Kumanqaku adlulileyo, siye saqhelana kancinci nesitaki se-elk kunye nokuseta ifayile yoqwalaselo yeLogstash yoluhlu lwelog.Kweli nqaku, siza kuqhubela phambili siye kweyona nto ibalulekileyo kwimbono yohlalutyo, into ofuna ukuyenza. bona ukusuka kwinkqubo kwaye yonke into yayidalelwe ntoni - ezi ziigrafu kunye neetafile ezidityanisiweyo zibe iideshibhodi. Namhlanje siza kuqwalasela ngakumbi inkqubo yokujonga IKibana, siza kujonga indlela yokwenza iigrafu kunye neetafile, kwaye ngenxa yoko siya kwakha ideshibhodi elula esekelwe kwiilogi ezivela kwi-Firewall Check Point.
Isinyathelo sokuqala ekusebenzeni kunye nekibana kukudala ipateni yesalathiso, ngokwengqiqo, esi sisiseko sezalathisi ezidityanisiweyo ngokomgaqo othile. Ewe kunjalo, esi sisilungiselelo nje sokwenza i-Kibana ikhangele ngokulula ngakumbi ulwazi kuzo zonke izalathisi ngaxeshanye. Isetwa ngokuthelekisa umtya, yithi "checkpoint-*" kunye negama lesalathiso. Umzekelo, i-"checkpoint-2019.12.05" ingalingana nepateni, kodwa ngokulula "indawo yokukhangela" ayisekho. Kufanelekile ukukhankanya ngokwahlukeneyo ukuba kukhangelo akunakwenzeka ukukhangela ulwazi kwiipateni ezahlukeneyo zesalathiso ngaxeshanye; kancinane kamva kumanqaku alandelayo siza kubona ukuba izicelo ze-API zenziwe nokuba ligama lesalathiso, okanye nje ngelinye. Umgca wepateni, umfanekiso uyacofa:
Emva koku, sijonga kwimenyu yokuFumana ukuba zonke iilog zifakwe kwisalathiso kwaye isahluli esichanekileyo siqwalaselwe. Ukuba kukho nakuphi na ukungahambelani kufunyenwe, umzekelo, ukutshintsha uhlobo lwedatha ukusuka kumtya ukuya kwinani elipheleleyo, kufuneka uhlele ifayile yokucwangcisa iLogstash, ngenxa yoko, iilogi ezintsha ziya kubhalwa ngokuchanekileyo. Ukuze iilogi ezindala zithathe ifom efunwayo ngaphambi kokutshintsha, kuphela inkqubo yokubuyisela i-reindexing inceda; kumanqaku alandelayo lo msebenzi uya kuxutyushwa ngokubanzi. Masiqinisekise ukuba yonke into ilungile, umfanekiso uyacofa:
Izigodo zikhona, nto leyo ethetha ukuba singaqalisa ukwakha iidashboard. Ngokusekelwe kwi-analytics yeedeshibhodi ezivela kwiimveliso zokhuseleko, unokuqonda imeko yokhuseleko lolwazi kwintlangano, ubone ngokucacileyo ubuthathaka kumgaqo-nkqubo wangoku, kwaye emva koko uphuhlise iindlela zokuziphelisa. Masenze ideshbhodi encinci sisebenzisa izixhobo zokubonwayo ezininzi. Ideshibhodi iya kuba namacandelo ama-5:
- itheyibhile yokubala inani elipheleleyo leelog ngamagqabi
- itheyibhile kwiisignitsha ezibalulekileyo ze-IPS
- ipayi kwitshathi yeziganeko zoThintelo lweNgozi
- itshathi yeendawo ezityelelwe kakhulu
- itshathi ekusetyenzisweni kwezicelo eziyingozi kakhulu
Ukwenza amanani okubonwayo, kufuneka uye kwimenyu Ngcamango, kwaye ukhethe umfanekiso ofunekayo esifuna ukuwakha! Masihambe ngocwangco.
Itheyibhile yokubala inani elipheleleyo leelogs ngeblade
Ukwenza oku, khetha umfanekiso Itheyibhile yeDatha, siwela kwisixhobo sokudala iigrafu, ngakwesobunxele yimimiselo yomfanekiso, ngakwesokudla yindlela eya kubonakala ngayo kwimimiselo yangoku. Okokuqala, ndiza kubonisa ukuba itafile egqityiweyo iya kujongeka njani, emva koko siya kudlula useto, umfanekiso uyacofa:
Iisetingi ezineenkcukacha zomfanekiso, umfanekiso unokucofa:
Makhe sijonge iisetingi.
