ELK SIEM Open Distro: ELK Stack - installation and configuration.
This chapter describes the installation and configuration of the ELK stack. It could be skipped without translation, but the thread that links the original chapters would then be lost.
Index of all posts.
1 - Installing and configuring the ELK STACK
1.1 - Introduction to ELK
A - What is ELK?
1.2 - Installing ELK
In our project we started by setting up ELK Stack Basic (7.6.1), following the official guide provided by elastic.co:
https://www.elastic.co/guide/zh-CN/elastic-stack/current/installing-elastic-stack.html
1.3 - ELK configuration
In this section we give the configuration we made for the ELK stack.
A - Elasticsearch configuration
All settings are made in the elasticsearch.yml file, located at /etc/elasticsearch/elasticsearch.yml.
To open it, use the following command: sudo nano /etc/elasticsearch/elasticsearch.yml
The options that matter for this deployment are the HTTP listening port (http.port, 9200 here, see the port list below) and the address Elasticsearch binds to. We set:
network.bind_host: 0.0.0.0
so that Elasticsearch accepts connections from the other components of the ELK stack. Then restart Elasticsearch:
sudo systemctl restart elasticsearch
Note: network.bind_host: 0.0.0.0 makes Elasticsearch listen on every interface, and Elasticsearch 7.6 Basic ships with security disabled by default, so anyone who can reach port 9200 can read and modify every index. Bind to the address of the internal interface instead, or firewall port 9200, before exposing the host.
B - Kibana:
Kibana is configured in kibana.yml, located at /etc/kibana/kibana.yml. To open it:
sudo nano /etc/kibana/kibana.yml
To make Kibana reachable from other hosts, set server.host: "0.0.0.0". Kibana listens on port 5601 by default. Restart Kibana: sudo systemctl restart kibana
Kibana is then available at http://your_Server_IP:5601
Note: server.host: "0.0.0.0" exposes the Kibana web interface (and, through it, everything stored in Elasticsearch) on all interfaces. Restrict it to the management interface address, or put Kibana behind a firewall or an authenticating reverse proxy.
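The two bind settings above are the ones most often left wide open. The following shell helper, added here as an example and not part of the original post, sets or replaces a top-level key in elasticsearch.yml / kibana.yml and flags a wildcard bind so the change can be scripted and audited instead of hand-edited. It assumes GNU sed (for -i) and files in the simple "key: value" form shown above; the address 10.0.0.5 is an assumed internal-interface address.

```shell
#!/bin/sh
# Added example (not from the original post): set or replace a top-level
# "key: value" line in elasticsearch.yml / kibana.yml and flag wildcard binds.
# Assumes GNU sed; 10.0.0.5 below is an assumed internal-interface address.

# set_yaml_key FILE KEY VALUE: replace an existing (possibly commented-out)
# "KEY:" line in place, otherwise append it.
set_yaml_key() {
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
    if grep -Eq "^#?[[:space:]]*${esc}:" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${esc}:.*|${key}: ${value}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# get_yaml_key FILE KEY: print the value (quotes stripped), empty if unset.
get_yaml_key() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -E "s|^${esc}:[[:space:]]*||p" "$1" | tr -d '"' | head -n 1
}

# binds_all_interfaces FILE KEY: true when the key binds every interface.
binds_all_interfaces() {
    case "$(get_yaml_key "$1" "$2")" in
        0.0.0.0|::|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a scratch copy (constructed content, not a real config file).
demo() {
    tmp=$(mktemp)
    printf '#network.host: 192.168.0.1\nhttp.port: 9200\n' > "$tmp"
    set_yaml_key "$tmp" network.bind_host 0.0.0.0      # what the post does
    if binds_all_interfaces "$tmp" network.bind_host; then
        echo "WARNING: network.bind_host exposes Elasticsearch on all interfaces"
    fi
    set_yaml_key "$tmp" network.bind_host 10.0.0.5     # restricted alternative
    cat "$tmp"
    rm -f "$tmp"
}
```

Run `demo` to see the warning fire on 0.0.0.0 and disappear once the bind address is restricted; the same helper works for server.host in kibana.yml.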
C - Logstash:
Logstash ships with a sample pipeline; view it with:
sudo cat /etc/logstash/logstash-sample.conf
Logstash loads its pipelines from /etc/logstash/conf.d/, so we put our configuration in /etc/logstash/conf.d/logstash.conf (the sample file, which listens for Beats on port 5044 and forwards to Elasticsearch, is a good starting point).
Restart Logstash: sudo systemctl restart logstash
D - Checking the listening ports:
Verify that logstash, kibana and elasticsearch are actually listening on their ports (for example with ss -tlnp or netstat -tlnp). Note that the Java-based services, Elasticsearch and Logstash, usually show up under tcp6 rather than tcp; on a dual-stack Linux host that is normal and they still accept IPv4 connections.
Kibana: 5601
Elasticsearch: 9200
Logstash: 5044
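The port check above is easy to get wrong by eye because of the tcp/tcp6 split. The script below, added here as an example and not part of the original post, parses ss -tlnp style output and reports which of the three expected ports is not listening, treating 0.0.0.0:PORT, [::]:PORT, :::PORT and *:PORT alike. The sample ss output is constructed for the demo; on a real host pipe `ss -tlnp` into the function.

```shell
#!/bin/sh
# Added example (not from the original post): report ELK listeners that are
# missing from `ss -tlnp` output. Assumes iproute2 ss column layout
# (Local Address:Port is column 4). SAMPLE_SS is constructed for the demo.

EXPECTED_PORTS="5601 9200 5044"   # Kibana, Elasticsearch, Logstash

# missing_listeners: read ss lines on stdin, print expected ports not listening.
# The port is the text after the last ':' of column 4, which covers IPv4
# (0.0.0.0:9200), IPv6 ([::]:9200, :::9200, [::ffff:0.0.0.0]:9200) and *:9200.
missing_listeners() {
    listening=$(awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -u)
    for p in $EXPECTED_PORTS; do
        echo "$listening" | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample: Elasticsearch on tcp6, Kibana on tcp, Logstash not started.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   [::ffff:0.0.0.0]:9200 *:* users:(("java",pid=1234,fd=300))
LISTEN 0      511    0.0.0.0:5601 0.0.0.0:* users:(("node",pid=2345,fd=18))
LISTEN 0      128    127.0.0.1:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# check_sample: run the check on the constructed output (prints "5044").
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | missing_listeners
}

# On a real host:  ss -tlnp | missing_listeners
```

An empty result means all three services are up; each printed port is a service to investigate (journalctl -u for the matching unit is the usual next step).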
2 - Beats:
A - Installing Winlogbeat:
Download URL:
https://www.elastic.co/fr/downloads/beats/winlogbeat
Installation guide:
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html
B - Configuring Winlogbeat:
Winlogbeat is configured in winlogbeat.yml, where the main sections are:
winlogbeat.event_logs:
This section lists the Windows event log channels Winlogbeat collects. The default entries cover the Application, Security and System logs; to ship Sysmon events as well, add the Microsoft-Windows-Sysmon/Operational channel.
Index settings (setup.template.settings):
— index.number_of_shards:
The number of primary shards each index is split into. Elasticsearch distributes shards across the nodes of the cluster, so more shards only help when there are nodes to spread them over.
— index.number_of_replicas:
The number of copies Elasticsearch keeps of each shard on other nodes, for fault tolerance. On a single-node installation replicas can never be allocated and the index stays yellow, so set this to 0.
Output:
Winlogbeat can send events either directly to Elasticsearch or to Logstash; only one output may be enabled at a time.
Index Lifecycle Management (ILM):
Winlogbeat manages its indices through ILM. ILM (Index Lifecycle Management) is an x-pack feature: it is included in ELK Basic but not in ELK OSS. ILM applies a policy to the indices Winlogbeat writes, moving them through phases (hot, warm, cold, delete) and performing rollover, shrink, force merge and deletion according to index age or size.
Since our ELK stack is the Basic distribution, ILM is available on our Elasticsearch. When ILM is enabled, Winlogbeat loads its default policy and writes to a rollover alias; any custom index name in the output settings is ignored unless setup.ilm.enabled is set to false.
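To tie the event_logs, shard/replica and output settings above together, here is a generator for a complete winlogbeat.yml plus the one check Beats enforce at start-up (exactly one output enabled). This is an added example, not the post's own configuration file: the Logstash/Elasticsearch address 10.0.0.5, the single-node replica count of 0 and the 72h ignore_older window are assumed values; the Sysmon channel name is the real one. The file is written from a shell here so that it can be generated and validated on the ELK host before being copied to the Windows machines.

```shell
#!/bin/sh
# Added example (not from the original post): generate a winlogbeat.yml with
# the settings discussed above and validate it before deployment.
# Assumed: ELK host at 10.0.0.5, single-node cluster (0 replicas).

# write_winlogbeat_yml FILE OUTPUT   (OUTPUT = logstash | elasticsearch)
write_winlogbeat_yml() {
    cat > "$1" <<EOF
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational   # Sysmon channel

setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0    # single node: replicas would never allocate

setup.ilm.enabled: auto          # default; set false to use a custom index name

EOF
    if [ "$2" = logstash ]; then
        cat >> "$1" <<EOF
output.logstash:
  hosts: ["10.0.0.5:5044"]
EOF
    else
        cat >> "$1" <<EOF
output.elasticsearch:
  hosts: ["10.0.0.5:9200"]
EOF
    fi
}

# count_outputs FILE: number of top-level output.* blocks.
count_outputs() {
    grep -Ec '^output\.[a-z]+:' "$1"
}

# validate_config FILE: Beats refuse to start with two outputs enabled,
# and with none there is nowhere to send events; require exactly one.
validate_config() {
    n=$(count_outputs "$1")
    [ "$n" -eq 1 ]
}

# Demo: generate the Logstash variant and validate it.
demo() {
    tmp=$(mktemp)
    write_winlogbeat_yml "$tmp" logstash
    validate_config "$tmp" && echo "winlogbeat.yml OK: one output configured"
    cat "$tmp"
    rm -f "$tmp"
}
```

A common mistake when switching from the default Elasticsearch output to Logstash is to add output.logstash without commenting out output.elasticsearch; validate_config catches exactly that before the service fails to start on the Windows host.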
Sysmon and MITRE ATT&CK:
Sysmon gives far richer visibility into what happens on a Windows host than the default event logs, so we install sysmon and ship its logs into ELK.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed, remains resident across reboots to monitor and log system activity to the Windows event log: process creation, network connections, changes to file creation time, and more. By collecting these events with Windows Event Collection or SIEM agents and analysing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on the network.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is used as a foundation for threat models and methodologies, and here it gives us a common vocabulary for naming what a Sysmon event shows.
I. Download Sysmon:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
II. Download a Sysmon XML configuration whose rules are mapped to MITRE ATT&CK techniques: https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml
(This is a community ruleset; review it before deploying it fleet-wide, since it decides which events are logged and which are filtered out.)
III. Install Sysmon with that configuration:
sysmon64 -accepteula -i sysmonconfig-export.xml
IV. Check the active configuration:
sysmon64 -c
Once winlogbeat.yml is configured, the setup step loads the assets Winlogbeat needs:
I. Index template:
The index template tells Elasticsearch how to map the fields of the events Winlogbeat sends (field types, plus the shard and replica settings above). It is loaded into Elasticsearch. Winlogbeat loads it automatically when its output is Elasticsearch; when events go through Logstash, Winlogbeat has no connection to Elasticsearch, so the template must be loaded separately with a setup run that points directly at Elasticsearch.
Logstash never loads the template into Elasticsearch for you.
II. Kibana dashboards:
https://www.elastic.co/guide/en/beats/winlogbeat/current/load-kibana-dashboards.html
Note:
Loading the dashboards requires a direct connection to Kibana.
Note:
Setup always talks to Elasticsearch and Kibana directly, never through Logstash; with a Logstash output, point the setup run at Elasticsearch explicitly.
Shipping to ELK:
Start the winlogbeat service (from PowerShell or via services.msc) so that it begins forwarding the Windows and Sysmon event logs, then check in Kibana that events arrive.
If nothing shows up, check the winlogbeat log on the Windows host and, in our ELK STACK setup, that Logstash is reachable from that host on port 5044.
Winlogbeat data:
In Discover, the sysmon events appear with their fields (including the MITRE technique tags that the configuration above places in the RuleName event data):
winlogbeat adds host and event metadata to every document it sends.
Besides Winlogbeat, Elastic provides other Beats, each collecting a different kind of data:
Winlogbeat
Filebeat
Packetbeat
Metricbeat
In the following posts we will also use metricbeat and filebeat.
In particular, filebeat collects the ssh and sudo logs of our ubuntu machines, and the logs of the Suricata IDS through its Suricata module.
Suricata:
Enable the Suricata module of filebeat:
sudo filebeat modules enable suricata
The module configuration is then found in /etc/filebeat/modules.d/suricata.yml, where the path to Suricata's eve.json log can be adjusted if it differs from the default.
To check which modules are enabled:
filebeat modules list
This is the link we used to install Suricata on the device: https://www.alibabacloud.com/blog/594941
You should get a dashboard similar to this one. If you do not get exactly this result, do not worry; we will work with the dashboards in the following articles.
It is also possible to integrate the Suricata interface into the ELK stack; you can check this link.