背景

需要利用Suricata作为IDS来监控办公网出口流量,同时利用ELK(Elasticsearch+Logstash+Kibana)集群进行数据存储与展示。

准备工作:在办公网出口核心交换机上做端口流量镜像,将流量镜像端口连接到一台服务器上,以下的内容都是在这台服务器上开展的。

一、环境准备

基础环境更新:

yum update
yum upgrade

安装基础依赖:

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel

其他基础组件,后面遇到缺啥再装啥就可以了。

需要安装的软件:suricata、Luajit、Hyperscan、elasticsearch(集群)、elasticsearch-head、logstash、filebeat、kibana

其中elasticsearch、logstash、filebeat、kibana需要安装同一版本。

安装的目标机器:192.168.1.101(主)、192.168.1.102、192.168.1.103

注意点:出于性能考量,监控系统各组件安装方式都不建议使用Docker安装

二、suricata部署

部署目标机器:192.168.1.101

Suricata官网:https://suricata-ids.org/ Suricata和ELK流量检测:https://zhuanlan.zhihu.com/p/64742715

安装依赖:

yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel epel-release lz4-devel rustc cargo

编译并安装suricata:

wget https://www.openinfosecfoundation.org/download/suricata-6.0.2.tar.gz
tar -xvf suricata-6.0.2.tar.gz
cd suricata-6.0.2

# 注意,这里的默认参数尽量不要改,否则后面各种问题排查起来也是要命的
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip --enable-luajit --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/local/lib/ --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/ --enable-profiling

编译后的参数:

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.50.0 (Red Hat 1.50.0-1.el7)
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.50.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       yes
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS
  SECCFLAGS

执行安装:

make && make install

安装其他组件:

# 这里执行这一个就够了,它相当于安装:configuration、rules、provide
make install-full

修改配置文件:

vim /etc/suricata/suricata.yaml

# 修改的第一部分
# 修改相关参数,并把不用的注释掉

vars:
  address-groups:
    HOME_NET: "[10.10.11.0/24,172.16.10.0/24]"
    DNS_NET: "[10.10.10.100,10.10.10.101,10.10.10.102]"
#    HOME_NET: "[10.0.0.0/8]"
#    HOME_NET: "[172.16.0.0/12]"
#    HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
#    EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
#    SMTP_SERVERS: "$HOME_NET"
#    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$DNS_NET"
#    TELNET_SERVERS: "$HOME_NET"
#    AIM_SERVERS: "$EXTERNAL_NET"
#    DC_SERVERS: "$HOME_NET"
#    DNP3_SERVER: "$HOME_NET"
#    DNP3_CLIENT: "$HOME_NET"
#    MODBUS_CLIENT: "$HOME_NET"
#    MODBUS_SERVER: "$HOME_NET"
#    ENIP_CLIENT: "$HOME_NET"
#    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80,443"
#    SHELLCODE_PORTS: "!80"
#    ORACLE_PORTS: 1521
    SSH_PORTS: 22
#    DNP3_PORTS: 20000
#    MODBUS_PORTS: 502
#    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
#    GENEVE_PORTS: 6081
#    VXLAN_PORTS: 4789
#    TEREDO_PORTS: 3544
# 修改的第二部分
# 修改日志存储文件位置。因为home分区比较大,一般是几百GB,而root分区一般几十GB

default-log-dir: /home/suricata/log/suricata/
# 修改的第三部分
# 主要是修改部分参数配置

        - http:
            extended: yes     # enable this for extended logging information
            custom: [ accept, accept_charset, accept_datetime, accept_encoding, accept_language, accept_range, age,
              allow, authorization, cache_control, connection, content_encoding, content_language, content_length,
              content_location, content_md5, content_range, content_type, cookie, date, dnt, etag, expires, from,
              last_modified, link, location, max_forwards, org_src_ip, origin, pragma, proxy_authenticate,
              proxy_authorization, range, referrer, refresh, retry_after, server, set_cookie, te, trailer,
              transfer_encoding, true_client_ip, upgrade, vary, via, warning, www_authenticate, x_authenticated_user,
              x_bluecoat_via, x_flash_version, x_forwarded_proto, x_requested_with ]
            dump-all-headers: [both]

