Preface
I had previously installed elasticsearch-6.5.0. A vulnerability scan reported "The remote web server hosts a Java application that is vulnerable." and the suggested fix was to upgrade to elasticsearch-6.5.2 or later.
121249 - Elasticsearch ESA-2018-19
Synopsis
The remote web server hosts a Java application that is vulnerable.
Description
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learnings find_file_structure API. If a policy allowing external network access has been added to Elasticsearchs Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Please note: by default Elasticsearch has the Java Security Manager enabled with policies which will cause this attack to fail.
See Also
http://www.nessus.org/u?3f00797e
Solution
Affected users should upgrade to Elasticsearch version 6.5.2.
Risk Factor
High
References
CVE CVE-2018-17247
Plugin Information
Published: 2019/01/18, Modified: 2019/01/18
Plugin Output
tcp/9200
URL : http://192.168.0.220:9200/
Installed version : 6.5.0
Fixed version : 6.5.2
Installing Kibana
To look at the existing data, I installed Kibana first.
1. Prepare the package
Finding the package needs no further explanation.
2. Extract
tar -zxvf kibana-6.5.2-linux-x86_64.tar.gz
3. Change ownership
chown -R es:es /es
4. Edit the configuration file
server.host defaults to localhost, but I want to reach Kibana from another Windows machine, so the configuration file has to change.
vim /es/kibana-6.5.2-linux-x86_64/config/kibana.yml
# add one line
server.host: "192.168.0.220"
5. Start
su es
/es/kibana-6.5.2-linux-x86_64/bin/kibana &
6. Fixing the error Unable to revive connection: http://localhost:9200/
【1】Error log
【2】Cause analysis
The elasticsearch.url set in Kibana's kibana.yml does not match the IP given in Elasticsearch's network.host.
【3】Fix
Edit elasticsearch.url in kibana.yml:
vim /es/kibana-6.5.2-linux-x86_64/config/kibana.yml
# add one line
elasticsearch.url: "http://192.168.0.220:9200"
# restart
/es/kibana-6.5.2-linux-x86_64/bin/kibana &
7. View the data
When startup prints the address http://192.168.0.220:5601, it has succeeded; open that address in a browser.
Backup
1. Register (create) a snapshot repository
The version currently running is 6.5.0, so the repository is created for that version.
curl -XPUT "192.168.0.220:9200/_snapshot/my-es" -H 'Content-Type: application/json' -d'
{
  "type": "fs",
  "settings": {
    "location": "/es/elasticsearch-6.5.0/backup"
  }
}
'
2. Fixing the error
【1】Error log
{"error":{"root_cause":[{"type":"repository_exception",
"reason":"[my-es] location [/es/elasticsearch-6.5.0/backup] doesn't match any of the locations specified by path.repo because this setting is empty"}],
"type":"repository_exception","reason":"[my-es] failed to create repository",
"caused_by":{"type":"repository_exception",
"reason":"[my-es] location [/es/elasticsearch-6.5.0/backup] doesn't match any of the locations specified by path.repo because this setting is empty"}},
"status":500}
【2】Cause analysis
The error message already says it: the repository location does not match any path in path.repo (which is empty), so the repository location /es/elasticsearch-6.5.0/backup has to be listed in the configuration file.
【3】Fix
vim /es/elasticsearch-6.5.0/config/elasticsearch.yml
# add the following
path.repo: ["/es/elasticsearch-6.5.0/backup"]
【4】Create again
# restart
su es
/es/elasticsearch-6.5.0/bin/elasticsearch -d
# create the repository
curl -XPUT "192.168.0.220:9200/_snapshot/my-es" -H 'Content-Type: application/json' -d'
{
  "type": "fs",
  "settings": {
    "location": "/es/elasticsearch-6.5.0/backup"
  }
}
'
3. View the registered snapshot repository
curl -XGET "192.168.0.220:9200/_snapshot/my-es/"
curl -XPOST "192.168.0.220:9200/_snapshot/my-es/_verify"
4. Back up
Here es_sys_opreate_log_data_park is the index just seen in Kibana.
# back up
curl -XPUT '192.168.0.220:9200/_snapshot/my-es/es_sys_opreate_log_data_park?wait_for_completion=true'
# inspect the backup files
cd /es/elasticsearch-6.5.0/backup/
Upgrade
1. Prepare the package elasticsearch-6.5.2.tar.gz
2. Extract
tar -zxvf elasticsearch-6.5.2.tar.gz
3. Edit the configuration file
# go to the configuration directory
cd /es/elasticsearch-6.5.2/config/
# back up the configuration file
mv elasticsearch.yml elasticsearch.yml.bak
# copy the 6.5.0 configuration file over
cp /es/elasticsearch-6.5.0/config/elasticsearch.yml ./
# change the repository location (path.repo) to the 6.5.2 backup directory, /es/elasticsearch-6.5.2/backup
vim /es/elasticsearch-6.5.2/config/elasticsearch.yml
4. Change ownership
chown -R es:es elasticsearch-6.5.2
5. Start the new version
Kill the old version before starting.
# restart
su es
/es/elasticsearch-6.5.2/bin/elasticsearch -d
Check the data
Looking in Kibana, there is no data at all.
Restore the data
# create the 6.5.2 repository
curl -XPUT "192.168.0.220:9200/_snapshot/my-es" -H 'Content-Type: application/json' -d'
{
  "type": "fs",
  "settings": {
    "location": "/es/elasticsearch-6.5.2/backup"
  }
}
'
# move the 6.5.0 backup data into the 6.5.2 repository
cp -r /es/elasticsearch-6.5.0/backup/* /es/elasticsearch-6.5.2/backup/
# restore
curl -XPOST 192.168.0.220:9200/_snapshot/my-es/es_sys_opreate_log_data_park/_restore
Check the data
Check the version
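To confirm that the upgrade actually closed the scanner finding, the version the node reports can be compared with the fixed version from the advisory. The following Python script is an added example for this post, not Elastic's code: it parses the JSON that GET / on port 9200 returns (the version.number field) and checks it against the affected range the Nessus output names (6.5.0 and 6.5.1 affected, 6.5.2 fixed). The embedded sample response is constructed to look like the 6.5.0 node's reply; the address 192.168.0.220:9200 is the node from the post.

```python
"""Compare a node's reported version with the fixed version from ESA-2018-19.

Added example for this post, not Elastic's code. The advisory names 6.5.0 and
6.5.1 as affected and 6.5.2 as fixed (CVE-2018-17247); those values come from
the Nessus output quoted at the top of the post. Standard library only."""
import json
import urllib.request

AFFECTED_FROM = "6.5.0"   # first affected version named in the advisory
FIXED_VERSION = "6.5.2"   # "Fixed version : 6.5.2" in the plugin output


def parse_version(text):
    """'6.5.2' -> (6, 5, 2); a '-SNAPSHOT' style suffix is dropped.
    Tuples compare numerically, so 6.10.0 sorts after 6.5.2 as it should."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def installed_version(root_response):
    """Read version.number from the JSON body that GET / returns."""
    return json.loads(root_response)["version"]["number"]


def is_affected(version):
    """True for versions in the advisory's affected range [6.5.0, 6.5.2)."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_VERSION)


def assess(root_response):
    """Return (version, affected, message) for a GET / response body."""
    version = installed_version(root_response)
    if is_affected(version):
        return version, True, f"{version} is affected by ESA-2018-19; upgrade to {FIXED_VERSION}"
    return version, False, f"{version} is not in the affected range"


# Constructed sample, shaped like the root response of the 6.5.0 node in the post
SAMPLE_ROOT_6_5_0 = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "6.5.0", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})


def fetch_root(url="http://192.168.0.220:9200/", timeout=5):
    """Live check; the default address is the node from the post."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # assess(fetch_root()) to query the running node.
    print(assess(SAMPLE_ROOT_6_5_0)[2])
```

Running the same check after starting 6.5.2 should report the version as outside the affected range; if it still shows 6.5.0, the old process was never killed and is still answering on port 9200.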
Note:
Later testing showed that moving the data folder from the old version into the new version also completes the upgrade and the data migration.
Addendum:
Starting Logstash
# switch user
su es
# go to the install directory
cd logstash-6.5.0/bin/
# start
./logstash -f ../config/logstash-sample.conf &
When restoring, the error index with same name already exists in the cluster
# restore
curl -XPOST 192.168.0.231:9200/_snapshot/my-es/es_sys_opreate_log_data/_restore
# error message
{"error":{"root_cause":[{"type":"snapshot_restore_exception","reason":"[my-es:es_sys_opreate_log_data/eQgyqRvXQYyhhpdH5b46Mg]
cannot restore index [.kibana] because an open index with same name already exists in the cluster.
Either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name"}],
"type":"snapshot_restore_exception","reason":"[my-es:es_sys_opreate_log_data/eQgyqRvXQYyhhpdH5b46Mg] cannot restore index [.kibana]
because an open index with same name already exists in the cluster. Either close or delete the existing index or restore the index under a different name
by providing a rename pattern and replacement name"},"status":500}
# list all current indices
curl -X GET "192.168.0.231:9200/_cat/indices?v"
# delete the indices
curl -X DELETE "192.168.0.231:9200/es_sys_opreate_log_data"
curl -X DELETE "192.168.0.231:9200/.kibana"
# restore again
curl -XPOST 192.168.0.231:9200/_snapshot/my-es/es_sys_opreate_log_data/_restore
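Both errors in this post come from the _snapshot API: the repository location has to lie under a path listed in path.repo, and a restore fails when an open index of the same name already exists. The error text itself names an alternative to deleting .kibana: restore under a different name with a rename pattern. The Python helpers below are an added example, not Elastic's code. They reproduce the path.repo check client-side, build the register and restore request bodies using the documented _snapshot API fields (rename_pattern, rename_replacement, include_global_state), and map the two error bodies shown in this post to the fix applied. The elasticsearch.yml fragment is constructed; the error bodies are the ones shown above, compacted.

```python
"""Helpers for the Elasticsearch snapshot/restore workflow used in this post.

Added example, not Elastic's code. It covers the two failures the post hits:
a repository "location" that is not under any path.repo entry, and a restore
that collides with an open index of the same name (.kibana). Standard library only."""
import json
from pathlib import PurePosixPath


def parse_path_repo(elasticsearch_yml):
    """Return the path.repo entries from elasticsearch.yml text.

    Minimal parser for the forms used in the post: a flow list such as
    path.repo: ["/a", "/b"] (valid JSON, so json.loads handles it) or a
    single scalar. An absent setting yields [], which is what Elasticsearch
    reports as "this setting is empty"."""
    for raw in elasticsearch_yml.splitlines():
        line = raw.strip()
        if not line.startswith("path.repo:"):
            continue
        value = line[len("path.repo:"):].strip()
        if value.startswith("["):
            return [str(p) for p in json.loads(value)]
        return [value.strip("\"'")]
    return []


def repo_location_allowed(location, path_repo):
    """Client-side copy of the server check: location must equal, or lie
    beneath, one of the path.repo entries."""
    loc = PurePosixPath(location)
    return any(loc == base or base in loc.parents
               for base in map(PurePosixPath, path_repo))


def register_repo_body(location):
    """Body for PUT /_snapshot/<repo>: a shared-filesystem repository."""
    return {"type": "fs", "settings": {"location": location}}


def restore_body(indices, prefix="restored_"):
    """Body for POST /_snapshot/<repo>/<snapshot>/_restore.

    Every restored index is renamed with the given prefix, so an open index
    with the original name (.kibana here) is never a conflict and nothing has
    to be deleted first. include_global_state=False keeps the snapshot's
    cluster state (templates, persistent settings) out of the target cluster."""
    return {
        "indices": indices,
        "include_global_state": False,
        "rename_pattern": "(.+)",
        "rename_replacement": prefix + "$1",
    }


def diagnose(error_response):
    """Map an error body returned by the _snapshot API to the fix the post applies."""
    err = json.loads(error_response)["error"]
    if err["type"] == "repository_exception" and "path.repo" in json.dumps(err):
        return "add the location to path.repo in elasticsearch.yml and restart the node"
    if err["type"] == "snapshot_restore_exception" and "already exists" in err.get("reason", ""):
        return "restore with rename_pattern/rename_replacement, or close or delete the existing index"
    return "unhandled error type: " + err["type"]


# Constructed elasticsearch.yml fragment, as edited in the post
SAMPLE_YML = 'network.host: 192.168.0.220\npath.repo: ["/es/elasticsearch-6.5.0/backup"]\n'

# The two error bodies shown in the post, compacted
REPO_ERROR = json.dumps({"error": {"root_cause": [{"type": "repository_exception",
    "reason": "[my-es] location [/es/elasticsearch-6.5.0/backup] doesn't match any of the locations specified by path.repo because this setting is empty"}],
    "type": "repository_exception", "reason": "[my-es] failed to create repository"}, "status": 500})
RESTORE_ERROR = json.dumps({"error": {"type": "snapshot_restore_exception",
    "reason": "[my-es:es_sys_opreate_log_data/eQgyqRvXQYyhhpdH5b46Mg] cannot restore index [.kibana] because an open index with same name already exists in the cluster. Either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name"},
    "status": 500})

if __name__ == "__main__":
    repos = parse_path_repo(SAMPLE_YML)
    # The 6.5.2 repository path is not under the 6.5.0 path.repo entry, which is
    # why the copied config file has to be edited before the new node is started.
    print(repo_location_allowed("/es/elasticsearch-6.5.2/backup", repos))
    print(json.dumps(restore_body("es_sys_opreate_log_data")))
    print(diagnose(RESTORE_ERROR))
```

Sending restore_body("es_sys_opreate_log_data") as the JSON body of the _restore request brings the index back as restored_es_sys_opreate_log_data, leaving the cluster's live .kibana index untouched; with the rename in place the two DELETE calls above are not needed.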