ELK Common Problems and Fixes
=========
HTTPS-related problems
=========
The following appears in the elasticsearch log:
[2020-10-15T16:26:09,008][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [esnode02] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.242.136.248:9200, remoteAddress=/10.242.24.95:40437}
Cause:
A client is trying to connect to elasticsearch over http.
Fix:
1. In filebeat.yml, set ssl.certificate_authorities: [elasticsearch/ca.crt]
2. Disable HTTPS in this node's elasticsearch.yml (xpack.security.http.ssl.enabled: false). With this setting the HTTP layer runs without TLS, so requests to this node, credentials included, travel in plaintext.
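To see which clients are still sending plain HTTP, so that their Beats configuration can be corrected as in fix 1, the warning lines can be tallied per client address. This is an added example, not part of the original notes; it handles IPv4 addresses only, and every sample line except the first (including the node name esnode01 and the 192.0.2.x addresses) is constructed.

```python
import re
from collections import Counter

# WARN line Elasticsearch writes when a client speaks plain HTTP to a
# TLS-enabled HTTP port (layout taken from the log line quoted above).
# Assumption of this example: IPv4 client addresses only.
PLAINTEXT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]+\]\s*\[(?P<node>[^\]]+)\]\s+"
    r"received plaintext http traffic on an https channel.*?"
    r"remoteAddress=/(?P<client>[0-9.]+):(?P<port>\d+)"
)

def plaintext_clients(lines):
    """Return {(node, client_ip): hit_count} for plaintext-on-HTTPS warnings."""
    hits = Counter()
    for line in lines:
        m = PLAINTEXT_RE.search(line.strip())
        if m:
            hits[(m["node"], m["client"])] += 1
    return dict(hits)

def report(lines):
    """One line per offending client, busiest first."""
    rows = sorted(plaintext_clients(lines).items(),
                  key=lambda kv: (-kv[1], kv[0]))
    return [f"{client} -> {node}: {n} plaintext request(s)"
            for (node, client), n in rows]

# Sample input. The first entry is the line from this page; the others
# are constructed for the example.
_T = ("[{ts}][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [{node}] "
      "received plaintext http traffic on an https channel, closing connection "
      "Netty4HttpChannel{{localAddress=/{local}:9200, remoteAddress=/{client}}}")
SAMPLE_LOG = [
    _T.format(ts="2020-10-15T16:26:09,008", node="esnode02",
              local="10.242.136.248", client="10.242.24.95:40437"),
    _T.format(ts="2020-10-15T16:26:14,112", node="esnode02",
              local="10.242.136.248", client="10.242.24.95:40441"),
    _T.format(ts="2020-10-15T16:26:15,730", node="esnode01",
              local="192.0.2.10", client="192.0.2.17:51200"),
    "[2020-10-15T16:26:20,500][INFO ][o.e.n.Node] [esnode02] started",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Each reported address is a host whose output still points at http:// or lacks the CA setting.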
==============
metricbeat x509-related errors
==============
ERR log:
Failed to connect to backoff … x509: certificate signed by unknown authority
Cause:
The CA does not match the one on ES.
Fix:
Switch to the same CA as ES (ca.crt).
Failed to connect to backoff … x509: cannot validate certificate for
================
metricbeat shuts down as soon as it starts
================
ERR log:
Exiting: error initializing publisher: 1 error: file is not a certificate adding [CA PATH] to the list of known CAs
Cause:
The CA file is in the wrong format.
Fix:
Switch to the SSL certificate file (ca.crt).
================
metricbeat shuts down as soon as it starts
================
ERR log:
Connection marked as failed because the onConnect callback failed: failed to check for alias 'filebeat-ans-metric-test'
Cause:
The rollover alias name does not match the role of the user configured in ES.
Fix:
The user role in ES must match the rollover alias in the yml.
===============
setup.ilm.policy_name error
===============
Connection marked as failed because the onConnect callback failed: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ilm/put] is unauthorized for user [hans]"}]
Cause:
setup.ilm.policy_name does not match the name configured in ES.
Fix:
setup.ilm.policy_name must match the policy name configured in ES.
===============
Remove template ILM policy
===============
POST [template name]/_ilm/remove
EX:
POST shaman-2020.10.06/_ilm/remove
POST rbsc-2020.10.04/_ilm/remove
=============
View/set role privileges
=============
View all privileges that can be set:
GET /_security/privilege
Set a role:
GET /_security/role/user_role_admin
PUT /_security/role/user_role_admin
{
  "cluster" : [
    "manage_security"
  ],
  "applications": [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "all" // all privileges are allowed
      ],
      "resources" : [
        "*"
      ]
    }
  ]
}
This seems to be the privilege that allows viewing all Kibana dashboards (?):
{
  "applications": [
    {
      "privileges" : [
        "feature_dashboard.read"
      ]
    }
  ]
}