Installing ELK (or, by its new name, the Elastic Stack): the Cheat Sheet

To install Elasticsearch, Logstash and Kibana, and to ship logs from Windows with NXLog and Sysmon, carry out the following steps:

# On a fresh Ubuntu 16.04 server VM with at least 4GB RAM
# Refresh the APT cache
sudo apt-get update

# Install the default Java runtime (OpenJDK 8 on 16.04, which the 5.x stack requires)
sudo apt-get install -y default-jre

# Download all the components together with the .sha1 checksum Elastic
# publishes next to each 5.x package. dpkg -i does not verify signatures,
# so compare the hash before installing anything.
for f in logstash-5.5.0.deb elasticsearch-5.5.0.deb kibana-5.5.0-amd64.deb; do
  wget "https://artifacts.elastic.co/downloads/${f%%-*}/$f"
  wget "https://artifacts.elastic.co/downloads/${f%%-*}/$f.sha1"
  [ "$(sha1sum "$f" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$f.sha1")" ] \
    || { echo "checksum mismatch: $f" >&2; exit 1; }
done

# Install all components
sudo dpkg -i logstash-5.5.0.deb
sudo dpkg -i elasticsearch-5.5.0.deb
sudo dpkg -i kibana-5.5.0-amd64.deb

# Kibana 5.x listens on localhost only; the setting is server.host, not server.
# Kibana has no authentication without X-Pack, so whoever reaches this port can
# read and query everything in Elasticsearch. Bind it to the management
# interface instead of 0.0.0.0 where you can, or put it behind a reverse proxy
# that authenticates; 0.0.0.0 is kept here to match the lab setup.
# Replace the line '#server.host: "localhost"' with 'server.host: "0.0.0.0"':
sudo sed -i 's/^#server.host: "localhost"/server.host: "0.0.0.0"/' /etc/kibana/kibana.yml

# Register the new units, then enable and start Elasticsearch and Kibana
# (enabling alone does not start anything until the next boot)
sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch
sudo systemctl enable --now kibana
# Logstash is enabled now and started once its pipeline file exists
sudo systemctl enable logstash

# Configure Logstash to listen on 5555/tcp. If NXLog is configured with
# to_json() (one JSON object per line), the json_lines codec indexes the
# event fields (EventID, Channel, Hostname, ...) individually; otherwise drop
# the codec line and each event is stored as a single message string.
# Logstash 5.x loads every file in conf.d; name it *.conf for later versions.
sudo tee /etc/logstash/conf.d/nxlog.conf > /dev/null <<'EOF'
input {
  tcp {
    port  => 5555
    codec => json_lines
  }
}
output {
  # Elasticsearch 5.x binds to localhost by default; keep 9200 off the network
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
  }
}
EOF
sudo systemctl start logstash

# On a fresh Windows machine download and install NXLog CE – https://nxlog.co/system/files/products/files/1/nxlog-ce-2.9.1716.msi
# The CE MSI is a 32-bit build, so on 64-bit Windows it installs under C:\Program Files (x86)\nxlog.
# Sysmon (Sysinternals) must already be installed on the host, otherwise the Sysmon event channel does not exist.
# Configure NXLog by writing the following into the C:\Program Files (x86)\nxlog\conf\nxlog.conf file:

## NXLog CE configuration. See the NXLog reference manual for every option:
## http://nxlog.org/docs/

## ROOT must be the folder NXLog was installed into, otherwise the service
## will not start. The CE MSI is 32-bit, so on 64-bit Windows that is
## Program Files (x86).
define ROOT C:\Program Files (x86)\nxlog
#define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    # For Windows 2003 and earlier use the following instead:
    # Module im_mseventlog
    # Without a query im_msvistalog reads only Application, Security and
    # System, so the Sysmon channel has to be named explicitly
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Serialise every event field (EventID, Channel, Hostname, Message, ...)
    # as one JSON line so Logstash's json_lines codec can index them separately
    Exec to_json();
</Input>

<Output out>
    Module om_tcp
    # Replace with the address of the ELK server
    Host 192.168.243.128
    Port 5555
    # Alternative flat Snare format; remove the to_json() above if you use it
    # Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

# Start the nxlog service via services.msc (or from an elevated PowerShell: Start-Service nxlog);
# configuration errors are written to %ROOT%\data\nxlog.log
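Both ends of the pipeline above carry Windows event logs in the clear, and the Logstash port accepts a connection from any host, so anything on that network segment can read the events or inject fabricated ones. The following is an added example, not part of the original cheat sheet: the same two endpoints with TLS and mutual certificate authentication, the Logstash tcp input switched to ssl_enable and the NXLog output switched from om_tcp to om_ssl. The certificate paths, the CERTDIR define and the certificates themselves (issued by a CA you run) are assumptions; 192.168.243.128 is the page's own lab address.

```conf
# /etc/logstash/conf.d/nxlog-tls.conf (Logstash side; replaces the plain tcp input)
# Assumed paths: a server certificate and key for this host, plus the CA that
# issued the NXLog client certificates. All of them come from your own CA.
input {
  tcp {
    port       => 5555
    codec      => json_lines
    ssl_enable => true
    ssl_cert   => "/etc/logstash/certs/logstash.crt"
    ssl_key    => "/etc/logstash/certs/logstash.key"
    # Require a client certificate and check it against this CA, so only
    # hosts you issued a certificate to can send events
    ssl_verify => true
    ssl_extra_chain_certs => ["/etc/logstash/certs/ca.crt"]
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
  }
}

# C:\Program Files (x86)\nxlog\conf\nxlog.conf (NXLog side; replaces the om_tcp <Output>)
# %CERTDIR% is an assumed location for the client certificate, its key and the CA
define CERTDIR %ROOT%\cert

<Output out>
    Module         om_ssl
    Host           192.168.243.128
    Port           5555
    # Validate the Logstash certificate against the CA and refuse anything else
    CAFile         %CERTDIR%\ca.crt
    AllowUntrusted FALSE
    # Present this host's certificate so Logstash can verify who is sending
    CertFile       %CERTDIR%\client.crt
    CertKeyFile    %CERTDIR%\client.key
</Output>
```

The tcp input in Logstash 5.x is Netty-based and expects the private key in PKCS#8 PEM (convert with openssl pkcs8 -topk8 -nocrypt if your CA hands out a traditional RSA key). Issue one client certificate per Windows host rather than sharing one: with ssl_verify on, revoking a single host's certificate is then enough to cut off a compromised sender. The Elasticsearch hop stays unencrypted here, which is acceptable only because it never leaves the loopback interface.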

Useful links:

https://www.elastic.co/guide/en/logstash/current/output-plugins.html – the output plugins Logstash supports

https://www.elastic.co/guide/en/logstash/current/input-plugins.html – the input plugins Logstash supports

https://grokdebug.herokuapp.com/ – a good site for testing Grok expressions

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.pdf – the NXLog reference manual, covering every configuration directive

 
