# CentOS + ELK 7.9.2

CentOS-7-x86_64-DVD-2003

ELK = Elasticsearch + Logstash + Kibana

---

Basic Linux environment setup

1. IP 192.168.120.121/24
2. hostnamectl set-hostname elk01
3. Set the nameservers 140.110.16.1 and 140.110.4.1: vi /etc/resolv.conf
4. yum install net-tools traceroute unzip iptables-services
5. Disable NetworkManager
   systemctl disable NetworkManager
   systemctl stop NetworkManager
6. Disable firewalld (iptables-services replaces it below)
   systemctl disable firewalld
   systemctl stop firewalld
7. chkconfig network on
   systemctl restart network
8. Enable iptables
   systemctl enable iptables
9. Set the basic firewall rules (the ports used later on this page are 22 for SSH, 5601 for Kibana, 5044 for Beats, and 9200 for Elasticsearch, which only the hosts that query it need)
   vi /etc/sysconfig/iptables
   systemctl restart iptables
10. Disable SELinux (SELINUX=disabled): vi /etc/selinux/config. This is a lab shortcut; the RPM packages below run with SELinux enforcing under their default paths, so keep it on where you can.
11. Passwordless SSH from stgmon2 to elk01
    ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.120.121
12. In /etc/ssh/sshd_config, limit logins to the management network
    AllowUsers root@192.168.120.*

---

![](https://i.imgur.com/3y8xPkW.png)

Install from Elastic's RPM repository. Import the PGP signing key first, so gpgcheck=1 below can verify every package:

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

---

![](https://i.imgur.com/p3yuVnX.png)

Repository file (under /etc/yum.repos.d/, e.g. elasticsearch.repo; yum's INI parser does not take trailing comments on a value line, so the comment is on its own line):

```
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
# enabled=1 turns the repository on
enabled=1
autorefresh=1
type=rpm-md
```

---

Install a Java JDK

yum install java-1.8.0-openjdk (or java-11-openjdk; "yum install java jdk" is not a valid package name). Elasticsearch 7.x ships with its own bundled JDK and ignores this one; Logstash 7.9 does need a system Java 8 or 11.

java -version

![](https://i.imgur.com/99JKqDB.png)

Install Elasticsearch: yum install elasticsearch

![](https://i.imgur.com/sRed8Ua.png)

Install Kibana: yum install kibana

![](https://i.imgur.com/D6egWgE.png)

Install Logstash: yum install logstash

![](https://i.imgur.com/MrKJTtl.png)

Install Filebeat: yum install filebeat

![](https://i.imgur.com/NvLSrgA.png)

Self-signed certificates

![](https://i.imgur.com/Iq11GdA.png)

Command (/home/instance.yml lists the instances to issue certificates for, see the screenshot):

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --keep-ca-key --pem --in /home/instance.yml --out /home/mycerts.zip

![](https://i.imgur.com/SZsU8L1.png)

![](https://i.imgur.com/RlxrNyu.png)

The zip contains a ca/ directory (ca.crt and, because of --keep-ca-key, ca.key) and one directory per instance holding its .crt and .key. Unzip it and copy the files to the paths used in the configs below (/etc/elasticsearch/ElasticKey/ for Elasticsearch, /etc/kibana/KibanaKey/ for Kibana), owned by the elasticsearch and kibana users with the private keys readable only by them. Keep ca.key off the server, or at least mode 600: whoever holds it can mint certificates that every component here trusts.

Configure Elasticsearch (default port 9200)

vi /etc/elasticsearch/elasticsearch.yml and add:

```yaml
discovery.type: single-node    # single host, no other nodes
network.host: 192.168.120.121  # host IP
xpack.license.self_generated.type: basic   # license type
xpack.security.enabled: true               # turns on authentication; the web UI will ask for a login
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ElasticKey/elastic.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ElasticKey/elastic.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/ElasticKey/ca.crt
```

From here on the REST API on 9200 is HTTPS with basic auth, so every client below (Kibana, Logstash, ElastAlert) must use https://, trust ca.crt, and send credentials.

Enable the service at boot and start it now. Do this before setup-passwords: that tool talks to the running node over the HTTP API.

systemctl enable elasticsearch
systemctl start elasticsearch

![](https://i.imgur.com/PRIUb3n.png)

Generate the built-in accounts' passwords (minimum six characters):

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto (or interactive)

![](https://i.imgur.com/9k44hjY.png)

Output from this lab run. Treat these values as secrets, and use the per-service accounts (kibana_system, beats_system, ...) rather than the elastic superuser in the configs that follow:

```
Changed password for user apm_system
PASSWORD apm_system = pJwX9JheGCmZbhxJwNKS

Changed password for user kibana_system
PASSWORD kibana_system = VrORTATcBwlYmSN9giFv

Changed password for user kibana
PASSWORD kibana = VrORTATcBwlYmSN9giFv

Changed password for user logstash_system
PASSWORD logstash_system = JcDyJcN0Is3pzCJ2RjYt

Changed password for user beats_system
PASSWORD beats_system = PRM2AMXPvjONzucWYOGQ

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = CXGV3KdnaMSATDUvVNH2

Changed password for user elastic
PASSWORD elastic = t2MkeMXiqsk2xfKhM42F
```

![](https://i.imgur.com/NBN9hh2.png)

---

Configure Kibana (default port 5601)

vi /etc/kibana/kibana.yml

```yaml
server.port: 5601
server.host: "192.168.120.121"
elasticsearch.hosts: ["https://192.168.120.121:9200"]   # https, because xpack.security.http.ssl is on
elasticsearch.username: "kibana_system"                  # Kibana's built-in service account, not the elastic superuser
elasticsearch.password: "VrORTATcBwlYmSN9giFv"           # the kibana_system password printed by setup-passwords
# serve Kibana itself over HTTPS at https://IP:5601
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/KibanaKey/kibana.crt
server.ssl.key: /etc/kibana/KibanaKey/kibana.key
# trust the self-signed CA when talking to Elasticsearch; "certificate" checks the chain but not the hostname
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/KibanaKey/ca.crt" ]
elasticsearch.ssl.verificationMode: certificate
# encrypts saved objects; unrelated to TLS. Any string of 32+ characters, so replace this sequential placeholder with random output (e.g. openssl rand -hex 32)
xpack.encryptedSavedObjects.encryptionKey: "12345678901234567890123456789012"
```

![](https://i.imgur.com/SjQwc13.png)

Enable the service at boot and start it now

systemctl enable kibana
systemctl start kibana

Configure Logstash (the Beats input listens on 5044)

vi /etc/logstash/logstash.yml and add:
```yaml
node.name: logstash.local
```

vi /etc/logstash/conf.d/logstash.conf (the pipeline is in the screenshots: a beats input on 5044 and an elasticsearch output)

![](https://i.imgur.com/EpZUGMz.png)

![](https://i.imgur.com/9LjDxpx.png)

Because Elasticsearch now requires TLS and authentication, the elasticsearch output in that pipeline needs hosts => ["https://192.168.120.121:9200"], cacert => the ca.crt path, and user/password for an account allowed to write the filebeat-* indices. logstash_system is a monitoring-only account; create a dedicated role for the writer instead.

Enable the service at boot and start it now

systemctl enable logstash
systemctl start logstash

Configure Filebeat (ships to Logstash on 5044)

vi /etc/filebeat/filebeat.yml

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages   # the page had "messsages"; a misspelt path matches nothing and ships nothing
    - /var/log/secure     # the SSH rule in the ElastAlert section filters on this file
setup.kibana:
  host: "https://192.168.120.121:5601"
  # only used by `filebeat setup`; with the self-signed cert it also needs ssl.certificate_authorities: ["<path to ca.crt>"]
output.logstash:
  hosts: ["192.168.120.121:5044"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
```

Beats to Logstash on 5044 is plain TCP here, with no TLS and no client authentication. That is acceptable on the lab network; anywhere else enable ssl on the beats input and set output.logstash.ssl.* in Filebeat.

![](https://i.imgur.com/DrFOUwk.png)

Enable the service at boot and start it now

systemctl enable filebeat
systemctl start filebeat

---

Install Python 3.6.8 and ElastAlert

1. yum install gcc libffi-devel
2. yum install python3-devel (this pulls in the 3.6.8 python3 package from the CentOS 7 base repository)

![](https://i.imgur.com/5wWPOwO.png)

3. yum install git
4. Either install the latest released version of ElastAlert with pip (pip3, not the Python 2 pip on CentOS 7):
   pip3 install elastalert
   or clone the ElastAlert repository for the most recent changes:
   git clone https://github.com/Yelp/elastalert.git
5. Inside the clone (/root/elastalert): python3 setup.py install
   It ends with: Finished processing dependencies for elastalert==0.2.4
6. ![](https://i.imgur.com/UcRLw71.png)
7. ![](https://i.imgur.com/ugCPos5.png)

config.yaml. The page left the SSL/auth lines commented out, but the Elasticsearch configured above only speaks HTTPS with authentication, so they are required:

```yaml
rules_folder: example_rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 192.168.120.121
es_port: 9200
# ssl auth: required, since xpack.security.http.ssl.enabled is true
use_ssl: True
verify_certs: True
ca_certs: /etc/elasticsearch/ElasticKey/ca.crt   # the CA generated by certutil above
es_username: elastic   # works, but a dedicated role that reads filebeat-* and writes elastalert_* is the least-privilege choice
es_password: xxxx
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 1
```
8. Create rules

Field reference

- index: the index pattern to search; filebeat* matches every index whose name starts with filebeat
- num_events: how many matching events are needed
- timeframe: the window those events must fall within
- alert_subject_args: fields substituted into alert_subject by position ({0}, {1}, ...)
- alert_text_args: fields substituted into alert_text in order ({} {} ...)

Two caveats on the filters. Phrases in query_string use double quotes; single quotes are ordinary characters, so the page's message: 'Predictive failure' was parsed as the term message:'Predictive plus a bare failure' searched in the default field, which matches far more than intended. The rules below quote the phrases properly (YAML single quotes outside, Lucene double quotes inside). Second, log.file.path: secure only matches /var/log/secure if the field is analysed text (what a dynamically mapped index created through Logstash gives you); with Filebeat's own index template the field is a keyword and needs the full path.

Example 1 (basic test)

```yaml
name: test01
type: frequency
index: filebeat*
num_events: 1
timeframe:
  hours: 24
filter:
- query:
    query_string:
      query: "message: XDSM_EVENT_USER_EXIT"
alert:
- "email"
email:
- "1703175@narlabs.org.tw"
smtp_host: "192.168.120.130"
alert_subject: "Rule_Name {0} occurred at {1}"
alert_subject_args:
- name
- "@timestamp"
```

Example 2 (match on file path and keyword)

```yaml
name: dell_r730xd_disk_alert
type: frequency
index: filebeat*
num_events: 1
timeframe:
  hours: 24
filter:
- query:
    query_string:
      query: 'log.file.path: raidcard.log AND message: "Predictive failure"'
      #query: "message: failure"
alert:
- "email"
email:
#- "1703175@narlabs.org.tw"
- "stgp@mail.storage.nchc"
smtp_host: "192.168.120.130"
alert_subject: "ELK Alert_Rule {0}"
alert_subject_args:
- name
- "@timestamp"
alert_text_type: alert_text_only
alert_text: " Hello, a server disk is failing, please log in and check!!!\n Hostname: {}\n Host IP : {}\n Time : {}\n Message: {}"
alert_text_args:
- host.hostname
- host.ip
- "@timestamp"
- message
```

Example 3 (SSH password login failures)

```yaml
name: ssh_login_fail_alert
type: frequency
index: filebeat*
num_events: 3
timeframe:
  minutes: 15
filter:
- query:
    query_string:
      query: 'log.file.path: secure AND message: "Failed password"'
      #query: 'message: "Predictive failure"'
alert:
- "email"
email:
#- "1703175@narlabs.org.tw"
- "stgp@mail.storage.nchc"
smtp_host: "192.168.120.130"
alert_subject: "ELK Alert_Rule {0}"
alert_subject_args:
- name
- "@timestamp"
alert_text_type: alert_text_only
alert_text: " Hello, abnormal SSH logins on the server, please log in and check!!!\n\n Hostname: {}\n Host IP : {}\n ELK time : {} (UTC, add 8 h for local time)\n Message: {}"
alert_text_args:
- host.hostname
- host.ip
- "@timestamp"
- message
```

Filter syntax reference: https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html
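To see what example 3 actually fires on before pointing it at live data, here is an added example (not ElastAlert's code and not part of the original page): a stand-alone Python replica of the frequency rule's filter, num_events and timeframe logic, plus the alert_subject / alert_text rendering from the *_args lists, run over a handful of constructed Filebeat-style events. Assumptions not taken from the page: the events are made up, the +8 h local time is the "UTC, add 8 h" note, the path token matching mimics an analysed text field, and the extra @timestamp_local line is something this script adds, not an ElastAlert option.

```python
"""Offline replica of the ssh_login_fail_alert frequency rule (example 3).

Added example, not ElastAlert's own code. Same parameters as the rule
(filter, num_events, timeframe) applied to constructed events, so the
firing behaviour can be checked without an Elasticsearch cluster.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=8))   # assumption: the page's "add 8 h"
MISSING = "<MISSING VALUE>"               # what ElastAlert prints for an absent arg

# Parameters from example 3. alert_text gets one extra "{}" for the local
# time, filled from the @timestamp_local key this script adds itself.
RULE = {
    "name": "ssh_login_fail_alert",
    "num_events": 3,
    "timeframe": timedelta(minutes=15),
    "path_token": "secure",               # log.file.path: secure
    "phrase": "Failed password",          # message: "Failed password"
    "alert_subject": "ELK Alert_Rule {0}",
    "alert_subject_args": ["name", "@timestamp"],
    "alert_text": ("Hello, abnormal SSH logins on the server, please log in and check!!!\n\n"
                   " Hostname: {}\n Host IP : {}\n ELK time : {} (UTC)\n"
                   " Local time: {}\n Message: {}"),
    "alert_text_args": ["host.hostname", "host.ip", "@timestamp",
                        "@timestamp_local", "message"],
}


def _ev(ts, path, message):
    """Constructed Filebeat-style event, flattened to dotted keys as ES returns them."""
    return {"@timestamp": ts, "host.hostname": "elk01", "host.ip": "192.168.120.121",
            "log.file.path": path, "message": message}


# Constructed sample: one stale failure, a burst of three inside 15 min, and noise.
EVENTS = [
    _ev("2020-10-20T08:00:00.000Z", "/var/log/secure",
        "Failed password for root from 10.0.0.9 port 4444 ssh2"),    # 61 min before the burst
    _ev("2020-10-20T09:01:00.000Z", "/var/log/secure",
        "Failed password for invalid user admin from 10.0.0.9 port 4445 ssh2"),
    _ev("2020-10-20T09:02:30.000Z", "/var/log/secure",
        "Accepted publickey for root from 192.168.120.130 port 5222 ssh2"),  # not a failure
    _ev("2020-10-20T09:03:00.000Z", "/var/log/messages",
        "Failed password for root from 10.0.0.9 port 4446 ssh2"),    # wrong file, filtered out
    _ev("2020-10-20T09:05:00.000Z", "/var/log/secure",
        "Failed password for root from 10.0.0.9 port 4447 ssh2"),
    _ev("2020-10-20T09:09:12.000Z", "/var/log/secure",
        "Failed password for root from 10.0.0.9 port 4448 ssh2"),    # third hit -> alert
    _ev("2020-10-20T09:10:00.000Z", "/var/log/secure",
        "Failed password for root from 10.0.0.9 port 4449 ssh2"),    # window reset, no alert
]


def parse_ts(value):
    """ES @timestamp (millisecond ISO-8601 with Z suffix) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def matches_filter(event, rule):
    """The rule's query_string: path token AND phrase, both case-insensitive.

    Splitting the path on "/" mimics an analysed text field (assumption).
    """
    path_tokens = [t.lower() for t in event.get("log.file.path", "").split("/") if t]
    return (rule["path_token"].lower() in path_tokens
            and rule["phrase"].lower() in event.get("message", "").lower())


def run_frequency_rule(events, rule):
    """Fire when num_events matching events fall inside timeframe.

    Sliding window over time-ordered matches; the window is cleared after
    firing so the same hits cannot fire twice. Returns the event that
    crossed the threshold, with num_hits added.
    """
    alerts, window = [], deque()
    hits = sorted((e for e in events if matches_filter(e, rule)),
                  key=lambda e: parse_ts(e["@timestamp"]))
    for event in hits:
        ts = parse_ts(event["@timestamp"])
        window.append((ts, event))
        while ts - window[0][0] > rule["timeframe"]:
            window.popleft()
        if len(window) >= rule["num_events"]:
            alerts.append(dict(event, num_hits=len(window)))
            window.clear()
    return alerts


def lookup(match, key):
    """Positional arg lookup; a missing field renders as <MISSING VALUE>."""
    return match.get(key, MISSING)


def render_alert(rule, match):
    """Fill alert_subject / alert_text from the *_args lists, as the rule files lay them out."""
    match = dict(match)
    match["name"] = rule["name"]  # `name` comes from the rule, not the event
    match["@timestamp_local"] = (parse_ts(match["@timestamp"]).astimezone(LOCAL_TZ)
                                 .strftime("%Y-%m-%d %H:%M:%S %z"))
    subject = rule["alert_subject"].format(*[lookup(match, k) for k in rule["alert_subject_args"]])
    body = rule["alert_text"].format(*[lookup(match, k) for k in rule["alert_text_args"]])
    return subject, body


if __name__ == "__main__":
    for hit in run_frequency_rule(EVENTS, RULE):
        subject, body = render_alert(RULE, hit)
        print("%s (%d hits)\n%s\n" % (subject, hit["num_hits"], body))
```

Running it prints exactly one alert, for the 09:09:12 event: the 08:00 failure falls out of the 15-minute window, the /var/log/messages line fails the path test, and the 09:10 failure lands in a freshly cleared window. Tighten num_events or timeframe here first, then copy the values into the rule file.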
9. Running ElastAlert

cd /root/elastalert

Test a rule against recent data without sending any alert:

elastalert-test-rule /root/elastalert/example_rules/frequency.yaml

Run a single rule:

python3 -m elastalert.elastalert --verbose --rule /root/elastalert/example_rules/frequency.yaml

Run every rule (config.yaml points rules_folder at example_rules):

python3 -m elastalert.elastalert
python3 -m elastalert.elastalert --verbose

10. Start as a service at boot

vi /etc/systemd/system/elastalert.service. Local units belong under /etc/systemd/system; the page's /lib/systemd/system file plus a symlink works, but the symlink step is unnecessary once the unit lives here. Ordering it after elasticsearch.service avoids a failed start at boot while the node is still coming up.

```
[Unit]
Description=elastalert
After=network.target elasticsearch.service

[Service]
Type=simple
WorkingDirectory=/root/elastalert
ExecStart=/usr/local/bin/elastalert
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

The unit runs as root from /root because that is where the clone and config.yaml live on this host. Outside the lab, run it as a dedicated unprivileged user (User= in the unit, and a home directory of its own for the checkout and config); the process only needs network access to Elasticsearch and the SMTP host.

Enable and start it:

systemctl daemon-reload
systemctl enable elastalert.service
systemctl start elastalert.service
systemctl status elastalert.service