2. Elastic stack: analysis of security logs. Logstash

In the previous article we got acquainted with the ELK stack and the software products it is made of. The first task an engineer faces when working with the ELK stack is shipping logs into elasticsearch for storage and later analysis. Put that way it sounds simple, but elasticsearch stores logs as documents with specific fields and values, so the engineer has to use some tool to parse the messages that arrive from the end systems. This can be done in several ways: write your own program that adds documents to the database through the API, or use a ready-made solution. In this course we look at Logstash, which is part of the ELK stack. We will see how logs can be sent from endpoint systems to Logstash, and then we will write a configuration file that parses them and forwards them to the Elasticsearch database. As the source system we take logs from a Check Point firewall.

The course does not cover installing the ELK stack, since there are plenty of articles on that topic; we will discuss the configuration.

Let's draw up a plan for configuring Logstash:

  1. Check that elasticsearch accepts logs (check that the service is running and the port is open).
  2. Decide how to send events to Logstash, choose a method, and implement it.
  3. Configure Input in the Logstash configuration file.
  4. Configure Output in the Logstash configuration file in debug mode to understand what the log message looks like.
  5. Configure Filter.
  6. Configure the proper Output to ElasticSearch.
  7. Start Logstash.
  8. View the logs in Kibana.

Let's go through each point in detail:

Checking that elasticsearch accepts logs

For this you can use the curl command to check access to Elasticsearch from the machine where Logstash is installed. If you have authentication configured, also pass the user/password through curl, and specify port 9200 unless you have changed it. If you receive a response similar to the one below, everything is fine.

[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$

If no response comes back, there are several possible causes: the elasticsearch process is not running, the wrong port was specified, or the port is blocked by a firewall on the server where elasticsearch is installed.
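The same check as the curl call above, written as an added Python example (it is not part of the original article) so that the three causes just listed can be told apart by the error the request returns: a refused connection points at a stopped process or a wrong port, a timeout at a firewall dropping the packets, and an HTTP 401/403 at wrong credentials. The sample response body is constructed from the curl output above; the address 10.10.1.200:9200 used in the demo is the elasticsearch node from the Output section of this article.

```python
import base64
import json
import socket
import urllib.error
import urllib.request

# Constructed from the root-endpoint response shown above (only the fields we look at).
SAMPLE_INFO = (
    '{"name": "elastic-1", "cluster_name": "project", '
    '"version": {"number": "7.4.1", "lucene_version": "8.2.0"}, '
    '"tagline": "You Know, for Search"}'
)


def parse_info(body: str) -> dict:
    """Pull the fields worth recording out of the GET / response of Elasticsearch."""
    info = json.loads(body)
    return {
        "name": info["name"],
        "cluster_name": info["cluster_name"],
        "version": info["version"]["number"],
    }


def classify_failure(exc: BaseException) -> str:
    """Map the error raised by the request onto the causes listed in the text."""
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code in (401, 403):
            return "reachable, but the user/password was rejected"
        return f"reachable, but elasticsearch answered HTTP {exc.code}"
    if isinstance(exc, urllib.error.URLError):
        exc = exc.reason  # urllib wraps the socket-level error
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: elasticsearch is not running on that host, or the port is wrong"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timed out: a firewall on the elasticsearch server is most likely dropping the port"
    if isinstance(exc, socket.gaierror):
        return "host name does not resolve"
    return f"unexpected error: {exc!r}"


def check_elasticsearch(url: str, user: str = None, password: str = None,
                        timeout: float = 5.0) -> dict:
    """Equivalent of: curl -u user:password -sS -XGET "<url>" with a verdict attached."""
    request = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return {"ok": True, **parse_info(response.read().decode())}
    except (urllib.error.URLError, OSError) as exc:
        return {"ok": False, "reason": classify_failure(exc)}


if __name__ == "__main__":
    # Address taken from the Output section of the article; credentials are placeholders.
    print(check_elasticsearch("http://10.10.1.200:9200", "<<user_name>>", "<<password>>"))
```

Run it on the Logstash host, not on the elasticsearch host itself: a check that succeeds locally but times out from the Logstash machine is the firewall case from the list above.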

Let's see how to send logs to Logstash from a Check Point firewall

From the Check Point management server you can send logs to Logstash over syslog using the log_exporter utility; you can read more about it in this article, here we only give the command that creates the export stream:

cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified

< > is the address of the server on which Logstash runs, target-port 5555 is the port we will send the logs to. Sending logs over tcp can load the server, so in some cases it is more appropriate to use udp.

Configuring INPUT in the Logstash configuration file

By default the configuration file lives in the /etc/logstash/conf.d/ directory. The configuration file consists of three main sections: INPUT, FILTER, OUTPUT. In INPUT we specify where the system takes the events from; in FILTER we parse the log, i.e. define how the message is split into fields and values; in OUTPUT we configure the outgoing stream, i.e. where the parsed logs are sent.

First, let's configure INPUT. Consider a few of the types it can have: file, tcp and exec.

Tcp:

input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}

mode => "server"
Indicates that Logstash accepts incoming connections.

port => 5555
host => "10.10.1.205"
We accept connections on IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the firewall policy.

type => "checkpoint"
We label the document, which is convenient if you have several incoming connections. Later you can write a separate filter for each connection using an if construct.

File:

input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}

Description of the settings:
path => "/var/log/openvas_report/*"
We specify the directory from which the files are read.

type => "openvas"
Event type.

start_position => "beginning"
When a file changes, the whole file is read; if you set "end" instead, the system waits for new records to appear at the end of the file.

Exec:

input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}

With this input a (single!) shell command is started and its output is turned into a log message.

command => "ls -alh"
The command whose result we are interested in.

interval => 30
The interval in seconds between invocations of the command.

To receive the logs from the firewall we declare a tcp or udp input, depending on how the logs are sent to Logstash.

Configuring Output in the Logstash configuration file in debug mode to understand what the log message looks like

After configuring INPUT we need to understand what the log message will look like and which method to use for configuring the log filter (parser).

For that we use an output that prints its result to stdout so we can view the raw message; the full configuration file at this point looks like this:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}

Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We look at the result:

Copied out as text, it looks like this:

action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,

Looking at these messages, we see that the log has the form field = value, or key = value, which means the filter called kv is the right choice. To pick the right filter for a given case, it is best to study them in the technical documentation, or ask a colleague.

Configuring Filter

In the previous step we chose kv; the configuration of this filter is shown below:

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

We choose the character on which field and value are split: "=". If the log contains identical key/value pairs, we keep only one instance in the database; otherwise you would get an array of identical values. That is, for the message "foo = some foo = some" we store foo = some.
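To check what the kv filter above will actually produce from the captured Check Point message, here is an added Python model of its behaviour (example code written for this article, not Logstash's own implementation). parse_kv splits on value_split, keeps double-quoted values that contain spaces, "&" or braces intact, and applies the allow_duplicate_values => false rule: an identical repeat of a pair is dropped, while a key that repeats with different values (layer_name in the capture) becomes a list, which the filter description above does not spell out. build_event assembles the same envelope the stdout json output printed (@timestamp, @version, message, type, host, port) and index_name reproduces the checkpoint-%{+YYYY.MM.dd} index name used in the Output section. The sample message is a trimmed copy of the captured line above; the peer host 10.10.10.250, port 50620 and the 2019-12-19T14:50:12.153Z timestamp are taken from that capture.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a trimmed copy of the Check Point message captured above.
# It keeps the awkward cases: quoted values with spaces and "&", a value with
# braces and commas, a key repeated with different values (layer_name) and a
# key repeated with identical values (rule_action).
SAMPLE_MESSAGE = (
    'action="Accept" conn_direction="Internal" ifname="bond1.101" '
    'loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" '
    'time="1576766483" dst="10.10.10.10" '
    'layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" '
    'rule_action="Accept" rule_action="Accept" '
    'product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" '
    'src="10.10.1.180"'
)

# @timestamp of the captured event, used so the demo output is reproducible.
CAPTURE_TIME = datetime(2019, 12, 19, 14, 50, 12, 153000, tzinfo=timezone.utc)


def _pair_pattern(value_split: str) -> "re.Pattern[str]":
    """key<value_split>value, where value is a double-quoted string or a bare token."""
    sep = re.escape(value_split)
    return re.compile(rf'([^\s{sep}]+){sep}(?:"([^"]*)"|(\S+))')


def parse_kv(message: str, value_split: str = "=",
             allow_duplicate_values: bool = False) -> dict:
    """Model of the kv filter as configured above: fields land at the event root,
    a key seen twice with different values becomes a list, and with
    allow_duplicate_values=False an identical repeat is dropped."""
    fields: dict = {}
    for match in _pair_pattern(value_split).finditer(message):
        key = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if key not in fields:
            fields[key] = value
            continue
        current = fields[key] if isinstance(fields[key], list) else [fields[key]]
        if not allow_duplicate_values and value in current:
            continue  # "foo=some foo=some" keeps a single foo=some
        fields[key] = current + [value]
    return fields


def index_name(prefix: str, timestamp: datetime) -> str:
    """The index => "checkpoint-%{+YYYY.MM.dd}" setting: one index per UTC day
    of the event's @timestamp."""
    return f"{prefix}-{timestamp.astimezone(timezone.utc).strftime('%Y.%m.%d')}"


def build_event(raw: str, host: str, port: int, event_type: str,
                now: Optional[datetime] = None) -> dict:
    """Assemble the envelope that stdout { codec => json } printed, then merge
    in the kv fields. @timestamp is the ingest time, as in Logstash."""
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    event = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z",
        "@version": "1",
        "message": raw,
        "type": event_type,  # the type => "checkpoint" label from the tcp input
        "host": host,        # peer address of the tcp connection
        "port": port,        # peer source port
    }
    event.update(parse_kv(raw))
    return event


if __name__ == "__main__":
    # 10.10.10.250:50620 is the peer shown in the captured event above.
    event = build_event(SAMPLE_MESSAGE, "10.10.10.250", 50620, "checkpoint", now=CAPTURE_TIME)
    print(json.dumps(event, indent=2))
    print("would be written to index:", index_name("checkpoint", CAPTURE_TIME))
```

Two things this makes visible before the data reaches elasticsearch: a field such as layer_name arrives as an array rather than a string, so any query or visualization on it has to expect that, and the daily index is chosen from @timestamp (the time Logstash received the event), not from the Check Point time field, so logs that arrive late land in the index of the day they were received.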

Configuring the proper Output to ElasticSearch

Once the filter is configured, the logs can be loaded into the elasticsearch database:

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

If the document is labelled with type checkpoint, we store the event in the elasticsearch database, which accepts connections at 10.10.1.200 on port 9200 by default. Each document is stored in a specific index; here we store it in the index "checkpoint-" + the current date. Each index can have a fixed set of fields, or fields are created automatically when a new field appears in a message; the fields and their types can be seen in the mapping.

If you have authentication configured (we will look at it later), the credentials for writing to the given index must be specified; in this example the user is "tssolution" with password "cool". You can restrict a user's rights so that it can write logs only to a specific index and nothing more.

Starting Logstash.

The Logstash configuration file:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

We check that the configuration file is correct:
/usr/share/logstash/bin/logstash -f checkpoint.conf
Start the Logstash service:
sudo systemctl start logstash

Check that the process has started:
sudo systemctl status logstash

Let's check that the socket is listening:
netstat -nat | grep 5555

Viewing the logs in Kibana.

When everything is done, open Kibana - Discover and make sure everything is configured correctly.

All the logs are in place and we can see every field and its value!

Conclusion

We looked at how to write a Logstash configuration file, and as a result we obtained a parser for all the fields and values. Now we can work on searching and charting specific fields. Next in the course we will look at visualization in Kibana and build a simple dashboard. It is worth mentioning that in certain situations the Logstash configuration file has to be updated continually, for example when we want to replace a numeric field value with a word. We will be doing exactly that in the following articles.

So stay tuned (Telegram, Facebook, VK, TS Solution Blog), Yandex.Zen.

Source: www.habr.com