*主要参考:
1. 如何配置Elasticsearch的SSL证书开启HTTPS访问
2. ES集群设置访问密码
3. elasticsearch-create-enrollment-token证书https环境下无法生成口令
4. Elastic Stack 8 : Install Elasticsearch on FreeBSD14
1.安装elasticsearch
Install Full-Text search engine [Elasticsearch].
[1] . Install OpenJDK 17
Install OpenJDK 17, refer to here.
[2]. Install and Run Elasticsearch.
root@dlp:~ # pkg install -y elasticsearch8 curl
root@dlp:~ # sysctl security.bsd.unprivileged_mlock=1
root@dlp:~ # echo 'security.bsd.unprivileged_mlock=1' >> /etc/sysctl.conf
root@dlp:~ # service elasticsearch enable
elasticsearch enabled in /etc/rc.conf
root@dlp:~ # service elasticsearch start
Starting elasticsearch.
# reset admin user password
root@dlp:~ # elasticsearch-reset-password --auto --username elastic
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y
Password for the [elastic] user successfully reset.
New value: VC3wulb8T4euiA+DxIbO
# verify status
# password is the one that is shown above
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200
Enter host password for user 'elastic':
{
"name" : "dlp.srv.world",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "Tkls9_WiRm-XricowHjEVA",
"version" : {
"number" : "8.11.3",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "64cf052f3b56b1fd4449f5454cb88aca7e739d9a",
"build_date" : "2023-12-08T11:33:53.634979452Z",
"build_snapshot" : false,
"lucene_version" : "9.8.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
[3]. use Elasticsearch from other Hosts
If you use Elasticsearch from other Hosts, refer to the setting for Clustering.
It needs to configure the same settings with Clustering even if single node using if receiving requests from other Hosts.
[4]. This is the basic usage of Elasticsearch.
Create an Index first, it is like Database on RDB.
# show Index list ([pretty] means it shows JSON with human readable)
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/_aliases?pretty
Enter host password for user 'elastic':
{
".security-7" : {
"aliases" : {
".security" : {
"is_hidden" : true
}
}
}
}
# create Index
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt -X PUT "https://127.0.0.1:9200/test_index"
Enter host password for user 'elastic':
{"acknowledged":true,"shards_acknowledged":true,"index":"test_index"}
# verify
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/_aliases?pretty
Enter host password for user 'elastic':
{
".security-7" : {
"aliases" : {
".security" : {
"is_hidden" : true
}
}
},
"test_index" : {
"aliases" : { }
}
}
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/test_index/_settings?pretty
Enter host password for user 'elastic':
{
"test_index" : {
"settings" : {
"index" : {
"routing" : {
"allocation" : {
"include" : {
"_tier_preference" : "data_content"
}
}
},
"number_of_shards" : "1",
"provided_name" : "test_index",
"creation_date" : "1726619545200",
"number_of_replicas" : "1",
"uuid" : "MDldtWojT7ScXGXUzVmiIg",
"version" : {
"created" : "8500003"
}
}
}
}
}
[5]. Define Mapping and insert test data.
Mapping defines structure of Index. If inserting data, Mapping will be defined automatically, but it's possible to define manually, of course.
# insert data
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt \
-H "Content-Type: application/json" \
-X PUT "https://127.0.0.1:9200/test_index/_doc/001" -d '{
"subject" : "Test Post No.1",
"description" : "This is the initial post",
"content" : "This is the test message for using Elasticsearch."
}'
{"_index":"test_index","_id":"001","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
# show Mapping
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt "https://127.0.0.1:9200/test_index/_mapping/?pretty"
Enter host password for user 'elastic':
{
"test_index" : {
"mappings" : {
"properties" : {
"content" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"description" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"subject" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
}
}
# show data
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt "https://127.0.0.1:9200/test_index/_doc/001?pretty"
Enter host password for user 'elastic':
{
"_index" : "test_index",
"_id" : "001",
"_version" : 1,
"_seq_no" : 0,
"_primary_term" : 1,
"found" : true,
"_source" : {
"subject" : "Test Post No.1",
"description" : "This is the initial post",
"content" : "This is the test message for using Elasticsearch."
