Securing Filebeat on CentOS revolves around five core areas: privilege control, encrypted transport, authentication, network isolation, and monitoring/auditing. The concrete steps are as follows:
Install the latest stable Filebeat from Elastic's official YUM repository so that the package origin is trusted and GPG-verified:
# Import the Elastic GPG key
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Add the Elastic YUM repository (gpgcheck=1 makes yum verify every package signature)
sudo tee /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[elasticsearch-8.x]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
# Install Filebeat
sudo yum install filebeat -y
Avoid running Filebeat as root, so that a compromised or misbehaving process cannot abuse root privileges:
# Create a dedicated service account (system account, no login shell)
sudo useradd -r -s /sbin/nologin filebeat
# Hand the Filebeat directories to that account
sudo chown -R filebeat:filebeat /etc/filebeat
sudo chown -R filebeat:filebeat /var/lib/filebeat
sudo chown -R filebeat:filebeat /var/log/filebeat
# Run the service as the unprivileged user. The packaged unit file contains no
# User=/Group= lines (so a sed on it changes nothing) and is overwritten on
# upgrade, so use a systemd drop-in instead of editing
# /usr/lib/systemd/system/filebeat.service in place.
sudo mkdir -p /etc/systemd/system/filebeat.service.d
sudo tee /etc/systemd/system/filebeat.service.d/override.conf <<'EOF'
[Service]
User=filebeat
Group=filebeat
EOF
# Reload the unit definitions and restart
sudo systemctl daemon-reload
sudo systemctl restart filebeat
An unprivileged Filebeat can only harvest files it is allowed to read, so grant the filebeat user read access to the log sources (group membership on the log directory, or an ACL via setfacl) rather than falling back to root.
Encrypt the traffic between Filebeat and Elasticsearch with SSL/TLS to prevent man-in-the-middle attacks. The subject names below are placeholders; adjust them to your environment:
# Generate the CA private key and self-signed CA certificate (valid for 365 days)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=Filebeat-CA" \
  -keyout /etc/pki/tls/private/ca.key \
  -out /etc/pki/tls/certs/ca.crt
# Generate the Filebeat client private key and certificate signing request
# (-days only applies to -x509 self-signed output, so it is omitted for the CSR)
sudo openssl req -nodes -newkey rsa:2048 \
  -subj "/CN=filebeat" \
  -keyout /etc/pki/tls/private/filebeat.key \
  -out /etc/pki/tls/certs/filebeat.csr
# Sign the Filebeat certificate with the CA
sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/filebeat.csr \
  -CA /etc/pki/tls/certs/ca.crt -CAkey /etc/pki/tls/private/ca.key \
  -CAcreateserial -out /etc/pki/tls/certs/filebeat.crt
# openssl writes keys as root with mode 0600; the filebeat user needs its own key,
# while the CA key stays readable by root only
sudo chown filebeat:filebeat /etc/pki/tls/private/filebeat.key
sudo chmod 400 /etc/pki/tls/private/filebeat.key
sudo chmod 600 /etc/pki/tls/private/ca.key
Edit /etc/filebeat/filebeat.yml and add the following (the https:// scheme in hosts forces TLS; the keys under output.elasticsearch must be indented):
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  ssl.certificate_authorities: ["/etc/pki/tls/certs/ca.crt"]
  ssl.certificate: "/etc/pki/tls/certs/filebeat.crt"
  ssl.key: "/etc/pki/tls/private/filebeat.key"
  # Verify the server certificate against the CA (mandatory in production;
  # "full" additionally checks that the hostname matches the certificate)
  ssl.verification_mode: certificate
If X-Pack security is enabled on Elasticsearch, Filebeat must also authenticate, either with a username and password (a dedicated user holding only the privileges Filebeat needs is preferable to the elastic superuser):
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"               # replace with your Elasticsearch user
  password: "your_secure_password"  # replace with that user's password
  ssl.certificate_authorities: ["/etc/pki/tls/certs/ca.crt"]
  ssl.certificate: "/etc/pki/tls/certs/filebeat.crt"
  ssl.key: "/etc/pki/tls/private/filebeat.key"
  ssl.verification_mode: certificate
or with an API key (use one of the two forms, not both):
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  api_key: "id:api_key_value"       # replace with your API key in the form ID:Key
  ssl.certificate_authorities: ["/etc/pki/tls/certs/ca.crt"]
  ssl.certificate: "/etc/pki/tls/certs/filebeat.crt"
  ssl.key: "/etc/pki/tls/private/filebeat.key"
  ssl.verification_mode: certificate
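Either way, a literal password or API key in filebeat.yml is readable by anyone who can read the file and tends to end up in backups and configuration repositories. Filebeat's keystore (the filebeat keystore subcommand) stores such values outside the config, which then references them as ${NAME}. The block below is an added example, not part of the original article: the keystore commands in the comments are Filebeat's own CLI, while the audit_secrets function and the two sample configs it is tested against are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: keep credentials out of
# filebeat.yml with the Filebeat keystore, and audit a config for secrets that
# are still written in clear text.
#
# One-time setup on the host, run as the account Filebeat runs as so that the
# keystore file (created under /var/lib/filebeat) is owned and readable by it:
#   sudo -u filebeat filebeat keystore create
#   printf '%s' 'your_secure_password' | sudo -u filebeat filebeat keystore add ES_PWD --stdin
#   printf '%s' 'id:api_key_value'    | sudo -u filebeat filebeat keystore add ES_API_KEY --stdin
# filebeat.yml then references them as   password: "${ES_PWD}"   or   api_key: "${ES_API_KEY}"

# audit_secrets CONFIG_FILE
#   Prints every uncommented password:/api_key: line (any nesting level, any
#   dotted prefix such as monitoring.elasticsearch.password:) whose value is a
#   literal rather than a ${KEY} or ${KEY:default} reference. Returns 1 if any
#   such line exists, 0 if the config is clean.
audit_secrets() {
  awk '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    $1 ~ /(^|\.)(password|api_key):$/ {
      val = $2
      gsub(/"/, "", val); gsub(/'\''/, "", val)     # strip surrounding quotes
      if (val == "") next                           # no inline value: nothing literal here
      if (val !~ /^\$\{[A-Za-z_][A-Za-z0-9_]*(:[^}]*)?\}$/) {
        print FILENAME ":" NR ": " $0
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# write_sample_config FILE MODE  (MODE = plain | keystore) -> constructed sample data
write_sample_config() {
  if [ "$2" = plain ]; then
    cat >"$1" <<'EOF'
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "hunter2"
  api_key: 'abc123:def456'
  # password: "commented-out values are ignored"
monitoring.elasticsearch.password: "alsoplain"
EOF
  else
    cat >"$1" <<'EOF'
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "${ES_USER:elastic}"
  password: "${ES_PWD}"
  api_key: "${ES_API_KEY}"
monitoring.elasticsearch.password: "${ES_PWD}"
EOF
  fi
}

# Stand-alone run: audit the real config, or the two samples with --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_config "$tmp/plain.yml" plain; write_sample_config "$tmp/keystore.yml" keystore
  audit_secrets "$tmp/plain.yml" || echo "plain.yml: literal secrets found (expected)"
  audit_secrets "$tmp/keystore.yml" && echo "keystore.yml: clean"
  rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
  audit_secrets "$1"
fi
```

Running the script against /etc/filebeat/filebeat.yml fits naturally into a configuration-management check or a pre-deploy hook: a non-zero exit and the printed file:line pairs show exactly which values still need to move into the keystore.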
Restrict network access between Filebeat and Elasticsearch so that only trusted addresses can talk to the Elasticsearch port. A plain --add-port would open 9200 to every source in the zone, so use a firewalld rich rule on the Elasticsearch host instead (10.0.0.10 is a placeholder for the Filebeat host's address):
# Allow Elasticsearch's default port (9200/tcp) only from the trusted Filebeat host
sudo firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule family="ipv4" source address="10.0.0.10/32" port port="9200" protocol="tcp" accept'
# If logs are shipped through Logstash instead, apply the same pattern to 5044/tcp on the Logstash host
# sudo firewall-cmd --permanent --zone=public \
#   --add-rich-rule='rule family="ipv4" source address="10.0.0.10/32" port port="5044" protocol="tcp" accept'
# Reload the firewall rules
sudo firewall-cmd --reload
Tightly control access to the Filebeat configuration file, log files and data directory. Filebeat refuses to start if its configuration file is writable by group or others or is owned by anyone other than root or the user it runs as, so the settings below are also what the strict-permission check expects:
# Configuration file: root may read and write, the filebeat user may read, nobody else has access
sudo chmod 640 /etc/filebeat/filebeat.yml
sudo chown root:filebeat /etc/filebeat/filebeat.yml
# Log directory and log file: writable by the filebeat user only
sudo chmod 750 /var/log/filebeat
sudo chmod 640 /var/log/filebeat/filebeat.log
sudo chown filebeat:filebeat /var/log/filebeat/filebeat.log
# Data directory (registry, keystore): readable and writable by the filebeat user only
sudo chmod 750 /var/lib/filebeat
sudo chown -R filebeat:filebeat /var/lib/filebeat
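The non-root and file-permission steps above are easy to get wrong in one place (a later chown -R, a package upgrade, an editor that resets the mode), so an audit that compares the live state against the intended owner and mode is worth keeping. The script below is an added example, not part of the original article: config_file_ok applies the same rule Filebeat itself enforces on filebeat.yml at startup (owner is root or the running user, and neither group nor others may write), check_perm compares a path against an expected mode and uid, and audit_filebeat_layout wires both to the paths and values used above. It relies on GNU stat, as found on CentOS; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: audit the ownership and mode
# bits that the hardening steps are meant to leave behind. Uses GNU stat (Linux).

# mode_of PATH      -> octal permission bits as printed by stat, e.g. 640
mode_of()      { stat -c '%a' "$1"; }
# owner_uid_of PATH -> numeric uid of the owner
owner_uid_of() { stat -c '%u' "$1"; }

# no_group_other_write MODE -> 0 if the group and other write bits (octal 022) are clear
no_group_other_write() {
  [ $(( 0$1 & 022 )) -eq 0 ]
}

# config_file_ok PATH RUN_UID -> 0 if PATH would pass Filebeat's strict-permission check:
# owned by root (uid 0) or by the uid Filebeat runs as, and not writable by group/others
config_file_ok() {
  local o
  o=$(owner_uid_of "$1")
  { [ "$o" -eq 0 ] || [ "$o" -eq "$2" ]; } && no_group_other_write "$(mode_of "$1")"
}

# check_perm PATH EXPECTED_MODE EXPECTED_UID -> 0 if both match; otherwise report and return 1
check_perm() {
  local m o rc=0
  m=$(mode_of "$1"); o=$(owner_uid_of "$1")
  [ "$m" = "$2" ]   || { echo "$1: mode $m, expected $2"; rc=1; }
  [ "$o" -eq "$3" ] || { echo "$1: owner uid $o, expected $3"; rc=1; }
  return $rc
}

# audit_filebeat_layout -> apply the checks to the paths and values from the hardening steps.
# Run on the hardened host after the chown/chmod steps; returns 1 on any deviation.
audit_filebeat_layout() {
  local fb rc=0
  fb=$(id -u filebeat 2>/dev/null) || { echo "no 'filebeat' user on this host"; return 1; }
  check_perm /etc/filebeat/filebeat.yml 640 0              || rc=1
  config_file_ok /etc/filebeat/filebeat.yml "$fb" || { echo "filebeat.yml would be rejected by Filebeat's permission check"; rc=1; }
  check_perm /var/lib/filebeat 750 "$fb"                   || rc=1
  check_perm /var/log/filebeat 750 "$fb"                   || rc=1
  check_perm /var/log/filebeat/filebeat.log 640 "$fb"      || rc=1
  check_perm /etc/pki/tls/private/filebeat.key 400 "$fb"   || rc=1
  return $rc
}

# Stand-alone run: audit the live host when invoked with --host
if [ "${1:-}" = "--host" ]; then
  audit_filebeat_layout && echo "filebeat layout: ok"
fi
```

Because the checks work on numeric uids, the audit keeps working inside containers or minimal images where the user database does not resolve names, and every deviation is printed as path, actual value and expected value so that it can be fed straight into a monitoring check.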
Monitor Filebeat's state through the Elastic Stack so that failures and anomalies are noticed promptly:
# Enable internal monitoring collection in filebeat.yml
# (monitoring.* is the current form; the xpack.monitoring.* keys are the deprecated pre-7.2 names)
monitoring.enabled: true
monitoring.elasticsearch.hosts: ["https://localhost:9200"]
# the built-in beats_system user or a dedicated monitoring role is preferable to the elastic superuser
monitoring.elasticsearch.username: "elastic"
monitoring.elasticsearch.password: "your_secure_password"
monitoring.elasticsearch.ssl.certificate_authorities: ["/etc/pki/tls/certs/ca.crt"]
Check for and install Filebeat security updates regularly to close known vulnerabilities:
# List pending updates for the package, then apply them
sudo yum check-update filebeat
sudo yum update filebeat -y
Together, these steps substantially harden Filebeat on CentOS and protect the confidentiality and integrity of log data while it is transmitted, stored and processed.