Elastic under lock and key: enabling Elasticsearch cluster security options for access from inside and outside


Elastic Stack is a well-known tool on the SIEM market (and not only there). It can collect a lot of data of all kinds, including sensitive data, so leaving access to the Elastic Stack components themselves unprotected is simply wrong. Out of the box, all Elastic components (Elasticsearch, Logstash, Kibana and the Beats collectors) talk over plaintext protocols, and Kibana itself has authentication disabled. (This describes the 7.x releases the article was written for; starting with Elasticsearch 8.0, security and TLS are enabled by default on a fresh install, but the settings below still apply to clusters upgraded from earlier versions or configured by hand.) All of these interactions can be secured, and in this article we show how. For convenience, the story is split into three parts:

  • Role-based data access model
  • Securing data inside the Elasticsearch cluster
  • Securing data outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not change its configuration in any way, every index is open to anyone. Well, to anyone who can run curl against port 9200, which amounts to the same thing. To avoid this, Elasticsearch has a role model, available starting with the Basic subscription (which is free). Schematically it looks like this:

[Diagram: a user is assigned roles; each role groups privileges; each privilege groups permissions on resources]

What the diagram shows

  • Users are anyone who can log in with their credentials.
  • A role is a set of privileges.
  • A privilege is a set of permissions.
  • A permission is the right to write, read, delete, etc. (the full list of privileges is in the Elastic documentation).
  • Resources are indices, documents, fields, users and other stored entities (for some resources the role model is available only with a paid subscription).

Elasticsearch ships with built-in users, and built-in roles are already attached to them. As soon as the security setup is done, you can use them right away.

To enable security in the Elasticsearch settings, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to set passwords for the built-in users. Let's do this interactively with the command below (in 8.x this tool is deprecated in favour of elasticsearch-reset-password, which sets one user's password at a time):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Let's check (with -u elastic and no password, curl prompts for it, which keeps the password out of shell history):

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the Elasticsearch-side setup is done. Now it's time to configure Kibana. If you start it now, it will fail with an error, so first create a Kibana keystore. This takes two commands (the username is the built-in kibana user, called kibana_system in newer releases, and the password is the one you set for it during the Elasticsearch password setup above):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is correct, Kibana will start asking for a login and password. The Basic subscription includes the role model based on internal (native) users. Starting with Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and single sign-on.


Access rights to entities inside Elasticsearch can also be configured with finer granularity. However, to do the same at the level of documents or fields you need a paid subscription (this feature starts at the Platinum tier). These settings are available in the Kibana interface or via the security API. You can try it from the familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
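
The following is an added example, not code from the article or from Elastic: a small offline Python emulation of how the role model resolves what a user may do on an index. It builds the same role and user bodies as the two requests above, plus a hypothetical logs_writer role and shipper user that exist only for this example, and then answers has-privilege questions the way the _security/user/_has_privileges API would on a live cluster. Only the custom roles are modelled: built-in roles such as kibana_user are ignored, index patterns support `*` as the only wildcard, and only the "all" privilege is treated as implying the others.

```python
import json
import re

# Added example (not from the article): an offline emulation of how
# Elasticsearch resolves a user's index privileges. A user holds roles,
# each role lists index-name patterns with privileges, and the union over
# all roles is what the user may do. Only "all" implies other privileges
# here; real Elasticsearch also has grouped privileges such as "manage".


def role_definition(index_patterns, privileges, cluster=()):
    """Request body for PUT /_security/role/<name>, shaped as on this page."""
    return {
        "cluster": list(cluster),
        "indices": [{"names": list(index_patterns), "privileges": list(privileges)}],
    }


def user_definition(username, password, roles, **attributes):
    """Request body for POST /_security/user/<username>.

    The native realm rejects passwords shorter than 6 characters, so
    fail early rather than at the API call.
    """
    if len(password) < 6:
        raise ValueError(f"password for {username}: native realm requires at least 6 characters")
    body = {"password": password, "roles": list(roles)}
    body.update(attributes)
    return body


def _name_matches(pattern, index):
    """Index-name patterns support '*' as the only wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index) is not None


def effective_index_privileges(roles, user_roles, index):
    """Union of index privileges a user holding `user_roles` has on `index`.

    Roles that are not defined are ignored, as Elasticsearch does.
    """
    granted = set()
    for role_name in user_roles:
        role = roles.get(role_name)
        if role is None:
            continue
        for entry in role["indices"]:
            if any(_name_matches(p, index) for p in entry["names"]):
                granted.update(entry["privileges"])
    return granted


def has_index_privilege(roles, user_roles, index, privilege):
    """Offline stand-in for the _security/user/_has_privileges check."""
    granted = effective_index_privileges(roles, user_roles, index)
    return "all" in granted or privilege in granted


# Constructed sample: the page's role and user, plus a hypothetical
# write-only role and user for Beats-style shippers on a logs-* pattern.
ROLES = {
    "ruslan_i_ludmila_role": role_definition(
        ["ruslan_i_ludmila"], ["read", "view_index_metadata"]),
    "logs_writer": role_definition(["logs-*"], ["create_doc", "view_index_metadata"]),
}
USERS = {
    "pushkin": user_definition(
        "pushkin", "nataliaonelove", ["ruslan_i_ludmila_role", "kibana_user"],
        full_name="Alexander Pushkin", metadata={"hometown": "Saint-Petersburg"}),
    "shipper": user_definition("shipper", "sh1pp3r-secret", ["logs_writer"]),
}


def request_payloads():
    """(method, path, JSON body) triples to paste into Dev Tools or send with curl."""
    out = [("PUT", f"/_security/role/{n}", json.dumps(b)) for n, b in ROLES.items()]
    out += [("POST", f"/_security/user/{n}", json.dumps(b)) for n, b in USERS.items()]
    return out


if __name__ == "__main__":
    for method, path, body in request_payloads():
        print(method, path, body)
    pushkin = USERS["pushkin"]["roles"]
    print("pushkin read ruslan_i_ludmila:", has_index_privilege(ROLES, pushkin, "ruslan_i_ludmila", "read"))
    print("pushkin write ruslan_i_ludmila:", has_index_privilege(ROLES, pushkin, "ruslan_i_ludmila", "write"))
    print("shipper read logs-2024.01:", has_index_privilege(ROLES, USERS["shipper"]["roles"], "logs-2024.01", "read"))
```

Running the script prints the four requests and three checks. The habit it encourages is to write down the index patterns and privileges before creating a role, and to confirm the negative cases too: a read-only user cannot write, and a shipper that only needs create_doc cannot read what it ships.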

Securing data inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (which is the usual case), security settings inside the cluster matter too. For protected communication between nodes, Elasticsearch uses TLS, and to set it up you need certificates. First we generate a certificate authority, that is, a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, an elastic-stack-ca.zip archive appears in the /.../elasticsearch directory. Inside it you will find the CA certificate and its private key, with the extensions crt and key respectively. It makes sense to put them on a shared resource reachable from every node in the cluster (the CA private key signs every node certificate, so restrict read access to it accordingly).

Each node now needs its own certificate and private key, signed by the CA from the shared directory. When running the command you will be asked to set a password. Add the --dns and --ip options (with the node's hostname and address) if you want full node verification later, that is, verification_mode: full instead of certificate.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

The command produces a certificate and private key in PKCS#12 format, protected by that password. All that remains is to move the generated p12 file into the config directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Put the password for the p12 file into the Elasticsearch keystore on every node, for both the keystore and the truststore entries (the same file serves as both, since it also contains the CA certificate):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the familiar elasticsearch.yml, all that remains is to add the lines with the certificate settings:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Start all Elasticsearch nodes and run curl. If everything was done correctly, the response lists several nodes (note that passing the password as -u elastic:password leaves it in shell history and in the process list; typing it at the prompt, as in the earlier check, avoids that):

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP address filtering (available with a Gold subscription and above). It lets you define an allow list of IP addresses that may connect to the nodes.

Securing data outside the Elasticsearch cluster

Outside the cluster means connecting external tools: Kibana, Logstash, Beats or any other external clients.


To switch the REST API to https (instead of http), add new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Since the certificate file is password-protected, add its password to the keystore and truststore entries of the Elasticsearch keystore on every node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the passwords, the Elasticsearch nodes are ready to accept https connections. Now they can be started.

The next step is to create keys for connecting Kibana and add them to its configuration. Using the CA from the shared directory, we generate a certificate in PEM format (Kibana, Logstash and Beats are configured with PEM files here, not PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unpack the generated keys into the Kibana config folder:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so all that remains is to change the Kibana configuration so that it starts using them. In kibana.yml, change http to https in the Elasticsearch address and add the SSL connection settings. The last three lines set up encrypted communication between the user's browser and Kibana.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
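
As an added example (not from the article or from Elastic) covering the transport and http lines added to elasticsearch.yml in the two sections above and the kibana.yml lines just shown, here is a Python script that audits those two files for the settings this page enables and reports what is still weak. The weak and hardened configurations are constructed inline; the hardened ones repeat the page's own lines. The flat key: value reader is an assumption of this example and is deliberately not a YAML parser.

```python
# Added example, not code from the article: an offline audit of the settings
# this page adds to elasticsearch.yml and kibana.yml. All sample configs are
# constructed inline; the hardened ones repeat the page's own lines.


def parse_flat_yaml(text):
    """Read flat 'key: value' lines. Not a YAML parser: nested mappings,
    multi-line lists and anchors are out of scope (enough for these settings)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _is_true(settings, key, default="false"):
    return settings.get(key, default).lower() == "true"


def audit_elasticsearch(settings):
    """(setting, finding) pairs for elasticsearch.yml, assuming the pre-8.0
    defaults the page describes: security and TLS off unless enabled."""
    findings = []
    if not _is_true(settings, "xpack.security.enabled"):
        findings.append(("xpack.security.enabled",
                         "security is off: every index is open to anyone who can reach port 9200"))
        return findings  # root cause; the TLS checks below presuppose security is on
    for layer, traffic in (("transport", "inter-node traffic"), ("http", "REST API traffic")):
        prefix = f"xpack.security.{layer}.ssl."
        if not _is_true(settings, prefix + "enabled"):
            findings.append((prefix + "enabled", f"{traffic} is plaintext"))
            continue
        if prefix + "keystore.path" not in settings:
            findings.append((prefix + "keystore.path", "TLS enabled but no keystore configured"))
        for leaked in ("keystore.password", "truststore.password"):
            if prefix + leaked in settings:
                findings.append((prefix + leaked,
                                 "password in plaintext config; use elasticsearch-keystore (secure_password)"))
    if _is_true(settings, "xpack.security.transport.ssl.enabled"):
        key = "xpack.security.transport.ssl.verification_mode"
        mode = settings.get(key, "full")  # Elasticsearch's default is full
        if mode == "none":
            findings.append((key, "none: peer certificates are not verified at all"))
        elif mode == "certificate":
            findings.append((key, "certificate: chain verified but not the node's hostname/IP; "
                                  "issue node certs with --dns/--ip and use full"))
    return findings


def audit_kibana(settings):
    """(setting, finding) pairs for kibana.yml."""
    findings = []
    hosts = settings.get("elasticsearch.hosts", "")  # Kibana's default is http://localhost:9200
    if "http://" in hosts or "https://" not in hosts:
        findings.append(("elasticsearch.hosts", "Kibana talks to Elasticsearch over plain http"))
    elif "elasticsearch.ssl.certificateAuthorities" not in settings:
        findings.append(("elasticsearch.ssl.certificateAuthorities",
                         "no CA configured; a private-CA cluster certificate cannot be verified"))
    if settings.get("elasticsearch.ssl.verificationMode", "full") == "none":
        findings.append(("elasticsearch.ssl.verificationMode", "none: the cluster certificate is not verified"))
    if not _is_true(settings, "server.ssl.enabled"):
        findings.append(("server.ssl.enabled", "browser-to-Kibana traffic, login form included, is plaintext"))
    elif "server.ssl.key" not in settings or "server.ssl.certificate" not in settings:
        findings.append(("server.ssl.key", "server TLS enabled without both server.ssl.key and server.ssl.certificate"))
    for key in ("elasticsearch.username", "elasticsearch.password"):
        if key in settings:
            findings.append((key, "credential kept in kibana.yml; add it with kibana-keystore instead"))
    return findings


WEAK_ES_YML = """
cluster.name: elastic-demo
xpack.security.enabled: false
"""
HARDENED_ES_YML = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""
WEAK_KIBANA_YML = """
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://node1:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"
"""
HARDENED_KIBANA_YML = """
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
"""

if __name__ == "__main__":
    for name, text, audit in (("weak elasticsearch.yml", WEAK_ES_YML, audit_elasticsearch),
                              ("hardened elasticsearch.yml", HARDENED_ES_YML, audit_elasticsearch),
                              ("weak kibana.yml", WEAK_KIBANA_YML, audit_kibana),
                              ("hardened kibana.yml", HARDENED_KIBANA_YML, audit_kibana)):
        print(f"== {name}")
        for setting, finding in audit(parse_flat_yaml(text)) or [("-", "no findings")]:
            print(f"  {setting}: {finding}")
```

The one finding the hardened elasticsearch.yml still produces is the verification_mode: certificate caveat: the node certificate chain is checked against the CA, but not that the certificate belongs to the host presenting it. If the node certificates were issued with --dns or --ip, verification_mode: full closes that gap.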

With that, the setup is complete and access to the data in the Elasticsearch cluster is protected.

If you have questions about the capabilities of Elastic Stack under the free or paid subscriptions, about monitoring services or about building a SIEM system, leave a request via the feedback form on our website.

More of our articles about Elastic Stack on Habr:

Understanding Machine Learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Sizing Elasticsearch

Source: www.habr.com
