CentOS-7-x86_64-DVD-2003
ELK = Elasticsearch + Logstash + Kibana
Basic Linux environment setup
Install with RPM: import the Elastic PGP signing key first, so yum can verify the packages (gpgcheck=1 below)
Command:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Repository file contents (/etc/yum.repos.d/elasticsearch.repo):
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1 # 1 = enabled
autorefresh=1
type=rpm-md
Install a Java JDK (Elasticsearch 7.x ships its own bundled JDK; Logstash 7.x needs Java 8 or 11. "yum install java jdk" is not a valid package name on CentOS 7.)
Command: yum install java-1.8.0-openjdk
Command: java -version
Install Elasticsearch
Command: yum install elasticsearch
Install Kibana
Command: yum install kibana
Install Logstash
Command: yum install logstash
Install Filebeat
Command: yum install filebeat
Self-signed certificates (a new CA is generated; --keep-ca-key keeps the CA private key in the zip so more certificates can be signed later; --in takes an instances file that the notes reference but do not show)
Command: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --keep-ca-key --pem --in /home/instance.yml --out /home/mycerts.zip
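An instances file for the certutil command above, added here as an example because the notes reference /home/instance.yml without showing it (this is not the original author's file). The instance names match the elastic.key/elastic.crt and kibana.key/kibana.crt filenames used in the Elasticsearch and Kibana configuration below; the IP is the host IP from those configs and the DNS name is an assumption.

```yaml
# /home/instance.yml (assumed contents)
# One entry per certificate to issue. certutil writes <name>/<name>.crt and
# <name>/<name>.key for each instance, plus ca/ca.crt and ca/ca.key, into mycerts.zip.
instances:
  - name: elastic
    ip:
      - 192.168.120.121        # network.host in elasticsearch.yml
    dns:
      - elk.example.local      # assumption: hostname clients will use
  - name: kibana
    ip:
      - 192.168.120.121        # server.host in kibana.yml
    dns:
      - elk.example.local
```

After unzipping mycerts.zip, copy elastic/elastic.crt, elastic/elastic.key and ca/ca.crt to /etc/elasticsearch/ElasticKey/ (owned by elasticsearch, keys mode 600) and kibana/kibana.crt, kibana/kibana.key and ca/ca.crt to /etc/kibana/KibanaKey/ (owned by kibana). Keep ca/ca.key off the servers that only need to verify certificates. Kibana's verificationMode: certificate below does not check the IP/DNS SAN, but curl and browsers do, so list every address the node is reached by.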
Configure Elasticsearch (default port 9200)
vi /etc/elasticsearch/elasticsearch.yml and add the settings below
discovery.type: single-node
# single host, no other nodes
network.host: 192.168.120.121
# host IP
xpack.license.self_generated.type: basic
# licence type
xpack.security.enabled: true
# with security enabled the web UI prompts for a username and password
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ElasticKey/elastic.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ElasticKey/elastic.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/ElasticKey/ca.crt
# key, certificate and CA come from the certutil zip; the files must be readable by the elasticsearch user and the key by nobody else
Generate passwords for the built-in users (at least six characters in interactive mode). Elasticsearch must already be running (see the systemctl commands below): the tool connects to the node over HTTPS, verifying it with the CA configured in elasticsearch.yml.
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto   (or: interactive, to choose the passwords yourself)
Sample output of auto mode; the passwords are printed only once, so record them before closing the terminal:
Changed password for user apm_system
PASSWORD apm_system = pJwX9JheGCmZbhxJwNKS
Changed password for user kibana_system
PASSWORD kibana_system = VrORTATcBwlYmSN9giFv
Changed password for user kibana
PASSWORD kibana = VrORTATcBwlYmSN9giFv
Changed password for user logstash_system
PASSWORD logstash_system = JcDyJcN0Is3pzCJ2RjYt
Changed password for user beats_system
PASSWORD beats_system = PRM2AMXPvjONzucWYOGQ
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = CXGV3KdnaMSATDUvVNH2
Changed password for user elastic
PASSWORD elastic = t2MkeMXiqsk2xfKhM42F
Enable the service at boot and start it now
systemctl enable elasticsearch
systemctl start elasticsearch
Check: query https://192.168.120.121:9200 with curl, passing the CA file with --cacert and the elastic credentials with -u; it should return the cluster JSON banner. Plain http:// now fails, and requests without credentials get 401.
Configure Kibana (default port 5601)
vi /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.120.121"
elasticsearch.hosts: ["https://192.168.120.121:9200"]
# must be https: Elasticsearch was configured with xpack.security.http.ssl.enabled: true
elasticsearch.username: "kibana_system"
elasticsearch.password: "VrORTATcBwlYmSN9giFv"
# use the built-in kibana_system user with the password printed by elasticsearch-setup-passwords, not the elastic superuser
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/KibanaKey/kibana.crt
server.ssl.key: /etc/kibana/KibanaKey/kibana.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/KibanaKey/ca.crt" ]
elasticsearch.ssl.verificationMode: certificate
# "certificate" verifies the chain against ca.crt but skips hostname/IP matching; switch to "full" once the certificate's SAN contains the address in elasticsearch.hosts
xpack.encryptedSavedObjects.encryptionKey: "12345678901234567890123456789012"
# placeholder only: replace with a random string of at least 32 characters (e.g. from openssl rand -hex 32) before use; this key protects stored secrets such as alert connector credentials
# server.ssl.* makes Kibana serve https://IP:5601 over TLS
Enable the service at boot and start it now
systemctl enable kibana
systemctl start kibana
Configure Logstash (Beats input, default port 5044)
vi /etc/logstash/logstash.yml
node.name: logstash.local
vi /etc/logstash/conf.d/logstash.conf (pipeline definition; the notes do not show its contents)
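A pipeline for /etc/logstash/conf.d/logstash.conf, added as an example since the notes leave the file empty (it is not the original author's pipeline). Assumptions: Filebeat ships to this host on 5044; ca.crt from the certutil zip was copied to /etc/logstash/ca.crt; writes use the elastic superuser with the password from the setup-passwords output above, because the built-in logstash_system user only has monitoring privileges (a dedicated writer role is the better choice). The index name is the important part: the ElastAlert rules below query filebeat*, and Logstash's default index name logstash-* would never match them.

```conf
# /etc/logstash/conf.d/logstash.conf (example, assumptions noted above)
input {
  beats {
    port => 5044
  }
}

filter {
  # Tag sshd authentication failures so they are easy to find in Kibana.
  if [log][file][path] == "/var/log/secure" and "Failed password" in [message] {
    mutate { add_tag => ["ssh_auth_failure"] }
  }
}

output {
  elasticsearch {
    hosts    => ["https://192.168.120.121:9200"]
    ssl      => true
    cacert   => "/etc/logstash/ca.crt"          # CA from the certutil zip (path assumed)
    user     => "elastic"                        # see note in the lead-in
    password => "t2MkeMXiqsk2xfKhM42F"           # from elasticsearch-setup-passwords above
    # Beats metadata gives filebeat-7.x.y-YYYY.MM.dd, which the index: filebeat* rules match.
    index    => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Validate the file with /usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/logstash.conf before starting the service.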
Enable the service at boot and start it now
systemctl enable logstash
systemctl start logstash
Configure Filebeat (ships to Logstash on port 5044)
vi /etc/filebeat/filebeat.yml
filebeat.inputs: (input list; the notes do not show its contents)
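A filebeat.yml matching the alert rules further down, added as an example (not the original author's file). The two files come from the rules' log.file.path filters; /var/log/secure is where CentOS 7 sshd logs "Failed password", while the RAID card log path is an assumption because the notes only show the filename raidcard.log. The add_host_metadata processor is what fills host.hostname and host.ip, which the rules' alert_text_args read.

```yaml
# /etc/filebeat/filebeat.yml (example)
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/secure            # sshd "Failed password" lines (Example 3)
  - type: log
    enabled: true
    paths:
      - /var/log/raidcard.log      # "Predictive failure" lines (Example 2); path assumed

# Adds host.hostname, host.ip and friends to every event.
processors:
  - add_host_metadata: ~

# Only one output may be enabled: comment out output.elasticsearch in the
# stock file and send everything to Logstash instead.
output.logstash:
  hosts: ["192.168.120.121:5044"]
```

Check the connection with filebeat test output before enabling the service.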
Enable the service at boot and start it now
systemctl enable filebeat
systemctl start filebeat
Install Python 3.6.8 and build dependencies (CentOS 7 base ships python3 as 3.6.8; python3-devel pulls it in)
yum install gcc libffi-devel
yum install python3-devel
yum install git
Either install the latest released version of ElastAlert with pip (use pip3 so it lands in the Python 3 environment):
pip3 install elastalert
or clone the ElastAlert repository for the most recent changes:
git clone https://github.com/Yelp/elastalert.git
cd elastalert
python3 setup.py install
The install ends with: Finished processing dependencies for elastalert==0.2.4
config.yaml
rules_folder: example_rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 192.168.120.121
es_port: 9200
# ssl auth: required here, because Elasticsearch was set up with TLS and xpack.security above #
use_ssl: True
verify_certs: True
ca_certs: /root/elastalert/ca.crt
# copy of ca.crt from the certutil zip (path assumed); without it verify_certs fails against the self-signed CA
es_username: elastic
es_password: xxxx
# replace xxxx with the elastic password from elasticsearch-setup-passwords
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 1
Creating rules
Field notes
index: index pattern to query; filebeat* matches every index whose name starts with filebeat
num_events: number of matching events needed to trigger the alert
timeframe: window within which those events must occur
alert_subject_args: fields substituted into the {0}, {1} placeholders of alert_subject (alert_text_args does the same for alert_text; a field missing from the event is rendered as <MISSING VALUE>)
filter: a Lucene query_string. Phrases must be in double quotes ("Failed password"); to the query parser a single quote is an ordinary character, so 'Failed password' becomes two loose terms. If the Filebeat index template is loaded, log.file.path is a keyword field holding the full path, and a bare raidcard.log only matches via a wildcard (*raidcard.log); with dynamic mapping the analysed text field matches as written.
Example 1 (basic test)
name: test01
type: frequency
index: filebeat*
num_events: 1
timeframe:
  hours: 24
filter:
- query:
    query_string:
      query: "message: XDSM_EVENT_USER_EXIT"
alert:
- "email"
email:
- "1703175@narlabs.org.tw"
smtp_host: "192.168.120.130"
alert_subject: "Rule_Name {0} occurred at {1}"
alert_subject_args:
- name
- "@timestamp"
Example 2 (match on file path and keyword)
name: dell_r730xd_disk_alert
type: frequency
index: filebeat*
num_events: 1
timeframe:
  hours: 24
filter:
- query:
    query_string:
      query: 'log.file.path: raidcard.log AND message: "Predictive failure"'
      # the phrase is in double quotes; the original 'Predictive failure' in single quotes was parsed as two separate terms
      #query: "message: failure"
alert:
- "email"
email:
#- "1703175@narlabs.org.tw"
- "stgp@mail.storage.nchc"
smtp_host: "192.168.120.130"
alert_subject: "ELK Alert_Rule {0}"
alert_subject_args:
- name
- "@timestamp"
alert_text_type: alert_text_only
alert_text: "
  Hello, the server reports a disk problem, please log in and check!!!\n
  Hostname: {}\n
  Host IP : {}\n
  Time : {}\n
  Message: {}"
alert_text_args:
- host.hostname
- host.ip
- "@timestamp"
- message
Example 3 (SSH password login failures)
name: ssh_login_fail_alert
type: frequency
index: filebeat*
num_events: 3
timeframe:
  minutes: 15
filter:
- query:
    query_string:
      query: 'log.file.path: secure AND message: "Failed password"'
      # phrase in double quotes, as in Example 2
      #query: 'message: "Predictive failure"'
alert:
- "email"
email:
#- "1703175@narlabs.org.tw"
- "stgp@mail.storage.nchc"
smtp_host: "192.168.120.130"
alert_subject: "ELK Alert_Rule {0}"
alert_subject_args:
- name
- "@timestamp"
alert_text_type: alert_text_only
alert_text: "
  Hello, abnormal SSH logins on the server, please log in and check!!!\n\n
  Hostname: {}\n
  Host IP : {}\n
  ELK time : {} (UTC; add 8 hours for local time)\n
  Message: {}"
alert_text_args:
- host.hostname
- host.ip
- "@timestamp"
- message
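To see what Example 3 actually does before pointing it at live data, the following is an offline re-implementation of the frequency rule type, added here as an example; it is not code from the notes or from ElastAlert. It applies the rule's filter (file path and phrase, approximated as substring matches on the two fields), counts hits in a sliding 15-minute window, fires at 3 hits and resets the window as ElastAlert's FrequencyRule does, then fills alert_subject and alert_text from the matched document the way ElastAlert does (arguments are looked up in the event, then in the rule, so "name" resolves to the rule name). The hostnames, IPs and log lines are constructed test data; the Taipei conversion shows the "+8 hours" from the alert_text.

```python
"""Offline simulation of the ElastAlert 'frequency' rule in Example 3 (added example)."""
from collections import deque
from datetime import datetime, timedelta, timezone

TAIPEI = timezone(timedelta(hours=8))  # @timestamp is UTC; local time is +8

# Transcription of Example 3. The query_string
# 'log.file.path: secure AND message: "Failed password"' is approximated by
# case-insensitive substring matches on those two fields.
RULE = {
    "name": "ssh_login_fail_alert",
    "num_events": 3,
    "timeframe": timedelta(minutes=15),
    "filter": [("log.file.path", "secure"), ("message", "Failed password")],
    "alert_subject": "ELK Alert_Rule {0}",
    "alert_subject_args": ["name", "@timestamp"],
    "alert_text": ("Hello, abnormal SSH logins on the server, please log in and check!!!\n\n"
                   "Hostname: {}\nHost IP : {}\nELK time : {} (UTC; add 8 hours)\nMessage: {}"),
    "alert_text_args": ["host.hostname", "host.ip", "@timestamp", "message"],
}


def _event(ts, path, message, hostname="stg01", ip="192.168.120.50"):
    """Constructed event shaped like a Filebeat 7.x document with add_host_metadata."""
    return {"@timestamp": ts, "host": {"hostname": hostname, "ip": [ip]},
            "log": {"file": {"path": path}}, "message": message}


# Constructed sample data: three failures in 8 minutes (alert), a success and a
# same-phrase line from another file (ignored), then three failures spread over
# 20 minutes (no alert, the first one ages out of the window).
SAMPLE_EVENTS = [
    _event("2020-06-01T02:00:00Z", "/var/log/secure", "sshd[1201]: Failed password for root from 10.0.0.9 port 50001 ssh2"),
    _event("2020-06-01T02:05:00Z", "/var/log/secure", "sshd[1202]: Failed password for invalid user admin from 10.0.0.9 port 50002 ssh2"),
    _event("2020-06-01T02:06:00Z", "/var/log/secure", "sshd[1203]: Accepted password for deploy from 192.168.120.10 port 40010 ssh2"),
    _event("2020-06-01T02:07:00Z", "/var/log/messages", "app[77]: Failed password check for API token"),
    _event("2020-06-01T02:08:00Z", "/var/log/secure", "sshd[1204]: Failed password for root from 10.0.0.9 port 50003 ssh2"),
    _event("2020-06-01T02:40:00Z", "/var/log/secure", "sshd[1210]: Failed password for root from 10.0.0.12 port 50100 ssh2"),
    _event("2020-06-01T02:50:00Z", "/var/log/secure", "sshd[1211]: Failed password for root from 10.0.0.12 port 50101 ssh2"),
    _event("2020-06-01T03:00:00Z", "/var/log/secure", "sshd[1212]: Failed password for root from 10.0.0.12 port 50102 ssh2"),
]


def lookup(event, dotted):
    """Resolve a dotted field name such as 'host.hostname' against a nested document."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_filter(event, clauses):
    """All clauses must match (the AND in the query_string)."""
    for field, phrase in clauses:
        value = lookup(event, field)
        if value is None or phrase.lower() not in str(value).lower():
            return False
    return True


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _fmt(value):
    if value is None:
        return "<MISSING VALUE>"  # ElastAlert's placeholder for absent fields
    if isinstance(value, list):   # host.ip is a list in ECS documents
        return ", ".join(str(v) for v in value)
    return str(value)


def render_alert(rule, event, num_hits):
    """Fill alert_subject (event first, then rule) and alert_text (event only)."""
    def subject_arg(name):
        value = lookup(event, name)
        return rule.get(name) if value is None else value
    subject = rule["alert_subject"].format(*[_fmt(subject_arg(a)) for a in rule["alert_subject_args"]])
    body = rule["alert_text"].format(*[_fmt(lookup(event, a)) for a in rule["alert_text_args"]])
    local = parse_ts(event["@timestamp"]).astimezone(TAIPEI).isoformat(sep=" ")
    return {"subject": subject, "body": body, "num_hits": num_hits, "local_time": local}


def run_frequency_rule(rule, events):
    """Sliding window over filtered hits; alert at num_events, then reset the window."""
    window = deque()
    alerts = []
    for event in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_filter(event, rule["filter"]):
            continue
        ts = parse_ts(event["@timestamp"])
        window.append(ts)
        while ts - window[0] > rule["timeframe"]:  # drop hits older than the timeframe
            window.popleft()
        if len(window) >= rule["num_events"]:
            alerts.append(render_alert(rule, event, len(window)))
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in run_frequency_rule(RULE, SAMPLE_EVENTS):
        print(alert["subject"], "| local time", alert["local_time"], "| hits", alert["num_hits"])
        print(alert["body"])
```

Running it prints exactly one alert, for the 02:08 event (10:08 Taipei time); the three failures at 02:40, 02:50 and 03:00 never have three hits inside one 15-minute window. Note that the rule counts across all hosts and source IPs; add query_key: source.ip (or host.hostname) to the rule if the count should be kept per attacker or per server.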
Filter syntax reference
https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html
Running ElastAlert
cd /root/elastalert
Before the first run, create the writeback index with elastalert-create-index (reads config.yaml in the current directory); ElastAlert refuses to start without it.
Test a rule (shows the query, the hit count and the alert it would send, without sending it)
elastalert-test-rule /root/elastalert/example_rules/frequency.yaml
Run a single rule
python3 -m elastalert.elastalert --verbose --rule /root/elastalert/example_rules/frequency.yaml
Run all rules (config.yaml points at the example_rules directory by default)
python3 -m elastalert.elastalert
python3 -m elastalert.elastalert --verbose
Run as a service at boot (the unit goes in /etc/systemd/system, so no symlink from /lib is needed)
vi /etc/systemd/system/elastalert.service
[Unit]
Description=elastalert
# After=multi-user.target ordered the unit after the very target that pulls it in, an ordering cycle; order after the network and the local Elasticsearch instead
After=network-online.target elasticsearch.service
Wants=network-online.target
[Service]
Type=simple
WorkingDirectory=/root/elastalert
ExecStart=/usr/local/bin/elastalert --config /root/elastalert/config.yaml
Restart=on-failure
[Install]
WantedBy=multi-user.target
Enable the service
systemctl daemon-reload
systemctl enable elastalert.service
systemctl start elastalert.service
systemctl status elastalert.service