{"id":51573757,"url":"https://github.com/euiyounghwang/elk-stack-proj","last_synced_at":"2026-07-10T22:02:23.996Z","repository":{"id":342667541,"uuid":"1174714961","full_name":"euiyounghwang/ELK-Stack-Proj","owner":"euiyounghwang","description":"ELK_Stack_Repo_Upgrade","archived":false,"fork":false,"pushed_at":"2026-06-15T15:30:07.000Z","size":1963,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-15T17:18:31.526Z","etag":null,"topics":["docker","goconvey","golang","golang-library","jupyter-notebook","nodejs","python-script","rest-api","search-guard","searchguard","shell-script","vagrant"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/euiyounghwang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-06T18:57:10.000Z","updated_at":"2026-06-15T15:28:54.000Z","dependencies_parsed_at":"2026-04-29T21:05:08.426Z","dependency_job_id":null,"html_url":"https://github.com/euiyounghwang/ELK-Stack-Proj","commit_stats":null,"previous_names":["euiyounghwang/elk-stack-proj"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/euiyounghwang/ELK-Stack-Proj","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/euiyounghwang%2FELK-Stack-Proj","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/euiyounghwang%2FELK-Stack-Proj/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/euiyounghwang%2FELK-Stack-Proj/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/euiyounghwang%2FELK-Stack-Proj/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/euiyounghwang","download_url":"https://codeload.github.com/euiyounghwang/ELK-Stack-Proj/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/euiyounghwang%2FELK-Stack-Proj/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35344523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-10T02:00:06.465Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","goconvey","golang","golang-library","jupyter-notebook","nodejs","python-script","rest-api","search-guard","searchguard","shell-script","vagrant"],"created_at":"2026-07-10T22:02:21.917Z","updated_at":"2026-07-10T22:02:23.989Z","avatar_url":"https://github.com/euiyounghwang.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ELK Upgrade with Search Guard\n\u003ci\u003eELK Upgrade with Search Guard\n\n\nFastAPI is a modern, fast (high-performance), web framework for building APIs with Python 3.8+ based on standard Python.\nThis is a repository that provides to deliver the records to the Prometheus-Export application.\n\n\nVagrant is a tool for working with virtual environments, and in most circumstances, this means working with virtual machines.\n\nWhen a node fails, Elasticsearch will rebalance the cluster by moving shards from the failed node to the remaining nodes in the cluster. This ensures that all data is always available even if a node fails\n\nAn Elasticsearch index consists of one or more primary shards. As of Elasticsearch version 7, the current default value for the number of primary shards per index is 1. In earlier versions, the default was 5 shards.\n- It depends on the query you used and how many documents with the size of each document that you might have in daily or monthly. \n- We can consider making a dynamic template explicitly to optimize for an index before creating the field. \n- Shard size should not exceed 30-50GB (with a mathematical formula, Core number * The number of Nodes). Also we can consider avoiding ‘wild card query’, ‘script_query to calculate hits’ and retrieve only necessary fields when searching in query_string fields and highlighting.\n- Use filter context instead of query context because Elasticsearch does not need to calculate relevance score for filter context. \n- Please note, the replica number should not be zero, otherwise you will have data loss.  In other words, as the number of replica shards increases, search performance should be increased and index performance decreased. Therefore, it is important to find the optimal number of shards according to the data size or the number of requests.\n- [Shards] Using the 30-80 GB value, you can calculate how many shards you’ll need. For instance, let’s assume you rotate indices monthly and expect around 600 GB of data per month. In this example, you would allocate 8 to 20 shards.\n- ELK : https://scrawled-note.tistory.com/entry/ELK-%EB%AC%B4%EC%9E%91%EC%A0%95-%EC%84%A4%EC%B9%98%ED%95%98%EA%B8%B0\n\n\nElasticsearch Performance (https://logz.io/learn/complete-guide-elk-stack/#common-pitfalls)\n- Typically the heap usage will be a saw tooth pattern, oscillating between around 30% and 75% of the maximum heap being used. This is because the JVM steadily increases heap usage percentage until the garbage collection process frees up memory again (When memory is insufficient, it is executed immediately when additional memory is requested).\n- You should see `the maximum usage be no more than 75% of the assigned memory`, and when it hits that 75%, it should perform a full GC and reduce the memory down to at least 50% free available heap\n- The best practices for managing heap size usage and JVM garbage collection in a large Elasticsearch cluster are to ensure that the heap size is set to a maximum of 50% of the available RAM, and that the JVM garbage collection settings are optimized for the specific use case. It is important to monitor the heap size and garbage collection metrics to ensure that the cluster is running optimall\n- It depends on various factors like the number of indexing requests, search requests, cache utilization, size of search and indexing requests, number of shards/segments etc, also heap size should follow the sawtooth pattern. The good thing is that you can starting right, by assigning 50% of RAM as ES Heap size which is not crossing 32 GB.\n- Elasticsearch memlock(https://opster.com/guides/elasticsearch/how-tos/elasticsearch-memlock/) is an important setting that can help prevent memory-related issues and improve the overall performance of your Elasticsearch cluster. Memlock is a setting that allows Elasticsearch to lock its memory into RAM, preventing the operating system from swapping out the memory to disk. To prevent swapping, it is recommended to enable memlock for the Elasticsearch process. This can be done by setting the `bootstrap.memory_lock` parameter to `true` in the `elasticsearch.yml` configuration file.\n-  Set the JVM heap size appropriately: To make the most of memory locking, it is crucial to set the JVM heap size correctly. The general recommendation is to allocate 50% of the available system memory to the JVM heap, but not more than 30.5GB.\n- While the official advice(https://bigdataboutique.com/blog/tuning-elasticsearch-the-ideal-java-heap-size-2toq2j) is to `set 50% of available system memory for the heap size, and not to set it to more than 26-30GB` due to pointer compaction, in `more recent versions Elasticsearch is attempting to set the actual heap size automatically`. Now it is clear how benchmarking can help find the right value to use, with the optimal value going to highly depend on the desired workload, not only on node role.\n\n\nImplementation:\n  - According to the documentation, using compatibility mode in \"the Java High Level REST Client\" 7 allows use with ES 8.x.\n  - Connection: The High Level Client version 7.16 and higher can communicate with Elasticsearch version 8.x after enabling API compatibility mode (https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/java-rest-high-compatibility.html).. see below screenshot.