        - dns:
            enabled: yes
            version: 1
            requests: yes
            responses: yes

        - tls:
            extended: yes
            session-resumption: yes
            custom: [ subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after,
              certificate, chain, ja3 ]
# 修改第四部分
# 全局搜索,将网卡名称改为自己的网卡名称。我这里网卡名称是p2p1,因此将所有eth0/eth1/eth2……都改为p2p1

- interface: p2p1
# 修改第五部分
# 全局搜索,将所有完整校验关掉,不然的话会有非常多的误报,并且占空间

checksum-checks: no
# 修改第六部分
# 修改我们要使用的规则,把不使用的注释掉

default-rule-path: /var/lib/suricata/rules
# 需要把这个目录下的规则复制过去:/usr/share/suricata/rules

rule-files:
#  - suricata.rules
#  - app-layer-events.rules
#  - decoder-events.rules
#  - dhcp-events.rules
#  - dnp3-events.rules
  - dns-events.rules
  - files.rules
  - http-events.rules
#  - ipsec-events.rules
#  - kerberos-events.rules
#  - modbus-events.rules
#  - nfs-events.rules
#  - ntp-events.rules
#  - smb-events.rules
#  - smtp-events.rules
#  - stream-events.rules
  - tls-events.rules

更新规则集:

pip install --upgrade suricata-update
suricata-update

启动测试,若不报错即成功:

/usr/bin/suricata -T

正常启动:

/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i p2p1 --init-errors-fatal

也可以将其使用supervisord守护进程启动:

vim /etc/supervisord.d/suricata.conf

[program:suricata]
directory=/usr/bin
command=suricata -c /etc/suricata/suricata.yaml -i p2p1 --init-errors-fatal
autostart=true
autorestart=false
#stderr_logfile=/tmp/test_stderr.log
#stdout_logfile=/tmp/test_stdout.log
user=root

三、Luajit部署

部署目标机器:192.168.1.101

简介:

LuaJIT是采用C语言写的Lua代码的解释器,LuaJIT试图保留Lua的精髓–轻量级,高效和可扩展。

安装:

wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && make install

编辑配置文件:

vim /etc/ld.so.conf

# 添加如下路径,保存退出
/usr/local/lib

执行加载命令:

sudo ldconfig

四、Hyperscan部署

部署目标机器:192.168.1.101

简介:

Hyperscan是一个高性能的多重正则表达式匹配库。在Suricata中它可以用来执行多模式匹配。Hyperscan适用于部署在诸如DPI/IPS/IDS/FW等场景中,目前已经在全球多个客户网络安全方案中得到实际的应用。

使用 Hyperscan 作为 Suricata 的 MPM(多处理模块))匹配器(mpm-algo 设置)可以大大提高性能,尤其是在快速模式匹配方面。 Hyperscan 还在快速模式匹配时考虑深度和偏移量。

安装依赖:

yum install cmake ragel libtool python-devel GyeoIP-devel
yum install boost boost-devel boost-doc
yum install libquadmath libquadmath-devel bzip2-devel

安装:

wget http://downloads.sourceforge.net/project/boost/boost/1.66.0/boost_1_66_0.tar.gz
tar xvzf boost_1_66_0.tar.gz
cd boost_1_66_0/
./bootstrap.sh --prefix=/home/suricata/boost-1.66
./b2 install

// 不要退出目录
git clone https://github.com/intel/hyperscan.git
cd hyperscan
cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/suricata/boost-1.66
make
make install

编辑配置文件:

vim /etc/ld.so.conf

# 添加如下路径,保存退出
/usr/local/lib64

执行加载命令:

sudo ldconfig

文件结构如下:

德鲁伊监控页面打不开_lua

五、elasticsearch集群部署

部署目标机器:192.168.1.101、192.168.1.102、192.168.1.103

简介:

