2. Elastic stack: security log analysis. Logstash


In the previous article we got acquainted with the ELK stack and the software products it consists of. The first task an engineer faces when working with the ELK stack is sending logs to Elasticsearch for storage and subsequent analysis. This is easier said than done: Elasticsearch stores logs as documents with specific fields and values, so the engineer has to use various tools to parse the message that arrives from the end systems. This can be done in several ways: write your own program that adds documents to the database through the API, or use ready-made solutions. In this article we will look at Logstash, which is part of the ELK stack. We will see how logs can be sent from end systems to Logstash, and then write a configuration file that parses them and forwards them to the Elasticsearch store. As the source system we take the logs of a Check Point firewall.

The article does not cover installing the ELK stack, since there are plenty of articles on that subject; we will deal with the configuration part.

Let us draw up an action plan for configuring Logstash:

  1. Check that Elasticsearch will accept logs (check that the process is running and the port is open).
  2. Consider how events can be sent to Logstash, choose a method and put it in place.
  3. Configure Input in the Logstash configuration file.
  4. Configure Output in the Logstash configuration file in debug mode, to understand what the log message looks like.
  5. Configure Filter.
  6. Configure the proper Output to Elasticsearch.
  7. Start Logstash.
  8. Check the logs in Kibana.

Let us go through each point in detail:

Checking that Elasticsearch will accept logs

To do this you can use the curl command to check access to Elasticsearch from the system on which Logstash is deployed. If you have authentication configured, we also pass the user and password through curl, and we specify port 9200 if you have not changed it. If you get a response similar to the one below, everything is in order.

[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$

If no response is received, there can be several kinds of error: the Elasticsearch process is not running, the wrong port is specified, or the port is blocked by a firewall on the server where Elasticsearch is installed.

Let us look at how logs can be sent to Logstash from the Check Point firewall

From the Check Point management server you can send logs to Logstash over syslog using the log_exporter utility; you can read more about it in this article, here we will give only the command that creates the stream:

cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified

< > is the address of the server on which Logstash runs, target-port 5555 is the port to which we will send the logs; sending logs over tcp can load the server, so in some cases it is more appropriate to use udp.

Configuring INPUT in the Logstash configuration file
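The reachability check and the failure modes listed above can also be scripted. The following is an added example (not code from the original article or from Elastic): it performs the same GET that the curl command does, classifies the outcome into the cases the text names (nothing listening, timeout caused by a filtering firewall, rejected credentials, unexpected body), and validates the root document by its tagline and version fields. The sample response is constructed after the one shown above; the host, port and credentials are placeholders.

```python
import base64
import json
import socket
import urllib.error
import urllib.request

# Constructed sample of the root ("/") document an Elasticsearch 7.x node
# returns, modelled on the response shown above; the values are illustrative.
SAMPLE_ROOT_RESPONSE = """{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "version" : { "number" : "7.4.1", "lucene_version" : "8.2.0" },
  "tagline" : "You Know, for Search"
}"""


def parse_root_response(body):
    """Extract the fields worth checking from the root endpoint's JSON body.

    Returns (node_name, cluster_name, version). Raises ValueError when the
    body is not an Elasticsearch root document, e.g. when a proxy or some
    other service answered on the port instead.
    """
    doc = json.loads(body)
    if doc.get("tagline") != "You Know, for Search" or "version" not in doc:
        raise ValueError("not an Elasticsearch root response")
    return doc["name"], doc["cluster_name"], doc["version"]["number"]


def probe_elasticsearch(host, port=9200, user=None, password=None, timeout=5):
    """Perform the same check as `curl -u user:password -sS -XGET host:9200`
    and map the outcome to the failure classes discussed in the text.

    Returns a dict with a "status" key; on success it also carries the
    node name, cluster name and version taken from the root document.
    """
    req = urllib.request.Request("http://%s:%d/" % (host, port), method="GET")
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # The port answered, but Elasticsearch rejected the request.
        if exc.code in (401, 403):
            return {"status": "auth_rejected", "http_code": exc.code}
        return {"status": "http_error", "http_code": exc.code}
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, ConnectionRefusedError):
            # Nothing is listening: Elasticsearch is down or the port is wrong.
            return {"status": "connection_refused"}
        if isinstance(reason, socket.timeout):
            # A firewall that silently drops packets shows up as a timeout.
            return {"status": "timeout"}
        return {"status": "unreachable", "detail": str(reason)}
    except socket.timeout:
        # Connected, but the read timed out.
        return {"status": "timeout"}
    try:
        name, cluster, version = parse_root_response(body)
    except ValueError as exc:
        return {"status": "unexpected_body", "detail": str(exc)}
    return {"status": "ok", "name": name, "cluster_name": cluster, "version": version}


if __name__ == "__main__":
    # Placeholder values: replace with your Elasticsearch address and user.
    print(probe_elasticsearch("127.0.0.1", user="<<user_name>>", password="<<password>>"))
```

Run it from the Logstash host, since that is the path the logs will actually take; a "timeout" from there with "ok" from the Elasticsearch host itself points at a firewall between the two rather than at Elasticsearch.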


By default the configuration file is located in the /etc/logstash/conf.d/ directory. The configuration file consists of 3 meaningful parts: INPUT, FILTER, OUTPUT. In INPUT we specify where the system takes the logs from, in FILTER we parse the log, that is, we define how the message is split into fields and values, and in OUTPUT we configure the output stream, where the parsed logs will be sent.

First let us configure INPUT, considering some of the possible types: file, tcp and exec.

Tcp:

input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}

mode => "server"
Indicates that Logstash accepts connections.

port => 5555
host => "10.10.1.205"
We accept connections on IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the firewall policy.

type => "checkpoint"
We tag the document; this is very convenient if you have several incoming connections. Later, for each connection you can write your own filter using the if construct.

File:

input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}

Description of the settings:
path => "/var/log/openvas_report/*"
We specify the directory from which the files are to be read.

type => "openvas"
Event type.

start_position => "beginning"
When a file changes, the whole file is read; if you set "end", the system waits for new records to appear at the end of the file.

Exec:

input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}

With this input, a (single!) shell command is run and its output is turned into a log message. The command runs with the privileges of the Logstash process, so treat it like any other scheduled job.

command => "ls -alh"
The command whose output we are interested in.

interval => 30
Interval between command invocations, in seconds.

To receive logs from the firewall we configure a tcp or udp input, depending on how the logs are sent to Logstash.

Configuring Output in the Logstash configuration file in debug mode, to understand what the log message looks like

After INPUT is configured, we need to understand what the log message will look like and which method should be used to configure the log filter (parser).

To do this we use an output that writes the result to stdout, so that we can see the raw message; the full configuration file currently looks like this:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}

Run the command to check:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We see the result (shown as a screenshot in the original article).

If you copy it out, it looks like this:

action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,

Looking at these messages, we see that the logs have the form field=value, or key=value, which means the filter called kv is suitable. To choose the right filter for each particular case, it is a good idea to get acquainted with them in the technical documentation, or to ask a colleague.

Configuring the Filter

In the previous step we chose kv; the configuration of this filter is given below:

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

We choose the character on which field and value are split: "=". If the log contains identical entries, we keep only one instance in the database; otherwise you end up with an array of identical values, that is, for the message "foo = some foo = some" we write only foo = some.

Configuring the proper Output to Elasticsearch

Once the Filter is configured, you can send the logs to the database:

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

If the document is tagged with the type checkpoint, we save the event to the Elasticsearch database, which by default accepts connections on 10.10.1.200, port 9200. Each document is saved to a particular index; in this case we save to the index "checkpoint-" + the current date. Each index can have a fixed set of fields, or the fields are created automatically when a new field appears in a message; the field settings and their types can be seen in the mappings.

If you have authentication configured (we will look at it later), the credentials for writing to the particular index must be specified; in this example it is the user "tssolution" with the password "cool". You can restrict the user's rights to writing logs only into the particular index and nothing else.

Starting Logstash

Logstash configuration file:
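To make the behaviour of the kv filter and of the index name concrete, here is an added example that is not part of the original article and not Logstash's own code: a Python reimplementation of the kv split with the value_split and allow_duplicate_values semantics configured above (identical repeats are collapsed, different values for the same key become a list), the assembly of the document with the type, host and @timestamp fields the tcp input adds, and the expansion of the %{+YYYY.MM.dd} placeholder into the index name. The sample message is a constructed fragment of the Check Point line shown above; the host 10.10.10.250 and the timestamp are taken from that sample.

```python
import datetime
import re

# Constructed sample: a fragment of the Check Point "generic" syslog message
# shown above, keeping the duplicated keys that the text discusses.
SAMPLE_MESSAGE = (
    'time="1576766483" action="Accept" conn_direction="Internal" '
    'layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" '
    'parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" '
    'src="10.10.1.180" dst="10.10.10.10" service="53" proto="17"'
)

# Joda-style date tokens accepted in index names, mapped to strftime codes.
_JODA_TO_STRFTIME = [("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H")]


def parse_kv(message, value_split="=", allow_duplicate_values=False):
    """Split a key=value message into fields, following the rules of the kv
    filter as configured above (a reimplementation, not Logstash's code).

    A key seen more than once becomes a list of values. With
    allow_duplicate_values=False, repeats of the *same* value are dropped,
    so parent_rule="0" parent_rule="0" stays the scalar "0", while two
    different layer_name values still yield a two-element list.
    """
    # key up to the separator, then a double-quoted value (may contain
    # spaces) or a bare token.
    pair_re = re.compile(r'(\S+?)' + re.escape(value_split) + r'(?:"([^"]*)"|(\S+))')
    fields = {}
    for key, quoted, bare in pair_re.findall(message):
        value = bare if bare else quoted
        if key not in fields:
            fields[key] = value
            continue
        existing = fields[key] if isinstance(fields[key], list) else [fields[key]]
        if not allow_duplicate_values and value in existing:
            continue  # identical repeat: keep a single instance
        existing.append(value)
        fields[key] = existing
    return fields


def build_event(message, host, type_="checkpoint", timestamp=None):
    """Assemble the document that reaches the elasticsearch output: the kv
    fields plus the metadata the tcp input adds (type, host, @timestamp)."""
    if timestamp is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        timestamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (now.microsecond // 1000)
    event = {"message": message, "type": type_, "host": host,
             "@version": "1", "@timestamp": timestamp}
    event.update(parse_kv(message))
    return event


def index_name(event, pattern="checkpoint-%{+YYYY.MM.dd}"):
    """Expand %{+...} date placeholders from the event's @timestamp, the way
    index => "checkpoint-%{+YYYY.MM.dd}" produces one index per day."""
    ts = datetime.datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

    def expand(match):
        fmt = match.group(1)
        for joda, strf in _JODA_TO_STRFTIME:
            fmt = fmt.replace(joda, strf)
        return ts.strftime(fmt)

    return re.sub(r"%\{\+([^}]+)\}", expand, pattern)


if __name__ == "__main__":
    ev = build_event(SAMPLE_MESSAGE, "10.10.10.250", timestamp="2019-12-19T14:50:12.153Z")
    print(index_name(ev), ev["layer_name"], ev["parent_rule"])
```

Note that the daily index comes from @timestamp, which the tcp input sets to the time of receipt, not from the time="1576766483" field inside the Check Point message; if the two must agree, the event time has to be parsed into @timestamp in the filter first.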

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

We check the configuration file for correctness:
/usr/share/logstash/bin/logstash -f checkpoint.conf

Start the Logstash service:
sudo systemctl start logstash

Make sure the service has started:
sudo systemctl status logstash


Check that the socket is listening:
netstat -nat | grep 5555


Checking the logs in Kibana

Once everything is working, go to Kibana, Discover, and make sure everything is configured correctly (shown as a screenshot in the original article).


All the logs are there, and we can see all the fields and their values!

Conclusion

We have looked at how to write a Logstash configuration file, and as a result we have a parser of all fields and values. Now we can work with searching and charting specific fields. In the next article we will look at visualisation in Kibana and build a simple dashboard. It is worth noting that the Logstash configuration file has to be updated continually in certain situations, for example when we want to replace a field value such as a number with a word. In subsequent articles we will be doing this regularly.

So stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
