Elasticsearch/logstash/kibana: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(25 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 20: Zeile 20:
 
==kibana und elastic starten und systemstart aktivieren==
 
==kibana und elastic starten und systemstart aktivieren==
 
*sudo systemctl enable elasticsearch kibana --now
 
*sudo systemctl enable elasticsearch kibana --now
 +
=Enroll Key generieren=
 +
*/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
 +
eyJ2ZXIiOiI4LjEzLjMiLCJhZHIiOlsiMTAuODEuMjU1LjE1MTo5MjAwIl0sImZnciI6IjY2ZTQzZmM5MGZiMjQwNWU3ZDk1OGY5NjQ5ODkxOWQwNjc1NTU1M2QwNmZhYWRjNmE1MGUxMWM5YTIxZDZkZDEiLCJrZXkiOiJReW1PVW84QkhEa2RqdFJ3TzZaWDptTzNJcDU0Q1RYMmhpdGptUDlLVTlnIn0=
 +
=kibana öffnen und Key reinpasten=
 +
*http://purple.xinux.org:5601
 +
[[Datei:Elk-01.png]]
 +
=Verificationcode generieren=
 +
*/usr/share/kibana/bin/kibana-verification-code
 +
Your verification code is:  '''970 916'''
 +
=Code rein kopieren=
 +
[[Datei:Elk-02.png]]
 +
 +
=Aktivieren von HTTPS für Kibana=
 +
*/usr/share/elasticsearch/bin/elasticsearch-certutil ca
 +
*/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns purple.xinux.org --out kibana-server.p12
 +
*openssl pkcs12 -in /usr/share/elasticsearch/elastic-stack-ca.p12 -clcerts -nokeys -out /etc/kibana/kibana-server_ca.crt
 +
*openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.crt -clcerts -nokeys
 +
*openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.key -nocerts -nodes
 +
*chown root:kibana /etc/kibana/kibana-server*
 +
*chmod 660 /etc/kibana/kibana-server*
 +
*echo "server.ssl.enabled: true" | tee -a /etc/kibana/kibana.yml
 +
*echo "server.ssl.certificate: /etc/kibana/kibana-server.crt" | tee -a /etc/kibana/kibana.yml
 +
*echo "server.ssl.key: /etc/kibana/kibana-server.key" |  tee -a /etc/kibana/kibana.yml
 +
*echo "server.publicBaseUrl: \"https://purple.xinux.org:5601\"" | tee -a /etc/kibana/kibana.yml
 +
*/usr/share/kibana/bin/kibana-encryption-keys generate
 +
=Neustart von kibana=
 +
*systemctl restart kibana
 +
=Password ändern=
 +
*https://purple.xinux.org:5601/
 +
 +
[[Datei:Elk-03.png]]
 +
=logstash installieren=
 +
*apt install logstash
 +
=Clonen von pfelf=
 +
*cd /root
 +
*git clone https://github.com/pfelk/pfelk
 +
 +
=Logstash Filter Dateien=
 +
*<nowiki>#</nowiki>Konfigurationsordner anlegen
 +
*'''mkdir -p /etc/pfelk/{conf.d,config,logs,databases,patterns,scripts,templates}'''
 +
*<nowiki>#</nowiki>Konfigurationsvorlagen in die entsprechenden Verzeichnisse kopieren
 +
*'''cp pfelk/etc/pfelk/conf.d/01-inputs.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/02-firewall.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/05-apps.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/30-geoip.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/49-cleanup.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/50-outputs.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/20-interfaces.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/35-rules-desc.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/36-ports-desc.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/37-enhanced_user_agent.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/38-enhanced_url.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/conf.d/45-enhanced_private.pfelk -P /etc/pfelk/conf.d/'''
 +
*'''cp pfelk/etc/pfelk/patterns/pfelk.grok -P /etc/pfelk/patterns/'''
 +
*'''cp pfelk/etc/pfelk/patterns/openvpn.grok -P /etc/pfelk/patterns/'''
 +
*'''cp pfelk/etc/pfelk/databases/private-hostnames.csv -P /etc/pfelk/databases/'''
 +
*'''cp pfelk/etc/pfelk/databases/rule-names.csv -P /etc/pfelk/databases/'''
 +
*'''cp pfelk/etc/pfelk/databases/service-names-port-numbers.csv -P /etc/pfelk/databases/'''
 +
= Logstash Konfiguration=
 +
*'''cp pfelk/etc/pfelk/config/pipelines.yml /etc/logstash/'''
 +
*'''mkdir -p /etc/pfelk/logs'''
 +
*'''cp pfelk/etc/pfelk/scripts/error-data.sh /etc/pfelk/scripts/'''
 +
*'''chmod +x /etc/pfelk/scripts/error-data.sh'''
 +
*'''mkdir /etc/logstash/config'''
 +
*'''cp -r /etc/elasticsearch/certs /etc/logstash/config/'''
 +
*'''chown -R logstash:logstash /etc/logstash'''
 +
=Password eintragen in logstash=
 +
*sed -ie "s/changeme/<dein-passwort>/" /etc/pfelk/conf.d/50-outputs.pfelk
 +
=logstash starten=
 +
*enable logstash.service --now                           
 +
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service.
 +
=logstash journal checken=
 +
*journalctl -fu logstash

