1. Elastic stack: security log analysis. Introduction


With the end of sales of the Splunk log collection and analysis system on the Russian market, the question arose: what can replace this solution? After spending some time getting acquainted with various solutions, I settled on the "real man's" solution: the ELK stack. This system takes time to set up, but in return you get a very powerful tool for analysing the state of information security and responding to incidents in the organisation. In this series of articles we will look at the main (or perhaps not so main) capabilities of the ELK stack, discuss how to parse logs, how to build graphs and dashboards, and what interesting things can be done with example logs from a Check Point firewall and the OpenVas vulnerability scanner. To begin with, let's look at what the ELK stack is and what it consists of.

"ELK stack" is an acronym for three open-source projects: Elasticsearch, Logstash and Kibana. They are developed by Elastic, together with all related products. Elasticsearch is the core of the whole system; it combines the functions of a database, a search engine and an analytics engine. Logstash is a server-side data-processing pipeline that ingests data from many sources at once, transforms the log records and sends them to the Elasticsearch database. Kibana lets users visualise the data stored in Elasticsearch with charts and graphs; the database can also be managed through Kibana. Next we look at each component in more detail.


Logstash

Logstash is a utility for processing log events from different sources: from each message you can extract fields and their values, and you can also filter and edit the data. After all transformations, Logstash forwards the events to the final data store. The utility is configured exclusively through configuration files.
A Logstash configuration is one or more files describing several incoming message streams (input), several filters for those messages (filter) and several outgoing streams (output). In its simplest form (one that does nothing at all) a configuration file looks like this:

input {
}

filter {
}

output {
}

In INPUT we configure the port on which logs will be received and the protocol, or the directory from which new or continuously updated files are read. In FILTER we configure the log parser: field extraction, editing of values, adding new parameters or removing them. FILTER is the area for manipulating a message that has arrived in Logstash, and it has many editing options. In OUTPUT we configure where the parsed log is sent: if the destination is Elasticsearch, a JSON request is sent containing the extracted fields and their values; for debugging, the event can also be printed to stdout or written to a file.
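A complete pipeline that fills in the three sections above, as an added example rather than configuration from the original article: it receives Check Point Log Exporter events over syslog/UDP, splits the bracketed key:"value"; pairs into fields, turns the Check Point time epoch into the event timestamp, and writes each event to a daily checkpoint-YYYY.MM.dd index. The UDP port, the Elasticsearch address, the exact line format shown in the comment and the field names are assumptions made for this example.

```conf
# Added example, not the article's own configuration.
# Assumed input line (Check Point Log Exporter, syslog format):
#   <134>1 2019-08-08T13:06:05Z gw-01 CheckPoint 1234 - [action:"Accept"; ifdir:"inbound"; ifname:"eth6"; dst:"103.5.198.210"; time:"1565269565"]

input {
  udp {
    port => 5514            # assumption: Log Exporter target is udp/5514
    type => "checkpoint"
  }
}

filter {
  if [type] == "checkpoint" {
    # keep only the bracketed key:"value"; list
    grok {
      match => { "message" => "\[%{GREEDYDATA:cp_kv}\]$" }
    }
    # split "key:"value"; key:"value"" into fields; kv strips the quotes itself,
    # so values containing ';' or ':' inside quotes survive intact
    kv {
      source      => "cp_kv"
      field_split => ";"
      value_split => ":"
      trim_key    => " "
    }
    # Check Point 'time' is Unix epoch seconds: use it as @timestamp so the
    # daily index and Kibana time picker reflect when the event happened,
    # not when Logstash received it
    date {
      match  => [ "time", "UNIX" ]
      target => "@timestamp"
    }
    mutate {
      remove_field => [ "cp_kv", "message" ]
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => [ "http://127.0.0.1:9200" ]   # assumption: local single node
      index => "checkpoint-%{+YYYY.MM.dd}"
    }
  }
  # uncomment while debugging the parser, remove in production
  # stdout { codec => rubydebug }
}
```

Check the file before loading it with bin/logstash --config.test_and_exit -f checkpoint.conf (a packaged install reads it from /etc/logstash/conf.d/). Note that UDP syslog is unauthenticated and lossy; for a security log feed prefer a TCP or TLS transport where the sender supports it.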


Elasticsearch

Originally Elasticsearch was a full-text search solution, but with additional conveniences such as easy scaling, replication and the like, which made the product a good fit for heavy workloads and large volumes of data. Elasticsearch is a non-relational (NoSQL) JSON document store and a search engine built on the Lucene full-text search library. It runs on the Java Virtual Machine, so the system needs a substantial amount of CPU and RAM to operate.
Every incoming message, whether from Logstash or from an API request, is stored as a "document" (roughly a row in SQL terms). Documents are stored in an index, the rough analogue of a table or database in SQL.

An example of a document in the database:

{
  "_index": "checkpoint-2019.10.10",
  "_type": "_doc",
  "_id": "yvNZcWwBygXz5W1aycBy",
  "_version": 1,
  "_score": null,
  "_source": {
    "layer_uuid": [
      "dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0",
      "dbee3718-cf2f-4de0-8681-529cb75be9a6"
    ],
    "outzone": "External",
    "layer_name": [
      "TSS-Standard Security",
      "TSS-Standard Application"
    ],
    "time": "1565269565",
    "dst": "103.5.198.210",
    "parent_rule": "0",
    "host": "10.10.10.250",
    "ifname": "eth6"
  }
}

All operations on the database are JSON requests over the REST API, which return either documents from an index or some statistics, in request/response form. Kibana, which is a web service, was written to visualise the responses to such requests.
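The request/response pattern described above, as an added example that is not part of the article: POSIX shell functions that wrap the Elasticsearch REST API with curl, indexing one event and then searching for it with a Query DSL body. It assumes an Elasticsearch 7.x node at http://127.0.0.1:9200 without authentication (override with ES_URL); the sample document is constructed to resemble the Check Point event above, and the index name, function names and the @timestamp-based time window are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the article. Assumes Elasticsearch 7.x on ES_URL
# (default http://127.0.0.1:9200) with no authentication; adjust for your cluster.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"
INDEX="checkpoint-2019.10.10"

# Constructed sample event, shaped like the Check Point document above.
# @timestamp is the 'time' epoch (1565269565) rendered as ISO-8601.
SAMPLE_DOC='{"@timestamp":"2019-08-08T13:06:05Z","time":"1565269565","dst":"103.5.198.210","host":"10.10.10.250","ifname":"eth6","outzone":"External","parent_rule":"0"}'

# Build a Query DSL body: match one field's value, limited to the last N days
# (default 7) by @timestamp, newest first. match (not term) is used so the
# query works whether the field is mapped as text, keyword or ip.
es_search_body() {
  field="$1"; value="$2"; days="${3:-7}"
  printf '{"size":10,"sort":[{"@timestamp":{"order":"desc","unmapped_type":"date"}}],"query":{"bool":{"filter":[{"match":{"%s":"%s"}},{"range":{"@timestamp":{"gte":"now-%sd"}}}]}}}' \
    "$field" "$value" "$days"
}

# Index one JSON document: POST /<index>/_doc (refresh so a search sees it now).
es_index_doc() {
  curl -sS -XPOST "$ES_URL/$1/_doc?refresh=true" \
    -H 'Content-Type: application/json' -d "$2"
}

# Search an index: GET /<index>/_search with the body built by es_search_body.
es_search() {
  curl -sS -XGET "$ES_URL/$1/_search" \
    -H 'Content-Type: application/json' -d "$(es_search_body "$2" "$3" "${4:-7}")"
}

# Number of documents in an index: GET /<index>/_count
es_count() {
  curl -sS "$ES_URL/$1/_count" -H 'Content-Type: application/json'
}

# Only talk to the cluster when invoked as: sh es_demo.sh run
if [ "${1:-}" = "run" ]; then
  es_index_doc "$INDEX" "$SAMPLE_DOC"; echo
  es_count "$INDEX"; echo
  # the sample event is from 2019, so widen the window to find it
  es_search "$INDEX" dst 103.5.198.210 3650; echo
fi
```

For a cluster with security enabled, add -u user:password and --cacert to each curl call; an unauthenticated HTTP endpoint should never be exposed beyond the host running the stack.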

Kibana

Kibana lets you search and retrieve data and request statistics from the Elasticsearch database, but its real strength is that many attractive charts and dashboards are built on top of those responses. The system also has functions for managing the Elasticsearch database; in the following articles we will look at this service in more detail. For now, here are examples of dashboards that can be built for the Check Point firewall and the OpenVas vulnerability scanner.

Example dashboard for Check Point (clickable image in the original):


Example dashboard for OpenVas (clickable image in the original):


Conclusion

We have looked at what the ELK stack consists of and got a little acquainted with its main products. Later in the series we will look separately at writing Logstash configuration files, building dashboards in Kibana, learn more about API requests, automation and much more!


Source: www.habr.com