为什么ES集群至少要3个节点:
ELFK专栏:
ELK集群安装:

ElasticSearch简称ES,它是一个实时的分布式搜索和分析引擎,它可以用于全文搜索,结构化搜索以及分析。它是一个建立在全文搜索引擎 Apache Lucene 基础上的搜索引擎,使用 Java 语言编写。

基础配置,三台机器都一样:

vim /etc/security/limits.conf

# 这些数尽量不要省,不然启动失败还得改回来,麻烦
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096

vim /etc/sysctl.conf

vm.max_map_count=655360

安装Java,三台机器都一样:

tar zxf jdk-8u271-linux-x64.tar.gz
mv jdk1.8.0_271/ /usr/local/java

vim /etc/profile

export JAVA_HOME=/usr/local/java
export JRE_HOME=/usr/local/java/jre
export PATH=$PATH:/usr/local/java/bin
export CLASSPATH=./:/usr/local/java/lib:/usr/local/java/jre/lib
# 让环境变量生效
source !$
java -version

# 这里最好直接放在/bin下面,否则后面logstash报错非常难排查原因
which java
ln -s /usr/local/java/bin/* /bin

安装elasticsearch,三台机器都一样:

tar zxf elasticsearch-7.5.1.tar.gz
mv elasticsearch-7.5.1 /usr/local/elasticsearch

mkdir /usr/local/elasticsearch/data
chown -R admin:admin /usr/local/elasticsearch

192.168.1.101机器修改配置文件:

vim /usr/local/elasticsearch/config/elasticsearch.yml

cluster.name: ELK         # 集群名,同一个集群,集群名必须一致
node.name: es-1           # 集群节点,可任意取

transport.tcp.compress: true
path.data: /usr/local/elasticsearch/data         # 数据存放路径
path.logs: /usr/local/elasticsearch/logs         # 日志存放路径

network.host: 192.168.1.101           # 监听IP地址,
http.port: 9200
transport.tcp.port: 9300

discovery.seed_hosts: ["192.168.1.101", "192.168.1.102", "192.168.1.103"]
cluster.initial_master_nodes: ["192.168.1.101", "192.168.1.102", "192.168.1.103"]

network.publish_host: 192.168.1.101
node.master: true          # 允许成为主节点
node.data: true            # 允许成为数据节点

#xpack.security.enabled: true       # 建议关闭或不设置,若设置了有很多非常麻烦的事
http.cors.enabled: true
http.cors.allow-origin: "*"

indices.query.bool.max_clause_count: 8192
search.max_buckets: 100000

192.168.1.102机器修改配置文件:

vim /usr/local/elasticsearch/config/elasticsearch.yml

cluster.name: ELK         # 集群名,同一个集群,集群名必须一致
node.name: es-2           # 集群节点,可任意取

transport.tcp.compress: true
path.data: /usr/local/elasticsearch/data         # 数据存放路径
path.logs: /usr/local/elasticsearch/logs         # 日志存放路径

network.host: 192.168.1.102           # 监听IP地址,
http.port: 9200
transport.tcp.port: 9300

discovery.seed_hosts: ["192.168.1.101", "192.168.1.102", "192.168.1.103"]
cluster.initial_master_nodes: ["192.168.1.101", "192.168.1.102", "192.168.1.103"]

network.publish_host: 192.168.1.102
node.master: true          # 允许成为主节点
node.data: true            # 允许成为数据节点

#xpack.security.enabled: true       # 建议关闭或不设置,若设置了有很多非常麻烦的事
http.cors.enabled: true
http.cors.allow-origin: "*"

indices.query.bool.max_clause_count: 8192
search.max_buckets: 100000

192.168.1.103机器修改配置文件:

vim /usr/local/elasticsearch/config/elasticsearch.yml

cluster.name: ELK         # 集群名,同一个集群,集群名必须一致
node.name: es-3           # 集群节点,可任意取

transport.tcp.compress: true
path.data: /usr/local/elasticsearch/data         # 数据存放路径
path.logs: /usr/local/elasticsearch/logs         # 日志存放路径

network.host: 192.168.1.103           # 监听IP地址,
http.port: 9200
transport.tcp.port: 9300

discovery.seed_hosts: ["192.168.1.101", "192.168.1.102", "192.168.1.103"]
cluster.initial_master_nodes: ["192.168.1.101", "192.168.1.102", "192.168.1.103"]

network.publish_host: 192.168.1.103
node.master: true          # 允许成为主节点
node.data: true            # 允许成为数据节点