}
}
# search data
# example of Search conditions below means [description] field includes a word [initial]
root@dlp:~ # curl -u elastic --cacert /usr/local/etc/elasticsearch/certs/http_ca.crt "https://127.0.0.1:9200/test_index/_search?q=description:initial&pretty=true"
Enter host password for user 'elastic':
{
"took" : 61,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 0.2876821,
"hits" : [
{
"_index" : "test_index",
"_id" : "001",
"_score" : 0.2876821,
"_source" : {
"subject" : "Test Post No.1",
"description" : "This is the initial post",
"content" : "This is the test message for using Elasticsearch."
}
}
]
}
}
2.安装kibana
Install Kibana which is the Data Visualization tool for Elasticsearch.
[1]. Get SSL Certificate, or Create self-signed Certificate.
Get SSL Certificate, or Create self-signed Certificate.
It uses self signed Certificate on this example.
[2]. Install Kibana.
root@dlp:~ # pkg install -y kibana8
root@dlp:~ # cp /usr/local/etc/ssl/server.crt /usr/local/etc/kibana/
root@dlp:~ # cp /usr/local/etc/ssl/server.key /usr/local/etc/kibana/
root@dlp:~ # chown www /usr/local/etc/kibana/server.crt /usr/local/etc/kibana/server.key
# generate an enrollment token for Kibana
root@dlp:~ # elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI4LjExLjMiLCJhZHIiOlsiMTAuMC4wLjMwOjkyMDAiXSwiZmdyIjoiZmFiYzMxY2Q4MDVkOGE2YjQ0ZGViZTI1ZmIyYjEyYjY4NjM1MjljNjBjZWQwZjI0YTJiZTEzYzczOTVmYjE1MCIsImtleSI6IjJqektBcElCaVBodktHWVBYcEhhOmdnUERNMDFqUjItUzZWbEdaMXJlb2cifQ==
# setup Kibana
root@dlp:~ # kibana-setup --enrollment-token \
eyJ2ZXIiOiI4LjExLjMiLCJhZHIiOlsiMTAuMC4wLjMwOjkyMDAiXSwiZmdyIjoiZmFiYzMxY2Q4MDVkOGE2YjQ0ZGViZTI1ZmIyYjEyYjY4NjM1MjljNjBjZWQwZjI0YTJiZTEzYzczOTVmYjE1MCIsImtleSI6IjJqektBcElCaVBodktHWVBYcEhhOmdnUERNMDFqUjItUzZWbEdaMXJlb2cifQ==
✓ Kibana configured successfully.
To start Kibana run:
bin/kibana
root@dlp:~ # vi /usr/local/etc/kibana/kibana.yml
# line 11 : if access to Kibana from other hosts, uncomment and change (listen all)
server.host: "0.0.0.0"
# line 26 : uncomment and specify the public URL of Kibana server
server.publicBaseUrl: "https://dlp.srv.world:5601/"
# line 32 : uncomment and change to your hostname
server.name: "dlp.srv.world"
# line 37-39 : uncomment and change to your certificate
server.ssl.enabled: true
server.ssl.certificate: /usr/local/etc/kibana/server.crt
server.ssl.key: /usr/local/etc/kibana/server.key
root@dlp:~ # service kibana enable
kibana enabled in /etc/rc.conf
root@dlp:~ # service kibana start
Starting kibana.
[3].
Access to [https://(server's Hostname or IP address):5601/] from any client computer, then Kibana login form is shown. It's possible to login with [elastic] user and password. That's OK if successfully login and Dashboard is shown like follows.