\n  - Using the Elasticsearch 7.16 Java High Level REST Client (HLRC) to query an Elasticsearch 8.x cluster  in terms of basic queries is possible, but Elasticsearch 7 (ES7) and Elasticsearch 8 (ES8) introduce several key differences(\"Removal of _type field, Ranger Query, Nested Sorting ..), particularly regarding query behavior, API changes, and default settings (https://www.google.com/search?q=elasticsearch+query+es7+es8+difference\u0026sca_esv=dad87895c19efbc5\u0026rlz=1C1GCEB_enUS1102US1102\u0026sxsrf=AE3TifMCdtZJ6p6sqXcyqzgPg3BloVs3Gg%3A1757528489211\u0026ei=qcHBaNPVDJGZhbIPzI7AsQU\u0026ved=0ahUKEwiTzqDq586PAxWRTEEAHUwHMFYQ4dUDCBI\u0026uact=5\u0026oq=elasticsearch+query+es7+es8+difference\u0026gs_lp=Egxnd3Mtd2l6LXNlcnAiJmVsYXN0aWNzZWFyY2ggcXVlcnkgZXM3IGVzOCBkaWZmZXJlbmNlMgUQIRigAUiDI1CUBliaIXABeAGQAQCYAesBoAHuGqoBBjAuMTMuNbgBA8gBAPgBAZgCE6ACpBvCAgoQABiwAxjWBBhHwgIEECMYJ8ICBRAAGIAEwgIEEAAYHsICBhAAGAgYHsICCBAAGIAEGKIEwgIFEAAY7wXCAgQQIRgVwgIHECEYoAEYCpgDAIgGAZAGBJIHBjEuMTMuNaAHtT-yBwYwLjEzLjW4B6EbwgcGMi4xNC4zyAcg\u0026sclient=gws-wiz-serp). These differences necessitate careful planning and testing when migrating from ES7 to ES8 to ensure query compatibility and optimal performance.\n\n\nSearch Guard Is An Open Source Security Plugin For Elasticsearch And The Entire ELK stack. Search Guard Encrypts All Data In Transit. \n- Search Guard Versions : https://docs-search--guard-com.webpkgcache.com/doc/-/s/docs.search-guard.com/latest/search-guard-versions\n- Account Maintain : Add user to \"/plugins/search-guard-flx/sgconfig/sg_internal_user.xml\" (Use API : https://docs.search-guard.com/7.x-51/rest-api-internalusers, https://docs.search-guard.com/latest/sgctl, Base64 : https://www.encodebase64.net/, PlainText : \u003cuser\u003e:\u003cpassword\u003e)\n- Basic authentication is a very simple authentication scheme that is built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the Basic word followed by a space and a base64-encoded username:password string (: -\u003e colon).\n- Secure Sockets Layer (SSL) is the technology responsible for data authentication and encryption for internet connections. It encrypts data being sent over the internet between two systems (commonly between a server and a client) so that it remains private. And with the growing importance of online privacy, an SSL port is something you should get familiar with.\n- Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase security of data transfer.  This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.\n- What is shield : Shield allows you to easily protect Elasticsearch cluster from unintentional modification or unauthorized access with a username and password. Shield also gives security features like encryption, role-based access control, IP filtering, and auditing are also available when you need them.\n\n\nSef-Signed Certificae(https://a-gyuuuu.tistory.com/356,https://tutorialspedia.com/csr-certificate-signing-request-how-to-get-ca-signed-certificate-from-csr-file/, https://velog.io/@gweowe/OpenSSL-%EC%9E%90%EC%B2%B4-%EC%9D%B8%EC%A6%9D%EC%84%9CSELF-SIGNED-CERTIFICATE-%EB%A7%8C%EB%93%A4%EA%B8%B0-MacOS)\n- Step1, Generate CSR Certificate Signing Request File (.csr) : if you want to generate CSR File using OpenSSL, first run the below command to create a key file:\n- Create private key : `openssl genrsa -out ca.key 2048 `\n```bash\nGenerating RSA private key, 2048 bit long modulus\n....+++\n.......................................................................................................................................+++\ne is 65537 (0x10001)\n\n-bash-4.2$ cat ./ca.key\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAut3ISXBfNS1ex2Q\n...\n-----END RSA PRIVATE KEY-----\n```\n- Create CSR(Cerfiticate Singing Request) : `openssl req -new -key ca.key -out ca.csr ` or `openssl req -new -key ca.key -out ca.csr -config csr_file.conf`\n```bash\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:US\nState or Province Name (full name) []:NC\nLocality Name (eg, city) [Default City]:Highpoint\nOrganization Name (eg, company) [Default Company Ltd]:gxo\nOrganizational Unit Name (eg, section) []:es\nCommon Name (eg, your name or your server's hostname) []:es\nEmail Address []:\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\n\n-bash-4.2$ ls\nca.csr  ca.key\n```\n- Step 2: Submit CSR Certificate Signing Request File to CA to get Signed SSL Certificate\n- Create Self Signed Certifcate : `openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt` or `openssl x509 -req -days 365 -extensions v3_ca -set_serial -in ca.csr -signkey ca.key -out ca.crt -extfile csr_file.conf`\n```bash\n-bash-4.2$ openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt\nSignature ok\nsubject=/C=US/ST=TEST/L=TEST/O=TEST/OU=TEST/CN=TEST\nGetting Private key\n\n-bash-4.2$ ls\nca.crt  ca.csr  ca.key\n\n-bash-4.2$ cat ./ca.crt\n-----BEGIN CERTIFICATE-----\nMIIDKDCCAhACCQCdq0JI5swi9TANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCTkMxEjAQBgNV\n..\nqQtNtAazwrHbx12qWIhHN1BzFZqjQawVw2MfSHb2aUxHmkOFViQ91ikYiWE=\n-----END CERTIFICATE-----\n\n-bash-4.2$ openssl x509 -text -in ./ca.crt\nCertificate:\n    Data:\n        Version: 1 (0x0)\n        Serial Number:\n            9d:ab:42:48:e6:cc:22:f5\n    Signature Algorithm: sha256WithRSAEncryption\n...\n\n```\n- Step 3: Install CA Signed SSL Certificate on Server : Once you have received the signed certificate, you will need to install it on the server along with the private key that was generated when the CSR was created. \n\n\nHow to Choose the Correct Number of Shards per Index in Elasticsearch. (https://opster.com/guides/elasticsearch/capacity-planning/elasticsearch-number-of-shards/)\n- Having multiple primary shards when indexing : Shards are basically used to parallelize work on an index. When you send a bulk request to index a list of documents, they will be split and divided among all available primary shards. So, if you have 5 primary shards and send a bulk request with 100 documents, each shard will have to index 20 documents in parallel.\nIndexing is usually quicker when you have more shards. For instance, `if you have 3 data nodes, you should have 3, 6 or 9 shards. This is very important. If, instead, you have 3 data nodes and decide to use 4 primary shards, then your indexing process will actually be slower than when using 3 shards`, because 1 node (aka server) will have double the work and the other 2 will sit idle. \n- Having multiple primary shards when searching : When you submit a search request, the node that receives the request acts as the coordinating node, which then looks up which shards belong to that index according to the cluster state. \n\n\n#### Test Data using ES API\n```bash\n\nGET _cat/indices\n\nPOST _bulk\n{ \"index\" : { \"_index\" : \"test\", \"_id\" : \"1\" } }\n{ \"field1\" : \"value1\" }\n{ \"delete\" : { \"_index\" : \"test\", \"_id\" : \"2\" } }\n{ \"create\" : { \"_index\" : \"test\", \"_id\" : \"3\" } }\n{ \"field1\" : \"value3\" }\n{ \"update\" : {\"_id\" : \"1\", \"_index\" : \"test\"} }\n{ \"doc\" : {\"field2\" : \"value2\"} }\n\nGET test/search\n\nfrom elasticsearch import Elasticsearch\n\n# es = Elasticsearch([{'host': 'localhost', 'port': 9200, 'scheme': 'http'}])\nes = Elasticsearch(hosts=\"{}\".format(\"localhost\"), headers=get_headers('test'), timeout=5,  verify_certs=False)\n\n# bulk #1\n# bulk_memory = [\n#     {\n#          \"index\" : {\n#             \"_index\" : \"test\", \n#             # \"_type\" : \"WX_ORDER\", \n#             \"_id\" : \"{}|{}|{}\".format(pd_dataframe_dict.get(\"JSON\")[0].get(\"ORDERKEY\"), pd_dataframe_dict.get(\"JSON\")[0].get(\"SITEID\"), KEY_DB)\n        \n#     }}),\n#     pd_dataframe_dict.get(\"JSON\")[0]\n# ]\n\n# bulk #2\n# bulk_memory = [\n#     {\"_op_type\": \"index\", \"_index\": \"my-index\", \"_id\": \"1\", \"_source\": {\"field1\": \"value1\"}},\n#     {\"_op_type\": \"index\", \"_index\": \"my-index\", \"_id\": \"2\", \"_source\": {\"field1\": \"value2\"}},\n#     {\"_op_type\": \"delete\", \"_index\": \"my-index\", \"_id\": \"3\"}\n# ]\n\ntry:\n    from elasticsearch.helpers import bulk\n\n    # bulk #1\n    # response = es.bulk(body=bulk_memory)\n     # print(f\"Successfully indexed: {response['items']}, Errors: {response['errors']}\")\n\n    # bulk #2\n    success, errors = bulk(es, bulk_memory)\n    print(f\"Successfully indexed: {success}, Errors: {errors}\")\n    \nexcept Exception as e:\n    print(f\"Bulk indexing error: {e}\")\n\n```\n\n#### Python V3.9 Install\n```bash\nsudo yum install gcc sqlite-devel openssl-devel bzip2-devel libffi-devel zlib-devel git sqlite-devel\nwget https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz \ntar –zxvf Python-3.9.0.tgz or tar -xvf Python-3.9.0.tgz \ncd Python-3.9.0 \n./configure --libdir=/usr/lib64 \nsudo make \nsudo make altinstall \n\n# python3 -m venv .venv --without-pip\nsudo yum install python3-pip\n\nsudo ln -s /usr/lib64/python3.9/lib-dynload/ /usr/local/lib/python3.9/lib-dynload\n\npython3 -m venv .venv\nsource .venv/bin/activate\n\n# pip install -r ./dev-requirement.txt\n# -- Swagger\npip install poetry\npoetry add fastapi\npoetry add uvicorn\npoetry add gunicorn\npoetry add pytz\npoetry add httpx\npoetry add pytest\npoetry add pytest-cov\npoetry add requests\npoetry add pyyaml\npoetry add elasticsearch==7.13\npoetry add python-dotenv\npoetry add jupyter\n\n# when error occur like this\n# ImportError: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2k-fips  26 Jan 2017'. See: https://github.com/urllib3/urllib3/issues/2168\npip install urllib3==1.26.18\npip install pytz\n```\n\n\n### Using Poetry: Create the virtual environment in the same directory as the project and install the dependencies:\n```bash\npython -m venv .venv\nsource .venv/bin/activate\npip install poetry\n\n# --\npoetry config virtualenvs.in-project true\npoetry init\npoetry add pytz\npoetry add httpx\npoetry add python-dotenv\npoetry add pytest-cov\npeetry add pandas\n```\nor you can run this shell script `./create_virtual_env.sh` to make an environment. then go to virtual enviroment using `source .venv/bin/activate`\n\n\nThe first time installation procedure on a production cluster is to:\n\n1) Disable shard allocation\n- Cluster Reboot\n\n```bash\nGET _cat/indices\nGET _cluster/stats?human\u0026pretty\n\n# Set shard allocation to stop\nPUT _cluster/settings\n{\n  \"persistent\": {\n    \"cluster.routing.allocation.enable\": \"none\"\n  }\n}\n\nPOST _flush/synced\n\n```\n2) Stop all nodes\n\n3) Install the Search Guard plugin on all nodes\n- Add user\n```bash\nsudo groupadd elasticsearch\nsudo useradd -g elasticsearch elasticsearch\n```\n- If you install ES at the first time, \n```bash\nsudo sysctl -w vm.max_map_count=262144\nvi /etc/security/limits.conf\n\nelasticsearch soft memlock unlimited\nelasticsearch hard memlock unlimited\nelasticsearch soft nofile 65536\nelasticsearch hard nofile 65536\n\n#euiyoung soft    nofile  65536\n#euiyoung hard    nofile  65536\n#euiyoung hard    nproc   65536\n#euiyoung soft    nproc   65536\n#euiyoung soft    memlock unlimited\n#euiyoung hard    memlock unlimited\n\nsudo su -l elasticsearch\n\n```\n- Search Guard License : https://search-guard.com/licensing/\n- Search Guard : https://docs.search-guard.com/latest/search-guard-versions\n\n```bash\n- Elasticsearch Plugin for Search Guard\n\n$ ./bin/elasticsearch-plugin install -b file:////apps/elasticsearch/node1/elasticsearch-8.12.2/search-guard-flx-elasticsearch-plugin-2.0.0-es-8.12.2.zip\n\n[devuser@localhost elasticsearch-8.12.2]$ ./bin/elasticsearch-plugin install -b file:////apps/elasticsearch/node1/elasticsearch-8.12.2/search-guard-flx-elasticsearch-plugin-2.0.0-es-8.12.2.zip\n-\u003e Installing file:////apps/elasticsearch/node1/elasticsearch-8.12.2/search-guard-flx-elasticsearch-plugin-2.0.0-es-8.12.2.zip\n-\u003e Downloading file:////apps/elasticsearch/node1/elasticsearch-8.12.2/search-guard-flx-elasticsearch-plugin-2.0.0-es-8.12.2.zip\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@     WARNING: plugin requires additional permissions     @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n* java.lang.RuntimePermission accessClassInPackage.com.sun.jndi.*\n* java.lang.RuntimePermission accessClassInPackage.sun.misc\n* java.lang.RuntimePermission accessClassInPackage.sun.nio.ch\n* java.lang.RuntimePermission accessClassInPackage.sun.security.x509\n* java.lang.RuntimePermission accessDeclaredMembers\n* java.lang.RuntimePermission getClassLoader\n* java.lang.RuntimePermission loadLibrary.*\n* java.lang.RuntimePermission setContextClassLoader\n* java.lang.reflect.ReflectPermission suppressAccessChecks\n* java.net.NetPermission getProxySelector\n* java.net.SocketPermission * connect,accept,resolve\n* java.security.SecurityPermission insertProvider\n* java.security.SecurityPermission org.apache.xml.security.register\n* java.security.SecurityPermission putProviderProperty.BC\n* java.util.PropertyPermission * read,write\n* java.util.PropertyPermission org.apache.xml.security.ignoreLineBreaks write\n* javax.security.auth.AuthPermission doAs\n* javax.security.auth.AuthPermission modifyPrivateCredentials\n* javax.security.auth.kerberos.ServicePermission * accept\nSee https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html\nfor descriptions of what these permissions allow and the associated risks.\n-\u003e Installed search-guard-flx\n-\u003e Please restart Elasticsearch to activate any plugins installed\n[devuser@localhost elasticsearch-8.12.2]$\n\n\n- Change chmod to run *.sh\n[devuser@localhost tools]$ pwd\n/apps/elasticsearch/node1/elasticsearch-8.12.2/plugins/search-guard-flx/tools\n[devuser@localhost tools]$ ls\ninstall_demo_configuration.sh\n[devuser@localhost tools]$ chmod 755 *.sh\n\ndevuser@localhost tools]$ ./install_demo_configuration.sh\nSearch Guard Demo Installer\n ** Warning: Do not use on production or public reachable systems **\nInitialize Search Guard? [y/N] y\nCluster mode requires maybe additional setup of:\n  - Virtual memory (vm.max_map_count)\n    See https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html\n\nEnable cluster mode? [y/N] n\nBasedir: /apps/elasticsearch/node1/elasticsearch-8.12.2\nElasticsearch install type: .tar.gz on NAME=\"Red Hat Enterprise Linux Server\"\nElasticsearch config dir: /apps/elasticsearch/node1/elasticsearch-8.12.2/config\nElasticsearch config file: /apps/elasticsearch/node1/elasticsearch-8.12.2/config/elasticsearch.yml\nElasticsearch bin dir: /apps/elasticsearch/node1/elasticsearch-8.12.2/bin\nElasticsearch plugins dir: /apps/elasticsearch/node1/elasticsearch-8.12.2/plugins\nElasticsearch lib dir: /apps/elasticsearch/node1/elasticsearch-8.12.2/lib\n/apps/elasticsearch/node1/elasticsearch-8.12.2/config/elasticsearch.yml seems to be already configured for Search Guard. Quit.