Iqwalaselwe ekuqaleni iimetriki, eli lixabiso apho yonke imihlaba iyakudityaniswa. Iimetriki zibalwa ngokusekwe kumaxabiso acatshulwe ngendlela enye okanye enye kumaxwebhu. Amaxabiso adla ngokutsalwa kuwo amasimi uxwebhu, kodwa lunokuveliswa kusetyenziswa izikripthi. Kule meko sifaka Ukudibanisa: Bala (inani lilonke lelogi).
Emva koko, sahlula itafile ibe ngamacandelo (imimandla) apho i-metric iya kubalwa ngayo. Lo msebenzi wenziwa ngokusetwa kweBhakethi, yona iqulathe iinketho ezimbini zokuseta:
- imigca eyahlulayo - ukongeza iikholamu kwaye emva koko wahlule itafile ibe yimiqolo
- itafile yokwahlula-hlula kwiitafile ezininzi ezisekwe kumaxabiso ommandla othile.
В iibhakethi ungadibanisa izahlulo ezininzi ukwenza imihlathi emininzi okanye iitafile, izithintelo apha zisengqiqweni. Kwi-aggregation, unokukhetha ukuba yeyiphi indlela eya kusetyenziswa ukwahlula ngokwamacandelo: uluhlu lwe-ipv4, uluhlu lomhla, iMigqaliselo, njl. Olona khetho lunomdla luchanekile ngokwemiqathango и Imigaqo ebalulekileyo, ulwahlulo lube ngamacandelo luqhutywa ngokwamaxabiso entsimi ethile yesalathiso, umahluko phakathi kwawo ulele kwinani lamaxabiso abuyisiweyo, kunye nomboniso wawo. Kuba sifuna ukwahlula itafile ngegama leeblades, sikhetha intsimi - imveliso.igama elingundoqo kwaye usete ubungakanani kumaxabiso abuyisiweyo angama-25.
Endaweni yeentambo, elasticsearch isebenzisa iintlobo ezi-2 zedatha - umbhalo и elingundoqo. Ukuba ufuna ukwenza uphando olupheleleyo, kufuneka usebenzise uhlobo lombhalo, into elula kakhulu xa ubhala inkonzo yakho yokukhangela, umzekelo, ukukhangela ukukhankanywa kwegama kwixabiso elithile lendawo (umbhalo). Ukuba ufuna kuphela umdlalo ochanekileyo, kufuneka usebenzise uhlobo lwegama elingundoqo. Kwakhona, uhlobo lwedatha yegama elingundoqo kufuneka lusetyenziswe kwiinkalo ezifuna ukulungiswa okanye ukuhlanganiswa, oko kukuthi, kwimeko yethu.
Ngenxa yoko, i-Elasticsearch ibala inani leelog ngexesha elithile, lidityaniswe lixabiso kwintsimi yemveliso. KwiLebula yeSiko, sibeka igama lekholomu eliza kuboniswa kwitafile, sibeke ixesha esiqokelela ngalo izingodo, siqale ukunikezela - i-Kibana ithumela isicelo kwi-elasticsearch, ilindele impendulo kwaye ibonise idatha efunyenweyo. Itafile ilungile!
Itshati yephayi yemisitho yoThintelo lweNgozi
Eyona nto inomdla kakhulu lulwazi malunga nokuba zingaphi iimpendulo ezikhoyo njengepesenti ukufumana и Thintela ngeziganeko zokhuseleko lolwazi kumgaqo-nkqubo okhoyo wokhuseleko. Itshathi yephayi isebenza kakuhle kule meko. Khetha kumboniso - Itshathi yephayi. Kwakhona kwi-metric sibeka i-aggregation ngenani leelogi. Kwiibhakethi sibeka Imigaqo => isenzo.