3.配置elasticsearch和kibana
[1]. 生成elastic-stack-ca.p12证书机构文件
root@nas:/usr/local/etc/elasticsearch/certs # elasticsearch-certutil ca
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
root@nas:/usr/local/etc/elasticsearch/certs # elasticsearch-certutil cert --ca elastic-stack-ca.p12
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA)
unless the --self-signed command line option is specified.
The tool can automatically generate a new CA for you, or you can provide your own with
the --ca or --ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /usr/local/lib/elasticsearch/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[2]. 生成elastic-certificates.p12证书
root@nas:/usr/local/etc/elasticsearch/certs # elasticsearch-certutil cert --ca elastic-stack-ca.p12
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'cert' mode generates X.509 certificate and private keys.
* By default, this generates a single certificate and key for use
on a single instance.
* The '-multiple' option will prompt you to enter details for multiple
instances and will generate a certificate and key for each one
* The '-in' option allows for the certificate generation to be automated by describing
the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* All certificates generated by this tool will be signed by a certificate authority (CA)
unless the --self-signed command line option is specified.
The tool can automatically generate a new CA for you, or you can provide your own with
the --ca or --ca-cert command line options.
By default the 'cert' mode produces a single PKCS#12 output file which holds:
* The instance certificate
* The private key for the instance certificate
* The CA certificate
If you specify any of the following options:
* -pem (PEM formatted output)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /usr/local/lib/elasticsearch/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[3]. 移动文件,更改权限
root@nas:/usr/local/etc/elasticsearch/certs # mv /usr/local/lib/elasticsearch/elastic-* ./
root@nas:/usr/local/etc/elasticsearch/certs # ls
elastic-certificates.p12 elastic-stack-ca.p12
root@nas:/usr/local/etc/elasticsearch/certs # chown elasticsearch:elasticsearch elastic-
[4]. 生成http.p12私钥证书
root@nas:/usr/local/etc/elasticsearch/certs # elasticsearch-certutil http
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
## Elasticsearch HTTP Certificate Utility
The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
This tool will ask you a number of questions in order to generate the right
set of files for your needs.
## Do you wish to generate a Certificate Signing Request (CSR)?
A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).
If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.
Generate a CSR? [y/N]n
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.
If you do not have an existing CA, one will be generated for you.
Use an existing CA? [y/N]y
## What is the path to your CA?
Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /usr/local/etc/elasticsearch/certs/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?
Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.
Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
For how long should your certificate be valid? [5y] 10
Sorry, I do not understand '10' (Text cannot be parsed to a Period)
For how long should your certificate be valid? [5y] 100y
## Do you wish to generate one certificate per node?
If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.
Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.
If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.
However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.
Generate a certificate per node? [y/N]n
## Which hostnames will be used to connect to your nodes?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
localhost
192.68.1.2
127.0.0.1
You entered the following hostnames.
- localhost
- 192.68.1.2
- 127.0.0.1
Is this correct [Y/n]y
## Which IP addresses will be used to connect to your nodes?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
192.168.1.2
127.0.0.1
You entered the following IP addresses.
