CentOS-7-x86_64-DVD-2003
ELK = Elasticsearch + Logstash + Kibana
Basic Linux environment setup
Install via RPM: import the PGP key
Command:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Repo file contents:
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
# 1 = enabled (comment kept on its own line; yum does not strip inline # comments)
enabled=1
autorefresh=1
type=rpm-md
Install the Java JDK
Command: yum install java jdk
Command: java -version
Install Elasticsearch
Command: yum install elasticsearch
Install Kibana
Command: yum install kibana
Install Logstash
Command: yum install logstash
Install Filebeat
Command: yum install filebeat
Self-signed certificates
Command: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --keep-ca-key --pem --in /home/instance.yml --out /home/mycerts.zip
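Contents of an instances file for the elasticsearch-certutil command above, as an added example (it is not from the original notes): the instance names match the elastic.key/elastic.crt and kibana.crt/kibana.key files the configuration below refers to, the IP is the host address used throughout these notes, and the DNS names are assumptions.

```yaml
# /home/instance.yml (added example; the dns names are assumptions)
# One certificate per instance. With --pem the output zip contains
# elastic/elastic.crt, elastic/elastic.key, kibana/kibana.crt, kibana/kibana.key
# and ca/ca.crt (plus ca/ca.key because of --keep-ca-key).
instances:
  - name: elastic
    ip:
      - 192.168.120.121        # the address in network.host; listed in the SAN so clients that check the host name accept it
    dns:
      - elastic.local          # assumed host name
  - name: kibana
    ip:
      - 192.168.120.121
    dns:
      - kibana.local           # assumed host name
```

Kibana's elasticsearch.ssl.verificationMode: certificate (set below) checks the CA chain but not the host name, so a SAN mismatch does not break Kibana's connection to Elasticsearch; browsers visiting https://IP:5601, however, will only trust the Kibana certificate if the IP or name they use is in its SAN and the ca.crt is imported.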
Configure Elasticsearch (default port 9200)
vi /etc/elasticsearch/elasticsearch.yml and add the settings below
discovery.type: single-node
# single host, no additional nodes
network.host: 192.168.120.121
# host IP
xpack.license.self_generated.type: basic
# license type
xpack.security.enabled: true
# enabling security makes the web UI ask for a user name and password
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ElasticKey/elastic.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ElasticKey/elastic.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/ElasticKey/ca.crt
Generate the built-in user passwords (a password must be at least six characters)
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords (auto/interactive)
Changed password for user apm_system
PASSWORD apm_system = pJwX9JheGCmZbhxJwNKS
Changed password for user kibana_system
PASSWORD kibana_system = VrORTATcBwlYmSN9giFv
Changed password for user kibana
PASSWORD kibana = VrORTATcBwlYmSN9giFv
Changed password for user logstash_system
PASSWORD logstash_system = JcDyJcN0Is3pzCJ2RjYt
Changed password for user beats_system
PASSWORD beats_system = PRM2AMXPvjONzucWYOGQ
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = CXGV3KdnaMSATDUvVNH2
Changed password for user elastic
PASSWORD elastic = t2MkeMXiqsk2xfKhM42F
Enable the service at boot and start it now
systemctl enable elasticsearch
systemctl start elasticsearch
Configure Kibana (default port 5601)
vi /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.120.121"
elasticsearch.hosts: ["https://192.168.120.121:9200"]
# Elasticsearch above has xpack.security.http.ssl.enabled: true, so the scheme must be https
elasticsearch.username: "elastic"
elasticsearch.password: "elastic"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/KibanaKey/kibana.crt
server.ssl.key: /etc/kibana/KibanaKey/kibana.key
# so that Kibana at https://IP:5601 can be reached over an encrypted connection
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/KibanaKey/ca.crt" ]
elasticsearch.ssl.verificationMode: certificate
xpack.encryptedSavedObjects.encryptionKey: "12345678901234567890123456789012"
# must be at least 32 characters; the value here is a placeholder, use a random string in production
Enable the service at boot and start it now
systemctl enable kibana
systemctl start kibana
Configure Logstash (default port 5044)
vi /etc/logstash/logstash.yml
node.name: logstash.local
vi /etc/logstash/conf.d/logstash.conf
Enable the service at boot and start it now
systemctl enable logstash
systemctl start logstash
Configure Filebeat (default port 5044)
vi /etc/filebeat/filebeat.yml
filebeat.inputs:
Enable the service at boot and start it now
systemctl enable filebeat
systemctl start filebeat
Install Python 3.6.8
yum install gcc libffi-devel
yum install python3-devel
yum install git
You can either install the latest released version of ElastAlert using pip:
pip install elastalert
or you can clone the ElastAlert repository for the most recent changes:
git clone https://github.com/Yelp/elastalert.git
cd elastalert
python3 setup.py install
The output ends with: Finished processing dependencies for elastalert==0.2.4
config.yaml
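An ElastAlert config.yaml that connects to the Elasticsearch instance configured above (TLS plus basic authentication), as an added example rather than the notes' own file; the intervals, the reuse of the CA file path from the certificate step, the writeback index name and the password placeholder are assumptions.

```yaml
# /root/elastalert/config.yaml (added example; intervals, paths and credentials are assumptions)
rules_folder: example_rules           # the notes run rules from the example_rules directory
run_every:
  minutes: 1                          # how often ElastAlert queries Elasticsearch
buffer_time:
  minutes: 15                         # how far back each query looks
es_host: 192.168.120.121              # the Elasticsearch host configured above
es_port: 9200
use_ssl: True                         # Elasticsearch has xpack.security.http.ssl.enabled: true
verify_certs: True                    # refuse a server whose certificate does not chain to our CA
ca_certs: /etc/elasticsearch/ElasticKey/ca.crt   # the CA produced by elasticsearch-certutil (the ElastAlert user needs read access)
es_username: elastic
es_password: CHANGE_ME                # placeholder: the value printed by elasticsearch-setup-passwords
writeback_index: elastalert_status    # ElastAlert's own metadata index; create it once with elastalert-create-index
alert_time_limit:
  days: 2                             # retry failed alerts for up to two days
```

Leaving verify_certs at its default or setting it to False would make the alerting connection accept any certificate, which defeats the point of issuing the CA in the certificate step.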
Create rules
Description
index: the index to match; here, indices whose names start with filebeat
num_events: number of occurrences
timeframe: the window within which they must occur
alert_subject_args: variables substituted into alert_subject
Example 1 (basic test)
Example 2 (match a file path and a keyword)
Example 3 (SSH password login failures)
Filter rule reference
https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html
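A frequency rule covering Examples 2 and 3 together (a file path plus a keyword, applied to SSH password failures), as an added example and not one of the notes' own rule files; the file name, the thresholds, the Filebeat ECS field names (log.file.path, host.name) and the mail address are assumptions.

```yaml
# /root/elastalert/example_rules/ssh_failed_logins.yaml (added example; thresholds, fields and address are assumptions)
name: SSH password authentication failures
type: frequency                   # fire when num_events matching documents occur within timeframe
index: filebeat-*                 # indices whose names start with filebeat
num_events: 5
timeframe:
  minutes: 10
query_key: host.name              # count per host, so one noisy host does not mask another
realert:
  minutes: 30                     # suppress repeat alerts for the same host for 30 minutes
filter:
- term:
    log.file.path: "/var/log/secure"      # Example 2: restrict to one file (field is keyword in the Filebeat template)
- query:
    query_string:
      query: 'message: "Failed password"' # Example 3: the sshd message for a rejected password
alert_subject: "SSH password failures on {0}"
alert_subject_args:
- host.name                        # substituted for {0}; Filebeat always sets host.name
alert:
- email
email:
- "soc@example.com"                # assumed recipient
smtp_host: localhost               # assumed local MTA
```

Test it with elastalert-test-rule before enabling it, as described under "How to run" below; if the fields in your Filebeat index differ (for example when the system module is used instead of a plain log input), adjust the filter to the field names that index actually contains.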
How to run
cd /root/elastalert
Test a rule
elastalert-test-rule /root/elastalert/example_rules/frequency.yaml
Run a single rule
python3 -m elastalert.elastalert --verbose --rule /root/elastalert/example_rules/frequency.yaml
Run all rules (the config file defaults to the example_rules directory)
python3 -m elastalert.elastalert
python3 -m elastalert.elastalert --verbose
Set the service to start at boot
vi /lib/systemd/system/elastalert.service
Enable the service
ln -s /lib/systemd/system/elastalert.service /etc/systemd/system/elastalert.service
systemctl daemon-reload
systemctl enable elastalert.service
systemctl start elastalert.service
systemctl status elastalert.service