Introduction
This tutorial does not cover installing the ELK stack, since there are plenty of articles on that topic; we will focus on configuration.
Let's make a plan for configuring Logstash:
- Check that Elasticsearch accepts logs (verify that the service is running and the port is open).
- Decide how to send events to Logstash, choose a method, and implement it.
- Configure Input in the Logstash configuration file.
- Configure Output in the Logstash configuration file in debug mode to see what a log message looks like.
- Configure Filter.
- Configure the final Output to Elasticsearch.
- Start Logstash.
- Check the logs in Kibana.
Let's look at each point in detail:
Checking that Elasticsearch accepts logs
To do this, use the curl command to check that Elasticsearch is reachable from the host where Logstash is installed. If authentication is configured, pass the username and password to curl as well, and specify port 9200 unless you have changed it. If you receive a response like the one below, everything is fine.
[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$
If you get no response, there are several possible causes: the Elasticsearch process is not running, the wrong port is specified, or the port is blocked by a firewall on the server where Elasticsearch is installed.
Sending logs to Logstash from a Check Point firewall
From the Check Point management server you can send logs to Logstash over syslog using the log_exporter utility; you can read more about it here.
cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified
< > is the address of the server where Logstash is running, and target-port 5555 is the port we will send the logs to. Sending logs over tcp can put load on the server, so in some cases it is more appropriate to use udp.
Configuring INPUT in the Logstash configuration file
By default, the configuration file lives in the /etc/logstash/conf.d/ directory. It has three required sections: INPUT, FILTER, OUTPUT. In INPUT we specify where the system takes the logs from; in FILTER we parse the log, that is, define how the message is split into fields and values; in OUTPUT we configure the output stream, where the parsed logs will be sent.
First, let's configure INPUT and consider some of the input types available: file, tcp and exec.
Tcp:
input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}
mode => "server"
Indicates that Logstash accepts incoming connections.
port => 5555
host => "10.10.1.205"
We accept connections on IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the firewall policy.
type => "checkpoint"
We tag the document, which is convenient if you have several incoming connections. Later, for each connection you can write your own filter using an if construct.
File:
input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}
Description of the settings:
path => "/var/log/openvas_report/*"
We specify the directory from which the files should be read.
type => "openvas"
The event type.
start_position => "beginning"
When the file changes, the whole file is read; if you set "end", the system waits for new records to appear at the end of the file.
Exec:
input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}
With this input, a single shell command (only one!) is launched and its output is turned into a log message.
command => "ls -alh"
The command whose output we are interested in.
interval => 30
The command invocation interval in seconds.
To receive logs from the firewall, we configure a tcp or udp input, depending on how the logs are sent to Logstash.
Configuring Output in the Logstash configuration file in debug mode to understand what a log message looks like
After configuring INPUT, we need to understand what the log message will look like and which method should be used to build the log filter (parser).
To do this, we use an output that writes the result to stdout so that we can see the original message; the full configuration file at this point looks like this:
input
{
  tcp
  {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}
output
{
  if [type] == "checkpoint"
  {
    stdout { codec => json }
  }
}
Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We see the result (the screenshot is clickable):
If you copy it, it looks like this:
action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,
Looking at these messages, we see that the log has the form field = value, or key = value, which means the filter called kv is suitable. To pick the right filter for each particular case, it is worth getting familiar with them in the technical documentation, or asking a colleague.
Configuring Filter
In the previous step we chose kv; the configuration of this filter is shown below:
filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}
We choose the character on which the field and value are split: "=". If the log contains identical key/value pairs, we keep only one instance in the database; otherwise you end up with an array of identical values. That is, for the message "foo = some foo = some" we store only foo = some.
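To make concrete what value_split => "=" and allow_duplicate_values => false do to a Check Point message like the one above, here is an added Python re-implementation of that kv behaviour (example code written for this article, not part of the original post or of Logstash itself); SAMPLE_MESSAGE is a constructed fragment of the message shown earlier, with the repeated layer_name and rule_action keys kept.

```python
import re
from typing import Dict, List, Union

# Constructed sample: a trimmed fragment of the Check Point message shown
# earlier in this article. Some keys repeat with different values
# (layer_name) and some repeat with the same value (rule_action, parent_rule).
SAMPLE_MESSAGE = (
    'action="Accept" ifdir="outbound" ifname="bond1.101" origin="10.10.10.254" '
    'originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" '
    'layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" '
    'rule_action="Accept" rule_action="Accept" parent_rule="0" parent_rule="0" '
    'src="10.10.1.180" dst="10.10.10.10" service="53" proto="17"'
)

# key=value where the value is either double-quoted (and may contain spaces
# or further "=" characters) or a bare token running up to the next space.
KV_PATTERN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

Value = Union[str, List[str]]


def kv_parse(message: str, allow_duplicate_values: bool = False) -> Dict[str, Value]:
    """Split a message into fields as the kv filter does with value_split "=".

    A key seen more than once becomes an array of its values. With
    allow_duplicate_values=False a repeated key carrying the *same* value is
    stored once (rule_action="Accept" twice -> "Accept"), while differing
    values are still collected (layer_name -> array of two entries).
    """
    fields: Dict[str, Value] = {}
    for match in KV_PATTERN.finditer(message):
        key = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if key not in fields:
            fields[key] = value
            continue
        existing = fields[key]
        values = existing if isinstance(existing, list) else [existing]
        if allow_duplicate_values or value not in values:
            values.append(value)
        fields[key] = values if len(values) > 1 else values[0]
    return fields


if __name__ == "__main__":
    for name, val in kv_parse(SAMPLE_MESSAGE).items():
        print(f"{name} = {val}")
```

Run with allow_duplicate_values=True to see the array ["Accept", "Accept"] that the article says you would otherwise end up with in the index.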
Configuring the final Output to Elasticsearch
Once the filter is configured, you can write the logs to the Elasticsearch database:
output
{
  if [type] == "checkpoint"
  {
    elasticsearch
    {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}
If the document is tagged with type checkpoint, we store the event in the Elasticsearch database, which accepts connections on 10.10.1.200 on the default port 9200. Each document is stored in a specific index; here we store it in the index "checkpoint-" + the current date. Each index can have a specific set of fields, or they are created automatically when a new field appears in a message; the field settings and their types can be viewed in the mappings.
If authentication is configured (we will look at it later), the credentials for writing to the given index must be specified; in this example the user is "tssolution" with the password "cool". You can restrict a user's rights so that it can write logs to one specific index and nothing more.
Starting Logstash.
The Logstash configuration file:
input
{
  tcp
  {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}
filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}
output
{
  if [type] == "checkpoint"
  {
    elasticsearch
    {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}
Check the configuration file for correctness:
/usr/share/logstash/bin/logstash -f checkpoint.conf
Start the Logstash service:
sudo systemctl start logstash
Check that the service has started:
sudo systemctl status logstash
Check that the socket is listening:
netstat -nat | grep 5555
Checking the logs in Kibana.
Once everything is running, go to Kibana - Discover and make sure everything is configured correctly (the screenshot is clickable).
All logs are in place and we can see all the fields and their values!
Conclusion
We looked at how to write a Logstash configuration file, and as a result obtained a parser for all fields and values. Now we can search on and chart specific fields. Next in the course we will look at visualization in Kibana and build a simple dashboard. It is worth mentioning that in certain situations the Logstash configuration file needs to be updated regularly, for example when we want to replace a numeric field value with a word. In the following articles we will do this repeatedly.
So stay tuned.
Source: www.habr.com