Hey all, this is part question and part tips from my Elastic experience on EC2. For background, I am running two servers, one with Elasticsearch on an m6gd.large and the other running Kibana on an m6gd.medium. This is single node for my use case, as at this point I am still experimenting and cost conscious. Later I could add more machines to the target groups if I need more compute.
The goal: set up Beats on each of my internal servers and have the ability to monitor a few dozen external servers, either on another VPC or on-prem elsewhere.
The architecture: I have a three-tier VPC: public, private (with NAT gateways) and secure. Both servers are in the private zone, with an Application Load Balancer (ALB) in the public zone. The database secure zone is not used here.
I have a bunch of other servers on the account, all running across one ALB, with different listener rules that resolve to specific Target Groups that contain the specific server needed. As the ALB is set up with a valid ACM certificate, TLS auth is supported already here. Each other server is hidden away behind the Cognito auth service, which will provide our users with a token to access them, all except the Kibana and Elasticsearch servers. Those are open to the public with X-Pack security enabled for their auth.
Route 53 subdomain -> ALB 443 -> Target Group HTTPS to 9200 (Elasticsearch) and 5601 (Kibana) -> on to the box with TLS, because it seems to need internally signed TLS to work.
To get to this point it seems that there is a requirement to set up certificates internally on both machines to get them to talk when using X-Pack, and if you want them to talk to each other. This means that you also need to use HTTPS on the target groups to get the ALB to allow communication between them.
The problems: the whole certificate thing is a journey, and I am struggling to get my head around where I need to configure it, and what's the minimum requirement to get it to work with Beats and the Elastic Agent. It seems the agents refuse to work if there is no TLS configured on the box, but I have TLS on the ALB, so I don't really need it or its headaches, but I can't get past it. I've tried to set certificates and paths to them in each config file for each beat, and I am missing something.
I ended up giving up on my first install as my whole stack ground to a halt, and queries took 3 or 4 mins to complete in the hosts or network dashboard. I'm on a fresh install now, and trying to solve this efficiently, and preferably in a script to install all my beats, which I will probably build later on once I get these two machines configured properly.
Question: how can I easily configure all the beats and elastic-agents, and do I need to have certs copied into every server I want to collect from? What is actually needed here? I tried to follow the documentation, but it's hard to read, and does not really have a clear answer for using an ALB intermediate as far as I could tell. Certificates......gah.
Feedback: if you have any clear improvement points or suggestions, please drop a comment, so others can also learn from this. If you have questions about how I did it or want more specifics, just ask here too, and I'll try to respond.
Elastic server elasticsearch.yml

```yaml
node.name: node1
xpack:
  security:
    enabled: true
    http:
      ssl:
        enabled: true
        # Server-side setting: it only governs how Elasticsearch checks client certificates
        # on 9200. No client authentication is configured, so it relaxes nothing for Beats.
        verification_mode: none
        key: certs/node1.key
        certificate: certs/node1.crt
        certificate_authorities: certs/ca.crt
    transport:
      ssl:
        enabled: true
        key: certs/node1.key
        certificate: certs/node1.crt
        certificate_authorities: certs/ca.crt
# discovery.seed_hosts expects transport addresses (host:9300), not an HTTPS URL through the ALB.
# A single node bootstraps from cluster.initial_master_nodes alone, so the seed list is left at its default.
# discovery.seed_hosts: [ "https://elastic.mydomain.com.au:443" ]
cluster:
  name: myname
  initial_master_nodes: [ "node1" ]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
```
Elastic server metricbeat.yml

```yaml
metricbeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
name: Elasticsearch-Metricbeat
tags: ["tag", "Internal", "Elasticsearch"]
setup.dashboards.enabled: true
setup.kibana:
  host: "https://kibana.mydomain.com.au:443"
output.elasticsearch:
  hosts: ["https://elastic.mydomain.com.au:443"]
  protocol: "https"
  pipeline: "geoip"          # an ingest pipeline named "geoip" must exist, or every event is rejected
  username: "elastic"
  password: "mypassword"
  ssl.enabled: true
  # The ALB presents the ACM certificate, which the host's trust store already knows,
  # so "full" works here without copying any CA to the beat host; "none" accepts any certificate.
  ssl.verification_mode: "none"
  ssl.client_authentication: none   # server-side option; has no effect on an output
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
logging.level: debug
logging.selectors: ["*"]
monitoring.enabled: true
monitoring.elasticsearch:    # left empty: monitoring data reuses output.elasticsearch
instrumentation:
  enabled: true
```
Kibana server kibana.yml

```yaml
server.host: "0.0.0.0"
server.publicBaseUrl: "https://kibana.mydomain.com.au:443"
server.name: "myname"
# Points at the ALB, whose ACM certificate Kibana's default trust store accepts,
# so no elasticsearch.ssl.certificateAuthorities entry is needed for this hop.
elasticsearch.hosts: ["https://elastic.mydomain.com.au:443"]
kibana.index: ".kibana"        # removed in Kibana 8.x; an unknown key stops Kibana from starting there
kibana.defaultAppId: "home"    # likewise removed in Kibana 8.x
elasticsearch.username: "kibana_system"
elasticsearch.password: "mypassword"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana/kibana.key
xpack.security.encryptionKey: mylongkey
xpack.security.session.idleTimeout: "1h"
xpack.security.session.lifespan: "30d"
xpack.encryptedSavedObjects.encryptionKey: myotherlongkey
xpack.reporting.encryptionKey: mythirdlongkey
```
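The post's open question is which hop actually needs which certificate. The script below is an added example, not the poster's code or anything from Elastic: it probes a TLS endpoint in the three trust modes a beat can be configured for (system trust store with hostname check, a private CA file, or no verification) and maps the outcome to the minimal `output.elasticsearch.ssl.*` settings. The hostname `elastic.mydomain.com.au` is the one from the post; the backend address `10.0.0.10:9200` and the CA path `/etc/beats/ca.crt` are constructed placeholders. Run on a beat host, it answers "do I need to copy a CA here?" per hop: the ALB hop with a public ACM certificate should pass the `system` mode, so `full` works there with nothing copied; only a beat that talks to 9200 on the box directly would need the internal `ca.crt` (never the node key).

```python
"""Probe a TLS hop and derive the minimal Beats/Elastic Agent ssl settings for it."""
import socket
import ssl

# Hop addresses from the post's layout. The backend IP and CA path are constructed placeholders.
ALB_ELASTIC = ("elastic.mydomain.com.au", 443)   # ALB listener with the ACM certificate
BACKEND_ELASTIC = ("10.0.0.10", 9200)            # the Elasticsearch box behind the target group
INTERNAL_CA = "/etc/beats/ca.crt"                # copy of the cluster's ca.crt, if a beat talks to 9200 directly


def try_handshake(host, port, mode, ca_file=None, timeout=5.0):
    """Attempt one TLS handshake in a given trust mode; returns (ok, error_text).

    mode "system": default trust store + hostname check  -> beats ssl.verification_mode: full
    mode "cafile": chain must end at ca_file + hostname   -> full + ssl.certificate_authorities
    mode "none":   no chain or hostname check             -> beats ssl.verification_mode: none
    """
    if mode == "system":
        ctx = ssl.create_default_context()
    elif mode == "cafile":
        if not ca_file:
            return False, "no CA file supplied"
        ctx = ssl.create_default_context(cafile=ca_file)
    elif mode == "none":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError("unknown mode: %s" % mode)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, ""
    except ssl.SSLCertVerificationError as e:
        # e.g. "self-signed certificate" or "Hostname mismatch": the peer answered TLS,
        # but nothing this mode trusts vouches for it.
        return False, "verify: %s" % e.verify_message
    except (OSError, ssl.SSLError) as e:
        # Port closed, plain HTTP on the port, or a security-group/listener problem.
        return False, "connect: %s" % e


def probe(host, port, ca_file=None):
    """Try the trust modes from strictest to loosest; returns {mode: (ok, error_text)}."""
    results = {}
    for mode in ("system", "cafile", "none"):
        if mode == "cafile" and ca_file is None:
            continue
        results[mode] = try_handshake(host, port, mode, ca_file)
    return results


def recommend(results, ca_file=None):
    """Map probe results to the smallest ssl.* block that still verifies the peer.

    Returns None when the endpoint did not complete a TLS handshake in any mode.
    """
    def ok(mode):
        return results.get(mode, (False, ""))[0]

    if ok("system"):
        # Public CA chain (e.g. the ACM certificate on the ALB): nothing to distribute.
        return {"ssl.verification_mode": "full"}
    if ok("cafile"):
        # Private CA: ship only the CA certificate to the beat host, never node keys.
        return {"ssl.verification_mode": "full", "ssl.certificate_authorities": [ca_file]}
    if ok("none"):
        # Reachable, but the beat cannot distinguish this endpoint from an impostor.
        return {"ssl.verification_mode": "none"}
    return None


def report(host, port, ca_file=None):
    results = probe(host, port, ca_file)
    print("%s:%d" % (host, port))
    for mode, (ok, err) in results.items():
        print("  %-6s %s %s" % (mode, "ok" if ok else "fail", err))
    print("  settings:", recommend(results, ca_file))


if __name__ == "__main__":
    # The ALB hop is expected to pass "system"; the backend hop is expected to need the internal CA.
    # Note: the ALB itself does not validate the backend's certificate on an HTTPS target group,
    # so the node certificate on 9200 only has to satisfy Elasticsearch, not the ALB.
    report(*ALB_ELASTIC)
    report(*BACKEND_ELASTIC, ca_file=INTERNAL_CA)
```

`recommend` is deliberately pure so the decision logic can be checked without a network; `probe` is the only part that touches the hosts. If the ALB hop fails `system` with a hostname mismatch, the ACM certificate does not cover the name the beat is using, which is a listener/certificate fix rather than anything to change in the beat config.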