feat(ext/beats): Monitor using unprivileged user

Both the collection and storage of monitoring data are now performed
using the unprivileged built-in users 'remote_monitoring_user' and
'beats_system' respectively, instead of the 'elastic' superuser.
Antoine Cotten 2022-11-18 17:07:16 +01:00
parent 595f42cc90
commit 654a18dcdb
No known key found for this signature in database
GPG Key ID: 94637E68D4A79DD0
10 changed files with 34 additions and 5 deletions

12
.env

@ -20,3 +20,15 @@ LOGSTASH_INTERNAL_PASSWORD='changeme'
# The user Kibana uses to connect and communicate with Elasticsearch. # The user Kibana uses to connect and communicate with Elasticsearch.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
KIBANA_SYSTEM_PASSWORD='changeme' KIBANA_SYSTEM_PASSWORD='changeme'
# User 'beats_system' (built-in)
#
# The user the Beats use when storing monitoring information in Elasticsearch.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
BEATS_SYSTEM_PASSWORD=''
# User 'remote_monitoring_user' (built-in)
#
# The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
REMOTE_MONITORING_USER_PASSWORD=''
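Review bot: `BEATS_SYSTEM_PASSWORD` and `REMOTE_MONITORING_USER_PASSWORD` default to an empty string, unlike the `'changeme'` placeholder on `KIBANA_SYSTEM_PASSWORD` just above, and the new comments do not say what an empty value means. How the setup script treats an empty password is not visible in this section; if it skips the user, the Beats configs added in this commit would presumably authenticate with an empty password until the value is set. A line such as `# Must be set to a non-empty secret before starting any Beats extension.` above each assignment would make the requirement explicit.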


@ -163,7 +163,7 @@ reset the passwords of all aforementioned Elasticsearch users to random secrets.
1. Reset passwords for default users 1. Reset passwords for default users
The commands below resets the passwords of the `elastic`, `logstash_internal` and `kibana_system` users. Take note The commands below reset the passwords of the `elastic`, `logstash_internal` and `kibana_system` users. Take note
of them. of them.
```console ```console


@ -24,6 +24,8 @@ services:
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-} LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-} KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
networks: networks:
- elk - elk
depends_on: depends_on:


@ -21,6 +21,9 @@ processors:
monitoring: monitoring:
enabled: true enabled: true
elasticsearch:
username: beats_system
password: ${BEATS_SYSTEM_PASSWORD}
output.elasticsearch: output.elasticsearch:
hosts: [ http://elasticsearch:9200 ] hosts: [ http://elasticsearch:9200 ]


@ -28,6 +28,7 @@ services:
read_only: true read_only: true
environment: environment:
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
networks: networks:
- elk - elk
depends_on: depends_on:
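Review bot: `ELASTIC_PASSWORD` is still passed into this container next to the new `BEATS_SYSTEM_PASSWORD`, so the Beat keeps holding the superuser credential even though monitoring no longer uses it; the same applies to the Heartbeat and Metricbeat service sections further down. Presumably `output.elasticsearch` still authenticates as `elastic`, which is outside these hunks. A comment such as `# ELASTIC_PASSWORD is only used by output.elasticsearch; replace with a dedicated least-privilege writer user` would record the remaining exposure. The service definition starts and ends outside the hunk.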


@ -22,6 +22,9 @@ processors:
monitoring: monitoring:
enabled: true enabled: true
elasticsearch:
username: beats_system
password: ${BEATS_SYSTEM_PASSWORD}
output.elasticsearch: output.elasticsearch:
hosts: [ http://elasticsearch:9200 ] hosts: [ http://elasticsearch:9200 ]


@ -17,6 +17,7 @@ services:
- ./extensions/heartbeat/config/heartbeat.yml:/usr/share/heartbeat/heartbeat.yml:ro,Z - ./extensions/heartbeat/config/heartbeat.yml:/usr/share/heartbeat/heartbeat.yml:ro,Z
environment: environment:
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
networks: networks:
- elk - elk
depends_on: depends_on:


@ -18,8 +18,8 @@ metricbeat.autodiscover:
metricbeat.modules: metricbeat.modules:
- module: elasticsearch - module: elasticsearch
hosts: [ http://elasticsearch:9200 ] hosts: [ http://elasticsearch:9200 ]
username: elastic username: remote_monitoring_user
password: ${ELASTIC_PASSWORD} password: ${REMOTE_MONITORING_USER_PASSWORD}
xpack.enabled: true xpack.enabled: true
period: 10s period: 10s
- module: logstash - module: logstash
@ -28,8 +28,8 @@ metricbeat.modules:
period: 10s period: 10s
- module: kibana - module: kibana
hosts: [ http://kibana:5601 ] hosts: [ http://kibana:5601 ]
username: elastic username: remote_monitoring_user
password: ${ELASTIC_PASSWORD} password: ${REMOTE_MONITORING_USER_PASSWORD}
xpack.enabled: true xpack.enabled: true
period: 10s period: 10s
- module: docker - module: docker
@ -51,6 +51,9 @@ processors:
monitoring: monitoring:
enabled: true enabled: true
elasticsearch:
username: beats_system
password: ${BEATS_SYSTEM_PASSWORD}
output.elasticsearch: output.elasticsearch:
hosts: [ http://elasticsearch:9200 ] hosts: [ http://elasticsearch:9200 ]


@ -39,6 +39,8 @@ services:
read_only: true read_only: true
environment: environment:
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
networks: networks:
- elk - elk
depends_on: depends_on:


@ -13,6 +13,8 @@ declare -A users_passwords
users_passwords=( users_passwords=(
[logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}" [logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}"
[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}" [kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"
[remote_monitoring_user]="${REMOTE_MONITORING_USER_PASSWORD:-}"
) )
declare -A users_roles declare -A users_roles
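Review bot: The `beats_system` entry uses `${BEATS_SYSTEM_PASSWORD=:-}`, where the stray `=` turns the expansion into assign-default: when the variable is unset, bash assigns and returns the literal string `:-`, so the account would be given that two-character password instead of an empty value like the neighbouring entries. It should read `[beats_system]="${BEATS_SYSTEM_PASSWORD:-}"`. The compose files pass the variable through as an empty string, which masks the typo, but running the script with the variable unset would hit it. The code that consumes `users_passwords` is outside the hunk, so how empty values are handled cannot be confirmed here.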