ELK Series, Part 3: ELK 6.5.3 + X-Pack Crack
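Hello everyone. Continuing from the previous chapter: after installing and deploying the environment, we need to enable Platinum-license features such as user login authorization. I have extended the license to 2050.
Right, enough talk, let's begin.
I. Compile the jar and update the license
Since Elasticsearch 6.3, X-Pack is installed by default, so users no longer need to install it themselves. Before going further you can first try the 30-day trial (this does not affect the crack later).
1.1 Start the trial
After starting Elasticsearch, start the trial via curl (adjust the port as needed)
curl -H "Content-Type:application/json" -XPOST 'http://localhost:9200/_xpack/license/start_trial?acknowledge=true'
You can of course also do this in the web UI:
click Management, click Elasticsearch, click License Management, then start the trial
1.2 Go to the /usr/local directory (choose whatever you prefer; the files created here will be deleted later)
If you don't want to build it yourself, you can use the jar I have already packaged (then skip to the overwrite commands in step 1.4)
Jar download: https://pan.baidu.com/s/1L3cqrSP6Q3s1oREISjEj7g password: t3q4
① Create the LicenseVerifier.java file
vim LicenseVerifier.java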
package org.elasticsearch.license;
import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;
public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }
    public static boolean verifyLicense(final License license) {
        return true;
    }
}
② Create the XPackBuild.java file
vim XPackBuild.java
package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;
public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;
    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }
    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }
    public String shortHash() {
        return this.shortHash;
    }
    public String date() {
        return this.date;
    }
    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
1.3 Compile the two files separately
javac -cp "/data/elasticsearch-6.5.3/lib/elasticsearch-6.5.3.jar:/data/elasticsearch-6.5.3/lib/lucene-core-7.5.0.jar:/data/elasticsearch-6.5.3/modules/x-pack-core/x-pack-core-6.5.3.jar" LicenseVerifier.java
javac -cp "/data/elasticsearch-6.5.3/lib/elasticsearch-6.5.3.jar:/data/elasticsearch-6.5.3/lib/lucene-core-7.5.0.jar:/data/elasticsearch-6.5.3/modules/x-pack-core/x-pack-core-6.5.3.jar:/data/elasticsearch-6.5.3/lib/elasticsearch-core-6.5.3.jar" XPackBuild.java
Compilation produces two files, LicenseVerifier.class and XPackBuild.class
1.4 Overwrite the existing jar file
cd /usr/local
mkdir tempJar
cp /data/elasticsearch-6.5.3/modules/x-pack-core/x-pack-core-6.5.3.jar tempJar/
cd tempJar
jar -xf x-pack-core-6.5.3.jar
cp ../LicenseVerifier.class org/elasticsearch/license/
cp ../XPackBuild.class org/elasticsearch/xpack/core/
rm x-pack-core-6.5.3.jar
jar -cvf x-pack-core-6.5.3.jar *
# Back up the original jar before overwriting
cp /data/elasticsearch-6.5.3/modules/x-pack-core/x-pack-core-6.5.3.jar /data/elasticsearch-6.5.3/modules/x-pack-core/x-pack-core-6.5.3.jar.bak
# Overwrite the existing jar
cp x-pack-core-6.5.3.jar /data/elasticsearch-6.5.3/modules/x-pack-core/
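Seen from the defender's side, the replacement in step 1.4 leaves the deployed jar different from the vendor's at the entry level. The following is an added example, not part of the original post: it compares a deployed jar with a reference copy and lists the class entries that differ. It assumes the reference jar comes from a checksum-verified copy of the same-version official distribution; the sample jars and their contents are constructed placeholders.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes):
    """Map every file entry of a jar (zip) to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}


def diff_jars(reference_bytes, deployed_bytes):
    """Entries added, removed or changed in the deployed jar relative to the reference."""
    ref, dep = entry_digests(reference_bytes), entry_digests(deployed_bytes)
    return {
        "added": sorted(set(dep) - set(ref)),
        "removed": sorted(set(ref) - set(dep)),
        "changed": sorted(n for n in ref.keys() & dep.keys() if ref[n] != dep[n]),
    }


def changed_classes(diff):
    """Class files that differ in any way; these are what an investigator reviews first."""
    # A repack with `jar -cvf` also rewrites META-INF/MANIFEST.MF, so the manifest
    # shows up under "changed" as well but is excluded here.
    names = diff["added"] + diff["removed"] + diff["changed"]
    return sorted(n for n in names if n.endswith(".class"))


def _make_jar(manifest, verifier, build):
    """Build an in-memory jar for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/elasticsearch/license/License.class", b"placeholder-C")
        jar.writestr("org/elasticsearch/license/LicenseVerifier.class", verifier)
        jar.writestr("org/elasticsearch/xpack/core/XPackBuild.class", build)
    return buf.getvalue()


# Constructed samples: entry names follow the paths used on this page,
# contents are placeholder bytes, not real class files.
REFERENCE = _make_jar(b"Manifest-Version: 1.0\nCreated-By: vendor\n", b"vendor-A", b"vendor-B")
DEPLOYED = _make_jar(b"Manifest-Version: 1.0\nCreated-By: repack\n", b"local-A", b"local-B")

print(changed_classes(diff_jars(REFERENCE, DEPLOYED)))
```

For real files, pass the bytes of the two jars read from disk to `diff_jars`; an empty result from `changed_classes` means no class entry differs from the reference.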
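1.5 Edit the elasticsearch.yml configuration file
vim /data/elasticsearch-6.5.3/config/elasticsearch.yml
# Add the following to enable X-Pack security verification
xpack.security.enabled: true
1.6 Generate usernames and passwords
# Elasticsearch must be restarted for the configuration change above to take effect
cd /data/elasticsearch-6.5.3/bin
# Generate automatically (choose one of the two)
./elasticsearch-setup-passwords auto
# Set manually (choose one of the two)
./elasticsearch-setup-passwords interactive
I used automatic generation this time
./elasticsearch-setup-passwords auto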
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y
Changed password for user apm_system
PASSWORD apm_system = Qql5kU1s0qlgjvH5OeTcZ7
Changed password for user kibana
PASSWORD kibana = 9BTNVpn1xF21k2bcAKH1He
Changed password for user logstash_system
PASSWORD logstash_system = JFboJA33c997QcxMetkMTX
Changed password for user beats_system
PASSWORD beats_system = PEjPdJw9r4HUZ8kHezOK5Zy
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = 1yn3L53C71Wgml8uGdKUcf
Changed password for user elastic
PASSWORD elastic = 1CHYC5IO6T86rgZM66kyOw
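1.7 Configure the generated elastic password in Kibana
vim /data/kibana-6.5.3-linux-x86_64/config/kibana.yml
# Find the following parameters and change them (the username and password below are those of your own Elasticsearch account)
# i.e. the password generated in the previous step (1.6)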
elasticsearch.username: elastic
elasticsearch.password: 1CHYC5IO6T86rgZM66kyOw
1.8 Start Kibana (restart Elasticsearch first)
supervisorctl restart elasticsearch
supervisorctl restart kibana
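Once it has started, visit Kibana (no need for me to say more here; remember to open the port)
But we find there is only a one-month trial period (visible under Management -> License Management on the home page after logging in)
Before updating the license, turn X-Pack security off first, otherwise an error is reported: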
{"error":{"root_cause":[{"type":"illegal_state_exception","reason":"Cannot install a [PLATINUM] license unless TLS is configured or security is disabled"}],"type":"illegal_state_exception","reason":"Cannot install a [PLATINUM] license unless TLS is configured or security is disabled"},"status":500}
To turn it off:
vim /data/elasticsearch-6.5.3/config/elasticsearch.yml
# Set the following to disable X-Pack security verification
xpack.security.enabled: false
# Then restart
supervisorctl restart elasticsearch
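The license I generated is as follows:
"type":"platinum" denotes a Platinum license. If you need to generate your own license, you can apply for one on the official website and then modify it.
The contents of license.json are as follows: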
{"license":{"uid":"21b42476-d3a5-4662-95e3-7463c9a9c167","type":"platinum","issue_date_in_millis":1545177600000,"expiry_date_in_millis":2544271999999,"max_nodes":100,"issued_to":"wei wu (wu2700222)","issuer":"Web Form","signature":"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","start_date_in_millis":1545177600000}}
Then upload license.json to the server and submit it with curl
curl -XPUT -u elastic 'http://127.0.0.1:9200/_xpack/license' -H "Content-Type: application/json" -d @elk_license.json
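A response of {"acknowledged":true,"license_status":"valid"} means success
Then turn X-Pack security back on and restart
vim /data/elasticsearch-6.5.3/config/elasticsearch.yml
# Add the following to enable X-Pack security verification
xpack.security.enabled: true
# Then restart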
supervisorctl restart elasticsearch
A reader reported running into the following error after restarting ES:
[2019-01-21T21:23:07,030][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elastic:xxxxxx@192.168.1.222:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://elastic:xxxxxx@192.168.1.222:9200/][Manticore::SocketException] Connection refused"}
Solution:
Add one more item to the configuration file above:
xpack.security.transport.ssl.enabled: true
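II. Configure Logstash
Because we have enabled X-Pack, authentication is required to upload data, so credentials must be added to the Logstash configuration file
[root@i-uzt2a3oi local]# vim /data/logstash-6.5.3/default.conf
Modify the settings in output, adding user and password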
output {
  if [logtype] == "otosaas_app_xingneng" {
    elasticsearch {
      user => "elastic"
      password => "XXXXXX"
      hosts => ["127.0.0.1:9200"]
      index => "otosaas_app_xingneng-%{+YYYY.MM.dd}"
    }
  }
  if [logtype] == "otosaas_app_yunxing" {
    elasticsearch {
      user => "elastic"
      password => "XXXXXX"
      hosts => ["127.0.0.1:9200"]
      index => "otosaas_app_yunxing-%{+YYYY.MM.dd}"
    }
  }
  if [logtype] == "otosaas_konglog" {
    elasticsearch {
      user => "elastic"
      password => "XXXXXX"
      hosts => ["127.0.0.1:9200"]
      index => "otosaas_konglog-%{+YYYY.MM.dd}"
    }
  }
}
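Otherwise Logstash will report 401 and 403 errors
Logstash must be restarted after the change
III. Add accounts and passwords
After adding X-Pack, log in to http://192.168.1.78:5601/ for the first time with the elastic/XXXX username and password
You can then create a super administrator and an ordinary read-only user
For the super administrator, choose superuser as the user's role
To add an ordinary user, first create a role named view, configured as follows
Then create a user and bind it to this view role, and you're done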