🔦 🥇 👩🏼‍🔧 ELK, SIEM dari OpenSource, Open Distro: Walking Through Open Distro ⏮️ 🛅 🖖🏿

Posting ini akan menjelaskan cara menginstal dan mengkonfigurasi Distro terbuka untuk Elasticsearch.

Plugin berikut tersedia di Distro terbuka:

Keamanan
Memperingatkan
SQL
Manajemen Keamanan Informasi (ISM)
Penganalisis Kinerja

Daftar isi untuk semua posting.

Dalam proyek kami, kami hanya memasang plugin keamanan dan peringatan.

Fungsi 1-Peringatan:

Open Distro for Elasticsearch memungkinkan Anda untuk melacak data Anda dan secara otomatis mengirim peringatan ke pemangku kepentingan. Mudah untuk disiapkan dan dikelola, dan menggunakan antarmuka Kibana dengan API yang kuat.

, , - . , , . , Elasticsearch .

URL- ( 1.6.0 ) :

https://opendistro.github.io/for-elasticsearch-docs/version-history/

, elasticsearch kibana:

/usr/share/elasticsearch :  Elasticsearch
/usr/share/kibana :  Kibana

1.1- Alerting elasticsearch:

cd /usr/share/elasticsearch
sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-sql/opendistro_sql-1.6.0.0.zip

1.2- Alerting kibana :

cd /usr/share/kibana
sudo bin/kibana-plugin install — allow-root https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-1.6.0.0.zip

1.3- , :

— Kibana :

sudo bin/kibana-plugin list
sudo bin/kibana-plugin remove <plugin-name>

— elasticsearch :

sudo bin/elasticsearch-plugin list
sudo bin/elasticsearch-plugin remove <plugin-name>

1.4- kibana elasticsearch :

systemctl restart kibana elasticsearch

: , elasticsearch kibana , kibana ( kibana is not ready yet ). kibana elasticsearch top.

1.5- kibana :

1.6- :

) URL- - Slack:

Slack — , « , ». Slack — .

Webhooks — Slack. - URL-, JSON . Incoming Webhooks, .

(slack.com)
, Slack.
, ,
, , Incoming Webhook, :
Slack
( ) « ».
, URL- - ( , )
Kibana → Alerting → Destination add destination:
, Slack, URl - .

1.6.2- Slack:

( : 4624 , )

Monitor Schedule

, :

, , :

Kibana, Slack:

Slack- (#test ) :

2- :

, , , .

2.1- :

, Kibana . , , , .

( 1 4), , . URL:

Kibana:

sudo bin/kibana-plugin install — allow-root https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-1.6.0.0.zip

Elasticsearch:

sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-1.6.0.0.zip

: type y

sudo sh /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh

securityadmin.sh.

cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
chmod +x install_demo_configuration.sh
./install_demo_configuration.sh

y ( : admin / : admin)

/etc/elasticsearch/elasticsearch.yml

2.2- elasticsearch logstash kibana:

, SSL elasticsearch. , .

2.2.1- Elasticsearch:

x-pack security elasticsearch: elasticsearch , , - xpack, ELK Stack, /etc/elasticsearch/elasticsearch.yml .

2.2.2- :

x-pack security Kibana: xpack.security ssl /etc/kibana/kibana.yml

. , — https, http.

2.2.3- Logstash:

elasticsearch, logstash, , logstash.

, https, http.

sudo nano /etc/logstash/conf.d/logstash.conf

: , elasticsearch , SSL, , . , — https, http.

2.3- :

systemctl restart elasticsearch
systemctl restart logtash
systemctl restart kibana

, . top . (kibana is not ready yet).

ELK .

, URL- Elasticsearch (http , https)

Di sini Anda dapat membuat pengguna, menetapkan peran dan izin:

Ini membantu Anda mengatur grup SOC berdasarkan peran, tindakan, dan hak istimewa.

Berikut adalah peran default dan database pengguna internal:

Obrolan Telegram di Elasticsearch: https://t.me/elasticsearch_ru

ELK, SIEM dari OpenSource, Open Distro: Walking Through Open Distro