\n[devuser@localhost tools]$\n\n```\n\n4) Change \"elasticsearch.yml\" for Search Guard Configuration\n```bash\n\n- Created certification automatically\n-rw-rw-r--  1 localhost localhost  1704 Jun 21 15:52 esnode-key.pem\n-rw-rw-r--  1 localhost localhost  1720 Jun 21 15:52 esnode.pem\n..\n-rw-rw-r--  1 localhost localhost  1704 Jun 21 15:52 kirk-key.pem\n-rw-rw-r--  1 localhost localhost  1610 Jun 21 15:52 kirk.pem\n..\n-rw-rw-r--  1 localhost localhost  1444 Jun 21 15:52 root-ca.pem\n\n'''https://search-guard.com/blog/elasticsearch-tls-certificates-openssl/ '''\n\nSearchGuard distinguishes three different certificate types:\nNode certificates\n- used to identify and secure traffic between Elasticsearch nodes on the transport layer\nClient certificates\n- used to identify Elasticsearch clients on the REST and transport layer.\nAdmin certificates\n- which basically are client certificates that have elevated rights to perform administrative tasks.\n\n- Root CA (Certificate Authority) is a certificate that will be used to sign all other certificates within a system. In other words, Root CA is an issuer of node, client and admin certificates. A Root CA (Certificate Authority) certificate plays a crucial role in securing Elasticsearch deployments, particularly when enabling TLS/SSL encryption for communication within the cluster and with clients.\n- Next, we generate node certificate issued by the Root CA. We start with a similar config file (country and organisational unit fields may be copied) which additionally contains:\n- If using a publicly trusted SSL certificate for your Elasticsearch cluster, you can often use the certifi package, which provides a default set of common CA certificates.\nIf using a self-signed certificate or a certificate signed by a private CA, you will need to obtain the CAs root certificate (and any intermediate certificates) in PEM format and save them to a file.\n- You need to pass the path to the CA root certificate which was used to sign the server certificate offered by that Elasticsearch node. This way, the client will be able to trust the server connection.\n- To connect to Elasticsearch using the Python client with CA certificates and basic authentication, the Elasticsearch client needs to be instantiated with specific parameters.\n- When connecting to an Elasticsearch instance with the Python elasticsearch client library, especially when SSL/TLS is enabled on the Elasticsearch server, you often need to provide the Certificate Authority (CA) certificate in PEM format to ensure secure and verified communication.\n- Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains a base64-encoded string username:password\n\n- Openssl allows us to retrieve the ssl expiration date from the remote serivce url. The openssl \"s_client\" command is a powerful tool for interacting with \nSSL/TLS servers \n  - openssl s_client -connect localhost:9200 -showcerts \n  - echo | openssl s_client -connect localhost:8480 | openssl x509 -noout -dates\n\n```bash\n\n# Python\nfrom elasticsearch import Elasticsearch\n\nELASTIC_USERID = \"your_userid\"\nELASTIC_PASSWORD = \"your_password\"  # Replace with your actual password\nCA_CERTS_PATH = \"/path/to/your/http_ca.pem\"  # Path to your CA certificate file in PEM format, The ca_certs parameter expects a file in PEM (Privacy-Enhanced Mail) format. This is a common format for storing cryptographic keys and certificates.\n\ntry:\n  client = Elasticsearch(\n      \"https://your_elasticsearch_host:9200\",  # Replace with your Elasticsearch host and port\n      ca_certs=CA_CERTS_PATH,\n      basic_auth=(ELASTIC_USERID, ELASTIC_PASSWORD)  # This parameter sets up basic HTTP authentication using the provided username and password.e\n  )\n\n # Verify the connection\n  info = client.info()\n  print(\"Connected to Elasticsearch:\")\n  print(info)\n\nexcept Exception as e:\n  print(f\"Error connecting to Elasticsearch: {e}\")\n\n# c#\nusing Nest;\nusing System;\nusing System.Security.Cryptography.X509Certificates;\n\npublic class ElasticsearchConnection\n{\n    public static void Main(string[] args)\n    {\n        // Replace with your Elasticsearch URL\n        var uri = new Uri(\"https://your-elasticsearch-host:9200\"); \n\n        // Replace with your username and password for basic authentication\n        var username = \"your_username\";\n        var password = \"your_password\";\n\n        // Replace with the path to your CA certificate file (e.g., in PEM format)\n        var caCertPath = @\"C:\\path\\to\\your\\ca_certificate.pem\"; \n        // Load the CA certificate\n        var caCert = new X509Certificate2(caCertPath);\n\n        // Create ConnectionSettings with basic authentication and CA certificate\n        var settings = new ConnectionSettings(uri)\n            .BasicAuthentication(username, password)\n            .ServerCertificateValidationCallback((sender, certificate, chain, sslPolicyErrors) =\u003e \n            {\n                // Distinguished name (DN) is a term that describes the identifying information in a certificate and is part of the certificate itself.\n                // Check if the certificate from the remote secure ES cluster is the expected CA \n                if (certificate.Issuer == caCert.Subject)\n                {\n                    Console.WriteLine($\"caCert : [{caCert}]\");\n                    return true;\n                }\n                return false; // Reject if validation fails\n            });\n\n        // Create the Elasticsearch client\n        var client = new ElasticClient(settings);\n\n        // Example: Ping the cluster to verify connection\n        var response = client.Ping();\n\n        if (response.IsValid)\n        {\n            Console.WriteLine(\"Successfully connected to Elasticsearch!\");\n        }\n        else\n        {\n            Console.WriteLine($\"Failed to connect to Elasticsearch: {response.DebugInformation}\");\n        }\n    }\n}\n\n\n```\n\n-- Certificate Decoder\nopenssl x509 -enddate -noout -in ./root-ca.pem\nopenssl x509 -in ./root-ca.pem -text -noout\nopenssl x509 -in ./root-ca.pem -subject -noout\nopenssl x509 -in ./esnode.pem -subject -noout\nopenssl x509 -in esnode.pem -issuer -noout\nopenssl x509 -in ./esnode-key.pem -subject -noout\nopenssl rsa -noout -text -in ./esnode-key.pem\n- https://search-guard.com/blog/elasticsearch-tls-certificates-openssl/\n\n# ------------------------------------------------------------------------\n# The TLS Tool has created the following files:\n# root-ca.pem - the root certificate\n# root-ca-key.pem - the private key for the root certificate\n# node.pem - the node certificate\n# node-key.pem - the private key for the node certificate\n# admin.pem - the admin certificate\n# admin-key.pem - the private key for the admin certificate\n\nC = Country Name\nST = State or Province Name\nL = Locality Name (보통 도시 이름)\nO = Organization Name\nOU = Organizational Unit Name\nCN = Common Name (FQDN - Fully Qualified Domain Name)\nemailAddress = 이메일 주소\n\n\n-bash-4.2$ openssl x509 -in esnode.pem -issuer -noout\n\n# openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out root-ca.pem -days 3650 -nodes -config ./cert_config\n# openssl req -newkey rsa:4096 -keyout esnode-key.pem -out esnode.pem -days 3650 -nodes -config ./node_config\n# openssl x509 -req -in esnode.pem -CA ./root-ca.pem -CAkey ca-key.pem -CAcreateserial -out esnode.pem -extensions req_ext -extfile ./node_config -days 3650\n\n# openssl x509 -in test-esnode.pem -issuer -noout\n# openssl x509 -enddate -noout -in ./test-esnode.pem\n\n- elasticsearch.yml\n\npath.repo: [\"/usr/share/elasticsearch/backup\"]\n\n# --------------------------------- Discovery ----------------------------------\n#\n# Pass an initial list of hosts to perform discovery when this node is started:\n# The default list of hosts is [\"127.0.0.1\", \"[::1]\"]\n#\ndiscovery.seed_hosts: [\"192.168.79.107\", \"192.168.79.108\"]\n#\n# Bootstrap the cluster using an initial set of master-eligible nodes:\n#\ncluster.initial_master_nodes: [\"192.168.79.107\"]\n#\n# For more information, consult the discovery and cluster formation module docum\nentation.