#xpack.security.enabled: true       # 建议关闭或不设置,若设置了有很多非常麻烦的事
http.cors.enabled: true
http.cors.allow-origin: "*"

indices.query.bool.max_clause_count: 8192
search.max_buckets: 100000

尽量将所有机器设置为允许成为主节点和数据节点,除非机器负载很高。

修改日志,三台机器都一样:

vim //usr/local/elasticsearch/config/log4j2.properties

appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
# 只存储7天的日志
appender.rolling.strategy.action.condition.nested_condition.age = 7D

启动elasticsearch集群,三台机器都一样:

cd  /usr/local/elasticsearch/bin
# 后台启动
./elasticsearch -d
# 非后台启动,主要用于调试
./elasticsearch

查看集群健康状态:

# curl '192.168.1.101:9200/_cluster/health?pretty'
# curl '192.168.1.102:9200/_cluster/health?pretty'
# curl '192.168.1.103:9200/_cluster/health?pretty' 

{
  "cluster_name" : "ELK",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

在root下执行以下命令,三台机器都一样,否则在运行一段时间后就会出错:

// 自行换IP
curl -XPUT -H 'Content-Type: application/json' http://192.168.1.101:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'

六、elasticsearch-head部署

部署目标机器:192.168.1.101

用它来看ES状态非常直观,除此外感觉这个没啥卵用,可以不安装。

nodejs安装:

因为head插件是用node.js开发的,所以需要此环境。

tar -Jxf node-v14.15.4-linux-x64.tar.xz
mv node-v14.15.4-linux-x64/ /usr/local/node

vim /etc/profile

export NODE_HOME=/usr/local/node
export PATH=$NODE_HOME/bin:$PATH
export NODE_PATH=$NODE_HOME/lib/node_modules:$PATH
source !$
node -v

head插件安装:

wget  https://github.com/mobz/elasticsearch-head/archive/master.zip
unzip master.zip
mv elasticsearch-head-master/ /usr/local/elasticsearch-head
cd /usr/local/elasticsearch-head

npm install -g cnpm --registry=https://registry.npm.taobao.org
cnpm install -g grunt-cli
cnpm install -g grunt
cnpm install grunt-contrib-clean
cnpm install grunt-contrib-concat
cnpm install grunt-contrib-watch
cnpm install grunt-contrib-connect
cnpm install grunt-contrib-copy
cnpm install grunt-contrib-jasmine				#若报错就再执行一遍

vim /usr/local/elasticsearch-head/Gruntfile.js

connect: {
        server: {
                options: {
                        hostname: '0.0.0.0',     # 新增这一行即可,不要忘了后面的逗号
                        port: 9100,
                        base: '.',
                        keepalive: true
                }
        }
}

后台启动

cd /usr/local/elasticsearch-head
nohup grunt server &
eval "cd /usr/local/elasticsearch-head/ ; nohup  npm run start >/dev/null 2>&1 & "

最终web页面:http://192.168.1.101:9100/

德鲁伊监控页面打不开_德鲁伊监控页面打不开_02

七、logstash部署

部署目标机器:192.168.1.101

logstash安装:
logstash出现的问题:
synesis_lite_suricata项目:https://github.com/orright/synesis_lite_suricata

简介:

Logstash是一个具有实时传输能力的数据收集引擎,用来进行数据收集(如:读取文本文件)、解析、过滤,并将数据发送给ES。

由于需要加入数据模板,最好使用yum部署安装

yum安装部署logstash:

vim /etc/yum.repos.d/logstash.repo

[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

安装密钥,否则无法下载

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
yum install logstash-7.5.1

安装x-pack:

