使用 Logstash 在 ES 集群之间迁移索引（源集群 → 目标集群）
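# Syntax-check the pipeline without starting it: -t (--config.test_and_exit) parses the
# config and exits, -f only names the config file. The original command used "-f --debug",
# so the second -f consumed "--debug" as its argument instead of testing the real config.
/home/secure/logstash-7.8.1/bin/logstash -f /home/secure/logstash-7.8.1/config/event0515.conf -t --debug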
-f 只用于指定配置文件路径；检查配置文件语法应使用 -t（--config.test_and_exit），它只解析配置并退出，不会启动管道；--debug 只是增加调试日志输出。
# Run the migration pipeline in the foreground, sending stdout and stderr to one log
# file ("&>" is the bash shorthand for "> file 2>&1").
/home/secure/logstash-7.8.1/bin/logstash -f /home/secure/logstash-7.8.1/config/event0515.conf &>/home/secure/ca/event0515.log
可以使用 SSL 加密传输。注意：忽略证书验证（ssl_certificate_verification => false）会让连接暴露于中间人攻击，elastic 账号的用户名/密码会在这种未经验证的连接上发送；生产环境应配置集群 CA 并保持证书校验开启（input 插件用 ca_file，output 插件用 cacert）。
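# Logstash pipeline: copy the listed indices from the source cluster (input) into the
# target cluster (output), keeping each document's original index name.
#
# Passwords are no longer written into this file: Logstash expands ${VAR} from the
# environment, so export SRC_ES_PASSWORD and DST_ES_PASSWORD before starting it.
# Note: Logstash config comments start with "#" — the original "//" lines were not
# valid comment syntax.
input {
  elasticsearch {
    hosts    => ["10.30.90.147:9200"]
    user     => "elastic"
    password => "${SRC_ES_PASSWORD}"
    # explicit index list; a wildcard list such as "full_flow*,-.security*" also works
    # (the "-.security*" entry keeps the security system indices out of the copy)
    index    => "full_flow_file_202311,full_flow_file_202312,prob_file_description_202402"
    docinfo  => true      # exposes _index/_type/_id under [@metadata], used by the output
    slices   => 1
    size     => 10000
    ssl      => true
    ca_file  => "/home/secure/147/ca.crt"   # verify the source cluster's certificate
  }
}
filter {
  mutate {
    # both fields are added by Logstash itself and are not part of the source documents
    remove_field => ["@timestamp", "@version"]
  }
}
output {
  elasticsearch {
    hosts       => ["https://121.229.203.43:9200"]
    user        => "elastic"
    password    => "${DST_ES_PASSWORD}"
    index       => "%{[@metadata][_index]}"   # same index name as in the source cluster
    ilm_enabled => false
    ssl         => true
    # Verify the target cluster's certificate instead of turning verification off:
    # "ssl_certificate_verification => false" would accept any certificate and expose
    # the elastic credentials to a man-in-the-middle. The output plugin takes the CA via
    # "cacert" (the input plugin uses "ca_file" and rejects both output-only settings).
    cacert      => "/home/secure/ca/target-ca.crt"   # TODO: path to the CA that signed 121.229.203.43's cert
  }
}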
es集群密码重置
1. 先在每个节点的 elasticsearch.yml 中关闭安全认证（xpack.security.enabled: false），然后重启 ES 服务。注意：在关闭认证期间集群对任何能访问 9200 端口的人完全开放，应在隔离网络中操作并尽快完成后续步骤。
2. 重新生成 keystore 文件。注意：新 keystore 不包含旧 keystore 中保存的任何安全设置（如 bootstrap.password、证书密码等），操作前先备份旧文件。
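# Recreate the node keystore. The original steps used relative paths that only work
# from two different directories ("rm" in config/, "./elasticsearch-keystore" in bin/);
# everything is anchored on the installation directory instead.
# WARNING: the new keystore contains none of the secure settings held by the old one
# (bootstrap.password, TLS key passphrases, ...), so the old file is moved aside as a
# backup rather than deleted. Moving it away also keeps "create" non-interactive
# (it asks before overwriting an existing keystore).
es_home=/app/taishi/elasticsearch-7.8.1
if [ -e "${es_home}/config/elasticsearch.keystore" ]; then
  mv -- "${es_home}/config/elasticsearch.keystore" \
    "${es_home}/config/elasticsearch.keystore.bak.$(date +%Y%m%d%H%M%S)"
fi
"${es_home}/bin/elasticsearch-keystore" create   # writes the file into the node's config directory
# the ES process runs as admin and must be able to read its keystore; -R is meaningless on a single file
chown admin:admin "${es_home}/config/elasticsearch.keystore"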
3. 将新生成的 keystore 拷贝到其它节点（每个节点上保持与本机相同的属主 admin:admin 和文件权限）
# Distribute the freshly created keystore to the other cluster nodes
# (-r is harmless on a single file; kept as in the original invocation).
for node in 10.72.17.15 10.72.17.23; do
  scp -r elasticsearch.keystore "admin@${node}:/app/taishi/elasticsearch-7.8.1/config/"
done
4. 删除原来的安全系统索引（.security-*）。这会清除所有内置用户的密码以及自定义用户、角色和 API key，之后需要重新创建。
# Remove the old security indices so the passwords can be set up from scratch.
# This runs while security is disabled, i.e. unauthenticated plain HTTP: do it from a
# trusted host on an isolated network. The wildcard delete is refused by clusters that
# set action.destructive_requires_name: true.
curl --request DELETE "http://10.72.17.7:9200/.security-*"
5. 修改 elasticsearch.yml 重新启用安全认证（xpack.security.enabled: true），并重启所有节点。
6. 重新为内置用户设置密码。elasticsearch-setup-passwords 通常只能在安全索引为空时成功运行一次，之后修改密码应使用 _security/user API。
# Set new passwords for the built-in users. "interactive" prompts for each password;
# --batch suppresses the "continue? [y/N]" confirmation. "instance" is a placeholder —
# point --url at a real node. Because the URL is https, the tool has to trust that node's
# certificate (it appears to take the TLS settings from elasticsearch.yml — TODO confirm).
./elasticsearch-setup-passwords interactive --batch --url https://instance:9200
7. 确认集群启动正常并且认证已生效：用新密码访问 _cluster/health 应返回 200，不带凭据访问应返回 401。
es迁移字段过大问题
迁移的时候提示字段内容太长,无法同步成功
原因：源索引中该字段是 text 类型，而目标索引没有模板、由动态映射自动创建时，字符串字段会被映射为 keyword；keyword 是不分词的单个 term，超过 term 长度上限的值会被拒绝，导致整条文档同步失败。
同步索引之前必须先给索引创建好索引模板
es索引模板操作
1.模板操作
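# Inspect / remove the legacy "event" index template.
# The password is taken from ES_PASSWD (the same variable the template script uses)
# instead of being typed literally, so it does not end up in shell history; to avoid
# it showing in `ps` too, use "-u elastic" alone and let curl prompt for it.
# Both URLs are plain http, where -k has no effect; it is dropped so that switching
# these commands to https later does not silently disable certificate checking.
curl -u "elastic:${ES_PASSWD}" -XGET http://121.229.203.22:9200/_template/event
# NOTE(review): 121.229.333.46 is not a valid IPv4 address (octet > 255); fix the host before use.
curl -u "elastic:${ES_PASSWD}" -XDELETE http://121.229.333.46:9200/_template/event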
同步索引数据前必须先创建索引模板，否则目标索引会按默认动态映射创建，某些列（尤其是长文本列）的值会因类型不匹配被拒绝，造成数据丢失。
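# Import the "event" template from ./event.json. Run this BEFORE syncing data so the
# indices are created with the template mappings. Password comes from ES_PASSWD rather
# than a literal on the command line; -k is dropped because the URL is plain http
# (and it must not be carried over to an https endpoint, where it disables verification).
curl -u "elastic:${ES_PASSWD}" -XPUT http://121.229.22.46:9200/_template/event -H 'Content-Type: application/json' -d @./event.json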
2.模板操作脚本
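#!/usr/bin/env bash
# Import the platform's index templates into an Elasticsearch cluster, apply the
# replica / cluster settings, and delete the indices that were auto-created before
# the templates existed (so they come back with the template mappings on the next write).
#
# Environment:
#   IP            (required) address of an Elasticsearch node, reached as https://${IP}:9200
#   ES_PASSWD     (required) password of the "elastic" user
#   ES_CACERT     (optional) CA certificate used to verify the cluster's TLS certificate.
#                 If unset, verification is DISABLED (curl -k) like in the original
#                 script — acceptable only on an isolated network.
#   TEMPLATE_DIR  (optional) directory holding the *.json bodies, default ./template
#
# Cluster side effects: overwrites the legacy templates named in main(), PUTs
# replicas.json on the settings of EVERY existing index (/_settings), changes cluster
# settings from EePerNode.json, and DELETES the current event_/alarm_/incident_/
# merge_alarm_/operation_incident indices.
# Any failed request aborts the script (set -e plus curl --fail) instead of silently
# continuing: syncing data without the templates produces wrong mappings.
set -euo pipefail

: "${IP:?IP (Elasticsearch node address) must be set}"
: "${ES_PASSWD:?ES_PASSWD (password of the elastic user) must be set}"
readonly ip=${IP}
readonly es_url="https://${ip}:9200"
readonly template_dir=${TEMPLATE_DIR:-./template}
printf '%s\n' "${ip}"

# TLS verification: use the CA when given, otherwise fall back to -k (insecure).
if [[ -n "${ES_CACERT:-}" ]]; then
  curl_tls=(--cacert "${ES_CACERT}")
else
  printf 'WARNING: ES_CACERT is not set; the server certificate will NOT be verified\n' >&2
  curl_tls=(-k)
fi
readonly -a curl_tls

#######################################
# curl wrapper. Credentials are handed to curl through a config read from stdin
# (-K -) instead of a -u argument, so they are not visible in `ps` output.
# Callers must therefore not pass options that read stdin themselves (e.g. -d @-).
# Arguments: extra curl arguments (method, URL, headers, data ...)
# Outputs:   curl's stdout
# Returns:   curl's exit status
#######################################
es_curl() {
  # A password containing '"' or '\' would have to be escaped for curl's config syntax.
  curl -s -S "${curl_tls[@]}" -K - "$@" <<<"user = \"elastic:${ES_PASSWD}\""
}

#######################################
# Does an index exist?  HEAD /<index> answers 200 (yes) or 404 (no).
# The original matched the string "error" in _cat/indices output, which also
# treated auth or connection failures as "index missing" and then tried to delete.
# Arguments: $1 - index name
# Returns:   0 if it exists, 1 if not; exits on any other status.
#######################################
index_exists() {
  local status
  status=$(es_curl -o /dev/null -w '%{http_code}' -I "${es_url}/$1")
  case "${status}" in
    200) return 0 ;;
    404) return 1 ;;
    *)
      printf 'HEAD %s returned HTTP %s\n' "$1" "${status}" >&2
      exit 1
      ;;
  esac
}

#######################################
# PUT one legacy index template.
# Arguments: $1 - template name, $2 - JSON file name under ${template_dir}
#######################################
put_template() {
  local name=$1 file=$2
  printf '####导入%s模板####\n' "${name}"
  es_curl -f -XPUT "${es_url}/_template/${name}" \
    -H 'Content-Type: application/json' -d "@${template_dir}/${file}"
  printf '\n\n'
  sleep 1
}

#######################################
# Delete an index if it is present (it was created with default mappings before
# the template was loaded), printing the same status lines as the original script.
# Arguments: $1 - index name, $2 - label used in the messages
#######################################
delete_index_if_present() {
  local index=$1 label=$2
  printf '####删除默认%s索引####\n' "${label}"
  if index_exists "${index}"; then
    es_curl -f -XDELETE "${es_url}/${index}"
    printf '\n默认%s索引删除成功\n\n' "${label}"
  else
    printf '默认%s索引不存在\n\n' "${label}"
  fi
  sleep 1
}

main() {
  local year month ym half name
  ym=$(date +%Y%m)
  year=$(date +%Y)
  month=$(date +%m)
  # incident / merge_alarm indices are per half-year: <year>01 for Jan-Jun, <year>02 for Jul-Dec.
  # 10# forces base 10 so that "08" and "09" are not read as (invalid) octal.
  if (( 10#${month} <= 6 )); then
    half="${year}01"
  else
    half="${year}02"
  fi

  for name in event alarm excep incident merge_alarm operation unmatch; do
    put_template "${name}" "${name}.json"
  done
  put_template label ES_label.json   # template name and file name differ for this one
  put_template offline_merge_alarm offline_merge_alarm.json
  put_template offline_incident offline_incident.json
  put_template offline_alarm offline_alarm.json

  printf '####设置分片副本####\n'
  # NB: /_settings without an index name applies to every existing index.
  es_curl -f -XPUT "${es_url}/_settings" \
    -H 'Content-Type: application/json' -d "@${template_dir}/replicas.json"
  printf '\n'
  printf '####设置分片10000####\n'
  es_curl -f -XPUT "${es_url}/_cluster/settings" \
    -H 'Content-Type: application/json' -d "@${template_dir}/EePerNode.json"
  printf '\n'

  delete_index_if_present "event_${ym}" event
  delete_index_if_present "alarm_${ym}" alarm
  delete_index_if_present "incident_${half}" incident
  delete_index_if_present "merge_alarm_${half}" merge_alarm
  delete_index_if_present operation_incident operation

  printf '####模板导入完成####\n\n'
  printf '\033[33m ###安装完成#### \033[0m\n\n'
}

main "$@"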
{"index_patterns" : ["event*"],"settings" : { "index" : {"number_of_shards" : "1","number_of_replicas" : "0"}},"mappings" : {"_meta" : { },"_source" : { },"dynamic_templates": [{"strings": {"mapping": {"type": "keyword"},"match_mapping_type": "string"}}],"properties" : {"asset_ids": {"type": "keyword"},"dev_address": {"type": "keyword"},"dev_port": {"type": "keyword"},"label_id": {"type": "keyword"},"protocol": {"type": "keyword"},"product": {"type": "keyword"},"vendor": {"type": "keyword"},"data_source": {"type": "keyword"},"dst_address": {"type": "keyword"},"dst_port": {"type": "keyword"},"event_id": {"type": "keyword"},"event_name": {"type": "keyword"},"equipment": {"type": "keyword"},"event_type": {"type": "keyword"},"event_type_name": {"type": "keyword"},"input_id": {"type": "long"},"log_id": {"type": "keyword"},"occur_time": {"type": "date"},"opt_time": {"type": "keyword"},"original_log": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"out_index_or_topic": {"type": "keyword"},"parse_filter_name": {"type": "keyword"},"parse_filter_ruleid": {"type": "keyword"},"receive_time": {"type": "date"},"src_address": {"type": "keyword"},"src_port": {"type": "keyword"},"syslog_facility": {"type": "long"},"syslog_level": {"type": "long"},"level": {"type": "keyword"},"dev_name": {"type": "keyword"},"threat_category": {"type": "keyword"},"classify": {"type": "keyword"},"log_source": {"type": "keyword"},"rule_tags": {"type": "keyword"},"dept_id": {"type": "long"},"packet_data": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"potential_impact": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"rsp_body": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"rsp_header": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"referer": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"user_agent": 
{"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"info_content": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"req_arg": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"req_body": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"req_header": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"req_info": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"bulletin": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"operation_command": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}},"threat_advice": {"type": "text","fields": {"keyword": {"type": "keyword","ignore_above": 256}}}}},"aliases" : { } }
event.json 通过 index_patterns ["event*"] 匹配所有新建的以 event 开头的索引：模板中列出的列按指定类型创建（如 occur_time/receive_time 为 date，original_log、req_body、rsp_body 等长文本列为 text 并附带 ignore_above 256 的 keyword 子字段），未列出的字符串列则由 dynamic_templates 统一映射为 keyword。这样索引创建后写入数据时，长文本列不会被默认动态映射成 keyword 而因超长被拒绝，
也不需要每个索引都单独设置一个 mapping 了。