...

The following table shows the DNS configuration of the cluster and the role each machine plays in it.

FQDN                          IP         Role
wifimon-node1.example.org     10.0.0.1   master-eligible / data node
wifimon-node2.example.org     10.0.0.2   master-eligible / data node
wifimon-node3.example.org     10.0.0.3   master-eligible / data node
wifimon-kibana.example.org    10.0.0.4   coordinating node
wifimon-logstash.example.org  10.0.0.5   pipeline node

A cluster node is a machine that joins the Elasticsearch cluster. In this setup the cluster nodes are the three master-eligible/data nodes and the coordinating node (wifimon-kibana.example.org). The pipeline node (wifimon-logstash.example.org) is not a cluster node: it does not join the cluster.

...

Port 9200/tcp is the Elasticsearch REST API, used to query the cluster. Port 9300/tcp is the transport port, used for communication between cluster nodes. Port 5044/tcp is where Logstash listens for the Beats protocol connections over which Filebeat ships log events. Port 5601/tcp is used to reach the Kibana web interface from a browser. Of these, only 9300/tcp, 5044/tcp and 5601/tcp are opened in the firewall listings below; none of the listings shown opens 9200/tcp to remote hosts.

This setup uses firewalld. On each component a custom zone named "wifimon" is created to hold the component-specific rules: the zone is bound to the source addresses that are allowed to connect, and only the listed ports are opened to them. Because a zone bound to sources takes precedence over the zone of the interface, traffic from any other address falls through to the interface's zone (public), so the ports opened in the wifimon zone are reachable only from the listed sources. The listings below were taken with firewall-cmd on each host; they show the runtime configuration, so add --permanent to confirm that the same rules survive a firewalld reload.

On wifimon-kibana.example.org:

# firewall-cmd --zone=public --list-ports
5601/tcp
# firewall-cmd --zone=wifimon --list-ports
9300/tcp
# firewall-cmd --zone=wifimon --list-sources
10.0.0.1/32 10.0.0.2/32 10.0.0.3/32

On wifimon-node1.example.org:

# firewall-cmd --zone=wifimon --list-ports
9300/tcp
# firewall-cmd --zone=wifimon --list-sources
10.0.0.2/32 10.0.0.3/32 10.0.0.4/32

On wifimon-node2.example.org:

# firewall-cmd --zone=wifimon --list-ports
9300/tcp
# firewall-cmd --zone=wifimon --list-sources
10.0.0.1/32 10.0.0.3/32 10.0.0.4/32

On wifimon-node3.example.org:

# firewall-cmd --zone=wifimon --list-ports
9300/tcp
# firewall-cmd --zone=wifimon --list-sources
10.0.0.1/32 10.0.0.2/32 10.0.0.4/32

On wifimon-logstash.example.org:

# firewall-cmd --zone=wifimon --list-ports
5044/tcp
# firewall-cmd --zone=wifimon --list-sources
10.10.10.111/32 10.10.10.15/32

NOTE

The 10.10.10.111 and 10.10.10.15 addresses above are the IPs of the servers on which the Filebeat agents are installed; they are the only hosts allowed to reach Logstash on 5044/tcp.
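The pattern in the listings above is simple to state: every cluster node opens 9300/tcp to the other cluster nodes and to nothing else, and the pipeline node opens 5044/tcp to the Filebeat hosts only. Drift from that pattern (a node that still allows a decommissioned peer, the pipeline node's IP slipping into a cluster node's zone, an extra port opened during troubleshooting) is what a periodic check should catch. The script below is an added example, not part of the WiFiMon page or project: it derives the expected wifimon zone sources and port for each host from the table above and compares them with what firewall-cmd reports. The hostnames and IPs are those of the table; the function names, the --live switch and the sample outputs used to exercise it are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the WiFiMon page's own code): derive the expected firewalld
# "wifimon" zone contents for each host from the cluster table and compare them
# with the output of `firewall-cmd --zone=wifimon --list-sources/--list-ports`.
# Hostnames and IPs come from the table on the page; function names and the
# --live switch are choices made for this example.

# Cluster nodes: the master-eligible/data nodes and the coordinating node.
# The pipeline node (10.0.0.5) is deliberately absent: it does not join the cluster.
CLUSTER_NODES="10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4"

# Filebeat hosts allowed to reach Logstash on 5044/tcp (from the NOTE on the page).
FILEBEAT_HOSTS="10.10.10.111 10.10.10.15"

# Map an FQDN from the table to its IP.
ip_of() {
    case "$1" in
        wifimon-node1.example.org)    echo 10.0.0.1 ;;
        wifimon-node2.example.org)    echo 10.0.0.2 ;;
        wifimon-node3.example.org)    echo 10.0.0.3 ;;
        wifimon-kibana.example.org)   echo 10.0.0.4 ;;
        wifimon-logstash.example.org) echo 10.0.0.5 ;;
        *) return 1 ;;
    esac
}

# Print the sources the wifimon zone should contain on the given host,
# one per line, sorted, in firewalld's "a.b.c.d/32" form.
expected_sources() {
    host="$1"
    self=$(ip_of "$host") || return 1
    case "$host" in
        wifimon-logstash.example.org)
            # Pipeline node: only the Filebeat agents may connect.
            for ip in $FILEBEAT_HOSTS; do echo "$ip/32"; done ;;
        *)
            # Cluster node: every other cluster node, never itself.
            for ip in $CLUSTER_NODES; do
                [ "$ip" = "$self" ] || echo "$ip/32"
            done ;;
    esac | sort
}

# The single port the wifimon zone should open on the given host.
expected_port() {
    case "$1" in
        wifimon-logstash.example.org) echo 5044/tcp ;;
        *) echo 9300/tcp ;;
    esac
}

# check_zone HOST LIST_SOURCES_OUTPUT LIST_PORTS_OUTPUT
# Returns 0 when both match the expectation exactly, 1 otherwise (and says why).
check_zone() {
    host="$1"; sources="$2"; ports="$3"
    want_src=$(expected_sources "$host") || { echo "unknown host $host"; return 1; }
    got_src=$(printf '%s\n' $sources | sort)
    want_port=$(expected_port "$host")
    got_port=$(printf '%s\n' $ports | sort)
    ok=0
    if [ "$want_src" != "$got_src" ]; then
        echo "$host: sources differ"
        echo "  expected: $(echo $want_src)"
        echo "  actual:   $(echo $got_src)"
        ok=1
    fi
    if [ "$want_port" != "$got_port" ]; then
        echo "$host: ports differ (expected $want_port, got $(echo $got_port))"
        ok=1
    fi
    return $ok
}

# Live check of the host the script runs on: `sh check_zone.sh --live` (assumed
# file name). Exit status 0 means the zone matches the table.
if [ "${1:-}" = "--live" ]; then
    check_zone "$(hostname -f)" \
        "$(firewall-cmd --zone=wifimon --list-sources)" \
        "$(firewall-cmd --zone=wifimon --list-ports)"
    exit $?
fi
```

Run it with --live on each host after any firewall change; it only reports the runtime zone, so pass --permanent to the two firewall-cmd calls (or run it once more after firewall-cmd --reload) to confirm the persistent configuration agrees.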

SSL/TLS Certificates

Communication between the cluster nodes is secured with SSL/TLS. elasticsearch-certutil was used to generate a CA certificate, which then signed the certificates of the cluster components. The utility ships with the Elasticsearch installation; in this case the copy installed on the wifimon-kibana.example.org node was used.
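One detail that is easy to get wrong when signing node certificates is the set of subject alternative names: if transport verification is set to check hostnames, each certificate must match the name or address the peers use to contact the node, so it is safest to include both the FQDN and the IP from the table. The script below is an added example, not the WiFiMon page's own procedure: it builds, from the cluster table, the instances file that elasticsearch-certutil cert --in consumes, validates it, and, where the tool is present on the host, issues the CA and the node certificates in PEM form. PEM output, the file names (instances.yml, ca.zip, certs.zip), the instance names, and the choice to issue certificates to the four cluster nodes only are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the WiFiMon page's own procedure): generate the instances
# file for `elasticsearch-certutil cert --in` from the cluster table so every
# node certificate carries its FQDN and its IP as SANs, then issue the CA and
# the node certificates with elasticsearch-certutil where it is installed.
# Assumptions: PEM output, the file names used below, and the set of components
# that receive certificates (the four cluster nodes; the pipeline node is omitted).

# "name fqdn ip", one per line, taken from the table on the page.
CLUSTER_TABLE='node1 wifimon-node1.example.org 10.0.0.1
node2 wifimon-node2.example.org 10.0.0.2
node3 wifimon-node3.example.org 10.0.0.3
kibana wifimon-kibana.example.org 10.0.0.4'

# Emit the YAML instances file on stdout (format documented for certutil --in).
instances_yaml() {
    echo "instances:"
    echo "$CLUSTER_TABLE" | while read -r name fqdn ip; do
        [ -n "$name" ] || continue
        echo "  - name: \"$name\""
        echo "    dns: [\"$fqdn\"]"
        echo "    ip: [\"$ip\"]"
    done
}

# Number of instances in a generated file (sanity check before signing).
instance_count() {
    grep -c '^  - name:' "$1" || true
}

# Every instance must carry exactly one dns and one ip entry; returns 1 otherwise.
validate_instances() {
    n=$(grep -c '^  - name:' "$1" || true)
    d=$(grep -c '^    dns:' "$1" || true)
    i=$(grep -c '^    ip:' "$1" || true)
    [ "$n" -gt 0 ] && [ "$n" -eq "$d" ] && [ "$n" -eq "$i" ]
}

# Write the instances file and, when elasticsearch-certutil is on PATH (on
# package installs it lives in /usr/share/elasticsearch/bin), issue the CA and
# the per-node certificates signed by it. Run on the node that has the tool;
# the page used the one on wifimon-kibana.example.org. certutil prompts for the
# CA key password when --pass is not given, so this stays interactive.
generate_certs() {
    out="${1:-instances.yml}"
    instances_yaml > "$out"
    validate_instances "$out" || { echo "malformed $out"; return 1; }
    if command -v elasticsearch-certutil >/dev/null 2>&1; then
        # CA first (ca/ca.crt and ca/ca.key inside ca.zip), then the node certs.
        elasticsearch-certutil ca --pem --out ca.zip && unzip -o ca.zip &&
        elasticsearch-certutil cert --pem --in "$out" \
            --ca-cert ca/ca.crt --ca-key ca/ca.key --out certs.zip
    else
        echo "elasticsearch-certutil not found; wrote $out only"
    fi
}
```

certs.zip then contains one directory per instance name with its certificate and private key; copy each pair, together with ca/ca.crt, to the corresponding node and point the transport SSL settings at them. Keep ca/ca.key on the signing host only.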

...