./logstash-plugin install x-pack

修改配置文件:

vim /etc/logstash/jvm.options

-Xms4g
-Xmx4g

vim /etc/logstash/log4j2.properties

appender.rolling.strategy.action.type = Delete
appender.rolling.strategy.action.basepath = ${sys:ls.logs}
appender.rolling.strategy.action.condition.type = IfFileName
appender.rolling.strategy.action.condition.glob = ${sys:ls.logs}/logstash-${sys:ls.log.format}
appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
appender.rolling.strategy.action.condition.nested_condition.age = 7D

vim /etc/logstash/logstash.yml

http.host: "172.16.10.248"
http.port: 9600
path.data: /usr/share/logstash/data2
path.logs: /usr/share/logstash/logs
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: [ "172.16.10.248:9200","10.10.11.33:9200","192.168.150.134:9200" ]

vim /etc/logstash/pipelines.yml
这一步由于使用了synesis_lite_suricata模板的配置文件,因此比较消耗性能,会影响到数据的实时性。如果对数据实时性要求较高,这里的目录可以定向到自己的配置文件。

- pipeline.id: synlite_suricata
  path.config: "/etc/logstash/synlite_suricata/conf.d/*.conf"

# 如果是自己的配置文件,例如:

- pipeline.id: synlite_suricata
  path.config: "/etc/logstash/logstash.conf"

导入数据模板synesis_lite_suricata:

项目主页:https://github.com/orright/synesis_lite_suricata

在实践中,这一步千万不要执行,否则报错,而且无法排查原因,博主就因为这个失去了一个周末假期

cd /usr/share/logstash
./logstash-plugin update logstash-filter-dns

将synesis_lite_suricata下的synlite_suricata移动到logstash的配置目录下

mv synesis_lite_suricata/logstash/synlite_suricata /etc/logstash

此时的目录结构(logstash.conf和logstash.conf没用,是我用来测试的。当然,如果要使用自定义配置文件的话,它就有用了):

德鲁伊监控页面打不开_德鲁伊监控页面打不开_03

vim logstash.service.d/synlite_suricata.conf

[Service]
# Synesis Lite for Suricata global configuration
Environment="SYNLITE_SURICATA_DICT_PATH=/etc/logstash/synlite_suricata/dictionaries"
Environment="SYNLITE_SURICATA_TEMPLATE_PATH=/etc/logstash/synlite_suricata/templates"
Environment="SYNLITE_SURICATA_GEOIP_DB_PATH=/etc/logstash/synlite_suricata/geoipdbs"
Environment="SYNLITE_SURICATA_GEOIP_CACHE_SIZE=8192"
Environment="SYNLITE_SURICATA_GEOIP_LOOKUP=true"
Environment="SYNLITE_SURICATA_ASN_LOOKUP=true"
Environment="SYNLITE_SURICATA_CLEANUP_SIGS=false"

# Name resolution option
Environment="SYNLITE_SURICATA_RESOLVE_IP2HOST=false"
Environment="SYNLITE_SURICATA_NAMESERVER=127.0.0.1"
Environment="SYNLITE_SURICATA_DNS_HIT_CACHE_SIZE=25000"
Environment="SYNLITE_SURICATA_DNS_HIT_CACHE_TTL=900"
Environment="SYNLITE_SURICATA_DNS_FAILED_CACHE_SIZE=75000"
Environment="SYNLITE_SURICATA_DNS_FAILED_CACHE_TTL=3600"

# Elasticsearch connection settings
Environment="SYNLITE_SURICATA_ES_HOST=[192.168.1.101:9200, 192.168.1.102:9200, 192.168.1.103:9200]"
# 如果是开源的ES,这里的用户名和密码都不用管,它会自动忽略
Environment="SYNLITE_SURICATA_ES_USER=elastic"
Environment="SYNLITE_SURICATA_ES_PASSWD=changeme"