Yonke into ibonakala ichanekile, kodwa isiphumo sibonisa amaxabiso azo zonke iiblades; kufuneka ucofe kuphela ezo blades zisebenza ngaphakathi kwesakhelo soThintelo loMsongelo. Ke ngoko, siyimise ngokuqinisekileyo isihluzi ukuze ukhangele ulwazi kuphela kwiincakuba ezinoxanduva lweziganeko zokhuseleko lolwazi - imveliso: (“Anti-Bot” OKANYE “I-Anti-Virus eNtsha” OKANYE “Umkhuseli weDDoS” OKANYE “I-SmartDefense” OKANYE “I-Threat Emulation”). Umfanekiso uyacofa:
Kwaye useto oluneenkcukacha ngakumbi, umfanekiso uyacofa:
Itheyibhile yoMnyhadala we-IPS
Okulandelayo, kubaluleke kakhulu kwimbono yokhuseleko lolwazi kukujonga kunye nokujonga iziganeko kwi-blade. IPS и Ukulinganisa Usoyikiso, которые azithintelwanga umgaqo-nkqubo wangoku, ukuze emva koko utshintshe utyikityo ukunqanda, okanye ukuba itrafikhi iyasebenza, musa ukukhangela utyikityo. Senza itafile ngendlela efanayo nomzekelo wokuqala, kunye nokwahlukana kuphela esikwenzayo iikholomu ezininzi: ukukhusela.igama elingundoqo, ubunzima. Qiniseka ukuba useta isihluzi ukuze ukhangele ulwazi kuphela kwiincakuba ezinoxanduva lweziganeko zokhuseleko lolwazi - imveliso: (“SmartDefense” OKANYE “Ukulinganisa uThreat”). Umfanekiso uyacofa:
Useto oluneenkcukacha ezininzi, umfanekiso uyacofa:
Iitshathi zezona ndawo zidumileyo ezityelelwayo
Ukwenza oku, yenza umfanekiso - Ibha ethe nkqo. Sikwasebenzisa ukubala (i-Y axis) njenge-metric, kwaye kwi-X axis siya kusebenzisa igama leendawo ezityelelwe njengamaxabiso - "appi_name". Kukho iqhinga elincinci apha: ukuba uqhuba useto kwinguqulelo yangoku, ke zonke iisayithi ziya kumakishwa kwitshathi ngombala ofanayo, ukuze uzenze zibe nemibala emininzi sisebenzisa useto olongezelelweyo - "uluhlu lokwahlula", ekuvumela ukuba wahlule umqolo osele ulungile kumaxabiso amaninzi, ngokuxhomekeke kumhlaba okhethiweyo! Olu lwahlulo lunokusetyenziswa njengomhlathi omnye onemibala emininzi ngokwamaxabiso kwimo eqokelelweyo, okanye kwimo yesiqhelo ukuze wenze iikholamu ezininzi ngokwexabiso elithile kwi-axis X. Kule meko, apha sisebenzisa i Ixabiso elifanayo njengakwi-X ye-axis, oku kwenza kube nokwenzeka ukwenza zonke iikholamu zibe nemibala emininzi ziyakuboniswa ngemibala phezulu ekunene. Kwicebo lokucoca esikusetayo - imveliso: "Uhluzo lwe-URL" ukuze ubone ulwazi kuphela kwiindawo ezityelelweyo, umfanekiso uyacofa:
Useto:
Umzobo wokusetyenziswa kwezona zicelo ziyingozi kakhulu
Ukwenza oku, yenza umzobo-Ibha ethe nkqo. Sikwasebenzisa count (Y axis) njengemetric, kwaye kwi-X axis siya kusebenzisa igama lezicelo ezisetyenzisiweyo - “appi_name” njengamaxabiso. Eyona nto ibalulekileyo lulungiselelo lokucoca - imveliso: “Ulawulo lwesicelo” KUNYE ne-app_risk: (4 OKANYE 5 OKANYE 3 ) KUNYE nesenzo: “yamkela”. Sihluza iilogi nge-Application blade yolawulo, sithatha kuphela ezo ndawo zihlelwe njenge-Critical, High, Medium risk sites kwaye kuphela ukuba ukufikelela kwezi ndawo kuvunyelwe. Umfanekiso uyacofa:
Iisetingi, zicofa:
Dashboard
Ukujonga kunye nokwenza iidashbhodi kuluhlu lwemenyu eyahlukileyo - Dashboard. Yonke into ilula apha, ideshibhodi entsha yenziwe, imbonakalo yongezwa kuyo, ibekwe endaweni yayo kwaye yiyo loo nto!
Senza ideshibhodi apho unokuqonda khona imeko esisiseko yemeko yokhuseleko lolwazi kwintlangano, ngokuqinisekileyo, kuphela kwinqanaba lokuHlola, umfanekiso ucofa:
Ngokusekelwe kwezi grafu, sinokuqonda ukuba yeyiphi imisayino ebalulekileyo engavaliweyo kwi-firewall, apho abasebenzisi baya khona, kwaye zeziphi iinkqubo eziyingozi kakhulu abazisebenzisayo.
isiphelo
Sijonge ubuchule bokubonwa kwesiseko kwi-Kibana kwaye sakha ideshibhodi, kodwa le nxalenye encinci. Ukuqhubela phambili kwikhosi siza kujonga ngokwahlukeneyo ekusekweni kweemephu, ukusebenza ngenkqubo ye-elasticsearch, ukuqhelana nezicelo ze-API, i-automation kunye nokunye okuninzi!
Ngoko hlala ubukele (, , , ), .
umthombo: www.habr.com