- 192.168.1.2
- 127.0.0.1
Is this correct [Y/n]y
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: localhost
Subject DN: CN=localhost
Key Size: 2048
Do you wish to change any of these options? [y/N]n
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none]
Repeat password to confirm:
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
What filename should be used for the output zip file? [/usr/local/lib/elasticsearch/elasticsearch-ssl-http.zip]
Zip file written to /usr/local/lib/elasticsearch/elasticsearch-ssl-http.zip
root@nas:/usr/local/etc/elasticsearch/certs #
[5]. 把包含 CA Cert 的 Keystore 作为 PrivateKeyEntry 类型重新导入
root@nas:/usr/local/etc/elasticsearch/certs # mv /usr/local/lib/elasticsearch/
bin/ config@ elasticsearch-ssl-http.zip lib/ modules/ plugins/
root@nas:/usr/local/etc/elasticsearch/certs # mv /usr/local/lib/elasticsearch/elasticsearch-ssl-http.zip ./
root@nas:/usr/local/etc/elasticsearch/certs # unzip elasticsearch-ssl-http.zip
Archive: elasticsearch-ssl-http.zip
creating: elasticsearch/
extracting: elasticsearch/README.txt
extracting: elasticsearch/http.p12
extracting: elasticsearch/sample-elasticsearch.yml
creating: kibana/
extracting: kibana/README.txt
extracting: kibana/elasticsearch-ca.pem
extracting: kibana/sample-kibana.yml
root@nas:/usr/local/etc/elasticsearch/certs # ls
elastic-certificates.p12 elastic-stack-ca.p12 elasticsearch elasticsearch-ssl-http.zip http.p12_back kibana
root@nas:/usr/local/etc/elasticsearch/certs # mv elasticsearch/http.p12 ./
root@nas:/usr/local/etc/elasticsearch/certs # keytool -importkeystore -destkeystore http.p12 -srckeystore elastic-stack-ca.p12 -srcstoretype PKCS12
正在将密钥库 elastic-stack-ca.p12 导入到 http.p12...
输入目标密钥库口令:
输入源密钥库口令:
存在现有条目别名 ca, 是否覆盖? [否]: y
已成功导入别名 ca 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
*参考来源 [elasticsearch-create-enrollment-token证书https环境下无法生成口令]
[6]. 更改证书权限
root@nas:/usr/local/etc/elasticsearch/certs # chown elasticsearch:elasticsearch http.p12
root@nas:/usr/local/etc/elasticsearch/certs # elasticsearch-create-enrollment-token -s kibana
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
11:35:07.481 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
11:35:09.218 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
11:35:10.543 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
11:35:11.828 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
11:35:12.321 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
11:35:12.657 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
11:35:13.668 [main] WARN org.elasticsearch.deprecation.common.settings.Settings - data_stream.dataset="deprecation.elasticsearch" data_stream.namespace="default" data_stream.type="logs" elasticsearch.event.category="settings" event.code="keystore.password" message="[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release."
eyJ2ZXIiOiI4LjExLjMiLCJhZHIiOlsiMTI3LjAuMC4xOjkyMDAiXSwiZmdyIjoiZjgyMGEyMjkyYjMwYjMxZWZiMzM3ZjZjNWJjZmU3ZWE1NGU0MGYyOWVmMzk4ODZlNjdiNDM2ZGYwYjAyOGQ0MCIsImtleSI6ImV3N3FLcGdCWGtZMkFzek54bGpQOnhKS0VCRWMyU0VHUXN5RnA3S0NfQVEifQ==
root@nas:/usr/local/etc/elasticsearch/certs # kibana-setup --enrollment-token eyJ2ZXIiOiI4LjExLjMiLCJhZHIiOlsiMTI3LjAuMC4xOjkyMDAiXSwiZmdyIjoiZjgyMGEyMjkyYjMwYjMxZWZiMzM3ZjZjNWJjZmU3ZWE1NGU0MGYyOWVmMzk4ODZlNjdiNDM2ZGYwYjAyOGQ0MCIsImtleSI6ImV3N3FLcGdCWGtZMkFzek54bGpQOnhKS0VCRWMyU0VHUXN5RnA3S0NfQVEifQ==
✔ Kibana configured successfully.
To start Kibana run:
bin/kibana
root@nas:/usr/local/etc/elasticsearch/certs #
[7]. 把证书密码存入elasticsearc.keystore
root@nas:/usr/local/etc/elasticsearch # elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
Enter value for xpack.security.transport.ssl.keystore.secure_password:
root@nas:/usr/local/etc/elasticsearch # elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
warning: ignoring JAVA_HOME=/usr/local/openjdk17; using bundled JDK
Enter value for xpack.security.transport.ssl.truststore.secure_password:
[8]. 配置elasticsearch.yml
root@nas:/usr/local/etc/elasticsearch/certs # cat ../elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /nas/data/db/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
#discovery.type: single-node
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
#
# ml is not supported on FreeBSD
xpack.ml.enabled: false
xpack.security.enrollment.enabled: true
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.http.ssl.keystore.password: "你设置的密码"
[9]. kibana.yml参考
root@nas:/usr/local/etc/kibana # cat kibana.yml
# For more configuration options see the configuration guide for Kibana in
# https://www.elastic.co/guide/index.html
# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
server.host: "0.0.0.0"
# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""
# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# Defaults to `false`.