\n\n\n######## Start Search Guard Demo Configuration ########\nsearchguard.enterprise_modules_enabled: true\n# WARNING: revise all the lines below before you go into production\nsearchguard.ssl.transport.pemcert_filepath: esnode.pem\nsearchguard.ssl.transport.pemkey_filepath: esnode-key.pem\nsearchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem\nsearchguard.ssl.transport.enforce_hostname_verification: false\nsearchguard.ssl.http.enabled: true\nsearchguard.ssl.http.pemcert_filepath: esnode.pem\nsearchguard.ssl.http.pemkey_filepath: esnode-key.pem\nsearchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem\nsearchguard.allow_unsafe_democertificates: true\nsearchguard.allow_default_init_sgindex: true\nsearchguard.authcz.admin_dn:\n  - CN=kirk,OU=client,O=client,L=test, C=de\n\nsearchguard.audit.type: internal_elasticsearch\nsearchguard.enable_snapshot_restore_privilege: true\nsearchguard.check_snapshot_restore_write_privileges: true\nsearchguard.restapi.roles_enabled: [\"SGS_ALL_ACCESS\"]\ncluster.routing.allocation.disk.threshold_enabled: false\nnode.max_local_storage_nodes: 3\n\nxpack.security.enabled: false\nsearchguard.enterprise_modules_enabled: false\nindices.breaker.total.use_real_memory: false\n\n######## End Search Guard Demo Configuration ########\n\n#Max Clause count\nindices.query.bool.max_clause_count: 50000\n\n#reindex.remote.whitelist: \"otherhost:9200, another:9200, 127.0.10.*:9200, localhost:*\nreindex.remote.whitelist: \"*:9200\"\n\n\n\n# **************************************************\n# **************************************************\n# Generate key via Search Guard\n# ''' https://subin-0320.tistory.com/174 '''\n\n# ------------------------------------------------------------------------\n\n# -- Keytool for SSL Keys\n# ''' https://blog.naver.com/PostView.naver?blogId=noggame\u0026logNo=222117193132\u0026parentCategoryNo=\u0026categoryNo=33 '''\nsudo keytool -genkeypair -keystore /apps/spark/certs/spark.jks  -storetype pkcs12 -keyalg RSA -keysize 4096 -alias selfsigned  -dname \"CN=spark-cert, L=test, S=test, C=test\"  -storepass test -keypass test -validity 2000\nkeytool -list -v -keystore sparktrust.jks\nkeytool -delete -keystore sparktrust.jks\n\nsudo keytool -exportcert -alias selfsigned -file spark-cert.p12 -keystore ./spark.jks\nsudo keytool -importcert -trustcacerts -alias sparktrust  -file spark-cert.p12 -keystore sparktrust.jks  -keypass sparkpass  -noprompt\n# ------------------------------------------------------------------------\n\n\n# -- Generate ca-cert and node-cert files\n# ------------------------------------------------------------------------\n# The TLS Tool has created the following files:\n# root-ca.pem - the root certificate\n# root-ca-key.pem - the private key for the root certificate\n# node.pem - the node certificate\n# node-key.pem - the private key for the node certificate\n# admin.pem - the admin certificate\n# admin-key.pem - the private key for the admin certificate\n\n''' https://subin-0320.tistory.com/174'''\n''' https://docs.search-guard.com/7.x-53/offline-tls-tool#validating-certificates '''\n\n- Search Guard provide an offline TLS tool which you can use to generate all required certificates for running Search Guard in production:\n- Just download the zip or tar.gz file and unpack it in a directory of your choice\n- The TLS tool will read the node- and certificate configuration settings from a yaml file, and outputs the generated files in a configurable directory.\n\n- Root CA (Certificate Authority) is a certificate that will be used to sign all other certificates within a system. In other words, Root CA is an issuer of node, client and admin certificates\n- Next, we generate node certificate issued by the Root CA. We start with a similar config file (country and organisational unit fields may be copied) which additionally contains:\n\n- you can create the Root and intermediate CA first, and generate node certificates as you need them.\n- To configure the Root CA for all certificates, add the following lines to your configuration file:\n- To generate node certificates, add the node name, the Distinguished Name, the hostname(s) and/or the IP address(es) in the nodes section:\n\nunzip ./Search-Guard/gen_certs/search-guard-tlstool-3.0.2.zip\n\n# -- Generate ca-cert and node-cert files\n./tools/sgtlstool.sh -c ./tlsconfig.yml -ca -crt -t ./certs\n\n./tools/sgtlsdiag.sh -ca ./certs/root-ca.pem -crt ./certs/dev-node-1.pem\n\nopenssl x509 -in ./root-ca.pem -text -noout\nopenssl x509 -in ./root-ca.pem -subject -noout\nopenssl x509 -in ./dev_certs/root-ca.pem -noout -dates\nopenssl x509 -enddate -noout -in ./dev_certs/root-ca.pem\n\n\nsearchguard.enterprise_modules_enabled: false\n## SSL/TLS\nsearchguard.ssl.transport.pemcert_filepath: certs/node-1.pem\nsearchguard.ssl.transport.pemkey_filepath: certs/node-1.key\nsearchguard.ssl.transport.pemkey_password: monitoring\nsearchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem\nsearchguard.ssl.transport.enforce_hostname_verification: false\nsearchguard.ssl.transport.resolve_hostname: false\nsearchguard.ssl.http.enabled: true\nsearchguard.ssl.http.pemcert_filepath: certs/node-1.pem\nsearchguard.ssl.http.pemkey_filepath: certs/node-1.key\nsearchguard.ssl.http.pemkey_password: monitoring\nsearchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem\nsearchguard.allow_unsafe_democertificates: true\nsearchguard.allow_default_init_sgindex: true\nsearchguard.nodes_dn:\n- \"CN=node-1,OU=monitoring,O=monitoring\"\n- \"CN=node-2,OU=monitoring,O=monitoring\"\n- \"CN=node-3,OU=monitoring,O=monitoring\"\nsearchguard.authcz.admin_dn:\n- \"CN=admin,OU=monitoring,O=monitoring\"\n\nsearchguard.audit.type: internal_elasticsearch\nsearchguard.check_snapshot_restore_write_privileges: true\nsearchguard.restapi.roles_enabled: [\"SGS_ALL_ACCESS\"]\ncluster.routing.allocation.disk.threshold_enabled: false\nsearchguard.enterprise_modules_enabled: false\nxpack.security.enabled: false\nxpack.security.autoconfiguration.enabled: false\n######## End Search Guard Demo Configuration ########\n\n#Max Clause count\nindices.query.bool.max_clause_count: 50000\n\n#reindex.remote.whitelist: \"otherhost:9200, another:9200, 127.0.10.