2. Elastic stack: analysis of security logs. Logstash


In the previous article we got acquainted with the ELK stack and the software products it consists of. The first task an engineer faces when working with the ELK stack is sending logs to Elasticsearch for storage and later analysis. However, this is only simple on paper: Elasticsearch stores logs as documents with certain fields and values, which means the engineer has to use various tools to parse the messages sent from end systems. This can be done in several ways: write your own program that adds documents to the database through the API, or use ready-made solutions. In this course we will consider the Logstash solution, which is part of the ELK stack. We will look at how to send logs from end systems to Logstash, and then write a configuration file that parses them and forwards them to the Elasticsearch database. As the source system we will take logs from the Check Point firewall.

The course does not cover installing the ELK stack, since there are many articles on that topic; we will consider only the configuration part.

Let's write an action plan for configuring Logstash:

  1. Check that Elasticsearch accepts logs (check that the process is running and the port is open).
  2. Consider how we can send events to Logstash, choose a method, and implement it.
  3. Configure Input in the Logstash configuration file.
  4. Configure Output in the Logstash configuration file in debug mode, to understand what a log message looks like.
  5. Set up the Filter.
  6. Set up the correct Output to Elasticsearch.
  7. Launch Logstash.
  8. Check the logs in Kibana.

Let's look at each item in more detail:

Checking that Elasticsearch accepts logs

To do this, you can use the curl command to check access to Elasticsearch from the system that Logstash sends from. If you have configured authentication, we also pass the user/password via curl, specifying port 9200 if you haven't changed it. If you get a response like the one below, everything is fine.

[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$

If no response arrives, there can be several causes: the Elasticsearch process is not running, the wrong port is specified, or the port is blocked by a firewall on the server where Elasticsearch is installed.

Let's look at how you can send logs to Logstash from the Check Point firewall

From the Check Point management server you can send logs to Logstash via syslog using the log_exporter utility; you can read more about it in this article, here we leave only the command that creates the stream:

cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified

< > is the address of the server running Logstash; target-port 5555 is the port we will send logs to. Sending logs over tcp can load the server, so it is more correct to use udp.

Setting up INPUT in the Logstash configuration file


By default the configuration files live in the directory /etc/logstash/conf.d/. A configuration file consists of three meaningful parts: INPUT, FILTER, OUTPUT. In INPUT we specify where the system takes logs from; in FILTER we parse the log, i.e. define how to split the message into fields and values; in OUTPUT we configure the output stream, where the parsed logs will be sent.

First, let's configure INPUT. Consider some of the possible types: file, tcp and exec.

Tcp:

input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}

mode => "server"
Indicates that Logstash accepts connections.

port => 5555
host => "10.10.1.205"
We accept connections on IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the firewall policy.

type => "checkpoint"
We mark the document; this is very convenient if there are several incoming connections. Later, for each connection you can write your own filter using the if construct.

File:

input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}

Description of the settings:
path => "/var/log/openvas_report/*"
We specify the directory in which files should be read.

type => "openvas"
The event type.

start_position => "beginning"
When the file changes, the whole file is read; if you set "end", the system waits for new records to appear at the end of the file.

Exec:

input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}

With this input, a (shell only!) command is run and its output is wrapped into a log message.

command => "ls -alh"
The command whose output we are interested in.

interval => 30
The command invocation interval in seconds.

To receive logs from the firewall we register a tcp or udp input, depending on how the logs are sent to Logstash.

Configuring Output in the Logstash configuration file in debug mode to understand what a log message looks like

After configuring INPUT, we need to understand what a log message looks like and which method to use to configure the log filter (parser).

To do this, we will use an output that prints the result to stdout so we can view the original message; at this point the configuration file looks like this:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}

Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We see the result (the screenshot is clickable):


If you copy it, it looks like this:

action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,

Looking at these messages, we see that the logs have the form field=value, or key=value, which means a filter called kv is suitable. To choose the right filter for each specific case, it is worth getting familiar with them in the technical documentation, or asking a colleague.

Setting up the Filter

In the previous step we chose kv; the configuration of this filter is shown below:

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

We specify the character by which field and value are split: "=". If there are identical entries in the log, we save only one instance to the database; otherwise you get an array of identical values, i.e. for the message "foo = some foo=some" only foo = some is written.
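To make the two kv settings concrete, here is an added Python sketch (not from the article and not Logstash's own code) that parses a constructed line in the same key="value" shape as the Check Point message shown above: value_split "=" separates key from value, quoted values may contain spaces and commas, an identical repeated pair is dropped when allow_duplicate_values is false, and a key repeated with a different value (layer_name in the real log) becomes an array. The sample line and the function name are assumptions.

```python
import re
from typing import Dict, List, Union

# Constructed sample in the same key="value" shape as the Check Point log
# shown above: one key repeats with different values, one pair repeats
# with an identical value, one quoted value contains commas and braces.
SAMPLE = (
    'action="Accept" ifdir="outbound" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a}" '
    'layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" '
    'rule_action="Accept" rule_action="Accept" src="10.10.1.180" service="53"'
)

# One pair: a key, the value_split character, then either a double-quoted
# value (spaces, commas and "=" allowed inside) or a bare token.
PAIR_RE = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S+))')


def kv_parse(line: str, value_split: str = "=",
             allow_duplicate_values: bool = False) -> Dict[str, Union[str, List[str]]]:
    """Emulate the kv filter settings used in the article.

    - identical key/value pairs collapse to one value when
      allow_duplicate_values is False (the article's setting);
    - a key seen again with a different value becomes a list.
    """
    pattern = PAIR_RE if value_split == "=" else re.compile(
        r'(\S+?)' + re.escape(value_split) + r'(?:"([^"]*)"|(\S+))')
    fields: Dict[str, Union[str, List[str]]] = {}
    for m in pattern.finditer(line):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key not in fields:
            fields[key] = value
            continue
        seen = fields[key] if isinstance(fields[key], list) else [fields[key]]
        if value in seen and not allow_duplicate_values:
            continue  # exact duplicate pair: keep only the first instance
        fields[key] = seen + [value]
    return fields


if __name__ == "__main__":
    for k, v in kv_parse(SAMPLE).items():
        print(f"{k}: {v}")
```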

Setting up the correct Output to Elasticsearch

Once the Filter is configured, you can upload the logs to the Elasticsearch database:

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

If the document is marked with the checkpoint type, we save the event to the Elasticsearch database, which accepts connections at 10.10.1.200 on port 9200 by default. Each document is saved to a specific index; in this case we save to the index "checkpoint-" + the current date. Each index can have its own set of fields, or fields are created automatically when a new field appears in a message; the field settings and their types can be viewed in the mappings.

If you have configured authentication (we will cover it later), credentials for writing to the specific index must be specified; in this example the user "tssolution" with the password "cool". You can restrict a user's rights to writing logs only to a specific index and nothing more.

Launching Logstash.

The Logstash configuration file:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

We check the configuration file for correctness:
/usr/share/logstash/bin/logstash -f checkpoint.conf

Start the Logstash process:
sudo systemctl start logstash

Check that the process has started:
sudo systemctl status logstash


Check that the socket is up:
netstat -nat | grep 5555


Checking the logs in Kibana.

Once everything is running, go to Kibana - Discover and make sure everything is configured correctly (the screenshot is clickable).


All the logs are laid out and we see all the fields and their values!

Conclusion

We looked at how to write a Logstash configuration file and as a result obtained a parser for all fields and values. Now we can work with search and chart building for specific fields. Later in the course we will look at visualization in Kibana and build a simple dashboard. It is worth mentioning that the Logstash configuration file has to be updated constantly in certain situations, for example when we want to replace a numeric field value with a word. In the following articles we will do this regularly.

So stay tuned (Telegram, Facebook, VK, TS Solution Blog), Yandex Zen.

Source: will.com
