Elastic under lock and key: enabling Elasticsearch cluster security options for access from inside and outside


Elastic Stack is a well-known product on the SIEM market (and in fact not only there). It can collect a large amount of data of various sizes, both sensitive and not so sensitive. It is not entirely right if access to the Elastic Stack components themselves is left unprotected. In particular, all Elastic components out of the box (Elasticsearch, Logstash, Kibana, and the Beats collectors) communicate over open protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we explain how to do it. For convenience, we have split the story into three semantic blocks:

  • Role-based data access model
  • Data protection inside the Elasticsearch cluster
  • Data protection outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not configure it in any way, access to all indices is open to everyone. Well, or to anyone who can use curl. To avoid this, Elasticsearch has a role model that is available starting from the Basic (free) subscription. Schematically it looks like this:


In the figure:

  • Users are everyone who can log in using their credentials.
  • A role is a set of privileges.
  • A privilege is a set of permissions.
  • A permission is the right to write, read, delete, etc. (Full list of privileges)
  • Resources are indices, documents, fields, users, and other storage entities (the role model for some resources is only available in paid subscriptions).

By default, Elasticsearch has built-in users, to which built-in roles are attached. As soon as you enable the security settings, you can start using them right away.

To enable security in the Elasticsearch settings, you need to add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch so that the changes take effect. The next step is to set passwords for the built-in users. Let's do this interactively with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Let's check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the settings on the Elasticsearch side are done. Now it is time to set up Kibana. If you run it right now, errors will appear, so it is important to create a keystore first. This is done with two commands (the user is kibana and the password is the one entered for it at the password-setup step in Elasticsearch):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is correct, Kibana will start asking for a login and password. The Basic subscription includes a role model based on internal users. Starting from Gold, you can connect external authentication systems: LDAP, PKI, Active Directory, and single sign-on systems.


Access rights to objects inside Elasticsearch can also be restricted. However, to do the same for documents or fields, you will need a paid subscription (this capability starts at the Platinum level). These settings are available in the Kibana interface or through the Security API. You can try them in the already familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
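The role and user bodies above grant exactly one index, read-only, which is the shape you want. The following is an added example (not code from the original article) that lints such Security API bodies for over-broad grants before they are sent to PUT /_security/role/<name> or POST /_security/user/<name>: wildcard index patterns, cluster-wide privileges, the built-in superuser role, and short passwords. The rule set and the 12-character password threshold are this example's own choices; the "bad" role below is constructed for contrast.

```python
"""Least-privilege lint for Elasticsearch Security API role and user bodies.

Added example; the checks and thresholds are assumptions of this example,
not rules from the article or from Elasticsearch itself.
"""

# Cluster privileges that effectively make the holder a cluster administrator.
BROAD_CLUSTER = {"all", "manage", "manage_security"}
# Index privileges that go beyond read-only use.
WRITE_INDEX = {"all", "write", "index", "delete", "delete_index", "create_index", "manage"}
# Built-in roles that bypass the role model entirely.
ADMIN_ROLES = {"superuser"}
MIN_PASSWORD_LEN = 12  # this example's threshold (Elasticsearch only enforces 6)


def is_wildcard(pattern: str) -> bool:
    """True for index patterns that match every index (or an open-ended set)."""
    return pattern in ("*", "_all") or pattern.startswith("*")


def audit_role(name: str, role: dict) -> list:
    """Return a list of human-readable findings for one role body."""
    findings = []
    broad = set(role.get("cluster", [])) & BROAD_CLUSTER
    if broad:
        findings.append(f"role {name}: broad cluster privileges {sorted(broad)}")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        privs = set(entry.get("privileges", []))
        wild = [n for n in names if is_wildcard(n)]
        if wild and privs & WRITE_INDEX:
            findings.append(f"role {name}: {sorted(privs & WRITE_INDEX)} on wildcard indices {wild}")
        elif wild:
            findings.append(f"role {name}: read access to wildcard indices {wild}")
        if "all" in privs:
            findings.append(f"role {name}: 'all' index privilege on {names}")
    return findings


def audit_user(name: str, user: dict) -> list:
    """Return findings for one user body (roles assigned and password length)."""
    findings = []
    admin = set(user.get("roles", [])) & ADMIN_ROLES
    if admin:
        findings.append(f"user {name}: built-in admin role {sorted(admin)}")
    if len(user.get("password", "")) < MIN_PASSWORD_LEN:
        findings.append(f"user {name}: password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


# The role from the article: one index, read-only, no cluster privileges.
PAGE_ROLE = {
    "cluster": [],
    "indices": [{"names": ["ruslan_i_ludmila"], "privileges": ["read", "view_index_metadata"]}],
}
# Constructed counter-example: a "temporary" role that is really a cluster admin.
BAD_ROLE = {
    "cluster": ["all"],
    "indices": [{"names": ["*"], "privileges": ["all"]}],
}
# Constructed users: the article's user (email omitted) and an over-privileged one.
PAGE_USER = {"password": "nataliaonelove", "roles": ["ruslan_i_ludmila_role", "kibana_user"]}
BAD_USER = {"password": "short", "roles": ["superuser"]}


def audit_all() -> dict:
    """Run every check and return findings keyed by object name."""
    return {
        "ruslan_i_ludmila_role": audit_role("ruslan_i_ludmila_role", PAGE_ROLE),
        "bad_role": audit_role("bad_role", BAD_ROLE),
        "pushkin": audit_user("pushkin", PAGE_USER),
        "bad_user": audit_user("bad_user", BAD_USER),
    }


if __name__ == "__main__":
    for obj, findings in audit_all().items():
        print(obj, "->", findings or "OK")
```

Running the script prints OK for the article's role and user and three findings for the constructed bad role (cluster `all`, `all` on `*`, and the `all` index privilege), which is the point: a role that looks harmless in a quick review is caught mechanically before it reaches the cluster.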

Data protection inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (which is the usual case), the security settings inside the cluster become important. For secure communication between nodes, Elasticsearch uses TLS. To set up secure communication between them, you need a certificate. We generate a certificate and a private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the archive elastic-stack-ca.zip appears in the /../elasticsearch directory. Inside it you will find a certificate and a private key with the extensions crt and key respectively. It is recommended to put them on a shared resource that is reachable from all nodes in the cluster.

Each node now needs its own certificate and private key, issued from the ones in the shared directory. When you run the command, you will be asked to set a password. You can add the extra --ip and --dns options for full verification of the communicating nodes.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result of the command, we get a certificate and private key in PKCS#12 format, protected by a password. All that remains is to move the generated p12 file into the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the p12 certificate to the keystore and truststore respectively:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

All that remains is to add the lines with the certificate data to the already familiar elasticsearch.yml:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

We start all Elasticsearch nodes and query them with curl. If everything was done correctly, a response listing several nodes is returned:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP address filtering (available in subscriptions from the Gold level). It lets you create whitelists of IP addresses from which access to the nodes is allowed.

Data protection outside the Elasticsearch cluster

"Outside the cluster" means connecting external tools: Kibana, Logstash, Beats, or other external clients.


To enable https support (instead of http), add new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Since the certificate is password-protected, add its password to the keystore and truststore respectively:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the keys, the Elasticsearch nodes are ready to accept connections over https. Now they can be started.

The next step is to create a key for connecting Kibana and add it to the setup. Based on the CA certificate that is already in the shared directory, we generate a certificate in PEM format (Kibana, Logstash, and Beats do not support PKCS#12 yet):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unzip the generated keys into the Kibana configuration folder:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so what is left is to change the Kibana configuration so that it starts using them. In the kibana.yml configuration file, change http to https and add the lines with the SSL connection settings. The last three lines set up secure communication between the user's browser and Kibana.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt

With that, the configuration is complete and access to the data in the Elasticsearch cluster is locked down.
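The three TLS blocks above (transport settings in elasticsearch.yml, the http settings in elasticsearch.yml, and the kibana.yml lines) are easy to get half right: one layer enabled and the other forgotten, or a verification mode relaxed to get past a certificate error and never tightened again. The following is an added example, not code from the original article, that audits the flat `key: value` settings shown in this article and reports what is missing or weakened. It parses only that flat form (so it needs no PyYAML), and the weak sample configs are constructed; the hardened samples are the article's own lines. Note that the article's `verification_mode: certificate` checks the certificate chain only; `full` (the Elasticsearch default) also checks the hostname or IP, which requires the `--dns`/`--ip` entries mentioned in the node-certificate step.

```python
"""Audit Elasticsearch and Kibana TLS/security settings (flat key: value form).

Added example; the checks are this example's own reading of the settings
shown in the article, not an Elastic tool.
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse simple 'key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(settings: dict) -> list:
    """Findings for elasticsearch.yml: auth enabled, both TLS layers, cert material."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: every index is open to anyone who can reach port 9200")
    for layer, traffic in (("transport", "node-to-node"), ("http", "client-to-cluster")):
        prefix = f"xpack.security.{layer}.ssl."
        if settings.get(prefix + "enabled") != "true":
            findings.append(f"{prefix}enabled is not true: {traffic} traffic is plaintext")
            continue
        # Either a PKCS#12 keystore (as in the article) or PEM certificate/key must be set.
        if not (settings.get(prefix + "keystore.path") or settings.get(prefix + "certificate")):
            findings.append(f"{prefix}keystore.path or {prefix}certificate is missing")
        # verification_mode defaults to full; 'none' accepts any certificate at all.
        if layer == "transport" and settings.get(prefix + "verification_mode", "full") == "none":
            findings.append(f"{prefix}verification_mode is none: peer nodes are not authenticated")
    return findings


def audit_kibana(settings: dict) -> list:
    """Findings for kibana.yml: the Kibana-to-ES hop and the browser-to-Kibana hop."""
    findings = []
    hosts = settings.get("elasticsearch.hosts", "")
    if "http://" in hosts:
        findings.append("elasticsearch.hosts uses http://: the kibana user's password travels in plaintext")
    elif "https://" in hosts and not settings.get("elasticsearch.ssl.certificateAuthorities"):
        findings.append("elasticsearch.ssl.certificateAuthorities is missing: a private CA will not be trusted")
    if settings.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("elasticsearch.ssl.verificationMode is none: Kibana does not authenticate Elasticsearch")
    if settings.get("server.ssl.enabled") != "true":
        findings.append("server.ssl.enabled is not true: the browser login form is served over plaintext")
    return findings


# Constructed: transport TLS present but relaxed, http layer forgotten entirely.
WEAK_ES = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""
# The article's elasticsearch.yml lines combined.
HARDENED_ES = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""
# Constructed: Kibana left on plain http on both hops.
WEAK_KIBANA = """
elasticsearch.hosts: ["http://localhost:9200"]
"""
# The article's kibana.yml lines.
HARDENED_KIBANA = """
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
"""

if __name__ == "__main__":
    for label, text, audit in (("weak elasticsearch.yml", WEAK_ES, audit_elasticsearch),
                               ("hardened elasticsearch.yml", HARDENED_ES, audit_elasticsearch),
                               ("weak kibana.yml", WEAK_KIBANA, audit_kibana),
                               ("hardened kibana.yml", HARDENED_KIBANA, audit_kibana)):
        print(label, "->", audit(parse_flat_yaml(text)) or "OK")
```

Run it after editing the files (or feed it the real files' contents) and expect OK for both hardened configs; the weak elasticsearch.yml yields two findings (relaxed transport verification and no http TLS) and the weak kibana.yml two (http hosts and no server TLS).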

If you have questions about the capabilities of Elastic Stack under the free or paid subscriptions, about monitoring tasks, or about building a SIEM system, leave a request through the feedback form on our website.

Our other articles about Elastic Stack on Habr:

Understanding Machine Learning in Elastic Stack (aka Elasticsearch, aka ELK)

Sizing Elasticsearch

Source: www.habr.com
