3. Elastic Stack: security log analysis. Dashboards


In the previous articles we got a little acquainted with the ELK stack and set up a Logstash configuration file for the log parser. In this article we move on to the most important part from the point of view of analysis: what you want to see from the system and what it was all built for, namely the graphs and tables combined into dashboards. Today we take a closer look at the Kibana visualization system, see how graphs and tables are built, and as a result build a simple dashboard based on logs from a Check Point firewall.

The first step in working with Kibana is to create an index pattern; logically, this is a set of indexes grouped by some principle. Of course, this is purely a setting so that Kibana can conveniently search across all of those indexes at once. It is defined by matching a string, say "checkpoint-*", against the index name. For example, "checkpoint-2019.12.05" would match this pattern, but "checkpoint" alone would not. It is worth noting separately that a search cannot look through information from different index patterns at the same time; a little later, in the following articles, we will see that API requests are made either by index name or by a single pattern. Example string; the screenshot is clickable:


After that, we check in the Discover menu that all logs are indexed and the correct parser has been configured. If any inconsistency is found, for example a data type needs to change from string to number, you have to edit the Logstash configuration file so that new logs are written correctly. For old logs to take the required form as it was before the change, only reindexing helps; that procedure will be discussed in detail in later articles. Let's make sure everything is in order; the screenshot is clickable:


The logs are in place, which means we can start building dashboards. By analysing dashboards built from security product logs, you can understand the state of information security in the organization, clearly see the weak points of the current policy, and then work out ways to fix them. Let's build a small dashboard using several visualization tools. The dashboard will consist of 5 components:

  1. a table counting the number of logs by blade
  2. a table of critical IPS signatures
  3. a chart of Threat Prevention events
  4. a chart of the most popular sites visited
  5. a chart of the most dangerous applications used

To create visualizations, go to the Visualize menu and select the visualization we want to build. Let's go through them in order.

Table counting the number of logs by blade

To do this, select the Data Table visualization; we land in the graph-building tool, with the visualization settings on the left and, on the right, how it will look with the current settings. First I will show what the finished table looks like, after which we will go through the settings; the screenshot is clickable:


The detailed settings of this visualization; the screenshot is clickable:


Let's look at the settings.

The first thing configured is the metric, the value by which all fields will be aggregated. Metrics are computed from values extracted in one way or another from the documents. Values are usually taken from document fields, but they can also be produced by scripts. In this case we set Aggregation: Count (the total number of logs).

Next, we divide the table into segments (fields) over which the metric will be computed. This is done by the Buckets setting, which in turn consists of two options:

  1. split rows: adding columns and then splitting the table into rows
  2. split table: splitting into several tables based on the value of a particular field.

In Buckets you can add several splits to create several columns or tables; the restrictions here are fairly logical. In Aggregation you choose which method is used to split into segments: IPv4 Range, Date Range, Terms, etc. The most interesting choices are Terms and Significant Terms: the split into segments is done by the values of a certain index field, and the difference between them lies in the number of values returned and how they are displayed. Since we want to split the table by blade name, we select the field product.keyword and set the size to 25 returned values.

Instead of strings, Elasticsearch uses two data types: text and keyword. If you need full-text search, use the text type; it is very convenient when writing your own search service, for example to look for a mention of a word inside the value of a specific (text) field. If you only need an exact match, use the keyword type. The keyword type must also be used for fields that need sorting or aggregation, which is our case.
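The following example, added here and not taken from the article or from Elastic, shows how to read the index mapping (as returned by `GET <index>/_mapping`) to decide which field name a Terms bucket can use: a `text` field such as `product` is only aggregatable through its `keyword` sub-field, so the bucket must name `product.keyword`, while a numeric field is used as-is. The mapping below is constructed to mirror what Elasticsearch's default dynamic mapping produces for string fields indexed by Logstash.

```python
# Example added to this article (not the author's or Elastic's code): given an index
# mapping, decide which field name a Kibana Terms bucket can use. The mapping below is
# constructed to mirror what Elasticsearch's default dynamic mapping produces for
# string fields indexed by Logstash: a `text` field with a `keyword` sub-field.

# Types on which Elasticsearch can sort and aggregate without enabling fielddata.
AGGREGATABLE_TYPES = {
    "keyword", "long", "integer", "short", "byte", "double", "float",
    "date", "ip", "boolean",
}

# Constructed sample mapping (the "mappings" part of GET <index>/_mapping).
SAMPLE_MAPPING = {
    "properties": {
        "product":    {"type": "text",
                       "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "appi_name":  {"type": "text",
                       "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "app_risk":   {"type": "long"},        # parsed as a number by Logstash
        "message":    {"type": "text"},        # text only: cannot be bucketed or sorted
        "@timestamp": {"type": "date"},
    }
}


def aggregatable_field(mapping, field):
    """Return the name to put in a Terms/Significant Terms bucket for `field`,
    e.g. 'product' -> 'product.keyword', 'app_risk' -> 'app_risk'.
    Returns None when neither the field nor any sub-field is aggregatable, which
    is the case Kibana reports as 'Fielddata is disabled on text fields by default'."""
    spec = mapping.get("properties", {}).get(field)
    if spec is None:
        return None
    if spec.get("type") in AGGREGATABLE_TYPES:
        return field
    for sub_name, sub_spec in spec.get("fields", {}).items():
        if sub_spec.get("type") in AGGREGATABLE_TYPES:
            return f"{field}.{sub_name}"
    return None


def text_only_fields(mapping):
    """List the fields that full-text search can use but no table or chart can
    split on. Worth re-checking after changing the Logstash filter: a field whose
    type changed only takes effect in new indexes until old ones are reindexed."""
    return sorted(
        name for name in mapping.get("properties", {})
        if aggregatable_field(mapping, name) is None
    )


if __name__ == "__main__":
    for name in ("product", "app_risk", "message", "missing"):
        print(f"{name:10} -> {aggregatable_field(SAMPLE_MAPPING, name)}")
    print("text-only fields:", text_only_fields(SAMPLE_MAPPING))
```

Run it against the real mapping of a `checkpoint-*` index before building a visualization; a field that comes back as `None` needs either a `keyword` sub-field in the index template or a numeric type set in the Logstash filter.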

As a result, Elasticsearch counts the number of logs for a given period of time, aggregated by the value of the product field. In Custom Label we set the name of the column that will be shown in the table, set the time range over which the logs are collected, and start rendering: Kibana sends a request to Elasticsearch, waits for the response and then visualizes the received data. The table is ready!

Chart of Threat Prevention events

Of particular interest is the share, as a percentage, of detect versus prevent reactions to information security incidents under the current security policy. A pie chart works well here. Select Pie Chart in Visualize. In the metric we again set aggregation by the number of logs. In buckets we set Terms => action.

Everything seems correct, but the result shows values for all blades; we need to filter only the blades that belong to Threat Prevention. So we set a Filter to search for information only on the blades responsible for information security incidents: product: ("Anti-Bot" OR "New Anti-Virus" OR "DDoS Protector" OR "SmartDefense" OR "Threat Emulation"). The screenshot is clickable:


And the detailed settings; the screenshot is clickable:


IPS event table

Next, and very important from the information security point of view, is to view and check the events on the IPS and Threat Emulation blades that are not blocked by the current policy, so that afterwards the signature can be switched to prevent or, if the traffic is legitimate, excluded from inspection. We create the table in the same way as in the first example, the only difference being that we create several columns: protection.keyword, severity.keyword, product.keyword, originsicname.keyword. Be sure to set a filter to search for information only on the blades responsible for information security incidents: product: ("SmartDefense" OR "Threat Emulation"). The screenshot is clickable:


Detailed settings; the screenshot is clickable:


Chart of popular sites visited

To do this, create a Vertical Bar visualization. We again use count (Y axis) as the metric, and on the X axis we use the names of the visited sites, "appi_name", as the values. There is a small trick here: if you apply the settings as they are in the current version, all sites will be drawn on the chart in the same colour; to make them multicoloured we use an additional setting, "split series", which lets you split an already configured column into several more, depending on the chosen field! The same split can be used either as a single column divided into several values by its configured levels, or in the usual way to create several columns by the value on the X axis. In our case we use the same value as on the X axis, which makes all the columns different colours; they will be labelled by colour in the upper right. In the filter we set product: "URL Filtering" to see information only about sites visited; the screenshot is clickable:


Settings:


Chart of the most dangerous applications used

To do this, create a Vertical Bar visualization. We again use count (Y axis) as the metric, and on the X axis we use the names of the applications used, "appi_name", as the value. The most important part is the filter: product: "Application Control" AND app_risk: (4 OR 5 OR 3) AND action: "accept". We filter the logs by the Application Control blade, take only the applications that fall into the Critical, High and Medium risk categories, and only those where access was allowed. The screenshot is clickable:
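To make the five visualizations checkable without a cluster, here is an added example (not the author's, Elastic's or Check Point's code) that expresses each one as the search body Kibana sends to Elasticsearch (the filter from the visualization plus a Count metric split by a Terms bucket) and then evaluates the same filter and bucket over constructed log records. The field names (product, action, appi_name, app_risk, protection) are the ones used in the article; every record value is made up. The `kql_or`/`kql_and` helpers build exact `term` clauses, whereas Kibana itself emits `match_phrase` clauses for KQL; on keyword fields both give the exact match the filters rely on.

```python
# Example added to this article (not the author's, Elastic's or Check Point's code):
# Query DSL for the five visualizations, plus an offline reference evaluation of the
# same filter + Terms bucket over constructed records. All record values are made up.
from collections import Counter

# Constructed sample records in the flat shape Logstash would index.
SAMPLE_LOGS = [
    {"product": "URL Filtering", "appi_name": "youtube.com", "action": "accept", "app_risk": 2},
    {"product": "URL Filtering", "appi_name": "youtube.com", "action": "accept", "app_risk": 2},
    {"product": "URL Filtering", "appi_name": "habr.com", "action": "accept", "app_risk": 1},
    {"product": "Application Control", "appi_name": "BitTorrent", "action": "accept", "app_risk": 5},
    {"product": "Application Control", "appi_name": "BitTorrent", "action": "drop", "app_risk": 5},
    {"product": "Application Control", "appi_name": "TeamViewer", "action": "accept", "app_risk": 3},
    {"product": "SmartDefense", "protection": "SQL Injection", "severity": "High", "action": "detect"},
    {"product": "Threat Emulation", "protection": "Malicious File", "severity": "Critical", "action": "detect"},
    {"product": "Anti-Bot", "action": "prevent"},
    {"product": "Firewall", "action": "accept"},
]


def kql_or(field, values):
    """KQL `field: (v1 OR v2 ...)` as a bool/should of exact term clauses."""
    return {"bool": {"should": [{"term": {field: v}} for v in values],
                     "minimum_should_match": 1}}


def kql_and(*clauses):
    """KQL `a AND b` as a bool/must."""
    return {"bool": {"must": list(clauses)}}


def terms_table(query, field, size=25):
    """Search body for a Count metric split by a Terms bucket (size 25, as in the
    article's Data Table); `size: 0` because only the buckets are wanted, not hits."""
    return {"size": 0, "query": query,
            "aggs": {"split": {"terms": {"field": field, "size": size}}}}


# The five visualizations from the article as search bodies.
VISUALIZATIONS = {
    "logs_per_blade": terms_table({"match_all": {}}, "product.keyword"),
    "threat_prevention_actions": terms_table(
        kql_or("product.keyword", ["Anti-Bot", "New Anti-Virus", "DDoS Protector",
                                   "SmartDefense", "Threat Emulation"]),
        "action.keyword"),
    "ips_events": terms_table(
        kql_or("product.keyword", ["SmartDefense", "Threat Emulation"]),
        "protection.keyword"),
    "popular_sites": terms_table(kql_or("product.keyword", ["URL Filtering"]),
                                 "appi_name.keyword"),
    "risky_apps_allowed": terms_table(
        kql_and(kql_or("product.keyword", ["Application Control"]),
                kql_or("app_risk", [4, 5, 3]),        # numeric field: no .keyword
                kql_or("action.keyword", ["accept"])),
        "appi_name.keyword"),
}


def _value(doc, field):
    """The flat sample records have no sub-fields, so `x.keyword` reads field `x`."""
    return doc.get(field[:-len(".keyword")] if field.endswith(".keyword") else field)


def matches(doc, query):
    """Evaluate the Query DSL subset used above: match_all, term, bool(must/should)."""
    if "match_all" in query:
        return True
    if "term" in query:
        (field, value), = query["term"].items()
        return _value(doc, field) == value
    clause = query["bool"]
    if not all(matches(doc, q) for q in clause.get("must", [])):
        return False
    should = clause.get("should", [])
    return not should or any(matches(doc, q) for q in should)


def run_terms(docs, body):
    """Buckets as [(key, doc_count), ...], ordered by count descending and cut to
    the requested size, which is how the table or chart is drawn."""
    agg = body["aggs"]["split"]["terms"]
    counts = Counter()
    for doc in docs:
        if matches(doc, body["query"]):
            key = _value(doc, agg["field"])
            if key is not None:      # documents without the field get no bucket
                counts[key] += 1
    return counts.most_common(agg["size"])


def run_all(docs=SAMPLE_LOGS):
    """Evaluate every visualization over `docs`."""
    return {name: run_terms(docs, body) for name, body in VISUALIZATIONS.items()}


if __name__ == "__main__":
    for name, buckets in run_all().items():
        print(name, buckets)
```

The bodies in `VISUALIZATIONS` can be posted as-is to `checkpoint-*/_search` to compare a live cluster against the dashboard; the offline evaluator is only a reference for what each filter and bucket should produce, and it shows why the risky-apps chart must combine all three conditions: the dropped BitTorrent record is excluded even though its risk is 5.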


Settings; the screenshot is clickable:


Dashboard

Viewing and creating dashboards is done in the Dashboard menu item. Everything is simple here: a new dashboard is created, visualizations are added to it and arranged in place, and that's it!

We are building a dashboard from which the basic state of information security in the organization can be understood, admittedly only at the Check Point level; the screenshot is clickable:


From these graphs we can see which critical signatures are not blocked on the firewall, where users go, and which of the most dangerous applications they use.

Conclusion

We looked at the basic visualization capabilities of Kibana and built a dashboard, but this is only a small part. Further on we will look separately at setting up maps, working with the Elasticsearch system, getting to know API requests, automation and much more!

So stay tuned (Telegram, Facebook, VK, TS Solution Blog), Yandex.Zen.

Source: www.habr.com