Aktuelle Version vom 7. Mai 2024, 11:15 Uhr

Voraussetzung

  • Installieren von Kali Purple

Update

  • apt update && apt upgrade

Checken wie der Hostname ist

  • hostname -f
purple.xinux.org

Installation von elasticsearch

  • apt install elasticsearch -y
Wir notieren das Passwort
The generated password for the elastic built-in superuser is : tMF3iXWcd*Wb-RMbE9+F

Installation von kibana

  • apt install kibana -y

kibana keystore anlegen

  • /usr/share/kibana/bin/kibana-encryption-keys generate -q

kibana ports und ip anpassen

  • echo "server.port: 5601" >> /etc/kibana/kibana.yml
  • echo "server.host: 0.0.0.0" >> /etc/kibana/kibana.yml

kibana und elastic starten und systemstart aktivieren

  • sudo systemctl enable elasticsearch kibana --now

Enroll Key generieren

  • /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI4LjEzLjMiLCJhZHIiOlsiMTAuODEuMjU1LjE1MTo5MjAwIl0sImZnciI6IjY2ZTQzZmM5MGZiMjQwNWU3ZDk1OGY5NjQ5ODkxOWQwNjc1NTU1M2QwNmZhYWRjNmE1MGUxMWM5YTIxZDZkZDEiLCJrZXkiOiJReW1PVW84QkhEa2RqdFJ3TzZaWDptTzNJcDU0Q1RYMmhpdGptUDlLVTlnIn0=

kibana öffnen und Key reinpasten

Elk-01.png

Verificationcode generieren

  • /usr/share/kibana/bin/kibana-verification-code
Your verification code is:  970 916

Code rein kopieren

Elk-02.png

Aktivieren von HTTPS für Kibana

  • /usr/share/elasticsearch/bin/elasticsearch-certutil ca
  • /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns purple.xinux.org --out kibana-server.p12
  • openssl pkcs12 -in /usr/share/elasticsearch/elastic-stack-ca.p12 -clcerts -nokeys -out /etc/kibana/kibana-server_ca.crt
  • openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.crt -clcerts -nokeys
  • openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.key -nocerts -nodes
  • chown root:kibana /etc/kibana/kibana-server*
  • chmod 660 /etc/kibana/kibana-server*
  • echo "server.ssl.enabled: true" | tee -a /etc/kibana/kibana.yml
  • echo "server.ssl.certificate: /etc/kibana/kibana-server.crt" | tee -a /etc/kibana/kibana.yml
  • echo "server.ssl.key: /etc/kibana/kibana-server.key" | tee -a /etc/kibana/kibana.yml
  • echo "server.publicBaseUrl: \"https://purple.xinux.org:5601\"" | tee -a /etc/kibana/kibana.yml
  • /usr/share/kibana/bin/kibana-encryption-keys generate

Neustart von kibana

  • systemctl restart kibana

Password ändern

Elk-03.png

logstash installieren

  • apt install logstash

Clonen von pfelf

Logstash Filter Dateien

  • #Konfigurationsordner anlegen
  • mkdir -p /etc/pfelk/{conf.d,config,logs,databases,patterns,scripts,templates}
  • #Konfigurationsvorlagen in die entsprechenden Verzeichnisse kopieren
  • cp pfelk/etc/pfelk/conf.d/01-inputs.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/02-firewall.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/05-apps.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/30-geoip.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/49-cleanup.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/50-outputs.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/20-interfaces.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/35-rules-desc.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/36-ports-desc.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/37-enhanced_user_agent.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/38-enhanced_url.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/conf.d/45-enhanced_private.pfelk -P /etc/pfelk/conf.d/
  • cp pfelk/etc/pfelk/patterns/pfelk.grok -P /etc/pfelk/patterns/
  • cp pfelk/etc/pfelk/patterns/openvpn.grok -P /etc/pfelk/patterns/
  • cp pfelk/etc/pfelk/databases/private-hostnames.csv -P /etc/pfelk/databases/
  • cp pfelk/etc/pfelk/databases/rule-names.csv -P /etc/pfelk/databases/
  • cp pfelk/etc/pfelk/databases/service-names-port-numbers.csv -P /etc/pfelk/databases/

Logstash Konfiguration

  • cp pfelk/etc/pfelk/config/pipelines.yml /etc/logstash/
  • mkdir -p /etc/pfelk/logs
  • cp pfelk/etc/pfelk/scripts/error-data.sh /etc/pfelk/scripts/
  • chmod +x /etc/pfelk/scripts/error-data.sh
  • mkdir /etc/logstash/config
  • cp -r /etc/elasticsearch/certs /etc/logstash/config/
  • chown -R logstash:logstash /etc/logstash

Password eintragen in logstash

  • sed -ie "s/changeme/<dein-passwort>/" /etc/pfelk/conf.d/50-outputs.pfelk

logstash starten

  • enable logstash.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service.

logstash journal checken

  • journalctl -fu logstash
Abgerufen von „http://wiki.ixheim.de/index.php?title=Elasticsearch/logstash/kibana&oldid=53263