X-Pack encryption for the Elasticsearch service and key configuration for Kibana monitoring

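1. Evolution of X-Pack

Before 5.x: there was no X-Pack; security, watch, alert and the other features were separate, independent components.

5.x: the existing security, alerting, monitoring, graph and reporting features were packaged together to form X-Pack.

Before 6.3: X-Pack had to be installed separately.

6.3 and later: X-Pack is bundled with the release and needs no separate installation; basic security is part of the paid Gold tier.

6.8 and above: 6.8 ships with the X-Pack authentication plugin by default, free of charge.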

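2. Using X-Pack with Elasticsearch 7.x

Step 1: Change to the Elasticsearch bin directory and generate the certificate with the command below

The session is recorded in the screenshot below:

Step 2: Open config/elasticsearch.yml and append the following configuration at the end: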

# Enable X-Pack security authentication (default: false)
xpack.security.enabled: true
# Enable SSL/TLS on the transport layer
xpack.security.transport.ssl.enabled: true
# Transport SSL verification mode: certificate
xpack.security.transport.ssl.verification_mode: certificate
# Transport SSL keystore path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
# Transport SSL truststore path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Step 3: Set the passwords

First, cd to the bin directory and start the ES service
cd /softwre/elasticsearch-7.17.0/bin
./elasticsearch -d
# Run ./elasticsearch-setup-passwords auto
# or ./elasticsearch-setup-passwords interactive,
# which generate the passwords automatically or let you enter them manually, respectively
./elasticsearch-setup-passwords auto # generate the passwords automatically
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console. Please confirm that you would like to continue [y/N]y
Changed password for user apm_system 
PASSWORD apm_system = 13LPHzQeDlgWsqYv8x8t 
Changed password for user kibana_system 
PASSWORD kibana_system = RCvmo6yHcHwvSkRpXOlN 
Changed password for user kibana
PASSWORD kibana = RCvmo6yHcHwvSkRpXOlN 
Changed password for user logstash_system 
PASSWORD logstash_system = svCBzClVVjFnyorUNy3R 
Changed password for user beats_system 
PASSWORD beats_system = KPRaQC4uQnpVupWwvAdK 
Changed password for user remote_monitoring_user 
PASSWORD remote_monitoring_user = AyDJjCn9TE8nI1lq8dkW 
Changed password for user elastic 
PASSWORD elastic = YoAvfDNI20wqynZbKHDh 
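# Strongly recommended: append the passwords to a file of your own. (Once a password has been written into configuration files, losing it means regenerating it; the regenerated password will be different, and the corresponding configuration has to be adjusted as well.)
# The command for changing a password is shown below (it requires the original password, i.e. the one generated above).
# The JSON body carries the new password; "123456" is the sample value used here.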
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://127.0.0.1:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "123456" }'

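Step 4: Verify. Open a browser and enter the URL of our Elasticsearch instance

Kibana authentication

Edit the Kibana configuration file, add the settings below, then restart the Kibana service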

elasticsearch.username: "kibana"
elasticsearch.password: "RCvmo6yHcHwvSkRpXOlN"

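Step 5: Verify the Kibana login credentials

Configuring API object encryption for the Kibana alerting feature

When the following warning and prompt appear under the alerting options on a Kibana sub-page, configure Kibana data encryption:

A new encryption key is generated for saved objects each time Kibana starts. Without a persistent key, rules cannot be deleted or modified after Kibana restarts. To set a persistent key, add the xpack.encryptedSavedObjects.encryptionKey setting, with a text value of 32 or more arbitrary characters, to the kibana.yml file.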

{
  "name": "Error",
  "body": {
    "message": "exception: Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node.",
    "status_code": 500
  },
  "message": "Internal Server Error",
  "stack": "Error: Internal Server Error\n at fetch_Fetch.fetchResponse (http://192.168.1.10:5601/46534/bundles/core/core.entry.js:8:57043)\n at async http://192.168.1.10:5601/46534/bundles/core/core.entry.js:8:55211\n at async http://192.168.1.10:5601/46534/bundles/core/core.entry.js:8:55168"
}

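Run the following in Kibana's bin directory

# Note: these three values must be stored separately, because if you forget an encryption key or need to change it, you have to generate a new key and update the configuration in the kibana.yml file.
# Note that changing an encryption key makes all previously encrypted saved objects inaccessible unless you have a backup of the old key.
# From the encryption results printed to the console, copy each whole encryptionKey line to the bottom of the Kibana configuration file.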

./kibana-encryption-keys generate
## Kibana Encryption Key Generation Utility

The 'generate' command guides you through the process of setting encryption keys for:

xpack.encryptedSavedObjects.encryptionKey
    Used to encrypt stored objects such as dashboards and visualizations
    https://www.elastic.co/guide/en/kibana/current/xpack-security-secure-saved-objects.html#xpack-security-secure-saved-objects

xpack.reporting.encryptionKey
    Used to encrypt saved reports
    https://www.elastic.co/guide/en/kibana/current/reporting-settings-kb.html#general-reporting-settings

xpack.security.encryptionKey
    Used to encrypt session information
    https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#security-session-and-cookie-settings


Already defined settings are ignored and can be regenerated using the --force flag.  Check the documentation links for instructions on how to rotate encryption keys.
Definitions should be set in the kibana.yml used configure Kibana.

Settings:
xpack.encryptedSavedObjects.encryptionKey: f2cfd910f7598a22b8afc2ae786fb24e
xpack.reporting.encryptionKey: 6cb60a2f8929d8fecc4742aaa886c360
xpack.security.encryptionKey: df414943b62a81448a6f675839d1ee3a
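
The check below is an added example, not code from the original post or from Kibana: it audits a kibana.yml for the three settings printed above and reports any that are missing, shorter than the 32 characters named in the Kibana warning, or copied from the values published in this article. The function names, the SAMPLE fragment and applying the 32-character minimum to all three settings are assumptions of this example.

```python
import re

# The three settings printed by `kibana-encryption-keys generate` on this page.
KEY_SETTINGS = (
    "xpack.encryptedSavedObjects.encryptionKey",
    "xpack.reporting.encryptionKey",
    "xpack.security.encryptionKey",
)
MIN_LEN = 32  # from the Kibana warning; applying it to all three is an assumption
# Keys printed in this article are public, so a real deployment must not reuse them.
PUBLISHED = {
    "f2cfd910f7598a22b8afc2ae786fb24e",
    "6cb60a2f8929d8fecc4742aaa886c360",
    "df414943b62a81448a6f675839d1ee3a",
}

def parse_flat_yaml(text):
    """Read flat `dotted.key: value` lines (the only form used on this page)."""
    settings = {}
    for line in text.splitlines():
        # Comment lines start with '#', which the key pattern cannot match.
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit_encryption_keys(text):
    """Return (setting, problem) pairs; an empty list means no finding."""
    cfg, findings = parse_flat_yaml(text), []
    for name in KEY_SETTINGS:
        value = cfg.get(name, "")
        if not value:
            findings.append((name, "missing"))      # no persistent key set
        elif len(value) < MIN_LEN:
            findings.append((name, "too short"))
        elif value in PUBLISHED:
            findings.append((name, "published"))    # copied from this article
    return findings

# Constructed kibana.yml fragment (hypothetical, for this example only).
SAMPLE = """\
elasticsearch.username: "kibana"
xpack.encryptedSavedObjects.encryptionKey: f2cfd910f7598a22b8afc2ae786fb24e
xpack.security.encryptionKey: "short-key"
"""

if __name__ == "__main__":
    for setting, problem in audit_encryption_keys(SAMPLE):
        print(f"{setting}: {problem}")
```

The parser does not handle nested YAML or trailing inline comments, which the configuration on this page does not use.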
