Previously
Since there are a huge number of articles on this topic, this course does not cover installing the ELK stack; we will look at the configuration side instead.
Let's draw up an action plan for configuring Logstash:
- Check that elasticsearch will accept logs (check that the service responds and the port is open).
- Look at how events can be sent to Logstash, choose a method and implement it.
- Configure INPUT in the Logstash configuration file.
- Configure OUTPUT in the Logstash configuration file in debug mode, to understand what a log message looks like.
- Configure FILTER.
- Configure the correct OUTPUT to ElasticSearch.
- Start Logstash.
- Check the logs in Kibana.
Let's look at each point in more detail.
Checking that elasticsearch will accept logs
To do this, use curl to check access to Elasticsearch from the system on which Logstash is deployed. If authentication is configured, pass the user and password via curl as well, and specify port 9200 unless you have changed it. If you get a response like the one below, everything is fine. (A password given on the command line ends up in the shell history and the process list; "-u <<user_name>>" without the password makes curl prompt for it instead.)
[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
"name" : "elastic-1",
"cluster_name" : "project",
"cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
"version" : {
"number" : "7.4.1",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
"build_date" : "2019-10-22T17:16:35.176724Z",
"build_snapshot" : false,
"lucene_version" : "8.2.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$
If no response comes back, several kinds of error are possible: the elasticsearch process is not running, the wrong port was specified, or the port is blocked by the firewall on the server where elasticsearch is installed.
Let's look at how to send logs to Logstash from a Check Point firewall
From the Check Point management server, logs can be sent to Logstash over syslog using the log_exporter utility; see the separate article on log_exporter for details.
cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified
< > is the address of the server on which Logstash runs; target-port 5555 is the port the logs are sent to. Sending logs over tcp can load the server, so in some cases udp is the better choice. Keep in mind that udp drops events silently when the receiver falls behind, which matters for security logs, and that neither transport, as used here, authenticates the sender or encrypts the stream, so the syslog path should stay inside a trusted network segment.
Configuring INPUT in the Logstash configuration file
By default, the configuration file is located in the /etc/logstash/conf.d/ directory. The configuration file consists of three significant parts: INPUT, FILTER and OUTPUT. In INPUT we specify where the system takes the logs from; in FILTER we parse the log, i.e. configure how to split the message into fields and values; in OUTPUT we configure the output stream to which the parsed logs are sent.
First let's configure INPUT. Consider some of the types it can have: file, tcp and exec.
Tcp:
input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}
mode => "server"
Indicates that Logstash accepts (listens for) connections.
port => 5555
host => "10.10.1.205"
Accept connections on IP address 10.10.1.205 (Logstash) on port 5555. This port must be allowed by the firewall policy.
type => "checkpoint"
Tags the document; this is very convenient when you have several incoming connections. Later, a separate filter can be written for each connection using an if construct.
File:
input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}
Description of the settings:
path => "/var/log/openvas_report/*"
Specifies the directory from which the files must be read.
type => "openvas"
The event type.
start_position => "beginning"
A newly discovered file is read from its beginning (Logstash remembers the position reached in its sincedb, so a file it has already seen is not re-read in full); with "end", the default, the system only waits for new records to appear at the end of the file.
Exec:
input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}
This input launches a shell command (and only that) and wraps its output in a log message. The command runs as the logstash service user, so anything it can read ends up in the pipeline; keep it to read-only commands.
command => "ls -alh"
The command whose output we are interested in.
interval => 30
The interval between command invocations, in seconds.
To receive logs from the firewall, configure a tcp or udp input, depending on how the logs are sent to Logstash.
Configuring OUTPUT in the Logstash configuration file in debug mode, to understand what a log message looks like
After INPUT is configured, we need to understand what a log message will look like and which method should be used to configure the log filter (parser).
To do this, we use an output that prints the result to stdout so we can see the original message. The full configuration file at this point looks like this:
input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}
output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}
Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
Copied from the output, the result looks like this:
action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,
Looking at these messages, we see that the logs have the form field = value (key = value), which means the filter called kv is suitable. To choose the right filter for each specific case, it is worth reading about the filters in the technical documentation, or asking a friend.
Configuring FILTER
In the previous step we chose kv; the configuration of this filter is given below:
filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}
We choose the character used to split field and value: "=". If the log contains identical entries, only one instance is stored in the database; otherwise you would get an array of identical values. That is, for a message "foo=some foo=some", only a single foo=some is written.
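To see exactly what the two kv options above do to a Check Point line, here is an added example in Python (not code from the article and not Logstash's own implementation) that reproduces the filter's behaviour: a quoted or bare value after value_split, a key that repeats with a new value becoming a list, and an identical repeated value being dropped when allow_duplicate_values is false. The shortened sample line is constructed after the output shown above; it deliberately keeps layer_name, which repeats with two different values, and rule_action, which repeats with the same value.

```python
"""kv filter behaviour on a Check Point line (added example, not Logstash code)."""
import re

# Constructed, shortened Check Point line in the shape of the sample printed above; not a live log.
SAMPLE = ('time="1576766483" action="Accept" ifdir="outbound" src="10.10.1.180" '
          'dst="10.10.10.10" layer_name="TSS-Standard Security" '
          'layer_name="TSS-Standard Application" rule_action="Accept" '
          'rule_action="Accept" proto="17" service="53" s_port="37317"')


def kv_parse(message, value_split="=", allow_duplicate_values=False):
    """Split `message` into fields the way the Logstash kv filter does.

    - a pair is key<value_split>value; the value is either "double quoted" (may
      contain spaces and the separator) or a bare run of non-space characters
    - a key that appears again with a new value becomes a list of values
    - with allow_duplicate_values=False an identical repeated value is dropped,
      so 'foo=some foo=some' yields {'foo': 'some'}
    """
    sep = re.escape(value_split)
    pair = re.compile(r'([^\s' + sep + r']+)' + sep + r'(?:"([^"]*)"|(\S*))')
    fields = {}
    for m in pair.finditer(message):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key not in fields:
            fields[key] = value
            continue
        values = fields[key] if isinstance(fields[key], list) else [fields[key]]
        if allow_duplicate_values or value not in values:
            values.append(value)
        fields[key] = values if len(values) > 1 else values[0]
    return fields


def duplicate_keys(fields):
    """Names of fields that ended up as lists.

    These need a decision before indexing (keep the list, take the first value,
    or rename per layer): otherwise the document stores an array for the field,
    Kibana shows it as a comma-separated list, and a terms aggregation counts
    every element.
    """
    return sorted(k for k, v in fields.items() if isinstance(v, list))


if __name__ == "__main__":
    parsed = kv_parse(SAMPLE)
    for k, v in parsed.items():
        print(f"{k} = {v!r}")
    print("multi-valued:", duplicate_keys(parsed))
```

allow_duplicate_values => false only collapses a key whose repeated value is identical (rule_action here); layer_name still arrives as a two-element array, which is what a rulebase with an ordered security layer and an application layer produces, so a dashboard that expects one layer name per event needs an extra filter step.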
Configuring the correct OUTPUT to ElasticSearch
Once the FILTER is configured, the logs can be sent to the elasticsearch database:
output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}
If a document is tagged with the type checkpoint, the event is saved to the elasticsearch database, which accepts connections at 10.10.1.200 on port 9200 by default. Each document is stored in a specific index; in this case it goes to the index "checkpoint-" + the current date. An index can have a defined set of fields, or fields are created automatically when a new field appears in a message; the field settings and their types can be viewed in the mappings.
If authentication is configured (we will look at it later), the credentials for writing to the specific index must be specified; in this example the user is "tssolution" with password "cool". User rights can be restricted so that logs can be written only to a specific index and nothing more.
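The output above keeps the password in clear text in a file under /etc/logstash/conf.d, so anyone who can read that directory gets credentials that can write into Elasticsearch. As an added example (not from the article), the same output with the secret moved into the Logstash keystore; the key name ES_PWD is an assumption. Create the keystore once and add the secret with sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create and then sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD (the value is prompted for, so it never appears in the shell history):

```conf
output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts    => ["10.10.1.200:9200"]
      index    => "checkpoint-%{+YYYY.MM.dd}"
      user     => "tssolution"
      # ES_PWD is resolved from the Logstash keystore at startup; the .conf no longer carries the secret
      password => "${ES_PWD}"
    }
  }
}
```

Two practical points go with this. First, pair the user with a dedicated Elasticsearch role that grants only the index privileges the output needs (create_index and write, plus view_index_metadata, on the checkpoint-* pattern), which is the "only a specific index and nothing more" restriction the text mentions. Second, the date in checkpoint-%{+YYYY.MM.dd} is taken from the event's @timestamp in UTC, and with the configuration on this page @timestamp is the moment Logstash received the line, not the firewall's time field; a date filter on that field (for example date { match => ["time", "UNIX"] }) makes the daily index follow the time the firewall logged the event.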
Starting Logstash
Logstash configuration file:
input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}
filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}
output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}
Check the configuration file for correctness (--config.test_and_exit validates the file and exits, instead of starting a second pipeline alongside the systemd service):
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf --config.test_and_exit
Start the Logstash process:
sudo systemctl start logstash
Check that the process has started:
sudo systemctl status logstash
Check whether the socket is listening:
netstat -nat | grep 5555
Checking the logs in Kibana
Once everything is running, go to Kibana > Discover and make sure everything is configured correctly.
All the logs are in place and we can see all the fields and their values.
Conclusion
We looked at how to write a Logstash configuration file and, as a result, got a parser for all the fields and values. Now we can search and build charts on specific fields. Next in the course we will look at visualisation in Kibana and build a simple dashboard. Note that the Logstash configuration file constantly needs to be extended in particular situations, for example when we want to replace a field value from a number with a word. We will do this repeatedly in subsequent articles.
Stay tuned.
Source: habr.com