Elastic under lock and key: enabling the security options of an Elasticsearch cluster for access from inside and outside


Elastic Stack is a well-known tool in the SIEM market (and, frankly, not only there). It collects a lot of heterogeneous data, some of it sensitive, some less so. It is hardly acceptable if access to the Elastic Stack components themselves is left unprotected. Out of the box, all Elastic components (Elasticsearch, Logstash, Kibana and the Beats collectors) talk to each other over unencrypted protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we show how. For convenience, we split the story into three parts:

  • Role-based data access model
  • Protecting data inside the Elasticsearch cluster
  • Protecting data outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and change nothing, access to all indices is open to everyone. Well, to everyone who can use curl. To prevent this, Elasticsearch ships a role-based access model that is available starting from the Basic subscription (which is free). Schematically it looks like this:

(Diagram: the role-based access model of Elasticsearch.)

What is in the picture

  • Users are everyone who can log in with their credentials.
  • A role is a set of rights.
  • A right is a set of privileges.
  • A privilege is permission to write, read, delete, and so on. (Full list of privileges)
  • Resources are indices, documents, fields, users, and other stored entities (the resource model for some of these entities is only available with paid subscriptions).

Out of the box, Elasticsearch has built-in users with built-in roles bound to them. Once you enable the security settings, you can start using them right away.

To enable the Elasticsearch security settings, add a new line to the configuration file (by default elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After editing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to assign passwords to the built-in users. Let's do this interactively with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the Elasticsearch side is done. Now it is time to configure Kibana. If you start it now, it will fail with errors, so you need to put the credentials into the Kibana keystore. This takes two commands (enter the user kibana and the password you assigned to it in the password step above; if the keystore file does not exist yet, create it first with kibana-keystore create):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is correct, Kibana will start asking for a login and password. The Basic subscription includes the model based on internal (native) users. Starting from Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and single sign-on.


Access rights to entities inside Elasticsearch can also be restricted. To do the same at the level of individual documents or fields, however, you will need a paid subscription (this level of luxury starts at Platinum). These settings are available in the Kibana interface or through the Security API. You can try them in the already familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user (note: in later 7.x releases the built-in kibana_user role is deprecated in favour of kibana_admin)

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
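The two Dev Tools requests above are the whole story once you have typed them, but when roles and users are created by scripts it is worth checking what you are about to grant before you send it. The script below is an added example and is not code from the article or from Elastic: it builds the same kind of role and user bodies, refuses to send a role with cluster privileges, an all-indices pattern or broad index privileges, refuses a user who gets superuser or a password under the 6-character minimum, and only contacts a cluster when the (assumed) environment variables ES_URL, ES_USER, ES_PASS and optionally ES_CA (path to the ca.crt generated later in the article) are set.

```python
"""Create a least-privilege role and user through the Elasticsearch Security API.

Added example (not from the article). Builds role/user bodies like the ones in
the article, lints them for over-broad grants, and sends them over HTTPS with
basic auth only when ES_URL/ES_USER/ES_PASS are set (assumed variable names).
"""
import base64
import json
import os
import ssl
import urllib.request

# Index privileges that go beyond the article's read-only intent.
BROAD_PRIVILEGES = {"all", "manage", "write", "delete", "delete_index"}
ADMIN_ROLES = {"superuser"}


def build_role(index_patterns, privileges=("read", "view_index_metadata"), cluster=()):
    """Body for PUT /_security/role/<name>: read-only on the given indices by default."""
    return {
        "cluster": list(cluster),
        "indices": [{"names": list(index_patterns), "privileges": list(privileges)}],
    }


def build_user(password, roles, full_name="", email="", metadata=None):
    """Body for POST /_security/user/<name>."""
    return {
        "password": password,
        "roles": list(roles),
        "full_name": full_name,
        "email": email,
        "metadata": metadata or {},
    }


def lint_role(role):
    """Return findings for grants wider than a read-only data role; [] means clean."""
    findings = []
    if role.get("cluster"):
        findings.append(f"cluster privileges granted (check they are needed): {role['cluster']}")
    for entry in role.get("indices", []):
        if any(name in ("*", "_all") for name in entry.get("names", [])):
            findings.append(f"pattern matching every index: {entry['names']}")
        broad = BROAD_PRIVILEGES & set(entry.get("privileges", []))
        if broad:
            findings.append(f"broad index privileges: {sorted(broad)}")
    return findings


def lint_user(user):
    """Flag administrative roles and passwords below the 6-character native-realm minimum."""
    findings = []
    if ADMIN_ROLES & set(user.get("roles", [])):
        findings.append("user is assigned an administrative role")
    if len(user.get("password", "")) < 6:
        findings.append("password shorter than 6 characters is rejected by Elasticsearch")
    return findings


def security_request(base_url, method, path, body, username, password, ca_file=None):
    """Send one Security API request over HTTPS with basic auth; returns the parsed JSON reply."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    # Trust the private CA (ca.crt) instead of switching certificate verification off.
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    role = build_role(["ruslan_i_ludmila"])
    user = build_user("nataliaonelove", ["ruslan_i_ludmila_role", "kibana_user"], "Alexander Pushkin")
    problems = lint_role(role) + lint_user(user)
    if problems:
        raise SystemExit("refusing to create over-privileged principal: " + "; ".join(problems))
    url, es_user, es_pass = os.getenv("ES_URL"), os.getenv("ES_USER"), os.getenv("ES_PASS")
    if url and es_user and es_pass:
        ca = os.getenv("ES_CA")
        print(security_request(url, "PUT", "/_security/role/ruslan_i_ludmila_role", role, es_user, es_pass, ca))
        print(security_request(url, "POST", "/_security/user/pushkin", user, es_user, es_pass, ca))
    else:
        print(json.dumps({"role": role, "user": user}, indent=2))
```

Without the environment variables the script only prints the bodies it would send, so it can be dry-run anywhere; with them it performs the same two requests as the Dev Tools snippets, authenticated as whichever user you supply (typically elastic).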

Protecting data inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (which is the common case), the security settings inside the cluster become important. For secure communication between nodes, Elasticsearch uses TLS, and to establish trust between the nodes you need certificates. First we create a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the archive elastic-stack-ca.zip appears in the /../elasticsearch directory. Inside it you will find the certificate and the private key, with the extensions crt and key respectively. Place them in a shared directory that is reachable from every node of the cluster.

Now generate a node certificate and private key signed by the CA from the shared directory. When the command runs you will be asked for an output file name and a password. You can add the optional --dns and --ip parameters with the names and addresses of your nodes if you want nodes to fully verify each other's identity (see the note on verification_mode below).

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result we get a certificate and private key in PKCS#12 format, protected by a password. All that remains is to move the generated p12 file into the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the p12 file to the keystore and truststore settings in the Elasticsearch keystore on every node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the already familiar elasticsearch.yml, all that remains is to add the lines pointing at the certificate:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

A word on verification_mode: certificate checks that the peer's certificate is signed by a trusted CA but does not check that its hostname or IP matches, which is exactly what lets a single shared certificate work on all nodes. If you generated per-node certificates with --dns/--ip, set it to full so that node identity is verified too; never use none, which accepts any certificate.

Start all Elasticsearch nodes and run curl. If everything was done correctly, a response listing several nodes comes back:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP filtering (available starting from the Gold subscription). It lets you define whitelists of IP addresses that are allowed to connect to the nodes.

Protecting data outside the Elasticsearch cluster

"Outside the cluster" means connections from external tools: Kibana, Logstash, Beats or any other external client.


To enable https (instead of http) on the client-facing port, add new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Because the certificate file is password-protected, add the password to the keystore and truststore settings on every node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

Once the passwords are added, the Elasticsearch nodes are ready to accept https connections. Now they can be started.

The next step is to create a key and certificate for Kibana and add them to its configuration. Using the CA that is already in the shared directory, we create a certificate in PEM format (Kibana, Logstash and Beats do not yet accept PKCS#12 directly; later Kibana releases added server.ssl.keystore.path for that):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unpack the generated certificate and key into the Kibana configuration folder:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so the last step is to change Kibana's configuration to use them. In kibana.yml, change http to https and add the lines with the SSL settings. The last three lines set up the encrypted connection between the user's browser and Kibana. Since that certificate is signed by your private CA, browsers will warn about it until ca.crt is imported into their trust store (or until you replace it with a publicly trusted certificate).

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
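The settings spread over elasticsearch.yml (security enabled, transport TLS, HTTP TLS) and kibana.yml (https towards Elasticsearch, trusted CA, TLS towards the browser) are easy to get half-way right, and a missed line silently leaves one leg in cleartext. The checker below is an added example, not code from the article or from Elastic: it parses the flat key: value lines these two files use, reports which of the article's protections are missing, and also flags the weak choices the article does not recommend (verification_mode none, an http:// Kibana-to-Elasticsearch URL). The two sample configurations embedded in it are constructed for the demonstration; the hardened ones repeat the article's lines.

```python
"""Audit the TLS/security settings the article adds to elasticsearch.yml and kibana.yml.

Added example (not from the article). Handles only the flat `key: value` lines
these files use; nested YAML blocks are out of scope.
"""


def parse_flat_yaml(text):
    """Parse `key: value` lines; comments are dropped and ["a", "b"] lists become Python lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive: a '#' inside a quoted value would be cut
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("\"'")
        settings[key.strip()] = value
    return settings


def is_true(value):
    return str(value).lower() == "true"


def audit_elasticsearch(settings):
    """Findings for elasticsearch.yml; [] means the article's end state is reached."""
    findings = []
    if not is_true(settings.get("xpack.security.enabled", "false")):
        findings.append("xpack.security.enabled is not true: every index is readable without credentials")
    if not is_true(settings.get("xpack.security.transport.ssl.enabled", "false")):
        findings.append("transport TLS disabled: node-to-node traffic is cleartext")
    if settings.get("xpack.security.transport.ssl.verification_mode", "full") == "none":
        findings.append("transport verification_mode none: any certificate is accepted")
    if not is_true(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("HTTP TLS disabled: client credentials and data cross the wire in cleartext")
    for layer in ("transport", "http"):
        enabled = is_true(settings.get(f"xpack.security.{layer}.ssl.enabled", "false"))
        if enabled and not settings.get(f"xpack.security.{layer}.ssl.keystore.path"):
            findings.append(f"{layer} TLS enabled but keystore.path missing: the node will not start")
    return findings


def audit_kibana(settings):
    """Findings for kibana.yml: the Kibana-to-Elasticsearch leg and the browser-to-Kibana leg."""
    findings = []
    hosts = settings.get("elasticsearch.hosts", ["http://localhost:9200"])  # Kibana's own default
    if isinstance(hosts, str):
        hosts = [hosts]
    https_hosts = [h for h in hosts if h.startswith("https://")]
    for host in hosts:
        if host not in https_hosts:
            findings.append(f"elasticsearch.hosts entry {host} is plain http")
    if https_hosts and not settings.get("elasticsearch.ssl.certificateAuthorities"):
        findings.append("elasticsearch.ssl.certificateAuthorities missing: a private-CA certificate is rejected")
    if settings.get("elasticsearch.ssl.verificationMode", "full") == "none":
        findings.append("elasticsearch.ssl.verificationMode none: Kibana trusts any Elasticsearch certificate")
    if not is_true(settings.get("server.ssl.enabled", "false")):
        findings.append("server.ssl.enabled is not true: browser sessions reach Kibana in cleartext")
    return findings


# Constructed samples: a fresh install (defaults only) versus the article's final settings.
WEAK_ES = "cluster.name: es-demo\n# nothing else: defaults leave security off\n"
HARDENED_ES = """xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""
WEAK_KIBANA = 'elasticsearch.hosts: ["http://node1:9200"]\n'
HARDENED_KIBANA = """elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
"""

if __name__ == "__main__":
    import sys
    es_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_ES
    kb_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else WEAK_KIBANA
    for name, findings in (("elasticsearch.yml", audit_elasticsearch(parse_flat_yaml(es_text))),
                           ("kibana.yml", audit_kibana(parse_flat_yaml(kb_text)))):
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it with the paths to your elasticsearch.yml and kibana.yml as arguments to check a real deployment; without arguments it audits the embedded weak samples and shows the three Elasticsearch and two Kibana gaps a default install has.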

With that, the configuration is complete and access to the data in the Elasticsearch cluster is protected.

If you have questions about the capabilities of Elastic Stack under the free or paid subscriptions, about monitoring services or about building a SIEM system, leave a request through the feedback form on our website.

More of our Elastic Stack articles on Habré:

Understanding Machine Learning in Elastic Stack (aka Elasticsearch, aka ELK)

Elasticsearch sizing

Source: www.habr.com