*:9200, localhost:*\nreindex.remote.whitelist: \"*:9200\"\n\n# **************************************************\n# **************************************************\n\n\n\n5) Start/Restart Elasticsearch and check that the nodes come up\n- Test connection : https://localhost:9201\n- Linux init.d (https://www.digipine.com/index.php?mid=programming\u0026document_srl=1044\u0026listStyle=viewer\u0026page=1)\n- /etc/init.d/elasticsearch -- startup script for Elasticsearch\n- Once you have the file you can run the command. This will \"install\" elasticsearch as a service.\n```bash\nsudo chmod +x /etc/init.d/elasticsearch\nsudo systemctl enable elasticsearch.service\nsudo update-rc.d elasticsearch defaults\nsudo update-rc.d elasticsearch defaults 95 10\nsudo updated-rc.d -f elasticsearch remove\n```\n- To start and stop the service, you can run the commands :\n```bash\nsudo  service elasticsearch start\nsudo  service elasticsearch stop\n```\n- Run : `/apps/elasticsearch/elasticsearch-8.12.2/bin/elasticsearch -d`\n- Download sgctl tool script (https://maven.search-guard.com/search-guard-flx-release/com/floragunn/sgctl/)\n```bash\n- https://docs.search-guard.com/latest/manual-installation\n- Search Guard guide with Role : https://forum.search-guard.com/t/sgs-kibana-user-allow-to-delete-index-patterns/2182, https://docs.search-guard.com/latest/action-groups\n$ ./sgctl.sh\nUsage: sgctl [COMMAND]\nRemote control tool for Search Guard\nCommands:\n  connect          Tries to connect to a cluster and persists this connection\n                     for subsequent commands\n  get-config       Retrieves Search Guard configuration from the server to\n                     local files\n  update-config    Updates Search Guard configuration on the server from local\n                     files\n  migrate-config   Converts old-style sg_config.yml and kibana.yml into\n                     sg_authc.yml and sg_frontend_authc.yml\n  component-state  Retrieves Search Guard component status information\n  sgctl-licenses   Displays license information for sgctl\n  sgctl-version    Shows the version of this sgctl command\n  add-user-local   Adds a new user to a local sg_internal_users.yml file\n  add-user         Adds a new user\n  update-user      Updates a user\n  delete-user      Deletes a user\n  add-var          Adds a new configuration variable\n  update-var       Updates an existing configuration variable\n  delete-var       Deletes an existing configuration variable\n  set              Modifies a property in the Search Guard Configuration\n  update-license   Updates the SG license\n  rest             REST client for administration\n  special          Commands for special circumstances\n```\n\n- How to use sgctl tool script\n```bash\n[localhost@localhost sgconfig]$ pwd\n/apps/elasticsearch/node1/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig\n[localhost@localhost sgconfig]$ ls\nelasticsearch.yml.example  sg_action_groups.yml  sg_authc.yml  sg_authz.yml  sg_frontend_authc.yml  sg_frontend_multi_tenancy.yml  sg_internal_users.yml  sg_roles_mapping.yml  sg_roles.yml  sg_tenants.yml\n```\n- Account Maintain : Add user to \"/plugins/search-guard-flx/sgconfig/sg_internal_user.xml\" (Use API : https://docs.search-guard.com/7.x-51/rest-api-internalusers, https://docs.search-guard.com/latest/sgctl, Base64 : https://www.encodebase64.net/, PlainText : \u003cuser\u003e:\u003cpassword\u003e)\n```bash\n\n- https://docs.search-guard.com/latest/manual-installation\n- https://docs.search-guard.com/latest/first-steps-user-configuration\n\n# Add User: \n- if you already have a running cluster, you can also sgctl to directly create users on the cluster without modifying a local sg_internal_users.yml file first.\n\n# es_monitoring\nsudo /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh add-user-local es_monitoring --backend-roles sg_public,kibanauser --password 1 -o /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml\n\nAppending to /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml\n\n# Alwasy run whenever you add/update something to cluster\n/apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh update-config /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles_mapping.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_action_groups.yml\n\n#--\n# Update password\nlogstash:\n  hash: \"$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2\"\n  backend_roles:\n  - \"logstash\"\n  description: \"Demo logstash user\"\n\nsudo /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh add-user-local logstash --backend-roles logstash --password logstash1234 -o /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml\n\n/apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh update-config /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles_mapping.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_action_groups.yml\n#--\n\n\nsudo /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh update-user logstash --password logstash1 --ca-cert /apps/elasticsearch/elasticsearch-8.12.2/config/root-ca.pem --cert /apps/elasticsearch/elasticsearch-8.12.2/config/kirk.pem --key /apps/elasticsearch/elasticsearch-8.12.2/config/kirk-key.pem --host localhost --port 9201 --insecure\n\n# Delete User:  (It doesn't need to update configuation using sgctl tool script to ES cluster with Search Guard)\n[biadmin@localhost ~]$ \nsudo /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh delete-user guest --ca-cert /apps/elasticsearch/elasticsearch-8.12.2/config/root-ca.pem --cert /apps/elasticsearch/elasticsearch-8.12.2/config/kirk.pem --key /apps/elasticsearch/elasticsearch-8.12.2/config/kirk-key.pem --host localhost --port 9201 --insecure\n--\nSuccessfully connected to cluster supplychain-logging-es8-dev (localhost) as user CN=kirk,OU=client,O=client,L=test,C=de\nInternal User user2 has been deleted\n--\n\n\n\n# Update-Config : \n\n1) Create a connectin for updating the configuration\n[biadmin@localhost ~]$\nsudo /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh connect --host localhost --port 9201 --ca-cert /apps/elasticsearch/elasticsearch-8.12.2/config/root-ca.pem --cert /apps/elasticsearch/elasticsearch-8.12.2/config/kirk.pem --key /apps/elasticsearch/elasticsearch-8.12.2/config/kirk-key.pem --insecure\n--\nSuccessfully connected to cluster supplychain-logging-es8-dev (localhost) as user CN=kirk,OU=client,O=client,L=test,C=de\n--\n\n2) Update configuration to add user\n\n[biadmin@localhost ~]$\n\n/apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh update-config /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml\n\n# Update configuration\n/apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh update-config /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_internal_users.