Logstash Tutorial

Logstash - Security and Monitoring

In this chapter, we will discuss the security and monitoring aspects of Logstash.

Monitoring

Logstash is a very good tool for monitoring servers and services in production environments. Applications in production produce different kinds of log data, such as access logs and error logs. Logstash can count or analyze the number of errors, accesses or other events using filter plugins, and this analysis and counting can be used to monitor different servers and their services.

Logstash offers plugins like HTTP Poller to monitor website status. Here, we are monitoring a website named mysite hosted on a local Apache Tomcat server.

logstash.conf

In this config file, the http_poller plugin is used to hit the site specified in the plugin after the time interval specified in the interval setting. Finally, it writes the status of the site to standard output.

input {
   http_poller {
      urls => {
         site => "http://localhost:8080/mysite"
      }
      request_timeout => 20
      interval => 30
      # the HTTP status code and response message land under this field
      metadata_target => "http_poller_metadata"
   }
}
output {
   if [http_poller_metadata][code] == 200 {
      stdout {
         # nested fields are referenced as [parent][child] in sprintf format strings
         codec => line { format => "%{[http_poller_metadata][response_message]}" }
      }
   }
   if [http_poller_metadata][code] != 200 {
      stdout {
         codec => line { format => "down" }
      }
   }
}

Run logstash

We can run Logstash with the following command.

>logstash -f logstash.conf

stdout

If the site is up, then the output will be −

Ok

If we stop the site by using the Manager App of Tomcat, the output will change to −

down

Security

Logstash provides plenty of features for secure communication with external systems and supports authentication mechanisms. Logstash plugins support authentication and encryption over HTTP connections.

Security with HTTP protocol

Various plugins offered by Logstash have settings such as user and password for authentication purposes, for example the Elasticsearch plugin.

elasticsearch {
   user => <username>
   password => <password>
}

The other authentication method for Elasticsearch is PKI (public key infrastructure). The developer needs to define two settings in the Elasticsearch output plugin to enable PKI authentication.

elasticsearch {
   keystore => <string_value>
   keystore_password => <password>
}

With the HTTPS protocol, a developer can use the certificate authority's certificate for SSL/TLS, so that the Elasticsearch server's certificate is verified before any data is sent.

elasticsearch {
   ssl => true
   cacert => <path to .pem file>
}

Security with Transport Protocol

To use the transport protocol with Elasticsearch, users need to set the protocol setting to transport. This avoids un-marshalling of JSON objects and leads to more efficiency.

Basic authentication in the Elasticsearch output plugin is the same as with the http protocol.

elasticsearch {
   protocol => "transport"
   user => <username>
   password => <password>
}

PKI authentication also needs the ssl setting to be true, along with the other settings in the Elasticsearch output plugin −

elasticsearch {
   protocol => "transport"
   ssl => true
   keystore => <string_value>
   keystore_password => <password>
}

Finally, SSL security requires a few more settings than the other security methods for communication: a keystore holding the client's own certificate and key, and a truststore holding the certificates Logstash should trust.

elasticsearch {
   ssl => true
   keystore => <string_value>
   keystore_password => <password>
   truststore => <path to truststore>
   truststore_password => <password>
}
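As an added example that is not part of the original tutorial, the following puts a plaintext, unauthenticated Elasticsearch output beside a hardened one that combines the settings described above (HTTPS with the CA certificate, basic authentication, and a mutual-TLS variant with keystore and truststore). The host name, file paths, user name and index name are placeholders.

```logstash
# Weak: plaintext HTTP and no authentication. Events cross the network in
# the clear and the identity of the Elasticsearch server is never verified.
output {
  elasticsearch {
    hosts => ["http://es.example.internal:9200"]   # placeholder host
    index => "mysite-status-%{+YYYY.MM.dd}"
  }
}

# Hardened: HTTPS verified against the CA that signed the server certificate,
# plus basic authentication with a least-privilege write-only user. The
# password is taken from the Logstash keystore or the environment via ${...}
# instead of being written into the config file.
output {
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]  # placeholder host
    index => "mysite-status-%{+YYYY.MM.dd}"
    ssl => true
    cacert => "/etc/logstash/certs/ca.pem"          # placeholder path
    user => "logstash_writer"                       # placeholder user
    password => "${ES_PASSWORD}"
  }
}

# Mutual TLS (PKI) variant: Logstash presents its own certificate from the
# keystore and trusts only the certificates in the truststore.
output {
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]  # placeholder host
    index => "mysite-status-%{+YYYY.MM.dd}"
    ssl => true
    keystore => "/etc/logstash/certs/logstash.jks"     # placeholder path
    keystore_password => "${KEYSTORE_PASSWORD}"
    truststore => "/etc/logstash/certs/truststore.jks" # placeholder path
    truststore_password => "${TRUSTSTORE_PASSWORD}"
  }
}
```

Use only one of these output blocks in a real pipeline; they are shown together so the weak and hardened settings can be compared line by line.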

Other Security Benefits from Logstash

Logstash can help protect the systems whose logs it ingests against attacks such as denial of service attacks. Monitoring the logs and analyzing the different events in them can help system administrators check for variation in incoming connections and errors. These analyses can help to see whether an attack is happening or is about to happen on the servers.

Other products of the Elasticsearch company, such as x-pack and filebeat, provide functionality to communicate securely with Logstash.