# Beats input
Environment="SYNLITE_SURICATA_BEATS_HOST=172.16.10.248"
Environment="SYNLITE_SURICATA_BEATS_PORT=5044"

移动synlite_suricata.conf

mv logstash.service.d/synlite_suricata.conf /etc/systemd/system/logstash.service.d/synlite_suricata.conf
# 使配置生效
systemctl daemon-reload
# 启动logstash
systemctl start logstash

验证配置文件,这里就是我测试配置文件用的:

./logstash --path.settings /etc/logstash/ -f /etc/logstash/logstash.conf --config.test_and_exit

八、filebeat安装

部署目标机器:192.168.1.101

下载及安装:

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.5.1-linux-x86_64.tar.gz
tar -zxvf filebeat-7.5.1-linux-x86_64.tar.gz
mv filebeat-7.5.1-linux-x86_64 filebeat
cd filebeat

修改配置文件:

vim filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  # 必须和/etc/suricata/suricata.yaml力的日志配置路径一致
  paths:
    - /home/suricata/log/suricata/eve.json

  fields:
    event.type: suricata

  json.keys_under_root: true
  json.overwrite_keys: true    

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: ["192.168.1.101:5601"]

output.logstash:
  hosts: ["192.168.1.101:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

运行:

./filebeat -c ./filebeat.yml

也可以将其使用supervisord守护进程启动:

vim /etc/supervisord.d/filebeat.conf

[program:filebeat]
directory=/home/suricata/filebeat
command=/home/suricata/filebeat/filebeat -e -c /home/suricata/filebeat/filebeat.yml
autostart=true
autorestart=false
stderr_logfile=/tmp/test_stderr.log
stdout_logfile=/tmp/test_stdout.log
user=root

九、kibana部署

部署目标机器:192.168.1.101

Kibana为 Elasticsearch 提供了分析和可视化的 Web 平台。它可以在 Elasticsearch 的索引中查找,交互数据,并生成各种维度表格、图形。

yum安装部署kibana:

vim /etc/yum.repos.d/kibana.repo

[kibana-7.x]
name=Kibana repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

安装密钥,否则无法下载

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
yum install kibana-7.5.1

修改配置文件:

vi /etc/kibana/kibana.yml

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.1.101:9200","http://192.168.1.101:9200","http://192.168.1.101:9200"]

logging.dest: /usr/share/kibana/logs/kibana.log
kibana.index: ".kibana"
i18n.locale: "zh-CN"

启动kibana:

systemctl start kibana

最终web页面:http://192.168.1.101:5601/

添加模板文件:/kibana/synlite_suricata.kibana.7.1.x.json

添加位置:

德鲁伊监控页面打不开_elk_04

创建索引:

要创建至少两个索引:suricata-*suricata_stats-*

德鲁伊监控页面打不开_elk_05

数据展示

德鲁伊监控页面打不开_vim_06

垃圾数据删除

suricata在内网跑起来后,短短时间就会有大量告警。所以我们得对规则进行优化,某些我们不关心的规则可以禁用掉。禁用掉相关规则后,不会再生成对应的告警。但是ES中已存在的该规则告警该怎么删除呢?我们可以在kibana中直接删除:使用kibana面板中的Dev Tools。

德鲁伊监控页面打不开_lua_07

告警量不大的删除方式:

POST logstash-suricata_log-*/_delete_by_query
{
  "query": {
    "match": {
      "alert.signature": "SURICATA STREAM 3way handshake wrong seq wrong ack"
    }
  }
}

若告警量大,则会报超时错误,此时的删除方式:

POST logstash-suricata_log-*/_delete_by_query?wait_for_completion=false
{
  "query": {
    "match": {
      "alert.signature": "SURICATA STREAM bad window update"
    }
  }
}

上述步骤若成功会返回一个task,检查清空操作是否完成:

GET _tasks/NQtjLxAaTiig6ZDZ3nK-cw:126846320

若删除完成,则会提示"completed": true

删除ES中的索引数据

这个就很简单了,如下面这样

德鲁伊监控页面打不开_vim_08