and add them to its configuration. Based on the certificate already in the directory, we generate certificates in PEM format (Kibana, Logstash and Beats do not support PKCS#12):
The keys are in place, so all that remains is to change the Kibana configuration so that it starts using them. In the kibana.yml configuration file, change http to https and add lines with the SSL connection settings. The last three lines configure secure communication between the user's browser and Kibana.
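As an added example (not the article's own configuration), a kibana.yml fragment covering both directions described above: Kibana to Elasticsearch over https with the node certificate checked against the cluster CA, and the browser to Kibana over https; the file paths under /etc/kibana/certs are assumptions, and the Elasticsearch username and password are expected to sit in the Kibana keystore created earlier.

```yaml
# kibana.yml. Assumed paths: the PEM files generated from the cluster CA with
# elasticsearch-certutil cert --pem (kibana.crt / kibana.key) plus the CA's own ca.crt.

# Kibana -> Elasticsearch: https, and the node certificate is verified against the CA.
elasticsearch.hosts: ["https://node1:9200"]
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
elasticsearch.ssl.verificationMode: full   # "certificate" would skip the hostname check
# elasticsearch.username and elasticsearch.password live in the Kibana keystore, not here.

# Browser -> Kibana: the last three lines the article refers to.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
```

If the browser must also trust the Kibana certificate without warnings, kibana.crt has to be issued by a CA the workstations already trust, not necessarily the internal cluster CA.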
With that the configuration is complete, and access to data in the Elasticsearch cluster is encrypted.
If you have questions about the capabilities of the Elastic Stack on a free or paid subscription, about monitoring tasks or about building a SIEM system, leave a request through the feedback form on our website.