Elastic under lock and key: enabling Elasticsearch cluster security options for access from inside and outside.

The Elastic Stack is a well-known tool in the SIEM market (and, in fact, not only there). It can collect large amounts of data of very different sizes, both sensitive and not so sensitive. It is not quite right when access to the Elastic Stack components themselves is left unsecured. By default, all out-of-the-box Elastic components (Elasticsearch, Logstash, Kibana, and the Beats collectors) run over open protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we explain how to do it. For convenience, we have split the story into 3 semantic blocks:

  • Role-based data access model
  • Data security inside the Elasticsearch cluster
  • Securing data outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not configure it in any way, access to all indices is open to everyone. Well, to everyone who can use curl. To prevent this, Elasticsearch has a role model that is available starting from the Basic subscription (the free one). Schematically it looks like this:

What is in the picture

  • Users are everyone who can log in with their credentials.
  • A role is a set of rights.
  • A right is a set of privileges.
  • A privilege is a permission to write, read, delete, and so on. (Full list of privileges)
  • Resources are indices, documents, fields, users, and other security entities (the role model for some resources is only available with a paid subscription).

By default, Elasticsearch ships with built-in users that have built-in roles attached. Once you enable the security settings, you can start using them right away.

To enable security in the Elasticsearch settings, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to assign passwords to the built-in users. Let's do this interactively with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Let's check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the settings on the Elasticsearch side are complete. Now it is time to configure Kibana. If you start it now, errors will appear, so you need to create a keystore first. This is done with two commands (the user is kibana and the password is the one entered for it at the password creation step in Elasticsearch):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is done correctly, Kibana will start asking for a login and password. The Basic subscription includes a role model based on internal users. Starting with Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and Single sign-on systems.

Access rights to objects inside Elasticsearch can also be restricted. However, to do the same at the level of documents or fields, you need a paid subscription (this luxury starts at the Platinum level). These settings are available in the Kibana interface or through the Security API. You can try them through the familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}

Data security inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (the usual case), the security settings inside the cluster become important. For secure communication between nodes, Elasticsearch uses the TLS protocol. To set up secure interaction between them, you need a certificate. We generate a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the archive elastic-stack-ca.zip appears in the /../elasticsearch directory. Inside it you will find a certificate and a private key with the extensions crt and key respectively. It is recommended to place them on a shared resource that is accessible from all nodes of the cluster.

Each node now needs its own certificate and private key derived from those in the shared directory. While running the command, you will be asked to set a password. You can add the extra options -ip and -dns for full verification of the interacting node.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result of running the command, we receive a certificate and private key in PKCS#12 format, protected by a password. It remains to move the generated p12 file to the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the p12 certificate to the keystore and truststore on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the already familiar elasticsearch.yml, it remains to add the lines with the certificate data:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

We start all Elasticsearch nodes and run curl against them. If everything is done correctly, a response listing several nodes is returned:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP address filtering (available in subscriptions from the Gold level). It lets you create whitelists of IP addresses from which access to the nodes is allowed.

Securing data outside the Elasticsearch cluster

Outside the cluster means connecting external tools: Kibana, Logstash, Beats or other external clients.

To configure https support (instead of http), add new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Since the certificate is password-protected, add its password to the keystore and truststore on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the keys, the Elasticsearch nodes are ready to accept connections over https. Now they can be started.

The next step is to create a key for connecting Kibana and add it to its configuration. Based on the CA certificate that is already in the shared directory, we create a certificate in PEM format (Kibana, Logstash and Beats do not yet support PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

It remains to unpack the generated keys into the folder with the Kibana configuration:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so it remains to change the Kibana configuration so that it starts using them. In the kibana.yml configuration file, change http to https and add the lines with the SSL connection settings. The last three lines set up secure communication between the user's browser and Kibana.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt

That's it: the configuration is complete, and access to the data in the Elasticsearch cluster is locked down.
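A small audit script that checks elasticsearch.yml and kibana.yml against the hardening steps described in this article (security enabled, transport and http TLS, certificate verification, https Kibana hosts). This is an added example, not code from the article or from Elastic; it parses only the flat `key: value` lines these files use, so it needs no YAML library, and the sample configs are constructed.

```python
import re

# Expected values for elasticsearch.yml, taken from the steps in the article.
# verification_mode "full" is accepted as well, since it is stricter than "certificate".
ES_REQUIRED = {
    "xpack.security.enabled": {"true"},
    "xpack.security.transport.ssl.enabled": {"true"},
    "xpack.security.transport.ssl.verification_mode": {"certificate", "full"},  # "none" skips cert checks
    "xpack.security.http.ssl.enabled": {"true"},
}
# Kibana side: serve the browser over TLS and verify the Elasticsearch certificate.
KIBANA_REQUIRED = {
    "server.ssl.enabled": {"true"},
    "elasticsearch.ssl.verificationMode": {"certificate", "full"},
}

def parse_flat_yaml(text):
    """Return {key: value} for simple `key: value` lines; comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit(settings, required):
    """List findings: keys that are missing, or present with a value outside the hardened set."""
    findings = []
    for key, want in required.items():
        expected = "/".join(sorted(want))
        got = settings.get(key)
        if got is None:
            findings.append(f"missing: {key} (expected {expected})")
        elif got.lower() not in want:
            findings.append(f"weak: {key}={got} (expected {expected})")
    return findings

def audit_kibana_hosts(settings):
    """Flag every elasticsearch.hosts entry that still talks plaintext http."""
    hosts = settings.get("elasticsearch.hosts", "")
    urls = re.findall(r"\w+://[^\s\",\]]+", hosts)
    return [f"weak: plaintext host {u}" for u in urls if not u.startswith("https://")]

# Constructed samples: a node that enabled security but left TLS verification off
# and never switched the http layer to TLS, plus a Kibana still using plain http.
SAMPLE_ES = """cluster.name: demo
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none  # weak
"""
SAMPLE_KIBANA = 'elasticsearch.hosts: ["http://node1:9200"]\nserver.ssl.enabled: false\n'
```

Run `audit(parse_flat_yaml(SAMPLE_ES), ES_REQUIRED)` to see the two findings for the sample node; feeding it the lines from this article yields an empty list.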

If you have questions about the capabilities of the Elastic Stack on free or paid subscriptions, about monitoring tasks or about building a SIEM system, leave a request in the feedback form on our website.

Some of our other articles about the Elastic Stack on Habré:

Understanding Machine Learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Elasticsearch sizing

Source: www.habr.com
