###### tags: `Wazuh` `ELK`

# Connecting sources to monitoring in ELK

```
apt install logstash
systemctl enable logstash.service
```

Configure Logstash. Pipeline files live in `/etc/logstash/conf.d/`:

```
cd /etc/logstash/conf.d/
nano input.conf
```

```
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "nginx-%{+YYYY.MM.dd}"
  }
  #stdout { codec => rubydebug }
}
```

> All events are passed to Elasticsearch under the specified index, with a date mask in the index name.

`nano filter.conf`

```
filter {
  if [type] == "nginx_access" {
    grok {
      match => { "message" => "%{IPORHOST:remote_ip} - %{DATA:user} \[%{HTTPDATE:access_time}\] \"%{WORD:http_method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\"" }
    }
    # The grok pattern stores the request time in "access_time", so the date
    # filter must read that field; otherwise @timestamp stays at ingest time.
    date {
      match => [ "access_time" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    }
    # Only access-log events carry remote_ip, so geoip is kept inside the
    # conditional and error-log events are not tagged with a lookup failure.
    geoip {
      source => "remote_ip"
      target => "geoip"
      add_tag => [ "nginx-geoip" ]
    }
  }
}
```

Filebeat: `apt install filebeat`

> `nano /etc/filebeat/filebeat.yml`

```
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/*-access.log
    fields:
      type: nginx_access
    fields_under_root: true
    scan_frequency: 5s
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/*-error.log
    fields:
      type: nginx_error
    fields_under_root: true
    scan_frequency: 5s

# "ip ELK" is a placeholder for the address of the ELK host
output.logstash:
  hosts: ["ip ELK:5044"]

xpack.monitoring:
  enabled: true
  elasticsearch:
    hosts: ["ip ELK:9200"]
```

```
systemctl start filebeat
systemctl enable filebeat
```

Winlogbeat:

> Download it on the Windows machine: https://www.elastic.co/downloads/beats/winlogbeat

Go to the folder with the downloaded files and run PowerShell as Administrator:

```
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
```

In `winlogbeat.yml`, specify where to send the events:

```
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

tags: ["winsrv"]

# "ip ELK" is a placeholder for the address of the ELK host
output.logstash:
  hosts: ["ip ELK:5044"]

logging.level: info
logging.to_files: true
logging.files:
  path: C:/ProgramData/Elastic/Beats/winlogbeat
  name: winlogbeat.log
  keepfiles: 7

xpack.monitoring:
  enabled: true
  elasticsearch:
    hosts: ["ip ELK:9200"]
```

Check the configuration in PowerShell:

`PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e`

Start the service:

`PS C:\Program Files\Winlogbeat> Start-Service winlogbeat`

# Wazuh

**Linux:**

```
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
# WAZUH_MANAGER is a placeholder for the address of the Wazuh server
WAZUH_MANAGER="WAZUH SERVER IP" apt-get install wazuh-agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
# Disable the repository and pin the package so the agent is not upgraded by accident
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
apt-get update
echo "wazuh-agent hold" | dpkg --set-selections
```

**Windows:**

Download the installer on the Windows machine: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.5-1.msi

Install it, then go to `C:\Program Files (x86)\ossec-agent`.

Edit `C:\Program Files (x86)\ossec-agent\ossec.conf`:

```
<client>
  <server>
    <!-- replace the placeholder with the address of the Wazuh server -->
    <address>WAZUH SERVER IP</address>
    ...
  </server>
</client>
```

Start the service from cmd (Administrator): **net start wazuh**
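The following is an added example, not part of the original note: a small Python model of the `filter.conf` logic above, run over constructed Filebeat-style events of both `type: nginx_access` and `type: nginx_error`. It uses a regex equivalent to the grok pattern (same capture names), applies the date filter to the `access_time` field the grok produces, and derives the daily index name from `@timestamp` the way `nginx-%{+YYYY.MM.dd}` does. Tag names `_grokparsefailure` and `_dateparsefailure` are Logstash's own; `logstash_filter`, `index_name`, `run_pipeline` and the sample log lines are my own.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of the grok pattern in filter.conf; capture names match the
# grok field names so the keys below are the ones the real pipeline produces.
NGINX_ACCESS_RE = re.compile(
    r'^(?P<remote_ip>\S+) - (?P<user>\S+) \[(?P<access_time>[^\]]+)\] '
    r'"(?P<http_method>[A-Z]+) (?P<url>.*?) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<response_code>\d{3}) (?P<body_sent_bytes>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Java date pattern "dd/MMM/YYYY:HH:mm:ss Z" from the date filter, in strptime form.
HTTPDATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed events, shaped like what Filebeat sends with fields_under_root: true.
SAMPLE_EVENTS = [
    {"type": "nginx_access",
     "message": '203.0.113.7 - - [12/Mar/2024:08:15:42 +0300] '
                '"GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'},
    {"type": "nginx_error",
     "message": '2024/03/12 08:15:43 [error] 1234#1234: *5 open() '
                '"/var/www/html/x" failed (2: No such file or directory)'},
    {"type": "nginx_access", "message": "not an access log line"},
]


def logstash_filter(event):
    """Apply the filter.conf logic to one event and return the enriched copy."""
    event = dict(event)
    if event.get("type") != "nginx_access":
        return event  # the conditional skips nginx_error and anything else

    m = NGINX_ACCESS_RE.match(event.get("message", ""))
    if m is None:
        # Logstash tags events whose grok pattern did not match
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update(m.groupdict())

    # date { match => [ "access_time", "dd/MMM/YYYY:HH:mm:ss Z" ] }
    try:
        ts = datetime.strptime(event["access_time"], HTTPDATE_FMT)
        event["@timestamp"] = ts.astimezone(timezone.utc).isoformat()
    except ValueError:
        event.setdefault("tags", []).append("_dateparsefailure")
    return event


def index_name(event, now=None):
    """Index name for nginx-%{+YYYY.MM.dd}: based on @timestamp, else ingest time."""
    if "@timestamp" in event:
        ts = datetime.fromisoformat(event["@timestamp"])
    else:
        ts = now or datetime.now(timezone.utc)
    return f"nginx-{ts:%Y.%m.%d}"


def run_pipeline(events):
    return [logstash_filter(e) for e in events]


if __name__ == "__main__":
    for out in run_pipeline(SAMPLE_EVENTS):
        print(index_name(out), out.get("tags"), out.get("remote_ip"), out.get("@timestamp"))
```

The second sample shows why the date and geoip filters belong inside the conditional: an error-log event never gains `remote_ip` or `access_time`, so applying them to it can only produce failure tags. The third sample shows the `_grokparsefailure` tag a practitioner should watch for when the nginx `log_format` differs from the combined format the pattern expects.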
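An added example (my own code, not part of the note or of Wazuh) for the `ossec.conf` step above: a Python helper that sets `<client><server><address>` with the standard-library XML parser and refuses to write the untouched placeholder, so an agent is not started pointing at a non-address. The `OSSEC_CONF_TEMPLATE` fragment is constructed for this example, with the same placeholder text the note leaves in place; `is_valid_manager_address`, `set_manager_address` and `manager_addresses` are my names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment of an agent ossec.conf, reduced to the <client> section
# the note edits. "WAZUH SERVER IP" is the placeholder left by the note.
OSSEC_CONF_TEMPLATE = """<ossec_config>
  <client>
    <server>
      <address>WAZUH SERVER IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
"""


def is_valid_manager_address(value):
    """Accept an IP literal or a plausible hostname; reject placeholders."""
    value = (value or "").strip()
    if not value or " " in value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # Hostname: dot-separated labels of letters, digits and hyphens only
    labels = value.split(".")
    return all(label and all(c.isalnum() or c == "-" for c in label)
               for label in labels)


def manager_addresses(conf_xml):
    """List every <client><server><address> value in the config."""
    root = ET.fromstring(conf_xml)
    return [a.text or "" for a in root.findall("./client/server/address")]


def set_manager_address(conf_xml, address):
    """Return conf_xml with every <client><server><address> set to `address`."""
    if not is_valid_manager_address(address):
        raise ValueError(f"not a usable manager address: {address!r}")
    root = ET.fromstring(conf_xml)
    servers = root.findall("./client/server")
    if not servers:
        raise ValueError("no <client><server> block found")
    for server in servers:
        addr = server.find("address")
        if addr is None:
            addr = ET.SubElement(server, "address")
        addr.text = address
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(set_manager_address(OSSEC_CONF_TEMPLATE, "192.0.2.10"))
```

Run the helper against the real file only after backing it up; the check is the point, since a placeholder or a value with spaces left in `<address>` is the usual reason a freshly installed agent never shows up on the manager.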