2. Elastic Stack: security log analysis. Logstash


In the previous article we got acquainted with the ELK stack and the software products it consists of. The first task an engineer faces when working with the ELK stack is shipping logs to Elasticsearch for storage and later analysis. That is easier said than done: Elasticsearch stores logs as documents with particular fields and values, which means the engineer has to use additional tooling to parse the message that arrives from the end systems. This can be done in several ways: write your own program that adds documents to the database through the API, or use ready-made solutions. In this course we look at Logstash, which is part of the ELK stack. We will see how to send logs from the end systems to Logstash, and then write a configuration file that parses them and forwards them to the Elasticsearch database. As the source system we take logs from a Check Point firewall.

The course does not cover installing the ELK stack, since there are plenty of articles on that topic; we will look only at the configuration part.

Let's draw up a plan for configuring Logstash:

  1. Check that Elasticsearch will accept logs (check that the service is running and the port is open).
  2. Consider how we can send events to Logstash, choose a method, and implement it.
  3. Configure Input in the Logstash configuration file.
  4. Configure Output in the Logstash configuration file in debug mode, in order to understand what the log message looks like.
  5. Configure Filter.
  6. Configure the correct Output to Elasticsearch.
  7. Start Logstash.
  8. Check the logs in Kibana.

Let's look at each point in detail:

Checking that Elasticsearch will accept logs

To do this, use curl to check access to Elasticsearch from the system where Logstash is deployed. If authentication is configured, pass the user and password to curl; specify port 9200 unless you have changed it. If you get a response like the one below, everything is in order.

[elastic@elasticsearch ~]$ curl -u <<user_name>>:<<password>> -sS -XGET "<<ip_address_elasticsearch>>:9200"
{
  "name" : "elastic-1",
  "cluster_name" : "project",
  "cluster_uuid" : "sQzjTTuCR8q4ZO6DrEis0A",
  "version" : {
    "number" : "7.4.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fc0eeb6e2c25915d63d871d344e3d0b45ea0ea1e",
    "build_date" : "2019-10-22T17:16:35.176724Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
[elastic@elasticsearch ~]$

If there is no response, there may be several kinds of error: the Elasticsearch process is not running, the wrong port is specified, or the port is blocked by a firewall on the server where Elasticsearch is installed.
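The same reachability test as a script, so it can be repeated from the Logstash host and its failure mapped to the three causes just listed. This is an added example written for this edit, not code from the original article; the host, port and credentials are placeholders, and the response body used for the offline check is a constructed copy of the kind of JSON shown above.

```python
"""Reachability and authentication check for Elasticsearch, the same test
the curl call above performs, with failures classified the way the text
lists them.  Added example; not from the original article.  Host, port
and credentials are placeholders to replace."""
import base64
import json
import socket
import urllib.error
import urllib.request

# Constructed copy of the kind of JSON the root endpoint returns
# (values invented for this example, not captured from a real node).
SAMPLE_RESPONSE = json.dumps({
    "name": "elastic-1",
    "cluster_name": "project",
    "version": {"number": "7.4.1", "lucene_version": "8.2.0"},
    "tagline": "You Know, for Search",
})


def parse_info(body):
    """Pull the fields worth logging out of the root-endpoint reply.
    A reply without the tagline is not Elasticsearch (proxy page, wrong port)."""
    data = json.loads(body)
    if data.get("tagline") != "You Know, for Search":
        raise ValueError("not an Elasticsearch root response")
    return {
        "node": data["name"],
        "cluster": data["cluster_name"],
        "version": data["version"]["number"],
    }


def classify_error(exc):
    """Map a failure to the causes the text lists: process down / wrong port,
    firewall in the path, or (with security enabled) bad credentials."""
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code in (401, 403):
            return "auth: wrong user/password or missing privilege"
        return "http %d: reached something, but not a healthy Elasticsearch" % exc.code
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, ConnectionRefusedError):
        return "refused: elasticsearch not running or wrong port"
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout: host firewall or network path is dropping the port"
    return "other: %s" % reason


def check_elasticsearch(url, user=None, password=None, timeout=5.0):
    """GET the root endpoint with optional HTTP basic auth; never raises."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"ok": True, "info": parse_info(resp.read().decode())}
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return {"ok": False, "reason": classify_error(exc)}


if __name__ == "__main__":
    # Placeholders: replace with your Elasticsearch address and credentials.
    print(check_elasticsearch("http://<<ip_address_elasticsearch>>:9200",
                              "<<user_name>>", "<<password>>"))
```

Run it from the Logstash host, not from the Elasticsearch host itself, since a firewall rule that blocks 9200 only shows up from the outside.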

Let's look at how to send logs to Logstash from the Check Point firewall

From the Check Point management server you can send logs to Logstash over syslog using the log_exporter utility; it is described in more detail in a separate article. Here we leave only the command that creates the export stream:

cp_log_export add name check_point_syslog target-server < > target-port 5555 protocol tcp format generic read-mode semi-unified

< > is the address of the server where Logstash is running; target-port 5555 is the port we will send the logs to. Sending logs over TCP can load the server, so in some cases it is more appropriate to use UDP. Keep in mind that UDP drops events silently when Logstash cannot keep up, and that neither variant encrypts the stream, so the path from the management server to Logstash should be a trusted network segment.

Configuring INPUT in the Logstash configuration file


By default the configuration file is located in the /etc/logstash/conf.d/ directory. The configuration file consists of three main parts: INPUT, FILTER, OUTPUT. In INPUT we specify where the system takes logs from; in FILTER we parse the log, that is, define how the message is split into fields and values; in OUTPUT we configure the output stream, where the parsed logs will be sent.

First let's configure INPUT, considering some of the possible types: file, tcp and exec.

Tcp:

input {
  tcp {
    port => 5555
    host => "10.10.1.205"
    type => "checkpoint"
    mode => "server"
  }
}

mode => "server"
Indicates that Logstash accepts the connections.

port => 5555
host => "10.10.1.205"
We accept connections on IP address 10.10.1.205 (Logstash), port 5555; the port must be allowed by the firewall policy. Binding to the specific address rather than 0.0.0.0 keeps the listener off any other interfaces of the host.

type => "checkpoint"
We tag the document; this is very convenient when there are several incoming connections. Later, for each connection you can write its own filter using a logical if construct.

File:

input {
  file {
    path => "/var/log/openvas_report/*"
    type => "openvas"
    start_position => "beginning"
  }
}

Explanation of the settings:
path => "/var/log/openvas_report/*"
We specify the directory whose files need to be read.

type => "openvas"
Event type.

start_position => "beginning"
A newly discovered file is read from the very beginning; if set to "end", the program waits for new records to appear at the end of the file. The setting only applies the first time Logstash sees a file: it remembers the read position in its sincedb, so files that have already been processed are not re-read in full.

Exec:

input {
  exec {
    command => "ls -alh"
    interval => 30
  }
}

With this input, a shell command (only!) is launched and its output is turned into a log message.

command => "ls -alh"
The command whose output we are interested in.

interval => 30
Polling interval in seconds.

The command runs with the privileges of the logstash service user, so keep it static in the configuration file and never build it from event data.

To receive logs from the firewall we declare a tcp or udp input, depending on how the logs are sent to Logstash.
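Before pointing the firewall at port 5555 it is useful to send a few test events and confirm that the tcp input receives one event per line. The script below is an added example, not code from the original article, from Check Point or from Elastic: it assumes the tcp input keeps its default line codec (newline-terminated records), the sample records are constructed in the key="value" layout that cp_log_export produces with format generic, and the loopback listener stands in for Logstash so the script runs offline.

```python
"""Send constructed Check Point-style events to a Logstash tcp input and
verify the framing with a loopback listener.  Added example; not from the
original article.  Assumes the tcp input uses its default `line` codec
(one event per newline-terminated record).  The listener is a stand-in
for Logstash so the script runs offline."""
import socket
import threading

# Constructed sample events (not captured from a real gateway) in the
# key="value" layout of cp_log_export ... format generic.
SAMPLE_EVENTS = [
    'time="1576766483" action="Accept" ifdir="outbound" ifname="bond1.101" '
    'src="10.10.1.180" dst="10.10.10.10" proto="17" service="53" s_port="37317"',
    'time="1576766484" action="Drop" ifdir="inbound" ifname="bond1.101" '
    'src="203.0.113.7" dst="10.10.10.10" proto="6" service="22" s_port="41000"',
]


def send_events(host, port, events, timeout=5.0):
    """Send each event as one newline-terminated line over a single TCP
    connection, the way a syslog/TCP exporter does.  Returns bytes sent."""
    payload = "".join(e + "\n" for e in events).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


class LineListener:
    """Minimal stand-in for the tcp input in mode => "server": accepts one
    connection, splits the byte stream on newlines, stores the lines."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]  # port 0 means "pick a free one"
        self.lines = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk  # records may be split across recv() calls
            # Split on "\n" like the line codec; drop the empty trailing piece.
            self.lines = [l.decode("utf-8") for l in buf.split(b"\n") if l]
        self.sock.close()

    def wait(self, timeout=5.0):
        self.thread.join(timeout)
        return self.lines


def loopback_check(events=SAMPLE_EVENTS):
    """Start the stand-in listener, send the events, return what arrived."""
    listener = LineListener()
    send_events("127.0.0.1", listener.port, events)
    return listener.wait()


if __name__ == "__main__":
    for line in loopback_check():
        print(line)
```

To exercise the real pipeline, call send_events with the Logstash address and port from the tcp input (10.10.1.205 and 5555 in this article) and watch the stdout output configured in the next step; if nothing appears, the host firewall on the Logstash server is the first thing to check.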

Configuring Output in the Logstash configuration file in debug mode, to understand what the log message looks like

After configuring INPUT we need to understand what the log message will look like and which methods should be used to configure the log filter (parser).

To do this, we use an output that prints the result to stdout so we can see the raw message; the complete configuration file at this point looks like this:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

output {
  if [type] == "checkpoint" {
    stdout { codec => json }
  }
}

Run the command to test it:
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf
We see the result (screenshot in the original article).

If you copy it, it looks like this:

action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,0x5,0xfe0a0a0a,0xc0000000}" origin="10.10.10.254" originsicname="CN=ts-spb-cpgw-01,O=cp-spb-mgmt-01.tssolution.local.kncafb" sequencenum="8" time="1576766483" version="5" context_num="1" dst="10.10.10.10" dst_machine_name="[email protected]" layer_name="TSS-Standard Security" layer_name="TSS-Standard Application" layer_uuid="dae7f01c-4c98-4c3a-a643-bfbb8fcf40f0" layer_uuid="dbee3718-cf2f-4de0-8681-529cb75be9a6" match_id="8" match_id="33554431" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Implicit Cleanup" rule_uid="6dc2396f-9644-4546-8f32-95d98a3344e6" product="VPN-1 & FireWall-1" proto="17" s_port="37317" service="53" service_id="domain-udp" src="10.10.1.180" ","type":"qqqqq","host":"10.10.10.250","@version":"1","port":50620}{"@timestamp":"2019-12-19T14:50:12.153Z","message":"time="1576766483" action="Accept" conn_direction="Internal" contextnum="1" ifdir="outbound" ifname="bond1.101" logid="0" loguid="{0x5dfb8c13,

Looking at these messages, we see that the log has the form field=value, or key=value, which means the filter called kv is suitable. To choose the right filter for each case, it is a good idea to get familiar with the documentation, or ask a colleague.

Configuring Filter

In the previous step we chose kv; the configuration of this filter is shown below:

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

We choose the character that separates field and value: "=". If the log contains identical entries, we keep only one of them in the database; otherwise you end up with duplicate values, that is, for the message "foo=some foo=some" we write only foo=some. Note that this only removes pairs that are identical in both key and value: when the same key appears with different values, as layer_name and match_id do in the dump above, kv stores the values as an array, so that field becomes multi-valued in Elasticsearch.
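To see what the kv filter will make of a Check Point record, including how the repeated keys in the dump above are handled, here is an added example that emulates the filter's splitting and its allow_duplicate_values setting in Python. It is not Logstash code and not from the original article; the record is constructed from the fields shown above, and the parser is a simplification (double-quoted or bare values only, no escaped quotes, whitespace as the field separator, which is the kv default).

```python
"""Emulation of the Logstash kv filter on one Check Point record.
Added example for this article, not Logstash's own code.  Simplified:
fields are separated by whitespace (the kv default), values are either
double-quoted (no escaped quotes) or bare, and value_split is a single
string as in the pipeline above."""
import re

# Constructed record, abbreviated from the stdout dump above.  Check Point
# repeats layer_name/match_id/rule_action/parent_rule when a connection
# is evaluated by more than one policy layer.
SAMPLE_RECORD = (
    'time="1576766483" action="Accept" conn_direction="Internal" '
    'ifdir="outbound" ifname="bond1.101" origin="10.10.10.254" '
    'dst="10.10.10.10" layer_name="TSS-Standard Security" '
    'layer_name="TSS-Standard Application" match_id="8" match_id="33554431" '
    'parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" '
    'rule_name="Implicit Cleanup" product="VPN-1 & FireWall-1" proto="17" '
    's_port="37317" service="53" service_id="domain-udp" src="10.10.1.180"'
)


def kv_parse(record, value_split="=", allow_duplicate_values=True):
    """Split `record` into a dict the way kv { value_split => "=" } would.

    A key seen once maps to a string.  A key seen again gets a list, except
    that with allow_duplicate_values=False an identical key/value pair is
    dropped, so "foo=some foo=some" stays {"foo": "some"}.
    """
    # key, the split character, then a double-quoted value or a bare token
    pair = re.compile(r'(\S+?)' + re.escape(value_split) + r'(?:"([^"]*)"|(\S+))')
    fields = {}
    for m in pair.finditer(record):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key not in fields:
            fields[key] = value
            continue
        values = fields[key] if isinstance(fields[key], list) else [fields[key]]
        if not allow_duplicate_values and value in values:
            continue  # same key=value already present: drop the repeat
        values.append(value)
        fields[key] = values
    return fields


def array_fields(record):
    """Keys that still hold several distinct values after deduplication.
    These become multi-valued fields in Elasticsearch, which matters for
    Kibana filters and for any later mutate/convert applied to them."""
    parsed = kv_parse(record, allow_duplicate_values=False)
    return sorted(k for k, v in parsed.items() if isinstance(v, list))


if __name__ == "__main__":
    for key, value in kv_parse(SAMPLE_RECORD, allow_duplicate_values=False).items():
        print(f"{key}: {value}")
    print("multi-valued:", array_fields(SAMPLE_RECORD))
```

All values come out as strings, numbers included (proto, service, s_port); Elasticsearch's dynamic mapping decides the field type from the first document it sees, so fields you want to aggregate numerically are better converted explicitly in the filter.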

Configuring the correct Output to Elasticsearch

Once the Filter is configured, you can load the logs into the database directly:

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

If the document is tagged with the type checkpoint, we save the event to the Elasticsearch database, which accepts connections on 10.10.1.200, port 9200 by default. Each document is saved to a particular index; in this case we save to the index "checkpoint-" + the current date. Each index can have a defined set of fields, or fields are created automatically when a new field appears in a message; the field settings and their types can be viewed in the mapping.

If authentication is configured (we will cover it later), the credentials for writing to the given index must be specified; in this example the user "tssolution" with the password "cool". You can restrict that user's rights to writing logs into this index only and nothing more. Storing the password in the pipeline file in clear text, as here, means anyone who can read /etc/logstash/conf.d/ has it; in production put it in the Logstash keystore (bin/logstash-keystore add ES_PWD), reference it as password => "${ES_PWD}", and enable TLS on the connection so the credentials are not sent in the clear.

Starting Logstash.

The Logstash configuration file:

input {
  tcp {
    port => 5555
    type => "checkpoint"
    mode => "server"
    host => "10.10.1.205"
  }
}

filter {
  if [type] == "checkpoint" {
    kv {
      value_split => "="
      allow_duplicate_values => false
    }
  }
}

output {
  if [type] == "checkpoint" {
    elasticsearch {
      hosts => ["10.10.1.200:9200"]
      index => "checkpoint-%{+YYYY.MM.dd}"
      user => "tssolution"
      password => "cool"
    }
  }
}

Check the configuration file for errors (--config.test_and_exit parses the pipeline and exits without starting it, so it does not conflict with the service started next):
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/checkpoint.conf --config.test_and_exit

Start the Logstash process:
sudo systemctl start logstash

Check that the process has started:
sudo systemctl status logstash


Let's check that the socket is listening:
netstat -nat | grep 5555


Checking the logs in Kibana.

After everything is running, go to Kibana - Discover and make sure everything is configured correctly (screenshot in the original article).

All the logs are in place and we can see all the fields and their values!

Conclusion

We looked at how to write a Logstash configuration file, and as a result obtained a parser for all fields and values. Now we can search and build charts on specific fields. Next in the course we will look at visualization in Kibana and build a simple dashboard. It is worth mentioning that the Logstash configuration file needs to be updated regularly in certain situations, for example when we want to replace a field's value from a number with a name. In the following articles we will do this constantly.

So stay tuned (Telegram, Facebook, VK, TS Solution Blog), Yandex.Zen.

Source: www.habr.com
