OPNsense Elastic Search: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 66: | Zeile 66: | ||
#cacert => '/etc/logstash/config/certs/http_ca.crt' #[Disable if using Docker] | #cacert => '/etc/logstash/config/certs/http_ca.crt' #[Disable if using Docker] | ||
user => "elastic" | user => "elastic" | ||
| − | password => " | + | password => "...$" |
} | } | ||
} | } | ||
Version vom 1. Februar 2024, 11:11 Uhr
Vorraussetzungen
- 32 GB RAM
- 32 GB Festplattenspeicher für Docker und ELK-Stack
Swap für mehr Stabilität entfernen
- swapoff -a
- vim /etc/fstab # swap entfernen
Maximale Memory Maps erhöhen
- vim /etc/sysctl.conf
vm.max_map_count=262144
- sysctl -p
Konfigurationsdateien herunterladen
- mkdir -p /etc/openelk/{conf.d,config,logs,databases,patterns,scripts,templates}
- vim install-script.sh
#!/bin/bash wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/.env -P /etc/openelk/docker/ wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/docker-compose.yml -P /etc/openelk/docker/ wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/config/logstash.yml -P /etc/openelk/config/ wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/config/pipelines.yml -P /etc/openelk/config/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/01-inputs.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/02-firewall.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/05-apps.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/30-geoip.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/49-cleanup.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/50-outputs.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/20-interfaces.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/35-rules-desc.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/36-ports-desc.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/37-enhanced_user_agent.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/38-enhanced_url.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/45-enhanced_private.pfelk -P /etc/openelk/conf.d/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/patterns/pfelk.grok -P /etc/openelk/patterns/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/patterns/openvpn.grok -P /etc/openelk/patterns/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/private-hostnames.csv -P /etc/openelk/databases/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/rule-names.csv -P /etc/openelk/databases/ wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/service-names-port-numbers.csv -P /etc/openelk/databases/
Konfiguration anpassen
- vim /etc/openelk/docker/.env
... ELASTIC_PASSWORD=... ... KIBANA_PASSWORD=... ... LOGSTASH_PASSWORD=... ... ES_MEM_LIMIT=17179869184 # mind. 4GB KB_MEM_LIMIT=2147483648 # mind. 1GB LS_MEM_LIMIT=8589934592 # mind. 4GB
- vim /etc/openelk/conf.d/50-outputs.pfelk
output {
elasticsearch {
data_stream => "true"
data_stream_type => "logs"
data_stream_dataset => "pfelk"
### X-Pack Security Method ###
#[DOCKER]# hosts => ["https://es01:9200"]
#[DOCKER]# ssl => true
[DOCKER]# cacert => '/usr/share/logstash/config/certs/ca/ca.crt'
hosts => ["https://localhost:9200"]
#cacert => '/etc/logstash/config/certs/http_ca.crt' #[Disable if using Docker]
user => "elastic"
password => "...$"
}
}