ELK installation - SIEM

This post is mainly a note for myself; it is a bit rough and not recommended for reading.

Installing ELK

Download: curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-x86_64.rpm

sudo rpm -vi auditbeat-7.6.1-x86_64.rpm

The packages needed are listed below; download them the same way as above.

elasticsearch-7.6.1-x86_64.rpm

kibana-7.6.1-x86_64.rpm

filebeat-7.6.1-x86_64.rpm

logstash-7.6.1.rpm

auditbeat-7.6.1-x86_64.rpm

packetbeat-7.6.1-x86_64.rpm

Upload the ES and Kibana 7.6 packages to the host: elasticsearch-7.6.1-x86_64.rpm kibana-7.6.1-x86_64.rpm

#yum install -y elasticsearch-7.6.1-x86_64.rpm kibana-7.6.1-x86_64.rpm
# vim /etc/elasticsearch/elasticsearch.yml

cluster.name: my-siem

node.name: node-1

network.host: 0.0.0.0

cluster.initial_master_nodes: node-1

# systemctl start elasticsearch

curl http://localhost:9200

{
  "name" : "node-1",
  "cluster_name" : "my-siem",
  "cluster_uuid" : "jD1WhvTsQaSXPsk1ZzCEsA",
  "version" : {
    "number" : "7.6.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "aa751e09be0a5072e8570670309b1f12348f023b",
    "build_date" : "2020-02-29T00:15:25.529771Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

#vim /etc/kibana/kibana.yml

server.host: "192.168.0.60"

elasticsearch.hosts: ["http://localhost:9200"]

i18n.locale: "zh-CN"

#systemctl start kibana

#systemctl status kibana

Open 192.168.0.60:5601 in a browser


Node 1

Upload the packages or download them directly

auditbeat-7.6.1-x86_64.rpm

filebeat-7.6.1-x86_64.rpm

packetbeat-7.6.1-x86_64.rpm

#yum install -y auditbeat-7.6.1-x86_64.rpm filebeat-7.6.1-x86_64.rpm packetbeat-7.6.1-x86_64.rpm

#vim /etc/auditbeat/auditbeat.yml

hosts: ["192.168.0.60:9200"]

host: "192.168.0.60:5601"

tags: ["ebank1", "dengbao3"] -- this part can be ignored, or you can enable it and modify/define it yourself; I didn't quite understand it.

#auditbeat setup

#systemctl start auditbeat


#vim /etc/packetbeat/packetbeat.yml

host: "192.168.0.60:5601"

hosts: ["192.168.0.60:9200"]

#packetbeat setup

#systemctl start packetbeat


Go back to the web page and refresh; the data should now be visible.
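Before refreshing the Kibana page, a quick readiness check saves guessing. The script below is an added example and is not part of the original notes: it parses the JSON that Elasticsearch returns from GET / (the reply recorded above for node-1 / my-siem) and from GET /_cat/indices?format=json (a constructed sample), then reports whether the Beats version can ship to this cluster and which Beats already have an index with documents. ES_URL is an assumption taken from the host used in the notes; everything runs offline on the embedded samples.

```python
"""Offline readiness check for the single-node ELK SIEM built above (added example)."""
import json
import urllib.request

ES_URL = "http://192.168.0.60:9200"          # assumed: the ES host used in the notes
BEATS = ("auditbeat", "packetbeat", "filebeat")
BEATS_VERSION = "7.6.1"

# Constructed sample: the GET / reply recorded in the notes, trimmed to the fields used.
SAMPLE_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "my-siem",
    "version": {"number": "7.6.1", "build_flavor": "default", "lucene_version": "8.4.0"},
    "tagline": "You Know, for Search",
})

# Constructed sample: GET /_cat/indices?format=json on a node where auditbeat and
# packetbeat are already shipping but filebeat has not created an index yet.
SAMPLE_INDICES = json.dumps([
    {"health": "yellow", "status": "open",
     "index": "auditbeat-7.6.1-2022.02.11-000001", "docs.count": "1240"},
    {"health": "yellow", "status": "open",
     "index": "packetbeat-7.6.1-2022.02.11-000001", "docs.count": "5321"},
    {"health": "green", "status": "open", "index": ".kibana_1", "docs.count": "88"},
])


def parse_version(text):
    """'7.6.1' -> (7, 6, 1); a pre-release suffix such as '-beta1' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def version_compatible(beats_version, root_json):
    """Elastic's support rule for Beats -> Elasticsearch: same major version,
    and Elasticsearch must not be older than the Beat."""
    es_version = json.loads(root_json)["version"]["number"]
    beat, es = parse_version(beats_version), parse_version(es_version)
    return beat[0] == es[0] and beat <= es


def beat_index_status(cat_indices_json, beats=BEATS):
    """Map each Beat to the total document count over its indices
    (with ILM they are named <beat>-<version>-<date>-<n>); 0 means no data yet."""
    totals = {beat: 0 for beat in beats}
    for entry in json.loads(cat_indices_json):
        for beat in beats:
            if entry["index"].startswith(beat + "-"):
                totals[beat] += int(entry["docs.count"])
    return totals


def fetch_text(path, base=ES_URL):
    """Live variant: GET base+path and return the raw body for the parsers above."""
    with urllib.request.urlopen(base + path, timeout=5) as resp:
        return resp.read().decode()


def readiness_report(root_json, cat_indices_json, beats_version=BEATS_VERSION):
    """Return (version_ok, {beat: doc_count}) from the two raw responses."""
    return (version_compatible(beats_version, root_json),
            beat_index_status(cat_indices_json))


if __name__ == "__main__":
    # Offline demonstration; for a live check pass fetch_text("/") and
    # fetch_text("/_cat/indices?format=json") instead of the samples.
    ok, counts = readiness_report(SAMPLE_ROOT, SAMPLE_INDICES)
    print("Beats %s compatible with cluster: %s" % (BEATS_VERSION, ok))
    for beat, docs in counts.items():
        print("%-11s %s" % (beat, "%d docs" % docs if docs else "NO DATA YET"))
```

A Beat whose count stays at 0 after a few minutes usually means its output.elasticsearch.hosts points at the wrong address or the service never started (check systemctl status for that Beat), which is a faster diagnosis than refreshing a dashboard.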


Enabling the Cisco module

Load the dashboards into Kibana: filebeat setup --dashboards
After enabling the Cisco module, the ([Filebeat Cisco] ASA Firewall) dashboard shows no data. This is because the dashboard only displays data from the specific index it is built on. Remove the custom index settings; once the Cisco module is enabled, the default index is generated automatically, and the ([Filebeat Cisco] ASA Firewall) dashboard will then show data.
Fix:
1. Enable the following in the config file:
setup.kibana:
  host: "localhost:5601"
2. Remove the custom index configuration from the config file
3. Run: filebeat setup --dashboards
4. Restart filebeat
5. In Kibana, delete the previously created custom index pattern and check whether a new index is generated automatically; once it exists, open the ([Filebeat Cisco] ASA Firewall) dashboard and check it
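Steps 1 and 2 above are exactly the two settings that most often break module dashboards, so it is worth checking a filebeat.yml for them before restarting anything. The script below is an added example, not part of the original notes: the module dashboards are built on the default filebeat-* index pattern, so a custom output index (output.elasticsearch.index together with setup.template.name/pattern) routes events where the dashboard never looks, and filebeat setup --dashboards needs setup.kibana.host. BEFORE and AFTER are constructed sample configs (a custom "ebank" index with Kibana commented out, and the corrected form); the flattener assumes the plain block-style key: value layout Beats configs use and skips list items.

```python
"""Check a filebeat.yml for settings that hide data from the module dashboards (added example)."""

CUSTOM_INDEX_KEYS = ("output.elasticsearch.index",
                     "setup.template.name", "setup.template.pattern")

# Constructed sample: the broken state described in the notes.
BEFORE = """\
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
output.elasticsearch:
  hosts: ["192.168.0.60:9200"]
  index: "ebank-%{[agent.version]}-%{+yyyy.MM.dd}"   # custom index
setup.template.name: "ebank"
setup.template.pattern: "ebank-*"
#setup.kibana:
#  host: "192.168.0.60:5601"
"""

# Constructed sample: the corrected state after steps 1 and 2.
AFTER = """\
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
output.elasticsearch:
  hosts: ["192.168.0.60:9200"]
setup.kibana:
  host: "192.168.0.60:5601"
"""


def flatten_yaml_keys(text):
    """Flatten nested mappings into dotted keys: 'setup.kibana:' + '  host: x'
    becomes {'setup.kibana.host': 'x'}. Comment and '- item' lines are skipped."""
    flat = {}
    stack = []                                    # (indent, key) of enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments (assumes no '#' in values)
        if not line.strip() or line.lstrip().startswith("-"):
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:   # leave mappings at this level or deeper
            stack.pop()
        full = ".".join([k for _, k in stack] + [key])
        value = value.strip()
        if value:
            flat[full] = value.strip("\"'")
        else:
            stack.append((indent, key))           # 'key:' alone opens a nested mapping
    return flat


def cisco_dashboard_findings(config_text):
    """Return the changes needed before the [Filebeat Cisco] dashboard can show data."""
    flat = flatten_yaml_keys(config_text)
    findings = []
    for key in CUSTOM_INDEX_KEYS:
        if key in flat:
            findings.append("remove %s (%s): module dashboards read filebeat-* only"
                            % (key, flat[key]))
    if "output.elasticsearch.hosts" not in flat:
        findings.append("output.elasticsearch.hosts is not set")
    if "setup.kibana.host" not in flat:
        findings.append("setup.kibana.host is not set; 'filebeat setup --dashboards' needs it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        problems = cisco_dashboard_findings(cfg)
        print("%s: %s" % (label, "OK" if not problems else ""))
        for p in problems:
            print("  - " + p)
```

The checker only covers the main filebeat.yml; the module itself is switched on with filebeat modules enable cisco and its syslog listener is configured in modules.d/cisco.yml, which this script does not inspect.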


posted @ 2022-02-11 15:31  日光倾城-  Views (217)  Comments (0)