Loading

在 Ubuntu18.04集成Zeek与ELK

  • Elasticsearch :一个分布式RESTful搜索引擎,用于存储所有收集的数据。
  • Logstash :Elastic Stack的数据处理组件,用于将传入数据发送到Elasticsearch。
  • Kibana :用于搜索和可视化日志的Web界面。

默认情况下,所有Zeek日志都被写入/usr/local/zeek/logs/current(在Linux上),并且每天轮换一次。

安装Elasticsearch

  • 添加Elastic库
sudo su
apt-get update -y
apt-get install apt-transport-https -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
apt-get update -y
  • 安装配置 Java
apt-get update -y
apt install openjdk-8-jdk
java -version
  • 安装配置 Elasticsearch
apt-get install elasticsearch
sed -i 's/#network.host: 192.168.0.1/network.host: localhost/g' /etc/elasticsearch/elasticsearch.yml
sed -i 's/#http.port: 9200/http.port: 9200/g' /etc/elasticsearch/elasticsearch.yml
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch
  • 测试 Elasticsearch
curl http://localhost:9200

安装Kibana

apt-get install kibana
sed -i 's/#server.host: "localhost"/server.host: "localhost"/g' /etc/kibana/kibana.yml
sed -i 's/#server.port: 5601/server.port: 5601/g' /etc/kibana/kibana.yml
sed -i 's?#elasticsearch.hosts:?elasticsearch.hosts:?g' /etc/kibana/kibana.yml
systemctl enable kibana
systemctl start kibana
systemctl status kibana

安装Logstash

apt-get install logstash -y
mkdir /etc/logstash/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/logstash/ssl/logstash.key -out /etc/logstash/ssl/logstash.crt
  • 配置Logstash
sudo vim /etc/logstash/zeek-conn-01.conf

下面是完整的配置文件,用于从Filebeat输入zeek conn日志,处理它们并将它们发送到Elasticsearch中进行索引

input {
  beats {
    host => "localhost"
    port => 5044
  }
}

filter {
  if [message] =~ /^#/ {
    drop { }
  }

  if [type] == "zeek-conn" {
    
    csv {
      columns => ["ts","uid","id_orig_h","id_orig_p","id_resp_h","id_resp_p","proto","service","duration","orig_bytes","resp_bytes","conn_state","local_orig","local_resp","missed_bytes","history","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes","tunnel_parents"]
      separator => "	"
    }

    date {
      match => [ "ts", "UNIX" ]
    }
    
    geoip {
       source => "id.orig_h"
    }

    mutate {
      convert => { "id.orig_p" => "integer" }
      convert => { "id.resp_p" => "integer" }
      convert => { "orig_bytes" => "integer" }
      convert => { "duration" => "float" }
      convert => { "resp_bytes" => "integer" }
      convert => { "missed_bytes" => "integer" }
      convert => { "orig_pkts" => "integer" }
      convert => { "orig_ip_bytes" => "integer" }
      convert => { "resp_pkts" => "integer" }
      convert => { "resp_ip_bytes" => "integer" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
systemctl enable logstash
systemctl start logstash

使用Filebeat运送Zeek日志

  • 在Ubuntu 18.04上安装/设置Filebeat
mkdir /etc/filebeat/ssl
wget https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/ElasticStackv7/configs/filebeat/filebeat.yml -O /etc/filebeat/filebeat.yml
sed -i 's#"localhost:5044"#"<IP addr or FQDN of Logstash>:5044"#g' /etc/filebeat/filebeat.yml
systemctl enable filebeat
systemctl start filebeat
systemctl status filebeat
  • 配置Filebeat
sudo vim /etc/filebeat/filebeat.yml

在Filebeat配置文件中,定义到日志文件和输出目的地的路径。下面的示例定义了zeek的conn.log文件的prospectors,该文件包含网络TCP/UDP/ICMP连接上的数据。要跟踪其他日志,需要以类似的方式为每个文件添加prospectors。

filebeat.prospectors:
- input_type: log
  paths: 
    - "/usr/local/zeek/logs/current/conn.log"
  fields:
    type: "zeek-conn"
  fields_under_root: true

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

启动数据管道

  • 启动logstash
cd /usr/share/logstash
sudo bin/logstash -f zeek-conn-01.conf
  • 启动Filebeat
sudo service filebeat start

过一段时间后,如果配置文件中没有错误,就会创建一个新的Logstash索引,它的模式可以在Kibana中定义。

在浏览器中打开如下网址进入Kibana仪表板

http://localhost:5601

也可以通过http://localhost:5601/status查看kibana状态,这个页面也包括了所有安装的插件列表。

logstash.png
输入索引模式,选择timestamp字段,并创建新的索引模式。打开Kibana中的发现页面,显示zeek conn.log消息。左侧将显示Logstash处理的所有可用字段的列表,以供分析

创建可视化

Kibana可视化是基于Elasticsearch查询的。通过用一系列的Elasticsearch聚集来提取并处理数据。

为了创建一个可视化的视图:

  1. 点击左侧导航条中的“Visualize”按钮
  2. 点击“Create new visualization”按钮或者加号(+)按钮
  3. 选择一个可视化类型
  4. 指定一个搜索查询来检索可视化数据
  5. 在可视化的构建器中选择Y轴的聚合操作。例如,sum,average,count等等
  6. 设置X轴Y轴

874963-20180815142051383-1539845797.png

创建Dashboard仪表板

Visualize可以创建Elasticsearch索引中的数据的可视化效果。Kibana仪表板显示可视化和搜索的集合,可以安排、调整和编辑仪表板内容,然后保存仪表板以便共享它。

构建一个Dashboard

  1. 在导航条上点击“Dashboard”
  2. 点击“Create new dashboard”或者“加号(+)”按钮
  3. 点击“Add”按钮
  4. 为了添加一个可视化,从可视化列表中选择一个,或者点击“Add new visualization”按钮新创建一个
  5. 为了添加一个已保存的查询,点击“Saved Search”选项卡,然后从列表中选择一个
  6. 当完成添加并且调整了dashboard的内容后,去顶部菜单栏,点击“Save”,然后输入一个名字
posted @ 2022-08-13 14:27  锦瑟,无端  阅读(573)  评论(0编辑  收藏  举报