#server.rewriteBasePath: false
# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""
server.publicBaseUrl: "https://kiban.mpoes.com:5601/"
# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576
# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"
server.name: "kibana.mpoes.com"
# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
#
server.ssl.enabled: true
server.ssl.certificate: /usr/local/etc/kibana/server.crt
server.ssl.key: /usr/local/etc/kibana/server.key
# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "kibana_system"
#elasticsearch.password: "pass"
# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000
# The maximum number of sockets that can be used for communications with elasticsearch.
# Defaults to `Infinity`.
#elasticsearch.maxSockets: 1024
# Specifies whether Kibana should use compression for communications with elasticsearch
# Defaults to `false`.
#elasticsearch.compression: false
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000
# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full
# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to debug to log everything. Defaults to 'info'
#logging.root.level: debug
# Enables you to specify a file where Kibana stores log output.
#logging.appenders.default:
# type: file
# fileName: /var/logs/kibana.log
# layout:
# type: json
# Logs queries sent to Elasticsearch.
#logging.loggers:
# - name: elasticsearch.query
# level: debug
# Logs http responses.
#logging.loggers:
# - name: http.server.response
# level: debug
# Logs system usage information.
#logging.loggers:
# - name: metrics.ops
# level: debug
# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defaults to data
path.data: /nas/data/db/kibana8/data
# Specifies the path where Kibana creates the process ID file.
pid.file: /var/run/kibana/kibana.pid
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000ms.
#ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
#i18n.locale: "en"
# =================== Frequently used (Optional)===================
# =================== Saved Objects: Migrations ===================
# Saved object migrations run at startup. If you run into migration-related issues, you might need to adjust these settings.
# The number of documents migrated at a time.
# If Kibana can't start up or upgrade due to an Elasticsearch `circuit_breaking_exception`,
# use a smaller batchSize value to reduce the memory pressure. Defaults to 1000 objects per batch.
#migrations.batchSize: 1000
# The maximum payload size for indexing batches of upgraded saved objects.
# To avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch.
# This value should be lower than or equal to your Elasticsearch cluster’s `http.max_content_length`
# configuration option. Default: 100mb
#migrations.maxBatchSizeBytes: 100mb
# The number of times to retry temporary migration failures. Increase the setting
# if migrations fail frequently with a message such as `Unable to complete the [...] step after
# 15 attempts, terminating`. Defaults to 15
#migrations.retryAttempts: 15
# =================== Search Autocomplete ===================
# Time in milliseconds to wait for autocomplete suggestions from Elasticsearch.
# This value must be a whole number greater than zero. Defaults to 1000ms
#unifiedSearch.autocomplete.valueSuggestions.timeout: 1000
# Maximum number of documents loaded by each shard to generate autocomplete suggestions.
# This value must be a whole number greater than zero. Defaults to 100_000
#unifiedSearch.autocomplete.valueSuggestions.terminateAfter: 100000
# This section was automatically generated during setup.
elasticsearch.hosts: ['https://127.0.0.1:9200']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWmva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE3TTMwNzE5NjczMjE7eWNxZ0NyUDFRV3FENGROOHNrVTJVdw
elasticsearch.ssl.certificateAuthorities: [/usr/local/www/kibana8/data/ca_1753079967723.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://127.0.0.1:9200'], ca_trusted_fingerprint: e5b90d93359a028fa28a4d4342f68916de7ddb4cceb6ca8715c2cfff326c5609}]