3. Elastic Stack: security log analysis. Dashboards

In the previous articles we got acquainted with the ELK stack and set up the Logstash configuration file for the log parser. In this article we move on to the most important part from the analytics point of view: what you actually want to see in the system and what all of this was built for, namely the graphs and tables combined into dashboards. Today we will take a closer look at the Kibana visualization system, see how graphs and tables are built, and as a result build a simple dashboard based on the logs from a Check Point firewall.

The first step in working with Kibana is to create an index pattern; logically, this is a set of indices grouped by a certain rule. In essence it is just a setting that lets Kibana conveniently search for information across all matching indices at once. It is defined by matching a string, say "checkpoint-*", against the index name. For example, "checkpoint-2019.12.05" matches the pattern, but "checkpoint" does not. It is worth noting separately that in search you cannot query several index patterns at the same time; a little later, in the following articles, we will see that API requests are made either by index name or by a single pattern string. The screenshot is clickable:

After that, we check in the Discover menu that all logs are indexed and that the correct parser is configured. If any inconsistency is found, for example a data type that should change from string to integer, you need to edit the Logstash configuration file; as a result, new logs will be written correctly. For old logs to take the desired form from before the change, only a reindexing process helps; this operation will be discussed in more detail in the following articles. Let's make sure everything is in order, the screenshot is clickable:

The logs are in place, which means we can start building dashboards. By analysing dashboards built from security product logs, you can understand the state of information security in the organization, clearly see weaknesses in the current policy, and then work out ways to eliminate them. Let's build a small dashboard using several visualization tools. The dashboard will consist of 5 components:

  1. a table counting the total number of logs per blade
  2. a table of critical IPS signatures
  3. a pie chart of Threat Prevention events
  4. a chart of the most visited sites
  5. a chart of the use of the most dangerous applications

To create visualizations, go to the Visualize menu and select the type of visualization you want to build! Let's go in order.

Table counting the total number of logs per blade

To do this, select the Data Table visualization; we land in the graph editor, with the visualization settings on the left and, on the right, a preview of how it looks with the current settings. First I will show what the finished table looks like, and then we will go through the settings; the screenshot is clickable:

More detailed settings of the visualization, the screenshot is clickable:

Let's look at the settings.

The first thing configured is the metric: the value by which all fields will be aggregated. Metrics are calculated from values extracted in one way or another from the documents. Values are usually taken from document fields, but they can also be produced by scripts. In this case we set Aggregation: Count (the total number of logs).

After that, we split the table into segments (fields) for which the metric will be counted. This is done by the Buckets setting, which in turn offers 2 options:

  1. split rows: adds columns and then splits the table into rows
  2. split table: splits the result into several tables based on the values of a particular field.

In buckets you can add several splits to create several columns or tables; the limits here are a matter of common sense. In the aggregation you choose the method used to split into segments: IPv4 range, date range, Terms, and so on. The most interesting choices are Terms and Significant Terms: the split into segments is made by the values of a particular index field, and the difference between them lies in the number of returned values and how they are displayed. Since we want to split the table by blade name, we select the product.keyword field and set the size to 25 returned values.

Instead of strings, Elasticsearch uses 2 data types: text and keyword. If you need full-text search, you should use the text type; this is very convenient when writing your own search service, for example when looking for a mention of a word in the value of a particular (text) field. If you only need exact matches, use the keyword type. The keyword data type should also be used for fields that need filtering or aggregation, which is exactly our case.

As a result, Elasticsearch counts the number of logs over a given period, aggregated by the value of the product field. In Custom Label we set the column name to be displayed in the table, set the time range over which logs are collected, and start rendering: Kibana sends a request to Elasticsearch, waits for the response, and then visualizes the received data. The table is ready!
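The following added example (not code from the article) shows the request body equivalent to this Data Table (Count metric, Terms bucket on product.keyword, size 25) and reproduces the terms aggregation locally over a few constructed log documents, including what happens if you aggregate on an analyzed text field instead of the keyword field. The analyzer here is a simplified stand-in for Elasticsearch's standard analyzer, not the real thing.

```python
import re
from collections import Counter

# Constructed sample documents standing in for Check Point logs indexed by
# Logstash (not real data); only the fields this example needs are present.
DOCS = [
    {"product": "Threat Emulation", "action": "prevent"},
    {"product": "Threat Emulation", "action": "detect"},
    {"product": "Anti-Bot", "action": "prevent"},
    {"product": "URL Filtering", "action": "accept"},
    {"product": "URL Filtering", "action": "accept"},
    {"product": "Application Control", "action": "accept"},
]

def data_table_request(field="product.keyword", size=25):
    """Request body equivalent to the Data Table visualization:
    metric Count, bucket Terms on the keyword field, 25 values returned."""
    return {
        "size": 0,  # no hits, only aggregation buckets
        "aggs": {"by_blade": {"terms": {"field": field, "size": size}}},
    }

def analyze(value):
    """Simplified stand-in for the standard analyzer on a text field:
    split on non-alphanumerics and lowercase (assumption, not exact)."""
    return [t.lower() for t in re.split(r"[^0-9A-Za-z]+", value) if t]

def terms_agg(docs, field, size=25, analyzed=False):
    """Local equivalent of a terms aggregation: count documents per value,
    sort buckets by count descending and return the top `size` buckets.
    With analyzed=True the value is tokenized first, which is what you get
    when aggregating on a text field rather than its .keyword sub-field."""
    counts = Counter()
    for doc in docs:
        value = doc[field]
        for term in (analyze(value) if analyzed else [value]):
            counts[term] += 1
    return [{"key": k, "doc_count": c} for k, c in counts.most_common(size)]
```

Aggregating on the keyword field yields one bucket per blade ("Threat Emulation": 2), whereas the analyzed variant splits the name into "threat" and "emulation" buckets, which is why the article picks product.keyword.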

Pie chart of Threat Prevention events

Of particular interest is what share of reactions to information security incidents under the current security policy are detect and what share are prevent. A pie chart suits this well. Select Visualize - Pie Chart. In the metric we set aggregation by the number of logs (Count). In buckets we set Terms => action.

Everything seems right, but the result shows values for all blades; we need to restrict it to the blades that work within Threat Prevention. So we set a filter so that only the blades responsible for information security incidents are searched - product: (“Anti-Bot” OR “New Anti-Virus” OR “DDoS Protector” OR “SmartDefense” OR “Threat Emulation”). The screenshot is clickable:

And the more detailed settings, the screenshot is clickable:

IPS events table

Next, something very important from the information security point of view: viewing and checking events on the IPS and Threat Emulation blades that are not blocked by the current policy, so that you can later either switch the signature to prevent or, if the traffic is legitimate, stop checking that signature. We build the table the same way as in the first example, the only difference being that we create several columns: protections.keyword, severity.keyword, product.keyword, originsicname.keyword. Be sure to set the filter so that only the blades responsible for information security incidents are searched - product: (“SmartDefense” OR “Threat Emulation”). The screenshot is clickable:

More detailed settings, the screenshot is clickable:

Chart of the most visited sites

To do this, create a Vertical Bar visualization. We again use Count (Y axis) as the metric, and on the X axis we use the names of the visited sites as values - "appi_name". There is a small trick here: if you apply the settings as they are in the current version, all sites will be drawn on the graph in the same colour; to make them multicoloured we use an additional setting, "split series", which lets you split a finished column into several values depending on the selected field. This split can be used either as one multicoloured column with values stacked (stacked mode), or in normal mode to create several columns for a given value on the X axis. In this case we use the same field as on the X axis, which makes every column its own colour; the legend is shown at the top right. In the filter we set product: "URL Filtering" so that only information about visited sites is shown; the screenshot is clickable:

Settings (screenshot):

Chart of the use of the most dangerous applications

To do this, create a Vertical Bar visualization. We again use Count (Y axis) as the metric, and on the X axis we use the names of the applications used - "appi_name" - as values. The most important part is the filter: product: “Application Control” AND app_risk: (4 OR 5 OR 3) AND action: “accept”. We filter logs from the Application Control blade, taking only the sites categorized as Critical, High or Medium risk, and only where access to them was allowed. The screenshot is clickable:
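The three filters used for the pie chart, the IPS table and the dangerous-applications chart above, as an added example that is not code from the article: it builds the Lucene filter string typed into the Kibana filter bar and evaluates the same conditions over constructed Check Point-style documents, so you can check what each visualization would show. Field names follow the article; the log values, gateway name and app names are made up.

```python
from collections import Counter

# Constructed Check Point-style log documents (not real data) with only the
# fields the dashboard filters use; signature, gateway and app names are made up.
def log(product, action, **extra):
    doc = {"product": product, "action": action, "protections": "",
           "severity": "", "originsicname": "gw-1", "appi_name": "", "app_risk": 0}
    return {**doc, **extra}

LOGS = [
    log("Threat Emulation", "prevent", protections="Malicious attachment", severity="Critical"),
    log("Threat Emulation", "detect", protections="Suspicious macro", severity="High"),
    log("SmartDefense", "detect", protections="Web server enforcement", severity="Medium"),
    log("SmartDefense", "prevent", protections="Scanner activity", severity="Critical"),
    log("Anti-Bot", "prevent", protections="C&C callback", severity="Critical"),
    log("URL Filtering", "accept", appi_name="example.com"),
    log("Application Control", "accept", appi_name="Remote Admin Tool", app_risk=5),
    log("Application Control", "accept", appi_name="File Sharing App", app_risk=3),
    log("Application Control", "accept", appi_name="Office Suite", app_risk=1),
    log("Application Control", "drop", appi_name="Remote Admin Tool", app_risk=5),
]

THREAT_PREVENTION = ("Anti-Bot", "New Anti-Virus", "DDoS Protector",
                     "SmartDefense", "Threat Emulation")
IPS_BLADES = ("SmartDefense", "Threat Emulation")

def product_filter(blades):
    """Lucene query string as typed into the Kibana filter bar, e.g.
    product: ("SmartDefense" OR "Threat Emulation")."""
    return 'product: (' + " OR ".join(f'"{b}"' for b in blades) + ")"

def threat_prevention_split(logs):
    """Pie chart data: percentage of each action across Threat Prevention blades."""
    actions = Counter(d["action"] for d in logs if d["product"] in THREAT_PREVENTION)
    total = sum(actions.values())
    return {a: round(100 * n / total, 1) for a, n in actions.items()} if total else {}

def ips_table(logs):
    """IPS table rows (protections, severity, product, originsicname); the article
    filters by product only, the action column is added here to spot non-blocked events."""
    return [(d["protections"], d["severity"], d["product"], d["originsicname"], d["action"])
            for d in logs if d["product"] in IPS_BLADES]

def risky_allowed_apps(logs, risks=(3, 4, 5)):
    """Bar chart data: Application Control, app_risk 3/4/5, action accept, per appi_name."""
    return Counter(d["appi_name"] for d in logs if d["product"] == "Application Control"
                   and d["app_risk"] in risks and d["action"] == "accept")
```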

Settings, the screenshot is clickable:

Dashboard

Viewing and creating dashboards lives in a separate menu item - Dashboard. Everything is simple here: a new dashboard is created, the visualizations are added to it and arranged in place, and that's it!

We build a dashboard from which you can understand the basic state of information security in the organization, admittedly only at the Check Point level; the screenshot is clickable:

Based on these graphs, we can understand which critical signatures are not blocked on the firewall, where users go, and which of the most dangerous applications they use.

Conclusion

We have looked at the basic visualization capabilities of Kibana and built a dashboard, but this is only a small part. Further on in the course we will look separately at setting up maps, working with the Elasticsearch system, getting acquainted with API requests, automation, and much more!

So stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com