OPNsense Elastic Search: Difference between revisions
Revision as of 1 February 2024, 10:56
Prerequisites
- 32 GB RAM
- 32 GB of disk space for Docker and the ELK stack
Remove swap for more stability
- swapoff -a
- vim /etc/fstab # remove the swap entry
Increase the maximum number of memory maps
- vim /etc/sysctl.conf
vm.max_map_count=262144
- sysctl -p
Download the configuration files
- mkdir -p /etc/openelk/{conf.d,config,logs,databases,patterns,scripts,templates}
- vim install-script.sh
#!/bin/bash
# Fetch the pfelk Docker files, Logstash configuration, pipeline stages,
# grok patterns and lookup databases into the /etc/openelk tree.
# wget -P creates the target directory if it does not exist yet.
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/.env -P /etc/openelk/docker/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/docker-compose.yml -P /etc/openelk/docker/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/config/logstash.yml -P /etc/openelk/config/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/config/pipelines.yml -P /etc/openelk/config/
# Logstash pipeline stages (processed in numeric order)
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/01-inputs.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/02-firewall.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/05-apps.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/30-geoip.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/49-cleanup.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/50-outputs.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/20-interfaces.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/35-rules-desc.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/36-ports-desc.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/37-enhanced_user_agent.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/38-enhanced_url.pfelk -P /etc/openelk/conf.d/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/conf.d/45-enhanced_private.pfelk -P /etc/openelk/conf.d/
# grok patterns used by the pipeline stages
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/patterns/pfelk.grok -P /etc/openelk/patterns/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/patterns/openvpn.grok -P /etc/openelk/patterns/
# CSV lookup databases for hostname, rule and service-name enrichment
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/private-hostnames.csv -P /etc/openelk/databases/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/rule-names.csv -P /etc/openelk/databases/
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/service-names-port-numbers.csv -P /etc/openelk/databases/
Adjust the configuration
- vim /etc/openelk/docker/.env
...
ELASTIC_PASSWORD=...
...
KIBANA_PASSWORD=...
...
LOGSTASH_PASSWORD=...
...
ES_MEM_LIMIT=17179869184 # at least 4GB
KB_MEM_LIMIT=2147483648 # at least 1GB
LS_MEM_LIMIT=8589934592 # at least 4GB
- vim /etc/openelk/conf.d/50-outputs.pfelk
output {
  elasticsearch {
    data_stream => "true"
    data_stream_type => "logs"
    data_stream_dataset => "pfelk"
    ### X-Pack Security Method ###
    #[DOCKER]# hosts => ["https://es01:9200"]
    #[DOCKER]# ssl => true
    #[DOCKER]# cacert => '/usr/share/logstash/config/certs/ca/ca.crt'
    hosts => ["https://localhost:9200"]
    #cacert => '/etc/logstash/config/certs/http_ca.crt' #[Disable if using Docker]
    user => "elastic"
    password => "123Start$"
  }
}
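Added here as a worked pre-flight check for the steps above; this is not code from the wiki page or the pfelk project. It reads the three memory limits from the page's .env and checks them against a RAM size, compares vm.max_map_count with the 262144 the page sets, and flags an https Elasticsearch output whose cacert line is still commented out. The file paths and variable names are the page's; the sample files are constructed inside the script.

```shell
#!/bin/sh
# Added pre-flight checks for the steps on this page; this is not code from the
# wiki page or the pfelk project. Paths and variable names are the page's own;
# the sample files are constructed below so the script runs stand-alone.

# Print the numeric value of KEY in an env file, ignoring a trailing "# comment".
env_value() {  # $1 = env file, $2 = key
  sed -n "s/^$2=\([0-9]*\).*/\1/p" "$1" | head -n 1
}

# Sum the three container memory limits (bytes) that the page sets in .env.
total_mem_limit() {  # $1 = env file
  total=0
  for k in ES_MEM_LIMIT KB_MEM_LIMIT LS_MEM_LIMIT; do
    v=$(env_value "$1" "$k")
    [ -n "$v" ] || { echo "missing $k in $1" >&2; return 1; }
    total=$((total + v))
  done
  echo "$total"
}

# Succeed only if the summed limits fit into the given RAM size (bytes).
limits_fit_ram() {  # $1 = env file, $2 = RAM in bytes
  total=$(total_mem_limit "$1") || return 1
  [ "$total" -le "$2" ]
}

# Succeed only if vm.max_map_count meets the value the page sets (262144).
max_map_count_ok() {  # $1 = value to check (defaults to the running kernel's)
  cur=${1:-$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)}
  [ "$cur" -ge 262144 ]
}

# Succeed only if an https hosts line in the Logstash output is paired with an
# active cacert line; otherwise Logstash cannot verify the Elasticsearch certificate.
output_tls_ok() {  # $1 = 50-outputs.pfelk
  if grep -Eq '^[[:space:]]*hosts[[:space:]]*=>.*https://' "$1"; then
    grep -Eq '^[[:space:]]*cacert[[:space:]]*=>' "$1"
  fi
}

# Constructed samples mirroring the page's values (no real credentials).
SAMPLE_ENV=$(mktemp); SAMPLE_OUT=$(mktemp)
printf '%s\n' 'ES_MEM_LIMIT=17179869184 # at least 4GB' \
  'KB_MEM_LIMIT=2147483648 # at least 1GB' 'LS_MEM_LIMIT=8589934592 # at least 4GB' > "$SAMPLE_ENV"
printf '%s\n' 'output { elasticsearch {' '    hosts => ["https://localhost:9200"]' \
  "    #cacert => '/etc/logstash/config/certs/http_ca.crt'" '} }' > "$SAMPLE_OUT"
total_mem_limit "$SAMPLE_ENV"   # prints 27917287424
output_tls_ok "$SAMPLE_OUT" || echo "enable cacert for the https Elasticsearch output"
```

Point the functions at /etc/openelk/docker/.env and /etc/openelk/conf.d/50-outputs.pfelk on the host to check the real files instead of the samples.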