2. Elastic stack: security log analysis. Logstash


In the previous article we got acquainted with the ELK stack and the software products it consists of. The first task an engineer faces when working with the ELK stack is sending logs to Elasticsearch for storage and subsequent analysis. However, that is easier said than done: Elasticsearch stores logs as documents with specific fields and values, which means the engineer has to use various tools to parse the message sent from the endpoint systems. This can be done in several ways: write your own program that adds documents to the database via the API, or use ready-made solutions. In this course we will look at Logstash, which is part of the ELK stack. We will see how to send logs from endpoint systems to Logstash, then set up a configuration file to parse them and forward them to the Elasticsearch database. To do this, we take logs from the Check Point firewall as the source system.

The course does not cover installing the ELK stack, since there are plenty of articles on that topic; we will concentrate on the configuration part.

Let's write an action plan for configuring Logstash:

  1. Check that Elasticsearch will accept logs (check that the process is running and the port is open).
  2. Decide how to send events to Logstash, choose a method, and implement it.
  3. Configure Input in the Logstash configuration file.
  4. Configure Output in the Logstash configuration file in debug mode to understand what the log message looks like.
  5. Configure Filter.
  6. Configure the correct Output to Elasticsearch.
  7. Start Logstash.
  8. Check the logs in Kibana.

Let's look at each item in more detail:

Checking that Elasticsearch will accept logs

To do this, you can use the curl command to check access to Elasticsearch from the system where Logstash is installed. If you have authentication configured, we also pass the user/password via curl, specifying port 9200 if you have not changed it. If you get a response like the one below, everything is fine.

[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$

If there is no response, there may be several kinds of errors: the elasticsearch process is not running, the credentials are wrong, or the port is blocked by a firewall on the server where elasticsearch is installed.

Let's see how to send logs to Logstash from the firewall

From the Check Point management server you can send logs to Logstash via syslog using the log_exporter utility; you can read more about it in this article, and here we leave only the command that creates the stream:

cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified

< > is the address of the server on which Logstash is running; target-port 5555 is the port to which we will send logs. Sending logs over tcp can load the server, so in some cases it is more appropriate to use udp.

Configuring INPUT in the Logstash configuration file


By default, the configuration file is located in the /etc/logstash/conf.d/ directory. The configuration file consists of 3 meaningful parts: INPUT, FILTER, OUTPUT. In INPUT we specify where the system will take logs from; in FILTER we parse the log, defining how to split the message into fields and values; in OUTPUT we configure the output stream, that is, where the parsed logs will be sent.

First, let's configure INPUT, considering some of the types it can be: file, tcp and exec.

Tcp:

input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}

mode => "server"
Indicates that Logstash accepts connections.

port => 5555
host => "10.10.1.205"
We accept connections at IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the host firewall.

type => "checkpoint"
We tag the document; this is very convenient if you have several incoming connections. Later, for each connection you can write your own filter using the appropriate if construct.

File:

input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
    }
}

Description of the settings:
path => "/var/log/openvas_report/*"
We specify the directory in which files are to be read.

type => "openvas"
Event type.

start_position => "beginning"
When a file changes, the whole file is read; if you set "end", the system waits for new records to appear at the end of the file.

Exec:

input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}

With this input, a (single!) shell command is launched and its output is turned into a log message.

command => "ls -alh"
The command we are interested in.

interval => 30
Command invocation interval in seconds.

To receive logs from the firewall, we configure a tcp or udp input, depending on how the logs are sent to Logstash.

Configuring Output in the Logstash configuration file in debug mode to understand what the log message looks like

After we have configured INPUT, we need to understand what the log message will look like and which methods need to be used to configure the log filter (parser).

To do this, we use an output that writes the result to stdout so that we can see the original message; the full configuration file currently looks like this:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}

Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We see the result:


If you copy it out, it looks like this:

action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,

Looking at these messages, we see that the logs have the form field = value, or key = value, which means a filter called kv is suitable. To choose the right filter for each specific case, it is a good idea to study them in the technical documentation, or ask a colleague.

Configuring the Filter

In the previous step we chose kv; the configuration of this filter is given below:

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

We choose the character by which the field and value are split: "=". If there are identical entries in the log, we keep only one instance in the database; otherwise you end up with an array of identical values. That is, if the message contains "foo = some foo = some", we write only foo = some.
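To make the kv behaviour concrete, here is an added example (my own code, not from the article or from Logstash) that parses a constructed excerpt of the Check Point line captured on stdout above with the same value_split and allow_duplicate_values semantics. It also handles quoted values containing spaces, which that line relies on (product="VPN-1 & FireWall-1"), and shows that a key repeated with different values (layer_name) still becomes a list even when duplicates are suppressed:

```python
import re
from typing import Dict, List, Union

# One key=value token: a key, "=", then either a double-quoted value (which
# may contain spaces or "=") or a run of non-whitespace characters. This
# mirrors the kv filter defaults used in the article: value_split "=",
# fields separated by whitespace, quoted values kept together.
KV_TOKEN = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S+))')

Value = Union[str, List[str]]

# Constructed excerpt of the Check Point message captured on stdout above;
# it keeps the repeated keys (layer_name, parent_rule, rule_action) and a
# quoted value with spaces (product) that the kv filter has to handle.
SAMPLE = (
    'action="Accept" conn_direction="Internal" ifname="bond1.101" '
    'layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" '
    'parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" '
    'product="VPN-1 & FireWall-1" proto="17" src="10.10.1.180"'
)


def kv_parse(message: str, allow_duplicate_values: bool = False) -> Dict[str, Value]:
    """Split a key=value line into fields the way the kv filter would.

    With allow_duplicate_values => false (the article's setting) a key that
    repeats with the same value is stored once; a key that repeats with a
    different value still becomes a list of all its values, in order.
    With true, every occurrence is kept, so parent_rule becomes ["0", "0"].
    """
    fields: Dict[str, Value] = {}
    for match in KV_TOKEN.finditer(message):
        key, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare
        if key not in fields:
            fields[key] = value
            continue
        existing = fields[key]
        values = existing if isinstance(existing, list) else [existing]
        if not allow_duplicate_values and value in values:
            continue  # same key=value pair seen already: keep one instance
        fields[key] = values + [value]
    return fields


if __name__ == "__main__":
    for key, value in kv_parse(SAMPLE).items():
        print(f"{key}: {value!r}")
```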

Configuring the correct Output to Elasticsearch

After the Filter is configured, you can send the logs to the Elasticsearch database:

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

If the document is tagged with the checkpoint type, we save the event to the Elasticsearch database, which by default accepts connections at 10.10.1.200 on port 9200. Each document is saved to a specific index; in this case we save to the index "checkpoint-" + the current date. Each index can have a specific set of fields, or it is created automatically when a new field appears in a message; the field settings and their types can be viewed in the mappings.

If you have authentication configured (we will consider it later), credentials for writing to the specific index must be specified; in this example it is "tssolution" with the password "cool". You can restrict user rights so that a user can write only to a specific index and nothing else.

Starting Logstash.

Logstash configuration file:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

We check the configuration file for correctness:
/usr/share/logstash/bin/logstash -f checkpoint.conf

Start the Logstash process:
sudo systemctl start logstash

Check that the process has started:
sudo systemctl status logstash


Let's check that the socket is up:
netstat -nat | grep 5555


Checking the logs in Kibana.

After all that, go to Kibana - Discover and make sure everything is configured correctly; the image is clickable!


All the logs are in place and we can see all the fields and their values!

Conclusion

We looked at how to write a Logstash configuration file, and as a result we got a parser for all fields and values. Now we can work with searching and plotting specific fields. In the next part of the course we will look at visualization in Kibana and create a simple dashboard. It is worth mentioning that the Logstash configuration file needs to be updated from time to time in certain situations, for example when we want to change the value of a field from a number to a word. In later articles we will do this regularly.


Source: www.habr.com