1. Elastic stack: security log analysis. Introduction


With the end of sales of the Splunk logging and analytics system in Russia, the question arose: what can replace this solution? After spending some time getting acquainted with various options, I settled on a solution for a real man: the "ELK stack". This system takes time to set up, but in return you get a very powerful system for analysing the state of the infrastructure and responding quickly to information security incidents in the organisation. In this series of articles we will look at the basic (and not so basic) capabilities of the ELK stack, consider how to parse logs, how to build graphs and dashboards, and what interesting functions can be performed, using logs from the Check Point firewall and the OpenVas security scanner as examples. First, let's look at what the ELK stack is and which components it consists of.

"ELK stack" is an abbreviation for three open-source projects: Elasticsearch, Logstash and Kibana. They are developed by Elastic together with all the related projects. Elasticsearch is the core of the whole system; it combines the functions of a database, a search engine and an analytics engine. Logstash is a data processing pipeline that receives data from many sources at the same time, parses the log, and then sends it to the Elasticsearch database. Kibana lets users view the data stored in Elasticsearch using charts and graphs. The database can also be administered through Kibana. Next, we will look at each component separately in more detail.


Logstash

Logstash is a utility for processing log events from various sources. It lets you pick out fields and their values from a message, and you can also configure filtering and editing of the data. After all the manipulations, Logstash forwards the events to the final data store. The utility is configured through configuration files.
A typical Logstash configuration is one or more files consisting of several incoming data streams (input), several filters for this data (filter) and several outgoing streams (output). In its simplest form (one that does nothing) a configuration file looks like this:

input {
}

filter {
}

output {
}

In INPUT we configure which port the logs will be sent to and over which protocol, or which file to read new or continuously updated records from. In FILTER we configure the log parser: splitting out fields, editing values, adding new parameters or removing them. FILTER is the place where the message arriving in Logstash is manipulated, and it offers many editing options. In OUTPUT we configure where the already parsed log is sent; in the case of Elasticsearch a JSON request carrying the fields and values is sent, or, while debugging, the result can be printed to stdout or written to a file.
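To make the three stages concrete, here is an added example (not code from the article or from Elastic) that models the INPUT, FILTER and OUTPUT steps in Python over two constructed log lines. The "key: value;" layout of the lines is an assumption made for illustration; the field names and values are taken from the document shown later in the article. The filter splits the pairs into fields, turns the epoch `time` into an ISO `@timestamp`, splits multi-valued fields into lists, drops a field, and tags a line it cannot parse instead of losing it; the output step then derives a daily index name the way the `%{+YYYY.MM.dd}` pattern of the elasticsearch output plugin does.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in a "key: value; key: value" layout (an assumption
# for illustration, not the exact format of a Check Point log export).
SAMPLE_LINES = [
    "time: 1565269565; outzone: External; dst: 103.5.198.210; parent_rule: 0; "
    "host: 10.10.10.250; ifname: eth6; "
    "layer_name: TSS-Standard Security,TSS-Standard Application; "
    "layer_uuid: dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0,dbee3718-cf2f-4de0-8681-529cb75be9a6",
    "this line has no separators at all",
]

# Fields that are turned into lists (the "split" idea of the FILTER block).
LIST_FIELDS = {"layer_name", "layer_uuid"}
# Fields dropped before indexing (the "remove_field" idea of the FILTER block).
DROP_FIELDS = {"parent_rule"}


def read_input(lines):
    """INPUT stage: wrap each raw line in an event, as the file/tcp inputs do."""
    return [{"message": line} for line in lines]


def kv_filter(event):
    """FILTER stage, part 1: split 'key: value;' pairs into fields.
    A line with no parseable pairs is tagged rather than dropped, in the
    spirit of Logstash's _grokparsefailure tag (this tag name is constructed)."""
    pairs = [p for p in event["message"].split(";") if ":" in p]
    if not pairs:
        event.setdefault("tags", []).append("_kvparsefailure")
        return event
    for pair in pairs:
        key, _, value = pair.partition(":")
        key, value = key.strip(), value.strip()
        event[key] = value.split(",") if key in LIST_FIELDS else value
    return event


def mutate_filter(event):
    """FILTER stage, part 2: convert the epoch 'time' into an ISO @timestamp,
    drop unwanted fields and the raw message once it has been parsed."""
    if "time" in event and event["time"].isdigit():
        ts = datetime.fromtimestamp(int(event["time"]), tz=timezone.utc)
        event["@timestamp"] = ts.isoformat().replace("+00:00", "Z")
    for field in DROP_FIELDS:
        event.pop(field, None)
    if "_kvparsefailure" not in event.get("tags", []):
        event.pop("message", None)
    return event


def index_name(event, prefix="checkpoint"):
    """OUTPUT stage helper: daily index such as checkpoint-2019.10.10.
    Events without a timestamp go to a fixed index so they are not lost."""
    if "@timestamp" not in event:
        return f"{prefix}-unparsed"
    day = event["@timestamp"][:10].replace("-", ".")
    return f"{prefix}-{day}"


def run_pipeline(lines):
    """INPUT -> FILTER -> OUTPUT; returns the documents that would be sent
    to Elasticsearch as {'_index': ..., '_source': ...}."""
    docs = []
    for event in read_input(lines):
        event = mutate_filter(kv_filter(event))
        docs.append({"_index": index_name(event), "_source": event})
    return docs


if __name__ == "__main__":
    # The stdout output used for debugging, as mentioned in the article.
    for doc in run_pipeline(SAMPLE_LINES):
        print(json.dumps(doc, indent=2))
```

Keeping unparseable lines under a tag, rather than silently dropping them, is what lets you later build a Kibana search for parser failures and see which log formats your filter does not yet cover.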


ElasticSearch

Originally, Elasticsearch is a full-text search solution, but with additional conveniences such as easy scaling, replication and so on, which made the product very convenient and a good solution for high-load tasks with large volumes of data. Elasticsearch is a non-relational (NoSQL) JSON document store whose search is based on the Lucene full-text search engine. It runs on the Java Virtual Machine, so the system needs a lot of processor and RAM resources to operate.
Each incoming message, whether it arrives through Logstash or through the query API, is indexed as a "document", the analogue of a row in a relational SQL table. All documents are stored in an index, the analogue of a database in SQL.

Example of a document in the database:

{
  "_index": "checkpoint-2019.10.10",
  "_type": "_doc",
  "_id": "yvNZcWwBygXz5W1aycBy",
  "_version": 1,
  "_score": null,
  "_source": {
    "layer_uuid": [
      "dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0",
      "dbee3718-cf2f-4de0-8681-529cb75be9a6"
    ],
    "outzone": "External",
    "layer_name": [
      "TSS-Standard Security",
      "TSS-Standard Application"
    ],
    "time": "1565269565",
    "dst": "103.5.198.210",
    "parent_rule": "0",
    "host": "10.10.10.250",
    "ifname": "eth6"
  }
}

All work with the database is based on JSON requests over the REST API, which return either documents or some statistics in a query/response format. Kibana, a web service, was written to visualise the responses to these requests.
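As an added example of what those REST requests look like (not code from the article or from Elastic), the following Python builds the newline-delimited body that Logstash sends to the `/_bulk` endpoint when indexing documents, a Query DSL search that asks one index pattern for the recent events of a single firewall host, and the parsing of a `_search` response. The two documents and the response are constructed for this example, using values from the article's sample document; the `es_request` helper that actually talks to a cluster at `http://localhost:9200` is included but not called, so the example runs without Elasticsearch.

```python
import json
import urllib.request

# Constructed documents in the shape of the article's example; in practice
# these come out of the Logstash pipeline.
DOCS = [
    {"_index": "checkpoint-2019.10.10",
     "_source": {"host": "10.10.10.250", "dst": "103.5.198.210",
                 "outzone": "External", "ifname": "eth6",
                 "@timestamp": "2019-10-10T08:15:00Z"}},
    {"_index": "checkpoint-2019.10.10",
     "_source": {"host": "10.10.10.250", "dst": "10.10.10.1",
                 "outzone": "Internal", "ifname": "eth1",
                 "@timestamp": "2019-10-10T08:16:00Z"}},
]


def bulk_body(docs):
    """Body for POST /_bulk: one action line followed by one source line per
    document, newline-delimited; the body must end with a newline."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": doc["_index"]}}))
        lines.append(json.dumps(doc["_source"]))
    return "\n".join(lines) + "\n"


def search_query(host, since, size=100):
    """Query DSL for GET /checkpoint-*/_search: events from one firewall host
    newer than `since` (e.g. "now-1d"), newest first. The conditions go in
    a bool 'filter' rather than 'must' so no relevance score is computed."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {"host": host}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
    }


def hits_from_response(response):
    """Pull the total count and the documents out of a _search response.
    'total' is an object in Elasticsearch 7+ and a plain number before that."""
    hits = response["hits"]
    total = hits["total"]["value"] if isinstance(hits["total"], dict) else hits["total"]
    return total, [h["_source"] for h in hits["hits"]]


def es_request(base_url, method, path, body, content_type="application/json"):
    """Send one REST request to Elasticsearch and decode the JSON answer.
    Not called below, so the example runs without a cluster."""
    data = body.encode() if isinstance(body, str) else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# A constructed _search response in the shape Elasticsearch returns, so the
# parsing can be shown offline.
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": {"value": 1, "relation": "eq"}, "max_score": None,
             "hits": [{"_index": "checkpoint-2019.10.10",
                       "_id": "yvNZcWwBygXz5W1aycBy", "_score": None,
                       "_source": DOCS[0]["_source"]}]},
}

if __name__ == "__main__":
    # The bulk endpoint expects Content-Type: application/x-ndjson.
    print(bulk_body(DOCS), end="")
    print(json.dumps(search_query("10.10.10.250", "now-1d"), indent=2))
    print(hits_from_response(SAMPLE_RESPONSE))
    # With a cluster available (assumed URL):
    # es_request("http://localhost:9200", "POST", "/_bulk", bulk_body(DOCS), "application/x-ndjson")
    # es_request("http://localhost:9200", "GET", "/checkpoint-*/_search", search_query("10.10.10.250", "now-1d"))
```

The same bodies can be pasted into Kibana's Dev Tools console, which is the quickest way to check that a query written by hand returns the documents you expect before wiring it into a visualisation.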

Kibana

Kibana lets you search and retrieve data and statistics from the Elasticsearch database, and many attractive graphs and dashboards are built on top of those responses. The system also includes Elasticsearch database administration functionality; in later articles we will look at this service in more detail. Let's show an example of the dashboards that can be built for the Check Point firewall and the OpenVas vulnerability scanner.

An example of a dashboard for Check Point (the image is clickable):


An example of a dashboard for OpenVas (the image is clickable):


Conclusion

We have looked at what the ELK stack consists of and got acquainted with its main products; later in the course we will separately look at writing a Logstash configuration file, setting up dashboards in Kibana, getting acquainted with API requests, automation, and more!

So stay tuned for updates (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
