Elastic Stack is a well-known set of tools that is often used as a SIEM (security information and event management) system: it lets you collect, store and analyse logs and search them for security incidents.
However, an out-of-the-box Elastic Stack (Elasticsearch, Logstash, Kibana, and the Beats collectors) ships with no security configured at all.
In Kibana, for example, no password is required, and anyone with network access can see and change whatever they like.
In this article we will go through the settings needed to close these gaps.
The work splits into three parts:
- Setting up authentication: users and roles
- Encrypting traffic inside the Elasticsearch cluster
- Encrypting traffic between the Elasticsearch cluster and the outside world
Let's take them in order.
Setting up authentication: users and roles
By default Elasticsearch does not check who is talking to it: anyone who can reach the cluster can, for example, query it with curl. To restrict access we will enable Basic authentication (login and password). The basic terms are:
- A user is someone who logs in with a name and password and acts with the privileges granted to them.
- A role is a named set of privileges.
- A privilege is a set of permitted actions.
- Privileges are granted at cluster level or on individual indices.
- An index is a set of documents; a role grants a user access to particular indices (below we will create a role that can read exactly one index).
Configuring Elasticsearch
To enable security in Elasticsearch, add the following setting to its configuration file (by default elasticsearch/config/elasticsearch.yml):

```yaml
xpack.security.enabled: true
```
After adding this setting, restart Elasticsearch and set the passwords for its built-in users with the elasticsearch-setup-passwords utility. In interactive mode it asks you for the password of each built-in user in turn:

```console
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
```
To check:

```console
[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1
```
From now on the Elasticsearch API is only available with a login and password. Next comes Kibana: by default it can no longer connect to Elasticsearch, so give it the credentials created above by storing them in its keystore (the kibana user and the password you set for it in Elasticsearch):

```console
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password
```
After this, Kibana asks for a login and password whenever you open it. The free Basic license only supports users and roles stored in Elasticsearch itself; with a Gold license you can also plug in external authentication systems - LDAP, PKI, Active Directory and single sign-on.
To give a user access to data, they need a role that grants privileges on the relevant indices (and the built-in kibana_user role if they should be able to log in to Kibana). Roles and users can be created either in Kibana or through the Elasticsearch API; here we use the API.
Creating a role:
```
PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}
```
Creating a user:
```
POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
```
Encrypting traffic inside the Elasticsearch cluster
The nodes of an Elasticsearch cluster constantly exchange data with each other over the transport protocol, unencrypted by default. To encrypt this inter-node traffic Elasticsearch uses TLS, so the first thing we need is a certificate authority. Generate the CA certificate and key in PEM format:

```console
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem
```
After the command runs, a file named elastic-stack-ca.zip appears in the /../elasticsearch directory. It contains the CA certificate (crt) and its key. Copy them to a folder that every node of the cluster can reach.
Now generate a certificate and key for the nodes, signed by this CA. If you want the certificate tied to specific hosts, you can add the -ip and -dns options with the addresses and names of the nodes:

```console
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key
```
The result is a certificate and key packed in PKCS#12 format, which is what the nodes will use. By default the file is named elastic-certificates.p12 and lands in the elasticsearch directory; move it into config:

```console
[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config
```
Next, add the password of the p12 file to the keystore and truststore secure settings on every node:

```console
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```
Then add the transport encryption settings to elasticsearch.yml:

```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```
Now restart Elasticsearch and check with curl that all the nodes have joined the cluster:

```console
[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1
```
Generating the certificates with IP addresses (the -ip option, not used in the example above) and switching verification_mode to full lets you allow only the nodes whose addresses are in the certificate to join the cluster.
Encrypting traffic between the Elasticsearch cluster and the outside world
Elasticsearch nodes also exchange data with external systems: Kibana, Logstash, Beats or other clients. To encrypt this traffic, switch the cluster's API from http to https by adding to elasticsearch.yml:

```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
```
Then add the certificate password to the http keystore and truststore settings on every node:

```console
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
```
After a restart, Elasticsearch is reachable only over https, so now every client that talks to it has to be configured.
The first client to set up is Kibana. We generate a separate certificate for it from the same CA, this time in PEM format (Kibana, Logstash and Beats do not take PKCS#12 here):

```console
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem
```
Unpack the resulting bundle into Kibana's configuration directory:

```console
[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config
```
Next, as with Elasticsearch, tell Kibana where its certificate and key are. In kibana.yml, change the Elasticsearch address from http to https, point Kibana at the CA certificate, and enable SSL on Kibana's own web server. After these steps the traffic between the user's browser and Kibana is encrypted as well:

```yaml
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
```
With this, the setup is complete: authentication is enabled and the traffic both inside the Elasticsearch cluster and between the cluster and its clients is encrypted.
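As an added example (not code from the original post), here is a small offline audit of the settings this walkthrough enables: it parses a flat elasticsearch.yml and a role body as sent to PUT /_security/role and reports anything still weak. The sample YAML is constructed from the settings shown above, an absent key is treated as not enabled, and the audit functions are my own, not part of Elasticsearch.

```python
import json
import re

# Constructed sample: the elasticsearch.yml settings this walkthrough adds, in one file.
HARDENED_YML = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""

# Settings that must read true for the cluster to be locked down as described above.
REQUIRED_TRUE = ("xpack.security.enabled", "xpack.security.transport.ssl.enabled",
                 "xpack.security.http.ssl.enabled")

def parse_flat_yml(text):
    """Parse 'key: value' lines of a flat (non-nested) YAML file into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit_yml(text):
    """Return findings for an elasticsearch.yml; an empty list means every check passed."""
    s = parse_flat_yml(text)
    findings = [f"{k} is not true" for k in REQUIRED_TRUE if s.get(k, "false").lower() != "true"]
    for layer in ("transport", "http"):
        key = f"xpack.security.{layer}.ssl.verification_mode"
        if s.get(key, "full").lower() == "none":  # peer certificates would not be checked
            findings.append(f"{key} is none")
    return findings

def audit_role(role_json):
    """Flag over-broad role bodies as sent to PUT /_security/role/<name>."""
    role = json.loads(role_json)
    findings = ["cluster privilege 'all' granted"] if "all" in role.get("cluster", []) else []
    for idx in role.get("indices", []):
        if any(n in ("*", "_all") for n in idx.get("names", [])):
            findings.append("index pattern covers all indices")
        if "all" in idx.get("privileges", []):
            findings.append("index privilege 'all' granted")
    return findings
```

Run audit_yml over each node's elasticsearch.yml after the restarts above; a non-empty list points at the step that was skipped on that node.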
With these settings in place, your Elastic Stack is no longer open to anyone who can reach it, whether you use it only for log analysis or as a SIEM, as we do.
You can read more about the Elastic Stack on Habr.
Source: www.habr.com