1. Installing ELK: search Baidu yourself, or see the short article I wrote earlier.
2. Install Search Guard (the plugin version, 5.1.1-9 here, must match the Elasticsearch version exactly or the install is refused):
bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.1.1-9
Certificates can be generated with the example scripts or through the web page; here they are generated with the scripts.
3. Configure Search Guard
Add the following to the Elasticsearch config file (elasticsearch.yml):
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node0.jks
searchguard.ssl.transport.keystore_password: yourpwd
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: yourpwd
searchguard.ssl.transport.enforce_hostname_verification: false  # disabled here; when enabled, each node certificate must contain that node's hostname or IP
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node0.jks
searchguard.ssl.http.keystore_password: yourpwd
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: yourpwd
searchguard.audit.type: internal_elasticsearch
searchguard.authcz.admin_dn:
- CN=sgadmin  # DN of the cluster admin certificate; it may differ depending on how the certificates were generated
To rule out environment problems, unpack a fresh copy, start it with the plugin configured, then run sgadmin (it uploads the sg_*.yml configuration into the searchguard index and connects with the admin certificate named in admin_dn):
tar -xzvf elasticsearch-.tar.gz
./elasticsearch
./sgadmin.sh
If it starts normally, the environment is at least fine and the problem is in your own configuration.
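The fragment above works, but two of its settings deserve a second look before the cluster goes anywhere near production. The script below is an added example (not part of the original post) that loads the same elasticsearch.yml fragment, reports the settings a reviewer would flag, and shows the corrected fragment beside it. It assumes Search Guard's `searchguard.ssl.transport.resolve_hostname` setting as I understand it, and treats `changeit` (the JDK default keystore password) as a default password; the YAML text is constructed inline.

```ruby
require 'yaml'

# Constructed elasticsearch.yml fragment reproducing the Search Guard settings above.
WEAK_ES_YML = <<~YAML
  searchguard.ssl.transport.enabled: true
  searchguard.ssl.transport.keystore_filepath: node0.jks
  searchguard.ssl.transport.keystore_password: yourpwd
  searchguard.ssl.transport.truststore_filepath: truststore.jks
  searchguard.ssl.transport.truststore_password: yourpwd
  searchguard.ssl.transport.enforce_hostname_verification: false
  searchguard.ssl.http.enabled: true
  searchguard.ssl.http.keystore_filepath: node0.jks
  searchguard.ssl.http.keystore_password: yourpwd
  searchguard.ssl.http.truststore_filepath: truststore.jks
  searchguard.ssl.http.truststore_password: yourpwd
  searchguard.audit.type: internal_elasticsearch
  searchguard.authcz.admin_dn:
    - CN=sgadmin
YAML

# Corrected fragment: hostname verification on (each node certificate must then
# carry the node's hostname or IP in its SAN), and hostnames resolved before the
# check. resolve_hostname is assumed to be the relevant Search Guard setting.
HARDENED_ES_YML = WEAK_ES_YML.sub('enforce_hostname_verification: false',
                                  'enforce_hostname_verification: true') +
                  "searchguard.ssl.transport.resolve_hostname: true\n"

# Passwords that ship as defaults; 'changeit' is the JDK cacerts default.
DEFAULT_STORE_PASSWORDS = %w[changeit].freeze

# Returns a list of human-readable findings; an empty list means nothing flagged.
def sg_findings(yml_text)
  cfg = YAML.safe_load(yml_text) || {}
  findings = []

  %w[transport http].each do |layer|
    # Transport TLS is mandatory for Search Guard; without HTTP TLS, the basic-auth
    # credentials Kibana and Logstash send travel in clear text.
    findings << "#{layer}: TLS not enabled" unless cfg["searchguard.ssl.#{layer}.enabled"] == true
    %w[keystore truststore].each do |store|
      pw = cfg["searchguard.ssl.#{layer}.#{store}_password"].to_s
      findings << "#{layer}: #{store} uses a default password" if DEFAULT_STORE_PASSWORDS.include?(pw)
    end
  end

  # With hostname verification off, any certificate issued by the trusted CA
  # (e.g. a leaked cert from another node) can join the cluster as a node.
  unless cfg['searchguard.ssl.transport.enforce_hostname_verification'] == true
    findings << 'transport: hostname verification disabled, any certificate from the trusted CA can join as a node'
  end

  # sgadmin authenticates with a client certificate whose DN must be listed here.
  findings << 'authcz: admin_dn is empty, sgadmin will be rejected' if Array(cfg['searchguard.authcz.admin_dn']).empty?
  findings << 'audit: no audit log configured' unless cfg.key?('searchguard.audit.type')
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts 'weak:',     sg_findings(WEAK_ES_YML)
  puts 'hardened:', sg_findings(HARDENED_ES_YML).inspect
end
```

Run it as a pre-flight check before sgadmin: the fragment from the post produces exactly one finding, the hostname-verification one; after the fix the list is empty. Turning verification on only helps if the node certificates were generated with the right hostnames, so regenerate them if the script produced generic CNs.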
4. Configure Kibana and roles
Install the Search Guard Kibana plugin (its version must match Kibana 5.1.1):
./kibana-plugin install https://github.com/floragunncom/search-guard-kibana-plugin/releases/download/v5.1.1-alpha/searchguard-kibana-alpha-5.1.1.zip
Then in kibana.yml:
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "xxxx"
elasticsearch.ssl.ca: /path/to/root-ca.pem  # the CA certificate (PEM) that signed the node certificates, e.g. root-ca.pem from the example scripts; a private key such as CN=sgadmin.key.pem does not work here
searchguard.cookie.password: "xxxxxxxx"  # random secret used to sign the session cookie; needs at least 32 characters
Logstash output to Elasticsearch over TLS (in the logstash pipeline config):
output {
  elasticsearch {
    xxx  # hosts, user and password are omitted in the original
    ssl => true
    ssl_certificate_verification => true  # if false, the server certificate is not checked and the truststore below is pointless
    truststore => "/path/to/elasticsearch-2.3.3/config/truststore.jks"
    truststore_password => "changeit"
  }
}
Role definition in sg_roles.yml (read-only on test-* indices, full control of the .kibana index):
sg_testuser:
  cluster:
    - indices:*  # very broad for a cluster-level grant; a Kibana user needs only a handful of monitor and mget/msearch actions here
  indices:
    'test-*':
      '*':
        - READ  # action group: read-only on every type in test-* indices
    '?kibana':
      '*':
        - indices:*  # full control of .kibana so Kibana can write saved objects
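Reading a role file is easy; predicting what it actually permits is where mistakes hide (the `?` in `?kibana`, the `*` type, the bare `indices:*`). The following is an added example, not Search Guard code, that loads the role above and evaluates index and cluster actions against it using Search Guard style wildcards (`*` any run, `?` exactly one character). The expansion of the `READ` action group is assumed from the default sg_action_groups.yml; real Search Guard evaluation also involves role mappings and DLS/FLS, which are ignored here.

```ruby
require 'yaml'

# Constructed sg_roles.yml fragment, identical to the role defined above.
SG_ROLES_YML = <<~YAML
  sg_testuser:
    cluster:
      - indices:*
    indices:
      'test-*':
        '*':
          - READ
      '?kibana':
        '*':
          - indices:*
YAML

# Assumed READ action group (mirrors the default sg_action_groups.yml shipped with Search Guard 5).
ACTION_GROUPS = {
  'READ' => ['indices:data/read*', 'indices:admin/mappings/fields/get*']
}.freeze

# Search Guard style wildcard: '*' matches any run, '?' exactly one character.
def wildcard_match?(pattern, value)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.') + '\z')
  !(re =~ value).nil?
end

# Recursively replace action-group names by the concrete action patterns they stand for.
def expand_actions(actions)
  actions.flat_map { |a| ACTION_GROUPS.key?(a) ? expand_actions(ACTION_GROUPS[a]) : [a] }
end

# Is `action` on `index`/`type` covered by any index grant of the role?
def index_action_allowed?(roles, role_name, index, type, action)
  role = roles.fetch(role_name)
  (role['indices'] || {}).any? do |index_pattern, types|
    wildcard_match?(index_pattern, index) &&
      types.any? do |type_pattern, actions|
        wildcard_match?(type_pattern, type) &&
          expand_actions(actions).any? { |ap| wildcard_match?(ap, action) }
      end
  end
end

# Cluster-level actions (Search Guard treats mget/msearch as cluster-level).
def cluster_action_allowed?(roles, role_name, action)
  expand_actions(roles.fetch(role_name)['cluster'] || []).any? { |ap| wildcard_match?(ap, action) }
end

# Least-privilege review: list every grant that collapses to "everything".
BROAD_PATTERNS = ['*', 'indices:*', 'cluster:*'].freeze

def broad_grants(roles, role_name)
  role = roles.fetch(role_name)
  findings = expand_actions(role['cluster'] || []).select { |ap| BROAD_PATTERNS.include?(ap) }
                                                  .map { |ap| "cluster: #{ap}" }
  (role['indices'] || {}).each do |index_pattern, types|
    types.each do |type_pattern, actions|
      expand_actions(actions).each do |ap|
        findings << "#{index_pattern}/#{type_pattern}: #{ap}" if BROAD_PATTERNS.include?(ap)
      end
    end
  end
  findings
end

ROLES = YAML.safe_load(SG_ROLES_YML)

if __FILE__ == $PROGRAM_NAME
  puts index_action_allowed?(ROLES, 'sg_testuser', 'test-2017.01.01', 'doc', 'indices:data/write/index')
  puts broad_grants(ROLES, 'sg_testuser').inspect
end
```

Two things the run makes visible: `?kibana` matches `xkibana` as well as `.kibana`, since `?` is any single character, and the cluster list covers `indices:data/read/msearch` but not `cluster:monitor/health`, which Kibana's status check calls, so this role grants too much in one place and too little in another.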
On this system logstash 5.1.1 is managed by Upstart, so it is started with:
initctl start logstash
Switching Kibana to a Chinese map (AutoNavi tiles; the browser fetches these tiles directly from the provider over plain http):
tilemap.url: 'http://webrd01.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'
Grok pattern for the MySQL slow log (Percona Server extended format, with the Schema/Last_errno/Bytes_sent lines). The whole entry must reach the filter as one multi-line event (multiline codec). The three (?<name>...) capture-group names were lost in extraction; sql_comment, query and end_time are placeholders:
"(?m)^#\s+User@Host:\s+%{USER:user}\[[a-zA-Z0-9._-]+\]\s@\s\s\[%{IPV4:clientip}\]\s\sId:\s%{NUMBER:row_id}\n^#\sSchema:\s%{USERNAME:db_name}\s\sLast_errno:\s%{NUMBER:last_errno}\s\sKilled:\s%{NUMBER:killed_num}\n^#\sQuery_time:\s%{BASE16FLOAT:query_time}\s\sLock_time:\s%{BASE16FLOAT:lock_time}\s\sRows_sent:\s%{NUMBER:rows_sent}\s\sRows_examined:\s%{NUMBER:rows_examined}\s\sRows_affected:\s%{NUMBER:rows_affected}\n^#\sBytes_sent:\s%{NUMBER:bytes_sent}\n([a-z]+\s%{USERNAME:use_db};\n)?SET\stimestamp=%{NUMBER:log_date};\n(/\*\s(?<sql_comment>.*)\s\*/\s)?(?<query>.*);(\s#\sTime:\s(?<end_time>.*))?"
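Grok is Oniguruma underneath, so the pattern above can be exercised without Logstash. The script below is an added example, not from the original post, that expands the grok pattern into a plain Ruby regex (USER/USERNAME, NUMBER and IPV4 are simplified expansions of the stock grok definitions, and the times use NUMBER rather than BASE16FLOAT), runs it over a constructed Percona-style slow-log entry, and coerces the numeric fields the way `:int`/`:float` suffixes would. The `sql_comment`, `query` and `end_time` names are the placeholders used above.

```ruby
USERNAME = '[a-zA-Z0-9._-]+'                  # grok USER / USERNAME
IPV4     = '(?:\d{1,3}\.){3}\d{1,3}'          # simplified; grok's IPV4 also bounds each octet
NUMBER   = '[+-]?(?:\d+(?:\.\d+)?|\.\d+)'     # grok NUMBER without its look-behind

# One piece per slow-log line, mirroring the grok pattern above. Regexp::MULTILINE
# is Ruby's dotall flag, i.e. the same thing grok's leading (?m) switches on.
LINE_RES = [
  /\A#\s+User@Host:\s+(?<user>#{USERNAME})\[[a-zA-Z0-9._-]+\]\s@\s\s\[(?<clientip>#{IPV4})\]\s\sId:\s(?<row_id>#{NUMBER})\n/,
  /#\sSchema:\s(?<db_name>#{USERNAME})\s\sLast_errno:\s(?<last_errno>#{NUMBER})\s\sKilled:\s(?<killed_num>#{NUMBER})\n/,
  /#\sQuery_time:\s(?<query_time>#{NUMBER})\s\sLock_time:\s(?<lock_time>#{NUMBER})\s\sRows_sent:\s(?<rows_sent>#{NUMBER})\s\sRows_examined:\s(?<rows_examined>#{NUMBER})\s\sRows_affected:\s(?<rows_affected>#{NUMBER})\n/,
  /#\sBytes_sent:\s(?<bytes_sent>#{NUMBER})\n/,
  /(?:[a-z]+\s(?<use_db>#{USERNAME});\n)?/,
  /SET\stimestamp=(?<log_date>#{NUMBER});\n/,
  /(?:\/\*\s(?<sql_comment>.*)\s\*\/\s)?(?<query>.*);(?:\s#\sTime:\s(?<end_time>.*))?/
].freeze
SLOW_LOG_RE = Regexp.new(LINE_RES.map(&:source).join, Regexp::MULTILINE)

INT_FIELDS   = %w[row_id last_errno killed_num rows_sent rows_examined rows_affected bytes_sent log_date].freeze
FLOAT_FIELDS = %w[query_time lock_time].freeze

# Returns a Hash of field name => value, or nil when the entry does not match
# (Logstash would tag such an event _grokparsefailure).
def parse_slow_log(entry)
  m = SLOW_LOG_RE.match(entry)
  return nil unless m
  fields = m.names.each_with_object({}) { |n, h| h[n] = m[n] }
  INT_FIELDS.each   { |k| fields[k] = Integer(fields[k]) }
  FLOAT_FIELDS.each { |k| fields[k] = Float(fields[k]) }
  fields
end

# Constructed Percona Server style entry (single space after "Id:", as the pattern requires).
SAMPLE_ENTRY = <<~LOG
  # User@Host: appuser[appuser] @  [10.0.0.25]  Id: 4521
  # Schema: shop  Last_errno: 0  Killed: 0
  # Query_time: 2.301544  Lock_time: 0.000112  Rows_sent: 1  Rows_examined: 183452  Rows_affected: 0
  # Bytes_sent: 512
  use shop;
  SET timestamp=1483228800;
  /* app:checkout */ SELECT count(*) FROM orders WHERE customer_id = 42;
LOG

# Constructed stock-MySQL entry: no Schema/Bytes_sent lines, so the pattern does not match.
STOCK_MYSQL_ENTRY = <<~LOG
  # Time: 170101  0:00:00
  # User@Host: appuser[appuser] @ localhost []
  # Query_time: 2.301544  Lock_time: 0.000112 Rows_sent: 1  Rows_examined: 183452
  SET timestamp=1483228800;
  SELECT 1;
LOG

if __FILE__ == $PROGRAM_NAME
  p parse_slow_log(SAMPLE_ENTRY)
  p parse_slow_log(STOCK_MYSQL_ENTRY)
end
```

The second sample shows the main operational gotcha: this pattern is for Percona's extended format, and entries from a stock MySQL server fail to parse. Note also that `query` carries the full SQL text with its literals, so whatever ends up in the `test-*` indices may contain customer data; keep the READ grant on those indices as narrow as the role above suggests.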