Elasticsearch/logstash/kibana

From Xinux Wiki

Prerequisite

  • Install Kali Purple

Update

  • apt update && apt upgrade

Check the hostname

  • hostname -f
purple.xinux.org

Installing elasticsearch

  • apt install elasticsearch -y
Note down the password
The generated password for the elastic built-in superuser is : tMF3iXWcd*Wb-RMbE9+F

Installing kibana

  • apt install kibana -y

Create the kibana keystore

  • /usr/share/kibana/bin/kibana-encryption-keys generate -q

Adjust the kibana port and IP

  • echo "server.port: 5601" >> /etc/kibana/kibana.yml
  • echo "server.host: 0.0.0.0" >> /etc/kibana/kibana.yml

Start kibana and elastic and enable them at system start

  • sudo systemctl enable elasticsearch kibana --now

Generate the enrollment token

  • /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI4LjEzLjMiLCJhZHIiOlsiMTAuODEuMjU1LjE1MTo5MjAwIl0sImZnciI6IjY2ZTQzZmM5MGZiMjQwNWU3ZDk1OGY5NjQ5ODkxOWQwNjc1NTU1M2QwNmZhYWRjNmE1MGUxMWM5YTIxZDZkZDEiLCJrZXkiOiJReW1PVW84QkhEa2RqdFJ3TzZaWDptTzNJcDU0Q1RYMmhpdGptUDlLVTlnIn0=
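The token above is base64-encoded JSON carrying the cluster address, the SHA-256 fingerprint of the Elasticsearch HTTP CA certificate and an API key, so it is a credential and also tells Kibana which CA to trust. As an added example (not from the wiki page), the following Python helper decodes such a token and checks its fingerprint against the CA certificate Elasticsearch wrote (assumed path /etc/elasticsearch/certs/http_ca.crt; the certificate bytes and token used here are constructed so it runs offline).

```python
"""Added example (not from the wiki page): decode an Elasticsearch enrollment
token and verify its CA fingerprint. The token is base64 JSON with fields ver,
adr, fgr (SHA-256 of the HTTP CA certificate in DER form) and key (an API key
"id:secret"); comparing fgr with /etc/elasticsearch/certs/http_ca.crt confirms
the token belongs to this cluster before it is pasted into Kibana."""
import base64
import hashlib
import json
import re

# Constructed sample CA bytes and PEM so the example runs offline; on the real
# host read /etc/elasticsearch/certs/http_ca.crt instead.
SAMPLE_CA_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_CA_DER).decode()
                 + "-----END CERTIFICATE-----\n")
# Constructed token in the real layout, with fgr matching SAMPLE_CA_PEM.
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "ver": "8.13.3", "adr": ["10.0.0.10:9200"],
    "fgr": hashlib.sha256(SAMPLE_CA_DER).hexdigest(),
    "key": "constructedKeyId:constructedSecret"}).encode()).decode()


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of the DER body of a PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def decode_enrollment_token(token: str) -> dict:
    """Parse the token and validate the fields Kibana relies on."""
    data = json.loads(base64.b64decode(token))
    for field in ("ver", "adr", "fgr", "key"):
        if field not in data:
            raise ValueError(f"token is missing field {field!r}")
    if not re.fullmatch(r"[0-9a-f]{64}", data["fgr"]):
        raise ValueError("fgr is not a SHA-256 hex fingerprint")
    key_id, sep, secret = data["key"].partition(":")
    if not (key_id and sep and secret):
        raise ValueError("key is not in id:secret form")
    return data


def token_matches_ca(token: str, ca_pem: str) -> bool:
    """True if the token's fgr equals the fingerprint of the given CA cert."""
    return decode_enrollment_token(token)["fgr"] == pem_fingerprint(ca_pem)
```

On the real host, call token_matches_ca() with the token printed by the command above and the contents of http_ca.crt; a False result means the token was generated against a different CA than the one this Elasticsearch serves.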

Open kibana and paste in the token

(Screenshot: Elk-01.png)

Generate the verification code

  • /usr/share/kibana/bin/kibana-verification-code
Your verification code is:  970 916

Paste in the code

(Screenshot: Elk-02.png)

Enabling HTTPS for Kibana

  • /usr/share/elasticsearch/bin/elasticsearch-certutil ca
  • /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns purple.xinux.org --out kibana-server.p12
  • openssl pkcs12 -in /usr/share/elasticsearch/elastic-stack-ca.p12 -clcerts -nokeys -out /etc/kibana/kibana-server_ca.crt
  • openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.crt -clcerts -nokeys
  • openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.key -nocerts -nodes
  • chown root:kibana /etc/kibana/kibana-server*
  • chmod 660 /etc/kibana/kibana-server*
  • echo "server.ssl.enabled: true" | tee -a /etc/kibana/kibana.yml
  • echo "server.ssl.certificate: /etc/kibana/kibana-server.crt" | tee -a /etc/kibana/kibana.yml
  • echo "server.ssl.key: /etc/kibana/kibana-server.key" | tee -a /etc/kibana/kibana.yml
  • echo "server.publicBaseUrl: \"https://purple.xinux.org:5601\"" | tee -a /etc/kibana/kibana.yml
  • /usr/share/kibana/bin/kibana-encryption-keys generate

Restart kibana

  • systemctl restart kibana

Change the password

(Screenshot: Elk-03.png)

Install logstash

  • apt install logstash

Clone pfelk

Logstash filter files

  • # Create the configuration directories
  • mkdir -p /etc/pfelk/{conf.d,config,logs,databases,patterns,scripts,templates}
  • # Copy the configuration templates into the corresponding directories
  • cp pfelk/etc/pfelk/conf.d/01-inputs.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/02-firewall.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/05-apps.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/30-geoip.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/49-cleanup.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/50-outputs.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/20-interfaces.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/35-rules-desc.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/36-ports-desc.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/37-enhanced_user_agent.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/38-enhanced_url.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/45-enhanced_private.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/patterns/pfelk.grok -P /etc/pfelk/patterns/
  • cp pfelk/etc/pfelk/patterns/openvpn.grok -P /etc/pfelk/patterns/
  • cp pfelk/etc/pfelk/databases/private-hostnames.csv -P /etc/pfelk/databases/
  • cp pfelk/etc/pfelk/databases/rule-names.csv -P /etc/pfelk/databases/
  • cp pfelk/etc/pfelk/databases/service-names-port-numbers.csv -P /etc/pfelk/databases/

Logstash configuration

  • cp pfelk/etc/pfelk/config/pipelines.yml /etc/logstash/
  • mkdir -p /etc/pfelk/logs
  • cp pfelk/etc/pfelk/scripts/error-data.sh /etc/pfelk/scripts/
  • chmod +x /etc/pfelk/scripts/error-data.sh
  • mkdir /etc/logstash/config
  • cp -r /etc/elasticsearch/certs /etc/logstash/config/
  • chown -R logstash:logstash /etc/logstash

Enter the password in logstash

  • sed -i "s/changeme/<your-password>/" /etc/pfelk/conf.d/50-outputs.pfelk

Start logstash

  • systemctl enable logstash.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service.

Check the logstash journal

  • journalctl -fu logstash