Security hardening for Filebeat on Ubuntu can be set up with the following steps:
Run Filebeat as an unprivileged user:
sudo useradd -r -s /usr/sbin/nologin filebeat   # system account with no login shell
# Do not add this account to the sudo group; that would defeat the purpose of an unprivileged user.
sudo -u filebeat /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
Enable TLS/SSL encryption (a private CA, a server certificate for Elasticsearch and a client certificate for Filebeat):
mkdir -p /etc/filebeat/certs
openssl req -x509 -newkey rsa:4096 -keyout /etc/filebeat/certs/ca.key -out /etc/filebeat/certs/ca.crt -days 3650 -nodes -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=YourCA"
openssl req -newkey rsa:4096 -keyout /etc/filebeat/certs/server.key -out /etc/filebeat/certs/server.csr -nodes -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=your_elasticsearch_host"
openssl x509 -req -in /etc/filebeat/certs/server.csr -CA /etc/filebeat/certs/ca.crt -CAkey /etc/filebeat/certs/ca.key -CAcreateserial -out /etc/filebeat/certs/server.crt -days 3650
openssl req -newkey rsa:4096 -keyout /etc/filebeat/certs/client.key -out /etc/filebeat/certs/client.csr -nodes -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=filebeat_client"
openssl x509 -req -in /etc/filebeat/certs/client.csr -CA /etc/filebeat/certs/ca.crt -CAkey /etc/filebeat/certs/ca.key -CAcreateserial -out /etc/filebeat/certs/client.crt -days 3650
Add the SSL settings to /etc/filebeat/filebeat.yml (the paths refer to the client certificate and CA generated above):
output.elasticsearch:
  hosts: ["elasticsearch:9200"]
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certs/client.crt"
  ssl.key: "/etc/filebeat/certs/client.key"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
Configuration file permissions (the file holds credentials and key paths, so only the filebeat account should read it):
sudo chmod 600 /etc/filebeat/filebeat.yml
sudo chown filebeat:filebeat /etc/filebeat/filebeat.yml
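The TLS settings and the permission step above are easy to get subtly wrong (SSL left disabled, verification switched off, a key readable by other users). The script below is an added example written for this page, not code from the original page or from the Filebeat project: it audits a filebeat.yml for exactly those points. It assumes the flat "ssl.<key>: value" layout shown on the page and takes the numeric uid of the account Filebeat runs as (for the page's setup, "$(id -u filebeat)").

```shell
#!/bin/sh
# Added example, not code from the original page or from the Filebeat project.
# Audits a filebeat.yml for the TLS and file-permission settings described
# above. Assumptions: the config uses flat "ssl.<key>: value" lines as on the
# page, and the second argument is the numeric uid of the account Filebeat
# runs as (for the page's setup: "$(id -u filebeat)").

# Print the value of the first "key: value" line in a config file, with
# surrounding quotes and list brackets stripped.
cfg_value() {
    # $1 = config file, $2 = key (e.g. ssl.key)
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"[]'
}

# Succeed only if the file has exactly the given octal mode and owner uid.
check_perms() {
    # $1 = file, $2 = expected mode (e.g. 600), $3 = expected owner uid
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%u' "$1") || return 1
    [ "$mode" = "$2" ] && [ "$owner" = "$3" ]
}

# Audit one config file; prints each finding and returns the number found.
audit_filebeat_config() {
    cfg=$1; uid=$2; findings=0
    if ! check_perms "$cfg" 600 "$uid"; then
        echo "FAIL: $cfg is not mode 600 owned by uid $uid"
        findings=$((findings + 1))
    fi
    if [ "$(cfg_value "$cfg" ssl.enabled)" != "true" ]; then
        echo "FAIL: ssl.enabled is not true (logs would leave the host in clear text)"
        findings=$((findings + 1))
    fi
    if [ "$(cfg_value "$cfg" ssl.verification_mode)" = "none" ]; then
        echo "FAIL: ssl.verification_mode none disables server certificate checks"
        findings=$((findings + 1))
    fi
    for key in ssl.certificate ssl.key ssl.certificate_authorities; do
        path=$(cfg_value "$cfg" "$key")
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "FAIL: $key is unset or points at a missing file: '$path'"
            findings=$((findings + 1))
        fi
    done
    keyfile=$(cfg_value "$cfg" ssl.key)
    if [ -f "$keyfile" ] && ! check_perms "$keyfile" 600 "$uid"; then
        echo "FAIL: private key $keyfile is not mode 600 owned by uid $uid"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit.sh /etc/filebeat/filebeat.yml "$(id -u filebeat)"
if [ $# -ge 2 ]; then
    audit_filebeat_config "$1" "$2" && echo "OK: no findings"
fi
```

The exit status is the number of findings, so the script can be dropped into a cron job or a configuration-management check and fail the run when anything is wrong; a missing certificate file is reported as a finding because Filebeat would fail to start, and a world-readable private key is reported separately from the config file's own permissions.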
Firewall settings:
# Note: as written, these rules accept the listed ports from any source address; add "-s <trusted subnet>" to each rule to limit who may reach them.
sudo iptables -A INPUT -p tcp --dport 5044 -j ACCEPT # Filebeat
sudo iptables -A INPUT -p tcp --dport 9200 -j ACCEPT # Elasticsearch
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
# On Ubuntu the rules are usually restored by the netfilter-persistent service (package iptables-persistent).
sudo systemctl enable iptables
sudo systemctl start iptables
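A quick way to verify the intent of the firewall step is to scan the saved rule set for ACCEPT rules that carry no source restriction. The script below is an added example written for this page, not code from the original page: it reads iptables-save text and prints every TCP port that the INPUT chain accepts from any address. The sample rules it carries are constructed for the example and mirror the three rules above, with port 9200 already restricted to a subnet.

```shell
#!/bin/sh
# Added example, not code from the original page: flag INPUT ACCEPT rules
# that open a TCP port to every source address, which is how the three rules
# above are written. Input is iptables-save text (constructed sample below).

# Read iptables-save output on stdin; print the port of every INPUT rule that
# ACCEPTs a --dport without a "-s" source restriction, one per line.
find_unrestricted_accepts() {
    awk '/^-A INPUT/ && /-j ACCEPT/ && /--dport/ && !/ -s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# Same check on a rules string; returns the ports as one space-separated line.
unrestricted_ports() {
    printf '%s\n' "$1" | find_unrestricted_accepts | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: the page's rules, with 9200 already limited to a subnet.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 5044 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 9200 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Usage: sudo iptables-save > /tmp/rules.v4 && sh check_rules.sh /tmp/rules.v4
if [ $# -eq 1 ]; then
    find_unrestricted_accepts < "$1"
fi
```

Run against the constructed sample, unrestricted_ports reports "5044 22": the Elasticsearch port is fine because it carries a source subnet, while the Beats and SSH ports are open to the world and should be restricted the same way.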
Regular updates and monitoring:
sudo apt-get update && sudo apt-get install --only-upgrade filebeat
sudo tail -f /var/log/filebeat/filebeat.log   # or, when Filebeat logs to journald: sudo journalctl -u filebeat -f
Minimise the data transmitted (collect only the logs you actually need):
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/auth.log   # Ubuntu's authentication log; /var/log/secure is the equivalent on RHEL-family systems
Encrypt sensitive data:
Network isolation:
Following these steps significantly improves the security of Filebeat on Ubuntu and protects the confidentiality and integrity of log data both in transit and at rest.