ELK, open-source SIEM, Open Distro: ELK stack - installation and configuration

ELK SIEM Open Distro: ELK stack - installation and configuration.



This chapter will describe the installation and configuration of the ELK stack. One could have skipped this chapter and left it untranslated, but then the thread running between the original chapters would be lost.



Index of all posts.





1- Installation and configuration of ELK STACK



1.1- Introduction to ELK



A- What is ELK?



B- Difference between ELK Basic and ELK OSS?





1.2- Installing ELK



In our project, we started by setting up ELK Stack Basic (7.6.1) and followed the official guide provided by elastic.co:



https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html







1.3- ELK configuration



In this section, we provide the configuration we used for the ELK stack.



A- Elasticsearch configuration



All settings were made in the elasticsearch.yml file located at /etc/elasticsearch/elasticsearch.yml



, : sudo nano /etc/elasticsearch/elasticsearch.yml



elasticsearch.





. , , . http.port . .



network.bind_host: 0.0.0.0 Elasticsearch, ELK.





, ElasticSearch :



sudo systemctl restart elasticsearch


: network.bind_host to 0.0.0.0 - . .



B-Kibana:



kibana.yml, /etc/kibana/kibana.yml. , :



sudo nano /etc/kibana/kibana.yml






Kibana , server.host: "0.0.0.0". , , . , , 5601. Kibana: sudo systemctl restart kibana



Kibana . http://your_Server_IP:5601





, , , .



: server.host 0.0.0.0 - . .



C-Logstash:



logstash:



sudo cat /etc/logstash/logstash-sample.conf


Logstash. , /etc/logstash/conf.d/ logstash.conf





: sudo systemctl restart logstash



D- :



logstash, kibana elasticsearch. :







, . , tcp6 tcp.



Kibana: 5601



Elasticsearch: 9200



Logstash: 5044
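The two warnings above (network.bind_host and server.host set to 0.0.0.0) and the port check in section D can be turned into a small script. The following is an added example, not part of the original article: the config lines, the file paths used in the test and the `ss -tlnp` output are constructed sample data, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit how the ELK services are
# bound and which of the three listed ports are actually listening. The config
# lines and the `ss -tlnp` output used below are constructed sample data.

# Value of a top-level key (network.bind_host, server.host, http.port, ...) from
# a YAML-style config file; commented lines are ignored and quotes are stripped.
config_value() {               # $1 = file, $2 = key
    grep -E "^[[:space:]]*$2:" "$1" | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/^"//; s/"$//; s/[[:space:]]*$//'
}

# EXPOSED when the service listens on every interface (the 0.0.0.0 setting the
# article warns about), LOCAL when unset or loopback, RESTRICTED otherwise.
bind_status() {                # $1 = file, $2 = key
    case "$(config_value "$1" "$2")" in
        0.0.0.0|"::")           echo EXPOSED ;;
        ""|127.0.0.1|localhost) echo LOCAL ;;
        *)                      echo RESTRICTED ;;
    esac
}

# Reads `ss -tlnp`-style lines on stdin and prints "port address" for the ELK
# ports the article lists: Kibana 5601, Elasticsearch 9200, Logstash 5044.
# Column 4 of ss output is "Local Address:Port"; the last ":"-separated field
# is the port, whatever comes before it (IPv4, [::] or *) is the bind address.
elk_listeners() {
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "5601" || port == "9200" || port == "5044") print port, addr
         }' | sort -n
}

# Constructed `ss -tlnp` output (sample data) for a host where Elasticsearch is
# bound to loopback, Kibana to 0.0.0.0 and Logstash to all interfaces.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9200     0.0.0.0:*         users:(("java",pid=1001,fd=1))
LISTEN 0      511    0.0.0.0:5601       0.0.0.0:*         users:(("node",pid=1002,fd=1))
LISTEN 0      4096   *:5044             *:*               users:(("java",pid=1003,fd=1))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1004,fd=1))
EOF
}

# Stand-alone run over the sample data; on a real host pipe `ss -tlnp` into
# elk_listeners and point bind_status at /etc/elasticsearch/elasticsearch.yml
# (network.bind_host) and /etc/kibana/kibana.yml (server.host).
sample_ss_output | elk_listeners
```

A "5601 0.0.0.0" line from `elk_listeners` together with EXPOSED from `bind_status` is the combination the article's warnings refer to: Kibana reachable from every interface, so it needs either a loopback bind behind a reverse proxy or a host firewall rule in front of it.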





2- Beats:



A- Winlogbeat:



URL:



https://www.elastic.co/fr/downloads/beats/winlogbeat



:



https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html



B- Winlogbeat:



winlogbeat.yml:





winlogbeat.event_logs:



winlogbeat winlogbeat.yml , Winlogbeat. , , . , Sysmon .



, .



:



— index.number_of_shards:



, . , Elasticsearch , , .



— index.number_of_replicas:



, Elasticsearch . , , Elasticsearch. , .



:









Elasticsearch Logstash .
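The winlogbeat.yml settings discussed above (winlogbeat.event_logs including the Sysmon channel, index.number_of_shards, index.number_of_replicas, and the choice of Elasticsearch or Logstash as output) are shown together in the following added example, which is not code from the original article or from Elastic. The channel list, the shard and replica counts and the ES_HOST / KIBANA_HOST / LOGSTASH_HOST placeholders are assumptions of this example; the helper functions that read the settings back are also part of the example, not a Winlogbeat feature.

```shell
#!/bin/sh
# Added example, not from the original article: writes a constructed
# winlogbeat.yml (channel names, shard/replica counts and host placeholders are
# assumptions) and reads the settings back so they can be checked before the
# first `winlogbeat setup`.

# Writes the sample configuration to the path given as $1.
write_winlogbeat_config() {
    cat > "$1" <<'EOF'
# Channels forwarded to the stack; the Sysmon channel carries the events
# produced by the Sysmon configuration described in this chapter.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
  - name: Microsoft-Windows-PowerShell/Operational

# Index template applied when winlogbeat creates its index: one primary shard
# and, on a single Elasticsearch node, no replicas (none could be allocated).
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0

setup.kibana:
  host: "KIBANA_HOST:5601"

# Send either straight to Elasticsearch or through Logstash (port 5044), never both.
output.elasticsearch:
  hosts: ["ES_HOST:9200"]
#output.logstash:
#  hosts: ["LOGSTASH_HOST:5044"]
EOF
}

# Channel names configured under winlogbeat.event_logs, one per line. The sed
# range runs from the key to the next top-level key (first non-indented,
# non-comment line).
event_log_channels() {         # $1 = file
    sed -n '/^winlogbeat\.event_logs:/,/^[^[:space:]#]/p' "$1" \
        | grep -E '^[[:space:]]*-[[:space:]]*name:' \
        | sed -E 's/^[[:space:]]*-[[:space:]]*name:[[:space:]]*//; s/[[:space:]]*$//'
}

# True when the given channel is configured (fixed-string, whole-line match).
has_channel() {                # $1 = file, $2 = channel name
    event_log_channels "$1" | grep -qxF -- "$2"
}

# Value of one setting under setup.template.settings.
template_setting() {           # $1 = file, $2 = setting name
    sed -n '/^setup\.template\.settings:/,/^[^[:space:]#]/p' "$1" \
        | grep -E "^[[:space:]]+$2:" \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# On a one-node cluster a replica shard can never be placed, so the index would
# sit in yellow health; flag anything other than 0 replicas.
check_single_node_template() { # $1 = file
    if [ "$(template_setting "$1" index.number_of_replicas)" = "0" ]; then
        echo OK
    else
        echo "WARN: replicas cannot be allocated on a single node"
    fi
}

# Stand-alone run: write the sample file, list its channels and check the
# template settings.
cfg=$(mktemp)
write_winlogbeat_config "$cfg"
event_log_channels "$cfg"
check_single_node_template "$cfg"
rm -f "$cfg"
```

The replica check only matters for the single-node lab setup this chapter describes; on a multi-node cluster the same function should expect at least one replica instead, since that is what protects the indices against the loss of a node.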



:





, winlogbeat, :



(ILM):



, ILM. ILM Index Lifecycle Manager — x-pack, ELK, ELK oss. ILM , . : , , , , , .



ILM ELK, , Elasticsearch. ILM , .





Sysmon MITRE ATT&CK:



Sysmon , , sysmon ELK.



(Sysmon) — Windows , , , Windows. , . , Windows Event Collection SIEM, , , .



MITRE ATT&CK — , . ATT&CK , , .



I. Sysmon:



https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon



II. xml- sysmon, MITRE ATT&CK: https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml



III. Sysmon :



sysmon64 -accepteula -i sysmonconfig-export.xml


IV. :



sysmon64 -c


, :



I. :



, . , , , , .



Elasticsearch. Elasticsearch, . winlogbeat Elasticsearch, .



Logstash Elasticsearch.



II. :



https://www.elastic.co/guide/en/beats/winlogbeat/current/load-kibana-dashboards.html



:



, Kibana.



:









, . Elasticsearch, , Logstash, .



ELK:



winlogbeat sysmon PowerShell services.msc, Kibana.



winlogbeat. ELK STACK Logstash , .





winlogbeat:





Discover sysmon (MITRE):







winlogbeat , .



, :



Winlogbeat



Filebeat



Packetbeat



Metricbeat



, , metricbeat filebeat, , .



, filebeat ssh, sudo ubuntu Suricata Suricata IDS.



Suricata:



Suricata filebeat:



sudo filebeat modules enable suricata



, filebeat, /etc/filebeat/modules.d/



, :



filebeat modules list



This is the link we used to install Suricata on our device: https://www.alibabacloud.com/blog/594941



You should get a toolbar similar to this one. Do not worry if you do not get exactly this result; we will work with the dashboard in the following articles.





It is also possible to integrate the Suricata interface into the ELK stack, for which you can check this link .



Elasticsearch telegram chat




All Articles