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles.yml /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles_mapping.yml\n--\nSuccessfully connected to cluster supplychain-logging-es8-dev (localhost) as user CN=kirk,OU=client,O=client,L=test,C=de\nConfiguration has been updated\n--\n\n# - ES Logs when run the update configuration\n[2024-06-26T17:21:09,643][INFO ][c.f.s.a.PrivilegesEvaluator] [supplychain-logging-es8-node#1] Updated authz config:\n[2024-06-26T17:25:05,415][INFO ][c.f.s.c.ConfigurationRepository] [supplychain-logging-es8-node#1] Index update done:\n'{\"errors\":false,\"took\":25,\"items\":[{\"index\":{\"_index\":\".searchguard\",\"_id\":\"rolesmapping\",\"_version\":17,\"result\":\"updated\",\"forced_refresh\":true,\"_shards\":{\"total\":4,\"successful\":4,\"failed\":0},\"_seq_no\":173,\"_primary_term\":17,\"status\":200}},{\"index\":{\"_index\":\".searchguard\",\"_id\":\"roles\",\"_version\":22,\"result\":\"updated\",\"forced_refresh\":true,\"_shards\":{\"total\":4,\"successful\":4,\"failed\":0},\"_seq_no\":174,\"_primary_term\":17,\"status\":200}},{\"index\":{\"_index\":\".searchguard\",\"_id\":\"internalusers\",\"_version\":131,\"result\":\"updated\",\"forced_refresh\":true,\"_shards\":{\"total\":4,\"successful\":4,\"failed\":0},\"_seq_no\":175,\"_primary_term\":17,\"status\":200}}]}'\n[2024-06-26T17:25:05,422][INFO ][c.f.s.a.AuthorizationService] [supplychain-logging-es8-node#1] Updated authz config:\n\n\n3) Get configuration\n[biadmin@localhost ~]$\n/apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/tools/sgctl-2.0.0.sh get-config -0 /apps/elasticsearch/elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/ --output ./\n\n\n\n-- Other Instance\n1) Create a connectin for updating the configuration\n./sgctl-2.0.0.sh connect --host localhost --port 9201 --ca-cert ./search-guard-keys/dev/root-ca.pem --cert  ./search-guard-keys/dev/kirk.pem --key  ./search-guard-keys/dev/kirk-key.pem --insecure\n\n-bash-4.2$ ./sgctl-2.0.0.sh connect --host localhost --port 9201 --ca-cert ./search-guard-keys/dev/root-ca.pem --cert  ./search-guard-keys/dev/kirk.pem --key  ./search-guard-keys/dev/kirk-key.pem --insecure\nSuccessfully connected to cluster supplychain-logging-es8-dev (localhost) as user CN=kirk,OU=client,O=client,L=test,C=de\n\n\n\nelastic:\n  hash: \"$2y$12$ScV8euAglZETM/H1xTuQkOP36raAW7ylOw/pVpF10QKja3RSW2aYu=-=\"\n  reserved: false\n  backend_roles:\n  - \"admin\"\n  description: \"common admin\"\n\n\n# User Test\nhttp://localhost:9200/_searchguard/api/internalusers/admin  (Header : 'Authorization' : 'Basic YWRtaW46YWRtaW4=')\n\n\n$ curl https://test:test@localhost:9201 --insecure\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100   568  100   568    0     0   1192      0 --:--:-- --:--:-- --:--:--  1200{\n  \"name\" : \"supplychain-logging-es8-node#1\",\n  \"cluster_name\" : \"supplychain-logging-es8-dev\",\n  \"cluster_uuid\" : \"Rs0Ec26mQSK83RIo52il5g\",\n  \"version\" : {\n    \"number\" : \"8.12.2\",\n    \"build_flavor\" : \"default\",\n    \"build_type\" : \"tar\",\n    \"build_hash\" : \"48a287ab9497e852de30327444b0809e55d46466\",\n    \"build_date\" : \"2024-02-19T10:04:32.774273190Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"9.9.2\",\n    \"minimum_wire_compatibility_version\" : \"7.17.0\",\n    \"minimum_index_compatibility_version\" : \"7.0.0\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n\n(.venv)\n\n[biadmin@localhost ~]$ curl -XGET --user test:test \"https://localhost:9201/_cluster/health?pretty\" --insecure\n{\n  \"cluster_name\" : \"localhost\",\n  \"status\" : \"green\",\n  \"timed_out\" : false,\n  \"number_of_nodes\" : 2,\n  \"number_of_data_nodes\" : 2,\n  \"active_primary_shards\" : 43,\n  \"active_shards\" : 86,\n  \"relocating_shards\" : 0,\n  \"initializing_shards\" : 0,\n  \"unassigned_shards\" : 0,\n  \"delayed_unassigned_shards\" : 0,\n  \"number_of_pending_tasks\" : 0,\n  \"number_of_in_flight_fetch\" : 0,\n  \"task_max_waiting_in_queue_millis\" : 0,\n  \"active_shards_percent_as_number\" : 100.0\n}\n\n\n-bash-4.2$  curl -XGET -u test:test https://localhost:9260 --ca-cert /apps/elasticsearch/elasticsearch-8.12.2/config/root-ca.pem\n{\n  \"name\" : \"test-node-1\",\n  \"cluster_name\" : \"test-upgrade\",\n  \"cluster_uuid\" : \"8Jew6_HCSVa1A7KHL2GOlQ\",\n  \"version\" : {\n    \"number\" : \"8.12.2\",\n    \"build_flavor\" : \"default\",\n    \"build_type\" : \"tar\",\n    \"build_hash\" : \"48a287ab9497e852de30327444b0809e55d46466\",\n    \"build_date\" : \"2024-02-19T10:04:32.774273190Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"9.9.2\",\n    \"minimum_wire_compatibility_version\" : \"7.17.0\",\n    \"minimum_index_compatibility_version\" : \"7.0.0\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n-bash-4.2$\n\n\n# Get all users from search guard\n-bash-4.2$  curl -XGET -u test:test https://localhost:9260/_searchguard/api/internalusers/ | jq\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100   582  100   582    0     0   3287      0 --:--:-- --:--:-- --:--:--  3306\n{\n  \"logstash\": {\n    \"backend_roles\": [\n      \"logstash\"\n    ],\n    \"description\": \"Demo logstash user\"\n  },\n  \"snapshotrestore\": {\n    \"backend_roles\": [\n      \"snapshotrestore\"\n    ],\n    \"description\": \"Demo snapshotrestore user\"\n  },\n  \"admin\": {\n    \"backend_roles\": [\n      \"admin\"\n    ],\n    \"description\": \"Demo admin user\"\n  },\n  \"kibanaserver\": {\n    \"description\": \"Demo kibanaserver user\"\n  },\n  \"kibanaro\": {\n    \"backend_roles\": [\n      \"kibanauser\",\n      \"readall\"\n    ],\n    \"attributes\": {\n      \"attribute1\": \"value1\",\n      \"attribute2\": \"value2\",\n      \"attribute3\": \"value3\"\n    },\n    \"description\": \"Demo kibanaro user\"\n  },\n  \"biadmin\": {\n    \"backend_roles\": [\n      \"admin\"\n    ]\n  },\n  \"readall\": {\n    \"backend_roles\": [\n      \"readall\"\n    ],\n    \"description\": \"Demo readall user\"\n  }\n}\n-bash-4.2$\n\n\ncurl -X 'PATCH' \\\n  'https://localhost:9260/_searchguard/api/internalusers' \\\n  -H 'accept: application/json' \\\n  -H 'Content-Type: application/json' \\\n  -H 'Authorization: Basic test=' \\\n  -d '[ \n  { \n    \"op\": \"add\", \"path\": \"/test\", \"value\": { \"password\": \"test\", \"backend_roles\": [\"admin\"] } \n  }\n]' | jq\n\n```\n\n\n6) Re-enable shard allocation by using sgadmin\n```bash\nPUT _cluster/settings\n{\n  \"persistent\": {\n    \"cluster.routing.allocation.enable\": \"all\"\n  }\n}\n```\n\n7) Configure authentication/authorization, users, roles and permissions by uploading the Search Guard configuration with sgadmin\n```bash\n\n- Change the files in ../sgconfig and execute: \n\"/home/biadmin/ELK_UPGRADE/search-guard-hash/tools/sgadmin.sh\" -cd \"/ES/search_guard/elasticsearch-7.9.0/plugins/search-guard-7/sgconfig\" -icl -key \"/ES/search_guard/elasticsearch-7.9.0/config/kirk-key.pem\" -cert \"/ES/search_guard/elasticsearch-7.9.0/config/kirk.pem\" -cacert \"/ES/search_guard/elasticsearch-7.9.0/config/root-ca.pem\" -nhnv\n\n- Searchguard 8.12\n /apps/elasticsearch/sgctl-2.0.0.sh update-config ./elasticsearch-8.12.2/plugins/search-guard-flx/sgconfig/sg_roles.yml --ca-cert=./elasticsearch-8.12.2/config/root-ca.pem  --key=./elasticsearch-8.12.2/config/kirk-key.pem\n\n apps/elasticsearch/sgctl-2.0.0.sh connect localhost --port=9201 --cert=/apps/elasticsearch/elasticsearch-8.12.2/config/root-ca.pem  --key=/apps/elasticsearch/elasticsearch-8.12.2/config/kirk-key.pem\n\n\n```\n\n8) Install Kibana\n```bash\n##Kibaba (kibana plugin install 없이 http 기동하게 되면 messaage box for login)\n# https://docs.search-guard.com/latest/search-guard-versions\n\nPlugin installation was unsuccessful due to error \"No kibana plugins found in archive\"\n[devuser@gsa02 kibana-7.9.0-linux-x86_64]$ ./bin/kibana-plugin install file:////apps/kibana/kibana-8.12.2/search-guard-flx-kibana-plugin-2.0.0-es-8.12.2.zip\nKibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.12/production.html#openssl-legacy-provider\nAttempting to transfer from file:////apps/kibana/kibana-8.12.2/search-guard-flx-kibana-plugin-2.0.0-es-8.12.2.zip\nTransferring 9423509 bytes....................