Hardening ELK with the Search Guard plugin

Download links from inside China are not very reliable; the Search Guard version matrix and a Kibana mirror:
https://docs.search-guard.com/6.x-25/search-guard-versions
https://www.newbe.pro/Mirrors/Mirrors-Kibana/
Download the plugin build that matches your exact Elasticsearch/Kibana version: each build is compiled against one version and elasticsearch-plugin install rejects a mismatch.

Elasticsearch

On the Elasticsearch host (-b runs in batch mode and accepts the plugin's permission prompt):
./elasticsearch-plugin install -b file:///home/search-guard-6-6.4.1-25.5.zip
cd /usr/share/elasticsearch/plugins/search-guard-6/tools
Set up TLS with the demo installer, ./install_demo_configuration.sh, answering its three prompts y, y, n. It writes demo certificates into the Elasticsearch config directory and appends the block below to elasticsearch.yml. The default user is admin with password admin; users are stored in ../sgconfig/sg_internal_users.yml as bcrypt hashes, so to change it generate a new hash with ./hash.sh -p <newpassword>, paste it into that file and upload the config with ./sgadmin.sh.

Check the configuration file (this is what the installer appended to elasticsearch.yml):

# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
xpack.security.enabled: false
######## End Search Guard Demo Configuration ########

Browse to https://localhost:9200: the node now answers over TLS and prompts for a user name and password.
[Screenshot 1]

Kibana

On the Kibana host (the plugin build must match the installed Kibana version exactly, as with Elasticsearch):
./kibana-plugin install file:///home/search-guard-kibana-plugin-6-6.8.10-19.2.zip
Then in kibana.yml (elasticsearch.ssl.verificationMode: none is tolerable only while Elasticsearch still runs the demo certificates; with your own CA, point elasticsearch.ssl.certificateAuthorities at root-ca.pem and set verificationMode to full):
server.port: 5601
server.host: "192.168.50.113"
elasticsearch.url: "https://192.168.50.113:9200"
kibana.index: ".kibana"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
xpack.monitoring.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
xpack.security.enabled: false

[Screenshot 2]

Logstash

[root@localhost home]# vim test/std.conf 

input {
    file {
        path => "/var/log/messages"
        start_position => "beginning"
        # the index pattern below references [log_source]; if the field is never set,
        # Logstash leaves the literal "%{[log_source]}" in the index name
        add_field => { "log_source" => "messages" }
    }
}
output {
    elasticsearch {
        hosts => [ "192.168.50.113:9200" ]
        index => "messageslog-%{[log_source]}-%{+YYYY.MM.dd}"
        user => "admin"
        password => "admin"
        ssl => true
        # demo certificates only; with your own CA drop this line and set
        # cacert => "/path/to/root-ca.pem" so the server certificate is verified
        ssl_certificate_verification => false
    }
    stdout { codec => rubydebug }
}
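The WARNING line in the Elasticsearch block, elasticsearch.ssl.verificationMode: none in kibana.yml and ssl_certificate_verification => false in the Logstash output are the settings that must not survive into production. As an added example (not code from the page or from Search Guard), the POSIX sh script below audits all three files for those demo-only values. The list of checks, the hardened counterpart and the sample files it writes under a temporary directory are my own construction, and the admin DN CN=sgadmin is an assumed name.

```shell
#!/bin/sh
# Added example, not from the page or from Search Guard: audit the three
# config files of the walkthrough for values that the demo setup leaves in a
# lab-only state. The checks are mine; the write_* helpers emit constructed
# sample files that mirror the page's snippets so the script runs offline.

# flag_setting FILE ERE MESSAGE: print MESSAGE if a line of FILE matches ERE.
# Returns 0 when flagged, 1 when not.
flag_setting() {
    grep -Eq "$2" "$1" || return 1
    echo "FLAG [$1]: $3"
}

# audit_es_config FILE: exit status = number of demo-only settings found.
audit_es_config() {
    n=0
    flag_setting "$1" '^[[:space:]]*searchguard\.allow_unsafe_democertificates:[[:space:]]*true' \
        'demo certificates accepted; issue node certs from your own CA and set this to false' && n=$((n+1))
    flag_setting "$1" '^[[:space:]]*searchguard\.allow_default_init_sgindex:[[:space:]]*true' \
        'searchguard index auto-initialised from sgconfig/ at startup; remove once sgadmin.sh manages it' && n=$((n+1))
    flag_setting "$1" '^[[:space:]]*searchguard\.ssl\.transport\.enforce_hostname_verification:[[:space:]]*false' \
        'transport TLS skips hostname checks; set true with node certs that carry their hostnames' && n=$((n+1))
    flag_setting "$1" '^[[:space:]]*-[[:space:]]*CN=kirk,' \
        'admin_dn still trusts the demo admin cert (kirk), whose private key ships in the plugin zip' && n=$((n+1))
    return $n
}

# audit_kibana_config FILE: exit status = number of weak settings found.
audit_kibana_config() {
    n=0
    flag_setting "$1" '^[[:space:]]*elasticsearch\.ssl\.verificationMode:[[:space:]]*none' \
        'Kibana accepts any certificate from :9200; set elasticsearch.ssl.certificateAuthorities and verificationMode: full' && n=$((n+1))
    flag_setting "$1" '^[[:space:]]*elasticsearch\.password:[[:space:]]*"?admin"?[[:space:]]*$' \
        'default admin password still in use' && n=$((n+1))
    return $n
}

# audit_logstash_config FILE: same, for the elasticsearch output block.
audit_logstash_config() {
    n=0
    flag_setting "$1" '^[[:space:]]*ssl_certificate_verification[[:space:]]*=>[[:space:]]*false' \
        'Logstash skips certificate verification; drop it and set cacert => "/path/to/root-ca.pem"' && n=$((n+1))
    flag_setting "$1" '^[[:space:]]*password[[:space:]]*=>[[:space:]]*"admin"' \
        'default admin password still in use' && n=$((n+1))
    return $n
}

# Constructed samples mirroring the page's snippets (not copied from a live host).
write_demo_es_config() {
    cat >"$1" <<'EOF'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
EOF
}
# Hardened counterpart: own PKI, hostname checks on, no auto-init, assumed admin DN.
write_hardened_es_config() {
    cat >"$1" <<'EOF'
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.allow_unsafe_democertificates: false
searchguard.authcz.admin_dn:
  - CN=sgadmin,OU=ops,O=example,C=US
EOF
}
write_demo_kibana_config() {
    cat >"$1" <<'EOF'
elasticsearch.url: "https://192.168.50.113:9200"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
elasticsearch.ssl.verificationMode: none
EOF
}
write_demo_logstash_config() {
    cat >"$1" <<'EOF'
output {
  elasticsearch {
    hosts => [ "192.168.50.113:9200" ]
    user => "admin"
    password => "admin"
    ssl => true
    ssl_certificate_verification => false
  }
}
EOF
}

# Stand-alone run: write the samples to a temp dir, audit each, summarise.
dir=$(mktemp -d)
write_demo_es_config "$dir/elasticsearch.yml"
write_hardened_es_config "$dir/elasticsearch.hardened.yml"
write_demo_kibana_config "$dir/kibana.yml"
write_demo_logstash_config "$dir/std.conf"
audit_es_config "$dir/elasticsearch.yml"          || echo "elasticsearch.yml: $? setting(s) to fix"
audit_es_config "$dir/elasticsearch.hardened.yml" && echo "elasticsearch.hardened.yml: clean"
audit_kibana_config "$dir/kibana.yml"             || echo "kibana.yml: $? setting(s) to fix"
audit_logstash_config "$dir/std.conf"             || echo "std.conf: $? setting(s) to fix"
rm -rf "$dir"
```

Run as-is to see the demo samples flagged and the hardened one pass; on a real host, source the file and point audit_es_config, audit_kibana_config and audit_logstash_config at /etc/elasticsearch/elasticsearch.yml, kibana.yml and the Logstash pipeline file. The exit status doubles as the finding count so it can gate a deployment script.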

[Screenshot 3]

[Screenshot 4]
