1. Elastic Stack: security log analysis. Introduction

With Splunk ending sales of its log collection and analysis system in Russia, the question arose: what can replace this solution? After spending some time getting acquainted with different solutions, I settled on a solution for real enthusiasts: the "ELK stack". This system takes time to set up, but as a result you get a very powerful system for analysing the state of affairs and quickly responding to information security incidents in an organization. In this series of articles we will look at the basic (or maybe not so basic) capabilities of the ELK stack, see how logs can be parsed, how to build graphs and dashboards, and what interesting things can be done using the example of logs from a Check Point firewall or the OpenVas security scanner. To begin with, let's look at what the ELK stack is and what components it consists of.

"ELK stack" is an acronym for three open-source projects: Elasticsearch, Logstash and Kibana. They are developed by Elastic, together with all the related projects. Elasticsearch is the core of the whole system; it combines the functions of a database, a search engine and an analytics system. Logstash is a server-side data processing pipeline that receives data from many sources at once, parses the log and then sends it to the Elasticsearch database. Kibana lets users visualize the data stored in Elasticsearch with charts and graphs. The database can also be administered through Kibana. Next we will look at each component separately and in more detail.


Logstash

Logstash is a utility for processing log events from various sources. With it you can select fields and their values in a message, and configure filtering and editing of the data. After all the manipulations, Logstash forwards the events to the final data store. The utility is configured only through configuration files.
A typical Logstash configuration is a file (or several files) describing several incoming data streams (input), several filters for that data (filter) and several outgoing streams (output). It looks like one or more configuration files which, in the simplest version (one that does nothing at all), look like this:

input {
}

filter {
}

output {
}

In INPUT we set the port to which logs will be sent and over which protocol, or the folder from which new or constantly updated files are read. In FILTER we configure the log parser: splitting out fields, editing values, adding new parameters or removing them. FILTER is the section for manipulating the message that arrives in Logstash, with many editing options. In OUTPUT we configure where the already parsed log is sent; if it is elasticsearch, a JSON request is sent in which the fields and their values are transmitted, or, for debugging, the result can be printed to stdout or written to a file.
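To make the FILTER stage concrete, here is what it has to do with a single Check Point log line before OUTPUT ships it to Elasticsearch, written here in Python as an added example (this is not Logstash code or configuration). The log line is constructed; its fields mirror the document example shown further down, including the repeated layer fields that end up as arrays.

```python
"""Added example: the INPUT -> FILTER -> OUTPUT transformation for one log line.
Not Logstash code; it mirrors what a kv filter plus a date filter produce."""
import re
from datetime import datetime, timezone

# Constructed sample line. Check Point exports fields as key=value pairs, and the
# same key may legitimately appear once per policy layer.
RAW_LINE = (
    'time=1565269565 host=10.10.10.250 ifname=eth6 outzone=External '
    'dst=103.5.198.210 parent_rule=0 '
    'layer_uuid=dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0 '
    'layer_uuid=dbee3718-cf2f-4de0-8681-529cb75be9a6 '
    'layer_name="TSS-Standard Security" layer_name="TSS-Standard Application"'
)

# key=value or key="quoted value" (the kv filter's default way of splitting)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def kv_filter(line: str) -> dict:
    """Split key=value pairs; a key seen more than once becomes a list."""
    doc: dict = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        if key in doc:
            doc[key] = (doc[key] if isinstance(doc[key], list) else [doc[key]]) + [value]
        else:
            doc[key] = value
    return doc

def date_filter(doc: dict) -> dict:
    """Turn the epoch `time` field into a UTC @timestamp, as a date filter would."""
    ts = datetime.fromtimestamp(int(doc["time"]), tz=timezone.utc)
    doc["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return doc

def index_name(doc: dict, prefix: str = "checkpoint") -> str:
    """Daily index named from the event date (the checkpoint-YYYY.MM.DD pattern)."""
    return f'{prefix}-{doc["@timestamp"][:10].replace("-", ".")}'

def pipeline(line: str) -> tuple:
    """Full pass: returns the target index and the document OUTPUT would send."""
    doc = date_filter(kv_filter(line))
    return index_name(doc), doc

if __name__ == "__main__":
    idx, doc = pipeline(RAW_LINE)
    print(idx, doc)
```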

Elasticsearch

Originally, Elasticsearch is a full-text search solution, but with extra conveniences such as easy scaling, replication and so on, which made the product very convenient and a good choice for high-load projects with large volumes of data. Elasticsearch is a non-relational (NoSQL) JSON document store and search engine built on Lucene full-text search. The underlying platform is the Java Virtual Machine, so the system needs a lot of CPU and RAM to run.
Each incoming message, whether it arrives through Logstash or through the query API, is indexed as a "document", analogous to a table in relational SQL. All documents are stored in an index, analogous to a database in SQL.

An example document in the database:

{
  "_index": "checkpoint-2019.10.10",
  "_type": "_doc",
  "_id": "yvNZcWwBygXz5W1aycBy",
  "_version": 1,
  "_score": null,
  "_source": {
    "layer_uuid": [
      "dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0",
      "dbee3718-cf2f-4de0-8681-529cb75be9a6"
    ],
    "outzone": "External",
    "layer_name": [
      "TSS-Standard Security",
      "TSS-Standard Application"
    ],
    "time": "1565269565",
    "dst": "103.5.198.210",
    "parent_rule": "0",
    "host": "10.10.10.250",
    "ifname": "eth6"
  }
}

All work with the database is based on JSON requests over the REST API, which return either documents from an index or some statistics, in a query-response format. To see all the responses to such requests conveniently, Kibana was written, which is a web service.
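The query-response exchange looks like this in practice, as an added example (not Elasticsearch client code): one function builds the `_search` request, another unwraps the `hits.hits` array of the reply. The index pattern and field names come from the document example above; the response body is constructed to mirror the shape Elasticsearch returns.

```python
"""Added example: the request and response halves of an Elasticsearch REST query.
The SAMPLE_RESPONSE is constructed in the shape a _search call returns."""
import json
import urllib.request

def build_search(index_pattern: str, dst: str, since_epoch: int, size: int = 10):
    """Return (method, path, body) for GET /<index>/_search that filters by
    destination and a time range. bool/filter clauses match without scoring."""
    body = {
        "size": size,
        "query": {"bool": {"filter": [
            {"term": {"dst": dst}},
            # `time` is stored as a string in the example document, so the range
            # is written as strings too; a numeric mapping would be cleaner.
            {"range": {"time": {"gte": str(since_epoch)}}},
        ]}},
        "sort": [{"time": "desc"}],
    }
    return "GET", f"/{index_pattern}/_search", body

def parse_hits(response: dict) -> list:
    """Pull (index, id, source) out of the hits.hits wrapper of a response."""
    return [(h["_index"], h["_id"], h["_source"]) for h in response["hits"]["hits"]]

def send(base_url: str, method: str, path: str, body: dict) -> dict:
    """Perform the request against a live node (not exercised offline)."""
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed reply: request metadata plus the matching documents under hits.hits
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [{
            "_index": "checkpoint-2019.10.10", "_type": "_doc",
            "_id": "yvNZcWwBygXz5W1aycBy", "_score": None,
            "_source": {"time": "1565269565", "dst": "103.5.198.210",
                        "host": "10.10.10.250", "ifname": "eth6"},
        }],
    },
}

if __name__ == "__main__":
    method, path, body = build_search("checkpoint-*", "103.5.198.210", 1565222400)
    print(method, path, json.dumps(body))
    for index, doc_id, src in parse_hits(SAMPLE_RESPONSE):
        print(index, doc_id, src["dst"], src["ifname"])
```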

Kibana

Kibana lets you search and retrieve data and query statistics from the elasticsearch database, but the many attractive graphs and dashboards are built on top of those responses. The system also provides administration functions for the elasticsearch database; in the following articles we will look at this service in more detail. For now, let's show an example of the dashboards that can be built for the Check Point firewall and the OpenVas vulnerability scanner.

Example dashboard for Check Point (screenshot in the original, clickable).

Example dashboard for OpenVas (screenshot in the original, clickable).

Conclusion

We have looked at what the ELK stack consists of and got a little acquainted with its main products. Later in the course we will separately cover writing the Logstash configuration file, setting up dashboards in Kibana, getting to know the API requests, automation and much more!

So stay tuned for updates (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

source: www.habr.com
