Integrating Zeek with ELK on Ubuntu 18.04
- Elasticsearch: a distributed RESTful search engine that stores all of the collected data.
- Logstash: the data-processing component of the Elastic Stack, which sends incoming data to Elasticsearch.
- Kibana: a web interface for searching and visualizing the logs.
By default, all Zeek logs are written to /usr/local/zeek/logs/current (on Linux) and rotated once a day.
Install Elasticsearch
- Add the Elastic repository
sudo su
apt-get update -y
apt-get install apt-transport-https -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
apt-get update -y
- Install and configure Java
apt-get update -y
apt install openjdk-8-jdk
java -version
- Install and configure Elasticsearch
apt-get install elasticsearch
sed -i 's/#network.host: 192.168.0.1/network.host: localhost/g' /etc/elasticsearch/elasticsearch.yml
sed -i 's/#http.port: 9200/http.port: 9200/g' /etc/elasticsearch/elasticsearch.yml
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch
- Test Elasticsearch
curl http://localhost:9200
Install Kibana
apt-get install kibana
sed -i 's/#server.host: "localhost"/server.host: "localhost"/g' /etc/kibana/kibana.yml
sed -i 's/#server.port: 5601/server.port: 5601/g' /etc/kibana/kibana.yml
sed -i 's?#elasticsearch.hosts:?elasticsearch.hosts:?g' /etc/kibana/kibana.yml
systemctl enable kibana
systemctl start kibana
systemctl status kibana
Install Logstash
apt-get install logstash -y
mkdir /etc/logstash/ssl
# Self-signed certificate for Logstash; the beats input in the pipeline below only uses it once ssl => true and ssl_certificate / ssl_key point at these two files
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/logstash/ssl/logstash.key -out /etc/logstash/ssl/logstash.crt
- Configure Logstash
sudo vim /etc/logstash/zeek-conn-01.conf
Below is the complete configuration file. It takes Zeek conn logs from the Filebeat input, processes them and sends them to Elasticsearch for indexing.
input {
  beats {
    # Bind address: "localhost" only works while Filebeat runs on this same host
    host => "localhost"
    port => 5044
  }
}
filter {
  # Zeek log files begin with "#"-prefixed header lines (#separator, #fields, #types, ...); skip them
  if [message] =~ /^#/ {
    drop { }
  }
  if [type] == "zeek-conn" {
    csv {
      # Column names are Zeek's own conn.log field names (id.orig_h, not id_orig_h), so the
      # geoip and mutate filters below find the fields they reference
      columns => ["ts","uid","id.orig_h","id.orig_p","id.resp_h","id.resp_p","proto","service","duration","orig_bytes","resp_bytes","conn_state","local_orig","local_resp","missed_bytes","history","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes","tunnel_parents"]
      # Zeek logs are tab-separated: the value below is a literal TAB character, not a space
      separator => "	"
    }
    date {
      match => [ "ts", "UNIX" ]
    }
    geoip {
      source => "id.orig_h"
    }
    mutate {
      # One convert hash for all numeric fields
      convert => {
        "id.orig_p" => "integer"
        "id.resp_p" => "integer"
        "orig_bytes" => "integer"
        "duration" => "float"
        "resp_bytes" => "integer"
        "missed_bytes" => "integer"
        "orig_pkts" => "integer"
        "orig_ip_bytes" => "integer"
        "resp_pkts" => "integer"
        "resp_ip_bytes" => "integer"
      }
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
systemctl enable logstash
systemctl start logstash
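The csv filter above drops Zeek's own header lines and hard-codes the 21 column names, so a change in Zeek's conn.log schema would be parsed silently into the wrong fields. As an added example (not code from the original post), this Python parser reads the `#fields`/`#types` header of a constructed conn.log sample, applies Zeek's unset ("-") and empty ("(empty)") conventions and type conversions, and checks the hard-coded Logstash column list against the header.

```python
# Added example, not code from the original post: parse a Zeek TSV log from its own
# "#fields"/"#types" header and check the Logstash csv filter's hard-coded column list against it.
SAMPLE_CONN_LOG = "\n".join([  # constructed conn.log sample: header lines plus two records
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory"
    "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount"
    "\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]",
    "1591100000.123456\tCAbcde1\t10.0.0.5\t52344\t93.184.216.34\t443\ttcp\tssl\t1.25"
    "\t1200\t5400\tSF\tT\tF\t0\tShADadFf\t12\t1836\t10\t5932\t-",
    "1591100001.0\tCAbcde2\t10.0.0.7\t5353\t224.0.0.251\t5353\tudp\t-\t-\t-\t-\tS0\tT\tF"
    "\t0\tD\t1\t90\t0\t0\t(empty)",
])
# The 21 column names hard-coded in the Logstash csv filter above, in Zeek's order.
LOGSTASH_COLUMNS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
    "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history "
    "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()

def convert(value, ztype, unset="-", empty="(empty)", set_sep=","):
    """Map one cell to a Python value using its Zeek type from the #types line."""
    if value == unset:                                  # "-": field not set in this record
        return None
    if ztype.startswith(("set[", "vector[")):           # containers: "(empty)" or a,b,c
        return [] if value == empty else value.split(set_sep)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    return value == "T" if ztype == "bool" else value   # bool; addr/enum/string stay text

def parse_zeek_tsv(text):
    """Return (field names, records); names and types come from the log's own header."""
    hdr = {"separator": "\\x09", "set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    sep, records = "\t", []
    for line in text.splitlines():
        if line.startswith("#"):                        # header and #open/#close metadata
            key, _, rest = line[1:].partition(" " if line.startswith("#separator") else sep)
            hdr[key] = rest.split(sep) if key in ("fields", "types") else rest
            sep = hdr["separator"].encode().decode("unicode_escape")   # "\x09" -> real tab
            continue
        cells = line.split(sep)
        if len(cells) != len(hdr["fields"]):            # a changed Zeek schema shows up here
            raise ValueError(f"expected {len(hdr['fields'])} columns, got {len(cells)}")
        records.append({f: convert(c, t, hdr["unset_field"], hdr["empty_field"], hdr["set_separator"])
                        for f, t, c in zip(hdr["fields"], hdr["types"], cells)})
    return hdr["fields"], records

def logstash_columns_match(text, columns=LOGSTASH_COLUMNS):  # does the hard-coded list match #fields?
    return parse_zeek_tsv(text)[0] == list(columns)
```

Run `logstash_columns_match` against a real /usr/local/zeek/logs/current/conn.log before trusting the Logstash column list after any Zeek upgrade or script change.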
Shipping Zeek logs with Filebeat
- Install and set up Filebeat on Ubuntu 18.04
apt-get install filebeat -y
mkdir /etc/filebeat/ssl
wget https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/ElasticStackv7/configs/filebeat/filebeat.yml -O /etc/filebeat/filebeat.yml
sed -i 's#"localhost:5044"#"<IP addr or FQDN of Logstash>:5044"#g' /etc/filebeat/filebeat.yml
systemctl enable filebeat
systemctl start filebeat
systemctl status filebeat
- Configure Filebeat
sudo vim /etc/filebeat/filebeat.yml
In the Filebeat configuration file, define the paths to the log files and the output destination. The example below defines an input (a "prospector" in older Filebeat releases) for Zeek's conn.log, which holds data on TCP/UDP/ICMP network connections. To follow other logs, add an input for each file in the same way.
# filebeat.inputs / type replace the filebeat.prospectors / input_type keys of Filebeat 6.x and earlier (this guide installs the 7.x packages)
filebeat.inputs:
- type: log
  paths:
    - "/usr/local/zeek/logs/current/conn.log"
  fields:
    type: "zeek-conn"
  fields_under_root: true    # puts "type" at the top level, where the Logstash filter tests it
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
Start the data pipeline
- Start Logstash
cd /usr/share/logstash
# The configuration was written to /etc/logstash, so pass its full path. The systemd unit only loads /etc/logstash/conf.d/*.conf; to run the pipeline as a service, copy the file there instead of running it in the foreground (not both, or two Logstash instances will try to bind port 5044)
sudo bin/logstash -f /etc/logstash/zeek-conn-01.conf
- Start Filebeat
sudo service filebeat start
After a while, if there are no errors in the configuration files, a new Logstash index is created, and its pattern can be defined in Kibana.
Open the following URL in a browser to reach the Kibana dashboard:
http://localhost:5601
You can also check Kibana's status at http://localhost:5601/status; this page also lists all installed plugins.
Enter the index pattern, choose the timestamp field and create the new index pattern. Open the Discover page in Kibana to see the Zeek conn.log messages. The left-hand side lists all the fields Logstash processed, ready for analysis.
Creating visualizations
Kibana visualizations are based on Elasticsearch queries. Data is extracted and processed through a series of Elasticsearch aggregations.
To create a visualization:
- Click the "Visualize" button in the left navigation bar
- Click the "Create new visualization" button or the plus (+) button
- Choose a visualization type
- Specify a search query to retrieve the data for the visualization
- In the visualization builder, choose the aggregation for the Y axis, e.g. sum, average, count
- Set up the X and Y axes
Creating a dashboard
Visualize creates visualizations of the data in Elasticsearch indices. A Kibana dashboard displays a collection of visualizations and searches; you can arrange, resize and edit the dashboard content and then save the dashboard to share it.
Build a dashboard
- Click "Dashboard" in the navigation bar
- Click "Create new dashboard" or the plus (+) button
- Click the "Add" button
- To add a visualization, choose one from the list of visualizations, or click "Add new visualization" to create a new one
- To add a saved query, click the "Saved Search" tab and choose one from the list
- When you have finished adding and adjusting the dashboard content, go to the top menu bar, click "Save" and enter a name