Elastic Stack is a popular tool on the SIEM market (and not only there). It can collect a lot of different data, both sensitive and not so sensitive, so it is not quite right when access to the Elastic Stack components themselves is left unprotected. By default, all out-of-the-box Elastic components (Elasticsearch, Logstash, Kibana and the Beats collectors) run over open protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we show how to do it. For convenience, we split the narrative into 3 semantic blocks:
- Role-based data access model
- Data security inside an Elasticsearch cluster
- Security of data outside an Elasticsearch cluster
Details under the cut.
Role-based data access model
When we install Elasticsearch and do not configure it in any way, access to all the indices is open to everyone. Well, or to everyone who can use curl. To avoid this, Elasticsearch has a role model, available starting from the Basic subscription (which is free). Schematically it looks something like this:
What is in the picture:
- Users are everyone who can log in with their credentials.
- A role is a set of rights.
- Rights are a set of privileges.
- Privileges are permissions to write, delete, index, etc. (full list of privileges).
- Resources are indices, documents, fields, users and other storage entities (the role model for some resources is only available in paid subscriptions).
By default Elasticsearch is
To enable security in the Elasticsearch settings, you need to add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):
xpack.security.enabled: true
After changing the configuration file, reload or restart Elasticsearch for the changes to take effect. The next step is assigning passwords to the built-in users. Let's do this interactively with the command below:
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
Let's check:
[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1
We can pat ourselves on the back: the settings on the Elasticsearch side are done. Now it is time to configure Kibana. If we start it now, errors will appear, so we need to create a keystore. This is done with two commands (the user is kibana, and the password is the one entered for it while setting the Elasticsearch passwords):
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password
If everything is correct, Kibana will start asking for a login and password. The Basic subscription includes a role model based on internal users. Starting with Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and single sign-on systems.
Access rights to objects in Elasticsearch can be very flexible. However, to do the same for documents or fields, you need a paid subscription (this luxury starts at the Platinum level). The settings are made in the Kibana interface or through
Creating a role
PUT /_security/role/ruslan_i_ludmila_role
{
"cluster": [],
"indices": [
{
"names": [ "ruslan_i_ludmila" ],
"privileges": ["read", "view_index_metadata"]
}
]
}
Creating a user
POST /_security/user/pushkin
{
"password" : "nataliaonelove",
"roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
"full_name" : "Alexander Pushkin",
"email" : "[email protected]",
"metadata" : {
"hometown" : "Saint-Petersburg"
}
}
Data security inside an Elasticsearch cluster
When Elasticsearch runs as a cluster (which is common), the security settings inside the cluster become important. For secure communication between nodes, Elasticsearch uses the TLS protocol. To set up secure interaction between them, you need a certificate. We generate a CA certificate and private key in PEM format:
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem
After executing the command above, the archive elastic-stack-ca.zip will appear in the /../elasticsearch directory. In it you will find a certificate and a private key with the extensions crt and key respectively. It is worth putting them on a shared resource that is accessible from all nodes in the cluster.
Each node needs its own certificate and private key, issued from the CA in the shared directory. When executing the command, you will be asked to set a password. You can add the extra options -ip and -dns for full verification of the interacting nodes.
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key
As a result of executing the command, we get a certificate and a private key in PKCS #12 format, protected by a password. All that remains is to move the generated p12 file to the configuration directory:
[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config
Add the password of the p12 certificate to the keystore and truststore on each node:
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Next, all that remains in elasticsearch.yml is to add the lines with the certificate data:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
We restart all Elasticsearch nodes and try curl. If everything was done correctly, a response listing several nodes will be displayed:
[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1
There is another interesting option: IP address filtering (available in subscriptions from the Gold level). It allows you to create whitelists of IP addresses from which access to the nodes is allowed.
Security of data outside an Elasticsearch cluster
Outside the cluster means connections from external tools: Kibana, Logstash, Beats or other external clients.
To configure support for https (instead of http), add new lines to elasticsearch.yml:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
Since the certificate is password-protected, add the password to the keystore and truststore on each node:
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
After adding the keys, the Elasticsearch nodes are ready to accept connections over https. Now they can be started.
The next step is to create a key for connecting Kibana and add it to the configuration. Based on the CA certificate that already lies in the shared directory, we generate a certificate in PEM format (Kibana, Logstash and Beats do not yet support PKCS #12):
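As an added example (not part of the article), a small POSIX shell audit that checks an elasticsearch.yml for the settings the article switches on in the transport TLS and https sections above: security enabled, node-to-node TLS enabled with a real verification mode, and the HTTP API on https. The function names and the two sample configs are constructed for this example, not taken from any real cluster.

```shell
# Added example: audit an elasticsearch.yml for the security settings this
# article enables. The sample configs written below are constructed, not real.
# setting_value FILE KEY: value of the last uncommented "KEY: value" line, trimmed.
setting_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | tail -n 1 \
        | sed -e 's/^[^:]*://' -e 's/#.*//' -e 's/[[:space:]"]//g'
}
# es_audit FILE: prints one finding per line; exit status = number of findings.
es_audit() {
    f="$1"; n=0
    for pair in "xpack.security.enabled=true" \
                "xpack.security.transport.ssl.enabled=true" \
                "xpack.security.http.ssl.enabled=true"; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(setting_value "$f" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (expected $want)"; n=$((n + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key=$have (expected $want)"; n=$((n + 1))
        fi
    done
    # 'none' accepts any node certificate; the article uses 'certificate'
    # (and 'full' would additionally check the node's hostname or IP).
    if [ "$(setting_value "$f" xpack.security.transport.ssl.verification_mode)" = none ]; then
        echo "WEAK    transport.ssl.verification_mode=none (no certificate check)"
        n=$((n + 1))
    fi
    return "$n"
}
TMP=$(mktemp -d)
cat > "$TMP/weak.yml" <<'EOF'
# constructed: security on, but node TLS unverified and the HTTP API in clear text
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
EOF
cat > "$TMP/hardened.yml" <<'EOF'
# constructed: the state the article ends with (keystore/truststore paths omitted)
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
EOF
es_audit "$TMP/weak.yml" || echo "weak.yml: $? finding(s)"
es_audit "$TMP/hardened.yml" && echo "hardened.yml: no findings"
```

The audit checks only the keys it knows about; keystore and truststore paths and passwords still have to be verified by starting the node, as the article does.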
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem
All that remains is to unpack the created keys into the folder with the Kibana configuration:
[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config
The keys are in place, so all that remains is to change the Kibana configuration so that it starts using them. In the kibana.yml configuration file, change http to https and add the lines with the SSL connection settings. The last three lines configure secure communication between the user's browser and Kibana.
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
That's it: the settings are done, and access to the data in the Elasticsearch cluster is encrypted.
If you have questions about the capabilities of Elastic Stack on free or paid subscriptions, about monitoring tasks or about building a SIEM system, leave a request at
More of our articles about Elastic Stack on Habr:
Source: www.habr.com