2. Elastic stack: security log analysis. Logstash


In the previous article we got acquainted with the ELK stack and the software products it consists of. The first task an engineer faces when working with the ELK stack is sending logs into elasticsearch for later analysis. However, this is only half the story: elasticsearch stores logs as documents with particular fields and values, which means the engineer has to use various tools to parse the message that arrives from the end systems. This can be done in several ways: write your own program that adds documents to the database through the API, or use a ready-made solution. In this course we will look at Logstash, which is part of the ELK stack. We will see how to send logs from end systems to Logstash, and then set up a configuration file to parse them and forward them to the Elasticsearch database. As the source system we take logs from a Check Point firewall.

The course does not cover installing the ELK stack, since there are already a huge number of articles on that topic; we will concentrate on the configuration part.

Let's draw up an action plan for configuring Logstash:

  1. Check that elasticsearch will accept logs (check that the service is running and the port is open).
  2. Consider how to send events to Logstash, choose a method, and implement it.
  3. Configure Input in the Logstash configuration file.
  4. Configure Output in the Logstash configuration file in debug mode to understand what the log message looks like.
  5. Configure the Filter.
  6. Configure the actual Output to Elasticsearch.
  7. Start Logstash.
  8. Check the logs in Kibana.

Let's look at each point in more detail:

Checking that elasticsearch will accept logs

To do this, you can use the curl command to check access to Elasticsearch from the system on which Logstash is installed. If you have authentication configured, pass the user/password through curl as well, specifying port 9200 if you have not changed it. If you receive a response similar to the one below, everything is in order.

[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$

If no response is received, there may be several kinds of error: the elasticsearch process is not running, the wrong port is specified, or the port is blocked by a firewall on the server where elasticsearch is installed.

Let's look at how to send logs to Logstash from the Check Point firewall

From the Check Point management server you can send logs to Logstash over syslog using the log_exporter utility; you can read more about it in this article. Here we give only the command that creates the export stream:

cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified

< > is the address of the server on which Logstash runs, target-port 5555 is the port to which we will send the logs. Sending logs over tcp can load the server, so in some cases it is more appropriate to use udp.

Configuring INPUT in the Logstash configuration file


By default, the configuration file lives in the /etc/logstash/conf.d/ directory. The configuration file consists of three meaningful parts: INPUT, FILTER, OUTPUT. In INPUT we specify where the system takes logs from; in FILTER we parse the log, that is, set up a handler that splits the message into fields and values; in OUTPUT we configure the outgoing stream, where the parsed logs will be sent.

First, let's configure INPUT and consider some of the types it can have: file, tcp and exec.

Tcp:

input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}

mode => "server"
Indicates that Logstash accepts incoming connections.

port => 5555
host => "10.10.1.205"
We accept connections on IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the firewall rules.

type => "checkpoint"
We tag the document, which is very convenient if you have several incoming connections. Later, for each connection you can write your own filter using the if logical construct.

File:

input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}

Description of the parameters:
path => "/var/log/openvas_report/*"
We specify the directory in which the files to be read are located.

type => "openvas"
Event type.

start_position => "beginning"
When the file changes, the whole file is read; if you set "end", Logstash waits for new records to appear at the end of the file.

Exec:

input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}

With this input, a (single!) shell command is run and its output is turned into a log message.

command => "ls -alh"
The command whose output we are interested in.

interval => 30
Command invocation interval in seconds.

To receive logs from the firewall, we set up a tcp or udp input, depending on how the logs are sent to Logstash.
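As an added example that is not part of the original article or of Logstash itself, the following Python program stands in for the tcp { mode => "server" } input above: it listens on a loopback port, accepts one connection, and turns each newline-delimited line it receives into an event carrying the same metadata fields (@timestamp, @version, message, type, host, port) that the Logstash tcp input attaches before any filter runs. The client side plays the role of the firewall's log exporter sending over tcp. It binds an ephemeral port instead of 5555 so it runs on any machine; the function names serve_one and roundtrip and the sample line are my own.

```python
import socket
import threading
from datetime import datetime, timezone


def serve_one(listener, event_type, events):
    """Accept a single connection and build one event per received line,
    the way the Logstash tcp input (mode => "server") does before filtering."""
    conn, (peer_host, peer_port) = listener.accept()
    conn.settimeout(5)
    buf = b""
    with conn:
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:          # sender closed the connection
                break
            buf += chunk
    for line in buf.decode("utf-8", errors="replace").splitlines():
        events.append({
            "@timestamp": datetime.now(timezone.utc).isoformat(),
            "@version": "1",
            "message": line,
            "type": event_type,   # the type => "checkpoint" tag from the input block
            "host": peer_host,    # address of the sender (the management server)
            "port": peer_port,    # sender's source port, as seen in the debug output
        })


def roundtrip(message, event_type="checkpoint"):
    """Start a listener on an ephemeral loopback port (standing in for
    host => "10.10.1.205", port => 5555), send one message to it the way the
    firewall's log exporter would over tcp, and return the events received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    events = []
    server = threading.Thread(target=serve_one, args=(listener, event_type, events))
    server.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(message.encode("utf-8") + b"\n")
    server.join(5)
    listener.close()
    return events


if __name__ == "__main__":
    import json
    # Constructed sample line in the Check Point key="value" style
    sample = 'time="1576766483" action="Accept" src="10.10.1.180" dst="10.10.10.10"'
    for event in roundtrip(sample):
        print(json.dumps(event))
```

This also explains the "host" and "port" values in the debug output later in the article: they are the sender's address and source port recorded by the tcp input, not fields taken from the log line.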

Configuring Output in the Logstash configuration file in debug mode to understand what the log message looks like

After configuring INPUT, we need to understand what the log message will look like and which method should be used to configure the log filter (parser).

To do this, we will use an output that writes the result to stdout so we can look at the original message; the full configuration file at this point looks like this:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}

Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We see the result (the screenshot in the original post is clickable):


If you copy it out, it looks like this:

action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,

Looking at these messages, we see that the logs have the form field = value, or key = value, which means the filter called kv is suitable. To choose the right filter for each case, it is a good idea to get familiar with them in the technical documentation, or to ask a colleague.

Configuring the Filter

In the previous step we chose kv; the configuration of this filter is shown below:

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

We choose the character on which field and value are split: "=". If the log contains identical entries, we keep only one instance in the database; otherwise you end up with an array of identical values. That is, if we have the message "foo = some foo = some", we write only foo = some.

Configuring the actual Output to Elasticsearch

Once the Filter is configured, you can send the logs to the elasticsearch database:

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

If the document is tagged with the checkpoint type, we save the event to the elasticsearch database, which accepts connections on 10.10.1.200 on port 9200 by default. Each document is saved to a specific index; in this case we save to the index "checkpoint-" + the current date. Each index can have a fixed set of fields, or fields are created automatically when a new field appears in a message; the field settings and their types can be viewed in the mappings.

If you have authentication configured (we will look at it later), the credentials for writing to the given index must be specified; in this example the user "tssolution" with the password "cool". You can restrict user rights so that logs can be written only to a specific index and nothing more.
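As an added example (not code from the original article and not Logstash's own implementation), the following Python script emulates what the kv filter above does with value_split => "=" and allow_duplicate_values => false, and what the output section does with the if [type] == "checkpoint" condition and the checkpoint-%{+YYYY.MM.dd} index pattern. The sample message is a shortened, constructed version of the Check Point line shown in the debug output; the function names kv_parse, build_event, route and demo are my own and are not Logstash APIs.

```python
import re
from datetime import datetime, timezone

# Constructed sample, shortened from the Check Point message shown in the debug
# output above; note the repeated keys (layer_name, match_id, parent_rule, rule_action).
SAMPLE_MESSAGE = (
    'time="1576766483" action="Accept" conn_direction="Internal" ifdir="outbound" '
    'ifname="bond1.101" layer_name="TSS-Standard Security" '
    'layer_name="TSS-Standard Application" match_id="8" match_id="33554431" '
    'parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" '
    'src="10.10.1.180" dst="10.10.10.10" s_port="37317" service="53" proto="17"'
)
# Constructed @timestamp matching the one in the debug output
SAMPLE_TIMESTAMP = datetime(2019, 12, 19, 14, 50, 12, 153000, tzinfo=timezone.utc)


def kv_parse(message, value_split="=", allow_duplicate_values=False):
    """Emulates the Logstash kv filter: each pair is key<value_split>value, the
    value is either double-quoted (may contain spaces) or a bare token. A key
    seen more than once becomes a list; with allow_duplicate_values=False an
    identical key=value pair seen twice is kept only once, as the article describes."""
    pair_re = re.compile(r'(\w+)' + re.escape(value_split) + r'(?:"([^"]*)"|(\S+))')
    fields = {}
    for m in pair_re.finditer(message):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key not in fields:
            fields[key] = value
            continue
        current = fields[key] if isinstance(fields[key], list) else [fields[key]]
        if allow_duplicate_values or value not in current:
            current.append(value)
        fields[key] = current[0] if len(current) == 1 else current
    return fields


def build_event(message, event_type, host, timestamp):
    """The document as it looks after input and filter: the metadata the tcp
    input adds plus the fields extracted by kv (placed at the root of the event,
    which is the kv filter's default target)."""
    millis = timestamp.microsecond // 1000
    event = {
        "@timestamp": timestamp.strftime("%Y-%m-%dT%H:%M:%S.") + f"{millis:03d}Z",
        "@version": "1",
        "message": message,
        "type": event_type,
        "host": host,
    }
    event.update(kv_parse(message))
    return event


def route(event, index_prefix="checkpoint-"):
    """Emulates the output section: only events of type "checkpoint" go to
    elasticsearch, into an index named after the UTC date of @timestamp,
    which is how checkpoint-%{+YYYY.MM.dd} expands."""
    if event.get("type") != "checkpoint":
        return None
    day = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return index_prefix + day.strftime("%Y.%m.%d")


def demo():
    """Parse the constructed sample and return (event, target index name)."""
    event = build_event(SAMPLE_MESSAGE, "checkpoint", "10.10.10.250", SAMPLE_TIMESTAMP)
    return event, route(event)


if __name__ == "__main__":
    import json
    event, index = demo()
    print(json.dumps(event, indent=2))
    print("index:", index)
```

Running it shows the two cases the article's duplicate-handling note leaves implicit: parent_rule="0" parent_rule="0" collapses to a single "0", while layer_name, which appears twice with different values, becomes a two-element array and will be mapped as such in the index.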

Starting Logstash.

The Logstash configuration file:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

We check that the configuration file is valid:
/usr/share/logstash/bin/logstash -f checkpoint.conf

Start the Logstash process:
sudo systemctl start logstash

Check that the process has started:
sudo systemctl status logstash


Let's check that the socket is up:
netstat -nat | grep 5555


Checking the logs in Kibana.

Once everything is running, go to Kibana - Discover and make sure everything is configured correctly (the screenshot in the original post is clickable).


All the logs are in place and we can see every field and its value!

Conclusion

We looked at how to write a Logstash configuration file, and as a result we obtained a parser for all fields and values. Now we can search and build charts on specific fields. Next in the course we will look at visualization in Kibana and build a simple dashboard. It is worth noting that the Logstash configuration file has to be updated regularly in certain situations, for example when we want to replace a field's numeric value with a word. In the following articles we will be doing this constantly.

So stay tuned (Telegram, Facebook, VK, TS Solution Blog), Yandex Zen.

Source: www.habr.com
