From 9d8088a156ac025084219d02b7e717c4630f09c5 Mon Sep 17 00:00:00 2001 From: Your Name Date: Sat, 20 Sep 2025 09:16:27 +1200 Subject: [PATCH] auth key --- logclient/config/service.env | 17 +---- logclient/install.sh | 44 +++++-------- logclient/start.sh | 2 +- logserver/SETUP.md | 100 +++++++++++++++++++++++++++++ logserver/config/service.env | 13 +--- logserver/generate-api-key.sh | 115 ++++++++++++++++++++++++++++++++++ logserver/install.sh | 18 +++--- 7 files changed, 243 insertions(+), 66 deletions(-) create mode 100644 logserver/SETUP.md create mode 100755 logserver/generate-api-key.sh diff --git a/logclient/config/service.env b/logclient/config/service.env index 3128180..bfd378c 100644 --- a/logclient/config/service.env +++ b/logclient/config/service.env @@ -8,21 +8,8 @@ IMAGE_TAG="7.17.23" LOGSERVER_HOST= LOGSERVER_PORT=5044 -# REQUIRED: Authentication method -AUTH_MODE=mtls # mtls, apikey, or basic - -# mTLS Authentication (if AUTH_MODE=mtls) -CLIENT_CERT_PATH=/certs/client.crt -CLIENT_KEY_PATH=/certs/client.key -CA_CERT_PATH=/certs/ca.crt -SSL_VERIFICATION_MODE=full - -# API Key Authentication (if AUTH_MODE=apikey) -API_KEY="" # Will be provided by logserver admin - -# Basic Authentication (if AUTH_MODE=basic) -USERNAME=filebeat -PASSWORD=changeme +# REQUIRED: API Key Authentication +API_KEY="" # Get from logserver admin using generate-api-key.sh # Performance tuning BULK_MAX_SIZE=2048 # Maximum batch size diff --git a/logclient/install.sh b/logclient/install.sh index 8e751b9..3e7e5ef 100755 --- a/logclient/install.sh +++ b/logclient/install.sh 
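Review bot: Removing `CA_CERT_PATH=/certs/ca.crt` and `SSL_VERIFICATION_MODE=full` leaves the client with no setting for verifying the logserver's certificate, while the server side keeps `ENABLE_TLS=true` in the logserver/config/service.env hunk and logclient/start.sh still mounts `${CERTS_VOLUME}` into the container. An API key is a bearer secret, so it is only as protected as the channel it is sent over; filebeat.yml is not in the patch, so whether it still expects a CA path is inferred, but either way the client now cannot configure server verification. I would keep the two lines, `CA_CERT_PATH=/certs/ca.crt` and `SSL_VERIFICATION_MODE=full`, with a comment such as `# CA that signed the logserver certificate; needed so the API key is only ever sent to the real server`. The matching server-side gap (certificate generation dropped from logserver/install.sh) is raised on that hunk.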
@@ -3,36 +3,20 @@ source "${AGENT_PATH}/common.sh" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # Check required environment variables -_check_required_env_vars "CONTAINER_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "IMAGE_TAG" "LOGSERVER_HOST" "LOGSERVER_PORT" "AUTH_MODE" +_check_required_env_vars "CONTAINER_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "IMAGE_TAG" "LOGSERVER_HOST" "LOGSERVER_PORT" "API_KEY" -# Validate authentication configuration -case "$AUTH_MODE" in - mtls) - _check_required_env_vars "CLIENT_CERT_PATH" "CLIENT_KEY_PATH" "CA_CERT_PATH" - if [ ! -f "$CLIENT_CERT_PATH" ]; then - _die "Client certificate not found at $CLIENT_CERT_PATH" - fi - if [ ! -f "$CLIENT_KEY_PATH" ]; then - _die "Client key not found at $CLIENT_KEY_PATH" - fi - if [ ! -f "$CA_CERT_PATH" ]; then - _die "CA certificate not found at $CA_CERT_PATH" - fi - ;; - apikey) - _check_required_env_vars "API_KEY" - if [ -z "$API_KEY" ]; then - _die "API_KEY is empty. Please get an API key from the logserver administrator" - fi - ;; - basic) - _check_required_env_vars "USERNAME" "PASSWORD" - echo "WARNING: Basic authentication is not recommended for production" - ;; - *) - _die "Invalid AUTH_MODE: $AUTH_MODE. Must be one of: mtls, apikey, basic" - ;; -esac +# Validate API key +if [ -z "$API_KEY" ]; then + echo "" + echo "ERROR: API_KEY is not configured" + echo "" + echo "To get an API key:" + echo "1. On the logserver, run: ./generate-api-key.sh" + echo "2. Enter this client's hostname when prompted" + echo "3. Copy the generated API_KEY to this client's service.env" + echo "" + _die "Missing API_KEY configuration" +fi # Check Docker is available _check_docker_installed || _die "Docker test failed" 
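Review bot: The diagnostic block inside the new `if [ -z "$API_KEY" ]` branch writes its ERROR text to stdout, so it disappears when the installer's output is piped or captured, whereas `_die` presumably reports on stderr. Redirect the block as a unit, `{ echo ""; echo "ERROR: API_KEY is not configured"; echo "To get an API key:"; ...; } >&2`, rather than leaving each echo on stdout. The `-z` test also overlaps with `_check_required_env_vars "API_KEY"` on the line above; if that helper already rejects empty values the branch is unreachable, and if it only checks that the variable is set, a one-line comment saying so would justify keeping both. The install script continues past the end of the hunk, so anything the removed mTLS branch guarded downstream (the certificate mount is still present in start.sh) is no longer validated here.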
@@ -59,4 +43,4 @@ bash ./start.sh || _die "Failed to start Filebeat" echo "Installation of ${CONTAINER_NAME} complete" echo "Collecting logs from Docker API and shipping to ${LOGSERVER_HOST}:${LOGSERVER_PORT}" -echo "Authentication mode: ${AUTH_MODE}" \ No newline at end of file +echo "Using API key authentication" \ No newline at end of file diff --git a/logclient/start.sh b/logclient/start.sh index cd447fb..8067f90 100755 --- a/logclient/start.sh +++ b/logclient/start.sh @@ -14,7 +14,7 @@ cmd="docker run -d \ -v ${CERTS_VOLUME}:/usr/share/filebeat/certs:ro \ -e LOGSERVER_HOST=${LOGSERVER_HOST} \ -e LOGSERVER_PORT=${LOGSERVER_PORT} \ - -e AUTH_MODE=${AUTH_MODE} \ + -e API_KEY=${API_KEY} \ $IMAGE_REGISTRY/$IMAGE_REPO:$IMAGE_TAG \ filebeat -e -strict.perms=false \ -c /usr/share/filebeat/config/filebeat.yml" diff --git a/logserver/SETUP.md b/logserver/SETUP.md new file mode 100644 index 0000000..187d715 --- /dev/null +++ b/logserver/SETUP.md 
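Review bot: The added `-e API_KEY=${API_KEY}` in logclient/start.sh puts the secret on the `docker run` argument list, so it is visible in `ps`, in `set -x` trace output and in any logging of `$cmd`. Docker accepts `-e API_KEY` with no value and takes it from the calling environment, so `-e API_KEY \` keeps the key out of argv with no other change; anyone with Docker socket access can still read it via `docker inspect`, which is unavoidable and equivalent to root anyway. The `cmd=` assignment starts before the hunk (its opening line is only the hunk-header context), so how the string is executed is not visible; if it is `eval`-ed, the unquoted expansion inside it is also a word-splitting hazard for any key that is not plain hex.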
@@ -0,0 +1,100 @@ +# LogServer Quick Setup Guide + +## Prerequisites +- Docker and Docker Compose installed +- 4GB+ RAM, 10GB+ disk space +- Port 5601 (Kibana) and 5044 (Logstash) available + +## Initial Setup + +### 1. System Configuration +```bash +# Required for Elasticsearch +sudo sysctl -w vm.max_map_count=262144 +echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf +``` + +### 2. Configure Server +Edit `config/service.env`: +```bash +# Change default password +KIBANA_PASSWORD=your-secure-password +``` + +### 3. Install +```bash +dropshell install logserver +``` + +## Generate Client API Keys + +Run the interactive key generator: +```bash +./generate-api-key.sh +``` + +Follow the prompts: +1. Enter hostname for each client +2. Script generates secure API key +3. Shows configuration to copy to client +4. Repeat for additional clients + +## Access Kibana + +1. Open browser: `http://your-server-ip:5601` +2. Login: `elastic` / `your-secure-password` +3. Create index pattern: `filebeat-*` +4. 
View logs in Discover tab + +## Add Log Clients + +On each client machine: +```bash +# Get API key from server admin (they run ./generate-api-key.sh) + +# Edit logclient/config/service.env: +LOGSERVER_HOST=your-server-ip +LOGSERVER_PORT=5044 +API_KEY=your-api-key-here + +# Install and start +dropshell install logclient +``` + +## Verify Setup + +```bash +# Check server status +dropshell status logserver + +# View server logs +dropshell logs logserver + +# Test client connection (from client) +docker logs logclient-filebeat | grep "connection" +``` + +## Troubleshooting + +**Elasticsearch won't start**: Check `vm.max_map_count` is 262144+ + +**No logs in Kibana**: +- Verify client can reach server port 5044 +- Check API key is correct in client's service.env +- Verify API key exists in server's api-keys.yml +- Refresh index pattern in Kibana + +**High memory usage**: Adjust heap sizes in `service.env`: +```bash +ES_HEAP_SIZE=1g # Reduce from 2g +LS_HEAP_SIZE=512m # Reduce from 1g +``` + +## Security Checklist + +- [ ] Changed default Kibana password +- [ ] Generated unique API key per client +- [ ] API keys stored securely +- [ ] Firewall allows only necessary ports (5601, 5044) +- [ ] Regular backup configured +- [ ] Reviewed api-keys.yml for old/unused keys \ No newline at end of file diff --git a/logserver/config/service.env b/logserver/config/service.env index 75ed386..74f2c71 100644 --- a/logserver/config/service.env +++ b/logserver/config/service.env 
@@ -25,18 +25,9 @@ LOGSTASH_SYSLOG_PORT=514 LOG_RETENTION_DAYS=30 LOG_MAX_SIZE_GB=50 -# Authentication Mode -AUTH_MODE=mtls # Options: mtls, apikey, basic +# Authentication ENABLE_TLS=true - -# mTLS Settings (if AUTH_MODE=mtls) -CA_CERT_PATH=/certs/ca.crt -SERVER_CERT_PATH=/certs/server.crt -SERVER_KEY_PATH=/certs/server.key -CLIENT_CERT_REQUIRED=true - -# API Key Settings (if AUTH_MODE=apikey) -API_KEYS_PATH=/config/api-keys.yml +API_KEYS_FILE=${CONFIG_PATH}/api-keys.yml # Network Security ALLOWED_IPS="" # Comma-separated list, empty = all diff --git a/logserver/generate-api-key.sh b/logserver/generate-api-key.sh new file mode 100755 index 0000000..7c54591 --- /dev/null +++ b/logserver/generate-api-key.sh 
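Review bot: The new `API_KEYS_FILE=${CONFIG_PATH}/api-keys.yml` is the third independent spelling of this path in the patch: generate-api-key.sh hard-codes `"${CONFIG_PATH:-./config}/api-keys.yml"` and logserver/install.sh writes `"${CONFIG_PATH}/api-keys.yml"` literally, so editing one silently diverges from the others. Having both scripts read this variable, at minimum `API_KEYS_FILE="${API_KEYS_FILE:-${CONFIG_PATH:-./config}/api-keys.yml}"`, would give one source of truth for where the keys live. Nothing in the patch shows what consumes `API_KEYS_FILE` on the server side, and `${CONFIG_PATH}` has to be defined before this file is sourced for the value to be meaningful; a comment naming the consumer and that prerequisite would help the next reader.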
@@ -0,0 +1,115 @@ +#!/bin/bash + +# Interactive API Key Generation Script for LogServer +# This script generates secure API keys and adds them to api-keys.yml + +API_KEYS_FILE="${CONFIG_PATH:-./config}/api-keys.yml" + +# Colors for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +# Generate a secure random API key +generate_key() { + openssl rand -hex 32 2>/dev/null || cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1 +} + +# Initialize api-keys.yml if it doesn't exist +init_api_keys_file() { + if [ ! -f "$API_KEYS_FILE" ]; then + echo "# API Keys for LogServer Authentication" > "$API_KEYS_FILE" + echo "# Format: hostname:api_key" >> "$API_KEYS_FILE" + echo "# Generated by generate-api-key.sh" >> "$API_KEYS_FILE" + echo "" >> "$API_KEYS_FILE" + echo "api_keys:" >> "$API_KEYS_FILE" + echo -e "${GREEN}Created new api-keys.yml file${NC}" + fi +} + +# Check if hostname already has a key +check_existing_key() { + local hostname=$1 + if grep -q "^ ${hostname}:" "$API_KEYS_FILE" 2>/dev/null; then + return 0 + fi + return 1 +} + +# Add key to api-keys.yml +add_key_to_file() { + local hostname=$1 + local api_key=$2 + echo " ${hostname}: ${api_key}" >> "$API_KEYS_FILE" +} + +# Main script +echo -e "${GREEN}=== LogServer API Key Generator ===${NC}" +echo "" + +# Initialize file if needed +init_api_keys_file + +# Interactive mode +while true; do + echo -e "${YELLOW}Enter hostname for the client (or 'done' to finish):${NC}" + read -p "> " hostname + + if [ "$hostname" = "done" ] || [ -z "$hostname" ]; then + break + fi + + # Validate hostname + if [[ ! "$hostname" =~ ^[a-zA-Z0-9][a-zA-Z0-9-_.]*$ ]]; then + echo -e "${RED}Invalid hostname format. Use only letters, numbers, dots, dashes, and underscores.${NC}" + continue + fi + + # Check if key already exists + if check_existing_key "$hostname"; then + echo -e "${YELLOW}Key already exists for ${hostname}${NC}" + read -p "Generate new key? 
(y/n): " overwrite + if [ "$overwrite" != "y" ]; then + continue + fi + # Remove old key + sed -i "/^ ${hostname}:/d" "$API_KEYS_FILE" + fi + + # Generate new key + api_key=$(generate_key) + + # Add to file + add_key_to_file "$hostname" "$api_key" + + echo -e "${GREEN}✓ Generated API key for ${hostname}${NC}" + echo "" + echo "Configuration for ${hostname}:" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "Add to client's service.env:" + echo "" + echo "LOGSERVER_HOST=$(hostname -I | awk '{print $1}')" + echo "LOGSERVER_PORT=5044" + echo "API_KEY=${api_key}" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" + echo "" + + # Option to add more + read -p "Add another client? (y/n): " add_more + if [ "$add_more" != "y" ]; then + break + fi +done + +# Show summary +echo "" +echo -e "${GREEN}=== Summary ===${NC}" +echo "API keys file: $API_KEYS_FILE" +echo "Total clients configured: $(grep -c "^ " "$API_KEYS_FILE" 2>/dev/null || echo 0)" +echo "" +echo "To view all keys: cat $API_KEYS_FILE" +echo "To revoke a key: Edit $API_KEYS_FILE and remove the line" +echo "" +echo -e "${YELLOW}Remember to restart logserver after adding keys:${NC}" +echo " dropshell restart logserver" \ No newline at end of file diff --git a/logserver/install.sh b/logserver/install.sh index 056e641..087c9fd 100755 --- a/logserver/install.sh +++ b/logserver/install.sh 
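Review bot: `init_api_keys_file` creates api-keys.yml with plain `echo ... > "$API_KEYS_FILE"` under the caller's umask, so a file of plaintext bearer secrets is normally world-readable; create it with `(umask 077; : > "$API_KEYS_FILE")` before the first write, or `chmod 600 "$API_KEYS_FILE"` immediately after, and the same applies to the `echo "api_keys:" > "${CONFIG_PATH}/api-keys.yml"` line in the logserver/install.sh hunk. The summary line `$(grep -c "^ " "$API_KEYS_FILE" 2>/dev/null || echo 0)` prints `0` twice when there are no entries, because `grep -c` prints 0 and still exits 1; use `count=$(grep -c '^ ' "$API_KEYS_FILE" 2>/dev/null)` followed by `echo "Total clients configured: ${count:-0}"`. In the hostname check, `-_` inside `[a-zA-Z0-9-_.]` is ambiguous between a literal hyphen and a range from `9` to `_` (which would admit `:` and break the `hostname: key` format) depending on the regex engine, so put the hyphen last: `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`. That validation is also what makes the later `grep -q "^ ${hostname}:"` and `sed -i "/^ ${hostname}:/d"` safe to interpolate, so a comment on it, `# also keeps the hostname safe to use inside the grep/sed patterns below`, would stop someone loosening it. Both `read -p` calls should be `read -r -p` so backslashes in input are kept literal.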
@@ -31,10 +31,12 @@ docker pull docker.elastic.co/elasticsearch/elasticsearch:${ES_VERSION} || _die docker pull docker.elastic.co/logstash/logstash:${LS_VERSION} || _die "Failed to pull Logstash" docker pull docker.elastic.co/kibana/kibana:${KIBANA_VERSION} || _die "Failed to pull Kibana" -# Generate certificates if using mTLS -if [ "$AUTH_MODE" = "mtls" ]; then - bash ./scripts/generate-ca.sh || _die "Failed to generate CA certificate" - bash ./scripts/generate-server-cert.sh || _die "Failed to generate server certificate" +# Initialize API keys file if it doesn't exist +if [ ! -f "${CONFIG_PATH}/api-keys.yml" ]; then + echo "No API keys configured yet." + echo "Run ./generate-api-key.sh to add client keys" + mkdir -p "${CONFIG_PATH}" + echo "api_keys:" > "${CONFIG_PATH}/api-keys.yml" fi # Start the ELK stack @@ -55,8 +57,6 @@ echo "Username: elastic" echo "Password: ${KIBANA_PASSWORD}" echo "" echo "Logstash listening on port ${LOGSTASH_BEATS_PORT} for Filebeat clients" -if [ "$AUTH_MODE" = "mtls" ]; then - echo "Authentication: mTLS (generate client certs with ./scripts/generate-client-cert.sh)" -elif [ "$AUTH_MODE" = "apikey" ]; then - echo "Authentication: API Keys (generate with ./scripts/generate-api-key.sh)" -fi \ No newline at end of file +echo "" +echo "To add client authentication:" +echo " ./generate-api-key.sh" \ No newline at end of file
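Review bot: The first hunk drops the `generate-ca.sh` and `generate-server-cert.sh` steps without a replacement, yet `ENABLE_TLS=true` survives in the logserver/config/service.env hunk, so a fresh install has no server certificate for Logstash to present unless one already exists outside this repository. Dropping mTLS only makes client certificates unnecessary; the server certificate is what protects the API keys in transit, so I would keep the two generation lines, `bash ./scripts/generate-ca.sh || _die "Failed to generate CA certificate"` and `bash ./scripts/generate-server-cert.sh || _die "Failed to generate server certificate"`, guarded by `if [ "$ENABLE_TLS" = "true" ]; then`. If TLS is meant to be provided some other way, the install should at least fail loudly when `ENABLE_TLS=true` and no certificate is present, rather than starting a stack that will reject or downgrade client connections. The new api-keys.yml bootstrap in the same hunk is created under the default umask; the file-permission point is raised on the generate-api-key.sh hunk.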