# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
#非华为云提供镜像可使用该命令下载对应版本
docker pull centos:7.7.1908
# wget https://download.opensuse.org/repositories/security:/zeek/CentOS_7/x86_64/zeek-lts-5.0.4-2.1.x86_64.rpm
添加软件源并手动安装(注意:下方 wget 使用了 --no-check-certificate,会跳过对软件源下载地址的证书校验)
# cd /etc/yum.repos.d/
# wget https://download.opensuse.org/repositories/security:zeek/CentOS_7/security:zeek.repo --no-check-certificate
# yum install zeek-lts
设置json格式日志
/opt/zeek/share/zeek/site/local.zeek后追加@load policy/tuning/json-logs.zeek
配置监控网卡
vi /opt/zeek/etc/node.cfg
配置网段
vi /opt/zeek/etc/networks.cfg
启动zeek
cd /opt/zeek/bin
./zeekctl deploy
./zeekctl start
安装filebeat
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.1-x86_64.rpm
rpm -vi filebeat-7.8.1-x86_64.rpm
修改filebeat配置
vi /etc/filebeat/filebeat.yml
filebeat modules enable zeek
配置,引用 https://zhuanlan.zhihu.com/p/534979574
/etc/filebeat/modules.d/zeek.yml
filebeat setup
service filebeat start
配置如下
====================================================================================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
- /opt/zeek/logs/current/*.log
#- c:\programdata\elasticsearch\logs\*
===================================================================================
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
====================================================================================
elasticsearch依赖Java 8以上
下载Oracle JDK安装包
下载官网地址:https://www.oracle.com/java/technologies/downloads/#java11
下载 jdk-11.0.17_linux-x64_bin.tar.gz
账号 bxxxxxxxx@live.com
密码 Bxxxxxxxxxxxx8
mkdir -p /usr/local/java
cd /usr/local/java/
tar -zxvf jdk-11.0.17_linux-x64_bin.tar.gz
vim /etc/profile 写入
export JAVA_HOME=/usr/local/java/jdk-11.0.17
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
加载配置文件
source /etc/profile
验证配置
java -version
java version "11.0.17" 2022-10-18 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.17+10-LTS-269)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.17+10-LTS-269, mixed mode)
安装elasticsearch
cd /usr/local/es
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.1-linux-x86_64.tar.gz
tar -zxvf elasticsearch-7.8.1-linux-x86_64.tar.gz
mv elasticsearch-7.8.1 es7.8.1
useradd es
passwd es --> asdf
chown -R es:es /usr/local/es/es7.8.1/
cd es7.8.1/bin/
切换用户后运行
su es
./elasticsearch
遇到报错
max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536] in elasticsearch log
vi /etc/security/limits.conf
末尾添加
* soft nofile 65536
* hard nofile 65536
此时默认只允许本机访问,可通过以下命令验证
curl http://localhost:9200
返回如下JSON表示本地访问成功
{
"name" : "ecs-18835",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "TLF-aGoITzO7n5rs79iXBQ",
"version" : {
"number" : "7.8.1",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
"build_date" : "2020-07-21T16:40:44.668009Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
修改为允许外部访问。一旦启用外部访问,elasticsearch则视为正式生产环境,会对配置进行检查并提出要求
vi /usr/local/es/es7.8.1/config/elasticsearch.yml
修改字段为 network.host: 0.0.0.0
然后重新启动 elasticsearch
根据本次运行的错误提示,有一项
vi /usr/local/es/es7.8.1/config/elasticsearch.yml
打开此项
cluster.initial_master_nodes: ["node-1"]
引用自https://blog.csdn.net/qq_43655835/article/details/104637625
根据系统内存大小设置jvm大小
vi /usr/local/es/es7.8.1/config/jvm.options
根据实际修改(华为云2G,分512m)
-Xms512m
-Xmx512m
vi /etc/sysctl.conf 末尾加入
vm.max_map_count = 655360
执行命令
sysctl -p
打开华为云入方向规则
允许 TCP : 9200 IPv4 0.0.0.0/0(注意:本文没有为 elasticsearch 配置任何认证,上方 filebeat 输出中的 username/password 也仍是注释状态,再配合 network.host: 0.0.0.0,这条规则会让 9200 端口在公网上无认证可达;建议把来源限制为自己的 IP)
浏览器访问公网 http://ip:9200
返回
{
"name" : "ecs-18835",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "TLF-aGoITzO7n5rs79iXBQ",
"version" : {
"number" : "7.8.1",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
"build_date" : "2020-07-21T16:40:44.668009Z",
"build_snapshot" : false,
"lucene_version" : "8.5.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
运行
nohup ./elasticsearch &
安装kibana版本号和elasticsearch有对应关系的
mkdir /usr/local/kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.8.1-linux-x86_64.tar.gz
tar -xzf kibana-7.8.1-linux-x86_64.tar.gz
可能会报一些错
The Reporting plugin encountered issues launching Chromium in a self-test. You may have trouble generating reports.
安装一下即可
yum install ipa-gothic-fonts
yum install xorg-x11-fonts-100dpi
yum install xorg-x11-fonts-75dpi
yum install xorg-x11-utils
yum install xorg-x11-fonts-cyrillic
yum install xorg-x11-fonts-Type1
yum install xorg-x11-fonts-misc
yum install fontconfig
yum install freetype
开启公网访问权限
vi /usr/local/kibana/kibana-7.8.1/config/kibana.yml
#server.host: "localhost" --> server.host: "0.0.0.0"
配置华为云入方向规则
允许 TCP : 5601 IPv4 0.0.0.0/0(注意:本文同样没有为 kibana 配置认证,server.host 改为 0.0.0.0 后这条规则会让 kibana 在公网上无认证可达;建议把来源限制为自己的 IP)
运行
nohup ./kibana &
浏览器访问
http://ip:5601
另:
本地安装zeek所依赖的rpm包(尚未验证,验证后再更新)
通过源安装获得的一整套的rpm包
# cd /etc/yum.repos.d/
# wget https://download.opensuse.org/repositories/security:zeek/CentOS_7/security:zeek.repo --no-check-certificate
# yum install zeek-lts
使用本地安装命令一次性安装
yum localinstall *.rpm
设置网卡混杂模式命令
ifconfig ens33 promisc
参考链接
开源IDS网络流量分析与监控系统Zeek对接GrayLog - 云计算运维 - OSSQ
https://blog.ossq.cn/2303.html
http://www.senlt.cn/article/171944181.html
https://blog.ossq.cn/2287.html