OpenSearch cluster configuration for Pandora FMS
Overview
This is a configuration guide for installing multiple OpenSearch worker nodes, optionally with self-signed certificates and SSL connection. You may start from an existing node with data or a completely new cluster.
It has been tested on:
- CentOS® 8.4 and 8.5.
- Rocky Linux® 8.4, 8.5, 8.6, 8.7 and 9.5.
- RedHat® 8.5 and 9.5.
It is recommended to distribute Pandora FMS server and OpenSearch on independent servers.
Script installation
The installation process required for each node that will work with Pandora FMS consists of downloading and running the following file, which may be customized:
bash pandorafms-opensearch-el
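Default environment variables
- [ "$CLUSTER_NAME" ], default value: CLUSTER_NAME='pandora_opensearch'.
- [ "$OPENSEARCH_PASS" ], default value: OPENSEARCH_PASS="P4nd0r4!FMS".
Both variables can be overridden on the command line. Because the default password is published here, set your own OPENSEARCH_PASS and use it wherever this guide shows the default.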
env CLUSTER_NAME="pandora_opensearch" \
    OPENSEARCH_PASS="P4nd0r4!FMS" \
    bash -c "$(curl -SsL https://pfms.me/pandorafms-opensearch-el)"
Configuration on all nodes
Although these instructions should be followed for each node, some aspects must be customized for each one: the memory of each computer and whether it is an existing node with data.
- Disable the network firewall on each node:
systemctl stop firewalld
- Using your favorite text editor, open the /etc/opensearch/opensearch.yml file and make several changes.
Comment out (or delete) the following line:
discovery.type: single-node
Add the following line to the end to temporarily disable security:
plugins.security.disabled: true
Configure the discovery hosts by IP address or DNS name. The line has the following structure; replace, add, or delete entries as your network requires until every node is listed:
discovery.seed_hosts: ["172.42.42.101", "172.42.42.102", "172.42.42.103"]
Configure the cluster manager hosts as your network requires. The line has the following structure; replace, delete, or add entries as needed. Each entry must be the machine's hostname, which is used by default as the node name, or the custom node identifier set in the YAML file, if applicable:
cluster.initial_cluster_manager_nodes: ["rocky8-node1", "rocky8-node2", "rocky8-node3"]
Save the changes and exit the text editor.
- Memory configuration on each node.
Memory configuration should be less than the available memory minus the memory needed by the system. Therefore, if you need to configure 4 gigabytes for OpenSearch, the system must have at least 6 GB (4 for OpenSearch and 2 free for the system).
Once the calculation is complete, specify the memory size in the /etc/opensearch/jvm.options file, replacing the existing values with the resulting number:
-Xms4g
-Xmx4g
Save the changes and exit the text editor.
- Delete the data directory on the clean nodes.
If the cluster is growing from a single node with data, just clean up the data directory for the new nodes, not the one with data.
Stop the OpenSearch service and clear the data if the node is new:
systemctl stop opensearch
rm -rf /var/lib/opensearch/*
Restart the OpenSearch service:
systemctl restart opensearch
- Check each node locally.
curl "http://127.0.0.1:9200/_cat/nodes?v"
You should get an output similar to:
- At this point, the OpenSearch cluster should be fully functional.
- To add security to connections, see “Adding SSL Authentication”.
- To configure Pandora FMS with OpenSearch, see “Log Collection and Monitoring”.
Security Configuration for SSL Connections
- Enable firewall and add rules.
systemctl start firewalld
firewall-cmd --zone=public --add-port=9300/tcp --permanent
firewall-cmd --zone=public --add-port=9200/tcp --permanent
firewall-cmd --reload
- Enable security in OpenSearch.
Using your favorite text editor, open the /etc/opensearch/opensearch.yml file and set the value to false on the following line:
plugins.security.disabled: false
For self-signed certificates, add the following line to the end of the file:
plugins.security.ssl.transport.enforce_hostname_verification: false
Save your changes and exit the text editor.
- Copy certificates.
The self-signed certificates generated in the installation step will be used. Copy the certificates from the master node to the other nodes.
On node 1 (replace node_n with each of the other nodes):
tar cvzf certs.tar.gz /etc/opensearch/*.pem
scp certs.tar.gz root@node_n:
Then run on each of the other nodes:
tar xvzf certs.tar.gz
cp etc/opensearch/* /etc/opensearch/
On each of the other nodes, restart the OpenSearch service:
systemctl restart opensearch
Verify nodes:
curl -XGET -ku admin:'P4nd0r4!FMS' "https://127.0.0.1:9200/_cat/nodes?v"
As with the earlier check, this verification call to the cluster must now use both HTTPS and username and password authentication.
At this point, the OpenSearch cluster should have a fully functional SSL connection. To configure Pandora FMS with OpenSearch, see “Log Collection and Monitoring”.
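The following script is an added example, not part of the original guide or of Pandora FMS. It audits opensearch.yml against the settings from "Configuration on all nodes" and "Security Configuration for SSL Connections", catching in particular a node where the temporary plugins.security.disabled: true was never reverted. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Pandora FMS code): audit opensearch.yml after the guide's steps.

# Print the last uncommented value of a top-level key; empty if the key is absent.
yml_value() {  # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            sub(/[ \t]+#.*$/, "", val)           # drop a trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", val)     # trim whitespace
            found = val
        }
        END { print found }' "$1"
}

# Print FAIL/WARN findings; return 1 if any FAIL was found.
audit_opensearch_yml() {  # $1 = path to opensearch.yml
    fails=0
    if [ "$(yml_value "$1" discovery.type)" = "single-node" ]; then
        echo "FAIL discovery.type: single-node is still active"; fails=$((fails + 1))
    fi
    for key in discovery.seed_hosts cluster.initial_cluster_manager_nodes; do
        if [ -z "$(yml_value "$1" "$key")" ]; then
            echo "FAIL $key is not set"; fails=$((fails + 1))
        fi
    done
    if [ "$(yml_value "$1" plugins.security.disabled)" = "true" ]; then
        echo "FAIL plugins.security.disabled is still true (temporary setting not reverted)"
        fails=$((fails + 1))
    fi
    hv=plugins.security.ssl.transport.enforce_hostname_verification
    if [ "$(yml_value "$1" "$hv")" = "false" ]; then
        echo "WARN $hv is false (expected only with self-signed certificates)"
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: a node still in the state left by "Configuration on all nodes".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
cluster.name: pandora_opensearch
#discovery.type: single-node
discovery.seed_hosts: ["172.42.42.101", "172.42.42.102", "172.42.42.103"]
cluster.initial_cluster_manager_nodes: ["rocky8-node1", "rocky8-node2", "rocky8-node3"]
plugins.security.disabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
EOF
audit_opensearch_yml "$SAMPLE" || echo "Audit failed: resolve the FAIL lines above."
```

On a real node, run audit_opensearch_yml /etc/opensearch/opensearch.yml after completing the SSL section; a clean run prints at most the WARN line for self-signed certificates.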