\nTransfer complete\nRetrieving metadata from plugin archive\nExtracting plugin archive\nExtraction complete\nPlugin installation complete\n[devuser@gsa02 kibana-7.9.0-linux-x86_64]$ \n\n```bash\n# =================== System: Kibana Server (Optional) ===================\n# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.\n# These settings enable SSL for outgoing requests from the Kibana server to the browser.\nserver.ssl.enabled: true\nserver.ssl.certificate: /apps/kibana/kibana-8.17.0/config/certs/es_admin.pem\nserver.ssl.key: /apps/kibana/kibana-8.17.0/config/certs/es_admin.key\nserver.ssl.keyPassphrase: test\n\n# =================== System: Elasticsearch ===================\n# The URLs of the Elasticsearch instances to use for all your queries.\nelasticsearch.hosts: [\"https://localhost1.test.com:9201\", \"https://localhost2.test:9201\", \"https://localhost3.test.com:9201\"]\n#elasticsearch.hosts: [\"https://localhost1.test.com:9201\"]\n\n# If your Elasticsearch is protected with basic authentication, these settings provide\n# the username and password that the Kibana server uses to perform maintenance on the Kibana\n# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which\n# is proxied through the Kibana server.\nelasticsearch.username: \"kibanaserver\"\nelasticsearch.password: \"kibanaserver\"\n\n\nelasticsearch.requestHeadersWhitelist: [\"Authorization\", \"sgtenant\", \"security_tenant\"]\n\n#elasticsearch.ssl.verificationMode: none\n#elasticsearch.ssl.verificationMode: certificate\nelasticsearch.ssl.certificateAuthorities: [\"/apps/kibana/kibana-8.17.0/config/certs/local-es8-ca.pem\"]\nelasticsearch.ssl.alwaysPresentCertificate: true\n\n\nsecurity.showInsecureClusterWarning: false\nsearchguard.allow_client_certificates: true\nsearchguard.cookie.secure: true\n\n\nxpack.reporting.roles.enabled: false\nxpack.infra.enabled: false\nxpack.canvas.enabled: false\nxpack.observability.enabled: false\nxpack.reporting.capture.browser.chromium.disableSandbox: false\nxpack.security.authc.http.enabled: false\n\n\n# Specifies the path where Kibana creates the process ID file.\npid.file: /apps/kibana/kibana-8.17.0/kibana.pid\n\n```\n\n# - LOGO (/apps/kibana/kibana-8.12.2/plugins/searchguard/public/assets)\n\n/home/ES/kibana-7.9.0-linux-x86_64/plugins/searchguard/public/apps/loginlogin.html\n\nCOPY /apps/kibana/kibana-8.12.2/plugins/searchguard/public/assets/searchguard_logo.svg from /home/biadmin/ELK_UPGRADE/searchguard_logo.svg\n\n# Run\nnohup sudo /apps/kibana/kibana-8.12.2/bin/kibana --allow-root \u0026\u003e /dev/null \u0026\nnohup sudo /apps/kibana/kibana-8.17.0/bin/kibana --allow-root \u0026\u003e /dev/null \u0026\n\nsudo /apps/kibana/latest/bin/kibana --allow-root \u0026\nsudo netstat -nlp | grep :5601\n\ncd /apps\nsudo vi . puppeteerrc\nskipDownload: true\nsudo chown -R kibana:kibana .puppeteerrc\n\n```\n\n\n9) Logstash Configuration\n- Logstash Reference :https://princehood69.rssing.com/chan-69503895/article83.html, https://m.blog.naver.com/inggi/221816427585\n- Path for Service\n\n```bash\nsudo groupadd logstash\nsudo useradd -g  logstash logstash\ncd /apps\nsudo mkdir logstash\nsudo chmod 755 ./logstash\ncd /apps\nsudo chown -R logstash:logstash ./logstash/\nunzip ./logstash-5.6.4-dev.zip\nln -s ./logstash-5.6.4 latest\nmkdir data\nmkdir logs\n\nsudo mv logstash /etc/init.d/\n[logstash@localhost system]$ systemctl status logstash.service\n● logstash.service - LSB: logstash\n   Loaded: loaded (/etc/rc.d/init.d/logstash; bad; vendor preset: disabled)\n   Active: active (running) since Wed 2024-06-19 08:42:25 EDT; 1 weeks 2 days ago\n     Docs: man:systemd-sysv-generator(8)\n  Process: 1213 ExecStart=/etc/rc.d/init.d/logstash start (code=exited, status=0/SUCCESS)\n   CGroup: /system.slice/logstash.service\n           └─1267 /apps/java/latest//bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=true -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -Dlo...\n[logstash@localhost system]$ less /etc/rc.d/init.d/logstash\n[logstash@localhost system]$\n```\ncd /apps/logstash/latest/config/\nvi ./logstash.yml\n\n------------ Debugging Settings --------------\n\nOptions for log.level:\n   * fatal\n   * error\n   * warn\n   * info (default)\n   * debug\n   * trace\n\n#log.level: debug\nlog.level: info\npath.logs: /apps/logstash/logs/\n\n- Run with /config/conf.d/ : `/home/biadmin/ELK_UPGRADE/logstash-7.13.0/bin/logstash -f /home/biadmin/ELK_UPGRADE/logstash-7.13.0/config/conf.d/`\n- /apps/logstash/logstash-8.12.2/bin/logstash -f /apps/logstash/logstash-8.12.2/config/conf.d/ (QA1/QA2 with `logstash` account)\n\n```bash\ninput {\n  stdin {}\n}\noutput {\n  elasticsearch {\n    hosts =\u003e \"localhost:9200\"\n    user =\u003e logstash\n    password =\u003e logstash\n    ssl =\u003e true\n    ssl_certificate_verification =\u003e false\n    truststore =\u003e \"\u003clogstash path\u003e/config/truststore.jks\"\n    truststore_password =\u003e changeit\n    index =\u003e \"test\"\n    document_type =\u003e \"test_doc\"\n  }\n  stdout{\n    codec =\u003e rubydebug\n  }\n}\n```\n\n10) Reindex\n- To continue reindexing if there are conflicts, set the \"conflicts\" request body parameter to proceed.\n- Set to create to only index documents that do not already exist (put if absent). Valid values: index, create. Defaults to index.\n```bash\nPOST _reindex?wait_for_completion=false\n{\n  \"conflicts\": \"proceed\",\n  \"source\": {\n    \"remote\": {\n      \"host\": \"http://host.docker.internal:9209\",\n      \"username\": \"elastic\",\n      \"password\": \"your_password\"\n    },\n    \"index\": \"performance_metrics\",\n    \"query\": {\n     \"match_all\": {}\n    }\n  },\n  \"dest\": {\n    \"index\": \"cp99_performance_metrics\",\n    \"op_type\": \"create\"\n  }\n}\n\n\nGET _tasks?detailed=true\u0026actions=*reindex\nGET _tasks/BH_UUNP2RjafE0aNHGi_Hw:216731707\n\n```\n\n\n### Pytest\n- Run `py.test -sv tests` or `test-pytest.sh` to validate whether ingestion is working with sample records based on search-guard.\n- SSL Cert Verfication : https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification\n- Sample (You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs): `requests.get('https://github.com', verify='/path/to/certfile')`\n```bash\n$ py.test -v tests\n============================= test session starts =============================\nplatform win32 -- Python 3.11.7, pytest-8.2.2, pluggy-1.5.0 -- C:\\Users\\euiyoung.hwang\\Git_Workspace\\ELK-upgrade\\.venv\\Scripts\\python.exe\ncachedir: .pytest_cache\nrootdir: C:\\Users\\euiyoung.hwang\\Git_Workspace\\ELK-upgrade\\tests\nconfigfile: pytest.ini\ncollecting ... collected 3 items\n\ntests\\test_elasticsearch.py::test_elasticsearch_create_index_index PASSED [ 33%]\ntests\\test_elasticsearch.py::test_indics_analyzer_elasticsearch PASSED   [ 66%]\ntests\\test_elasticsearch.py::test_search_elasticsearch PASSED            [100%]\n\n============================== 3 passed in 3.75s ==============================\n(.venv)\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feuiyounghwang%2Felk-stack-proj","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feuiyounghwang%2Felk-stack-proj","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feuiyounghwang%2Felk-stack-proj/lists"}