Debian 9 64-bit – ELK Stack

Author: Vince Nadus
Published: 1 February 2019
monitoring debian

01-Prerequisites (Server)

apt-get install openjdk-8-jdk

02-Repositories

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list
apt-get update
apt-get install elasticsearch

03-Elasticsearch

nano /etc/elasticsearch/elasticsearch.yml

Edit

network.host: localhost
systemctl restart elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch

04-Kibana

apt-get install kibana
nano /etc/kibana/kibana.yml
server.port: 5601
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]
kibana.index: ".kibana"

systemctl restart kibana
systemctl daemon-reload
systemctl enable kibana

05-Kibana (reverse proxy)

apt-get -y install nginx apache2-utils
echo "kibanaadmin:`openssl passwd -apr1`" | sudo tee -a /etc/nginx/htpasswd.users
nano /etc/nginx/sites-available/default
server {
  listen 80;
  server_name example.com;
  auth_basic "Restricted Access";
  auth_basic_user_file /etc/nginx/htpasswd.users;
  location / {
    proxy_pass http://localhost:5601;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}
nginx -t
systemctl restart nginx

06-Logstash – Installation

apt-get install logstash
systemctl start logstash.service
systemctl enable logstash.service

07-Logstash – Configuration (Server)

This section defines how Logstash receives logs (input => syslog, input => apache_access, ...), processes them (filter => grok) and forwards them (output => elasticsearch, output => stdout).

With Filebeat

nano /etc/logstash/conf.d/01-logstash-apache.conf
input {
  beats {
    port => "5044"
    type => "apache_access"
  }
}

filter {
  grok {
    match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%$
    remove_field => "message"
  }
  mutate {
    add_field => { "read_timestamp" => "%{@timestamp}" }
  }
  date {
    match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
    remove_field => "[apache2][access][time]"
  }
  useragent {
    source => "[apache2][access][agent]"
    target => "[apache2][access][user_agent]"
    remove_field => "[apache2][access][agent]"
  }
  geoip {
    source => "[apache2][access][remote_ip]"
    target => "[apache2][access][geoip]"
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "logstash-test-loina-%{+YYYY.MM.dd}"
  }
  # stdout { codec => rubydebug }
}
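As an added example (not from the original post, and not Logstash itself), the Python stand-in below runs one constructed Apache combined-log line through the stages of 01-logstash-apache.conf above: a regex in place of the grok pattern, the read_timestamp mutate, the date parse with the config's "dd/MMM/YYYY:H:m:s Z" format, and the removal of the raw message; the useragent and geoip stages are left out. The regex, the sample line and any field names beyond those the config references are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed Apache combined-log line (not from the original post).
SAMPLE_LINE = ('203.0.113.5 - alice [01/Feb/2019:10:15:32 +0100] '
               '"GET /index.php?id=1 HTTP/1.1" 200 4523 "-" '
               '"Mozilla/5.0 (X11; Linux x86_64)"')

# Regex standing in for the page's grok pattern; the group names become the
# [apache2][access][*] leaf fields that the filter chain references.
ACCESS_RE = re.compile(
    r'^(?P<remote_ip>\S+) - (?P<user_name>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<response_code>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)")?(?: "(?P<agent>[^"]*)")?$')

def _iso(ts):
    """Logstash @timestamp formatting: UTC, millisecond precision, Z suffix."""
    return ts.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.000Z')

def build_event(line, received_at=None):
    """Run one access-log line through the stages of 01-logstash-apache.conf.
    Returns the event document, or None where grok would not match (Logstash
    would then keep the raw message and add the _grokparsefailure tag)."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    received_at = received_at or datetime.now(timezone.utc)
    # mutate: read_timestamp keeps the ingest time before date overwrites @timestamp
    event = {'read_timestamp': _iso(received_at)}
    # date: parse [apache2][access][time] with "dd/MMM/YYYY:H:m:s Z", then remove it
    logged_at = datetime.strptime(fields.pop('time'), '%d/%b/%Y:%H:%M:%S %z')
    event['@timestamp'] = _iso(logged_at)
    # grok's remove_field => "message": the raw line is not stored in the event
    event['apache2'] = {'access': fields}
    return event

def event_for_sample():
    """The sample line as ingested at a fixed (constructed) time."""
    return build_event(SAMPLE_LINE, datetime(2019, 2, 1, 9, 20, tzinfo=timezone.utc))
```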

With Rsyslog

nano /etc/logstash/conf.d/01-logstash-rsyslog.conf
input {
  udp {
    port => 10514
    codec => "json"
    type => "syslog"
  }
}

filter {
  # This replaces the host field (UDP source) with the host that generated the message (sysloghost)
  if [sysloghost] {
    mutate {
      replace => { "host" => "%{sysloghost}" }
      remove_field => "sysloghost" # prune the field after successfully replacing "host"
    }
  }
}

output {
  elasticsearch { hosts => [ "localhost:9200" ] }
}

Test the configuration in run mode (see with output: stdout) => starts the service in the foreground (Ctrl+C to stop it). Stop the logstash service first: a second instance using the same data directory refuses to start.

/usr/share/logstash/bin/logstash --path.settings /etc/logstash --log.level debug -f /etc/logstash/conf.d/01-logstash-apache.conf

Test the configuration (check only)

/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/01-logstash-apache.conf -t

08-Logstash – Configuration (client)

With Filebeat

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list
apt-get update
apt-get install filebeat
nano /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/syslog
# No direct output to Elasticsearch
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

output.logstash:
  # The Logstash hosts
  hosts: ["elk.loina.wf:5044"]
systemctl start filebeat
systemctl enable filebeat

With Rsyslog

apt-get install rsyslog
nano /etc/rsyslog.d/logstash-json.conf
template(name="ls_json"
         type="list"
         option.json="on") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"@version\":\"1")
  constant(value="\",\"message\":\"")     property(name="msg")
  constant(value="\",\"host\":\"")        property(name="hostname")
  constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
  constant(value="\",\"programname\":\"") property(name="programname")
  constant(value="\",\"procid\":\"")      property(name="procid")
  constant(value="\"}\n")
}
nano /etc/rsyslog.conf
*.* @IP_Serveur_Logstash:10514;ls_json
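Added example (not the post's own code, and not rsyslog or Logstash): a Python stand-in for the path between the ls_json template above and the server-side 01-logstash-rsyslog.conf from section 07. It renders one message with the template's field set, delivers it over loopback UDP, decodes it as the udp { codec => "json" } input does, and applies the sysloghost mutate. The sample message, hostnames and the use of json.dumps for the option.json="on" escaping are this example's assumptions; since the template emits host itself, the sysloghost branch only matters for senders that set that field, and the filter function handles both cases.

```python
import json
import socket

def render_ls_json(timereported, msg, hostname, severity, facility, programname, procid):
    """Emit the same fields, in the same order, as the ls_json rsyslog template.
    json.dumps stands in for the escaping rsyslog applies with option.json="on"."""
    doc = {'@timestamp': timereported, '@version': '1', 'message': msg,
           'host': hostname, 'severity': severity, 'facility': facility,
           'programname': programname, 'procid': procid}
    return json.dumps(doc) + '\n'

def logstash_filter(event):
    """The filter block of 01-logstash-rsyslog.conf: when sysloghost is present
    it replaces host (otherwise the UDP peer address) and is then pruned."""
    if event.get('sysloghost'):
        event['host'] = event.pop('sysloghost')
    return event

def udp_roundtrip(line):
    """Deliver one JSON line to a loopback UDP listener and decode it the way the
    udp { codec => "json" } input does. Port 0 picks an ephemeral port, so this
    never collides with a Logstash already listening on 10514."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(('127.0.0.1', 0))
    server.settimeout(2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(line.encode(), server.getsockname())
        data, peer = server.recvfrom(65535)
    finally:
        client.close()
        server.close()
    event = json.loads(data)
    # The udp input only fills host from the peer address when the payload has none.
    event.setdefault('host', peer[0])
    return logstash_filter(event)

# Constructed sample message (not from the original post); the embedded quotes
# are what the template's option.json="on" has to escape.
SAMPLE_LINE = render_ls_json('2019-02-01T10:15:32+01:00',
                             'Invalid user "admin" from 203.0.113.5 port 51234',
                             'web01', 'info', 'auth', 'sshd', '1234')
```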

09-Restarting the services

systemctl restart logstash
systemctl restart elasticsearch
systemctl restart kibana

or

reboot

10-Accessing the Kibana interface

https://IP_serveur_Kibana (or http://IP_serveur_Kibana:5601)

11-Kibana configuration

Adding an index to Kibana

Adding alerts to Kibana

git clone https://github.com/Yelp/elastalert.git

https://github.com/Yelp/elastalert/tree/master/example_rules

Fail2ban https://miteshshah.github.io/linux/elk/how-to-monitor-fail2ban-logs-on-elk-stack/ http://www.jouvinio.net/wiki/index.php/Configuration_Logstash_-_Fail2ban