Learning Arkime, the traffic-analysis tool (1): installation and deployment

An open-source network traffic analysis system

Target system

Minimal install of CentOS 7.9

Prerequisites

This covers preparing the required software and RPM packages.

Offline installation

First download the packages:

yum install --downloadonly --downloaddir=/home/arkime wget net-tools vim
yum install --downloadonly --downloaddir=/home/arkime java-11-openjdk
yum install --downloadonly --downloaddir=/home/arkime perl-libwww-perl perl-JSON libyaml-devel perl-LWP-Protocol-https

Then install them from the download directory:

rpm -ivh *.rpm

Online installation

yum install wget net-tools vim
yum -y install perl-libwww-perl perl-JSON libyaml-devel perl-LWP-Protocol-https
yum -y install java-11-openjdk

Elasticsearch

Installation

Download it from the official Elasticsearch site.
Download link

Then install it with:

rpm -ivh *.rpm

Configure Elasticsearch

vi /etc/elasticsearch/elasticsearch.yml

Add:

node.name: es-node
cluster.initial_master_nodes: ["es-node"]
network.host: 0.0.0.0
network.bind_host: 0.0.0.0
network.publish_host: 0.0.0.0
discovery.seed_hosts: ["0.0.0.0", "[::0]"]

Enable at boot and start:

systemctl enable elasticsearch.service
systemctl start elasticsearch.service

Arkime

Installation

wget https://s3.amazonaws.com/files.molo.ch/builds/centos-7/arkime-3.4.2-1.x86_64.rpm
rpm -ivh arkime-3.4.2-1.x86_64.rpm

Configuration

cd /opt/arkime/bin/

Run the initial configuration. It asks for:
the interface: the local NIC whose traffic will be analyzed;
whether to install the ES demo: we installed Elasticsearch ourselves, so answer no;
the password used to encrypt S2S and other things;
whether to download the GEO files, which are used to geolocate IP addresses.

[root@c79 bin]# ./Configure 
Found interfaces: ens33;ens36;lo
Semicolon ';' seperated list of interfaces to monitor [eth1] ens36
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200] 
Password to encrypt S2S and other things, don't use spaces [no-default] 123456
Arkime - Creating configuration files
Not overwriting /opt/arkime/etc/config.ini, delete and run again if update required (usually not), or edit by hand
Installing systemd start files, use systemctl
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO files

Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt

 4) The Configure script can install elasticsearch for you or you can install yourself
      systemctl start elasticsearch.service
 5) Initialize/Upgrade Elasticsearch Arkime configuration
  a) If this is the first install, or want to delete all data
      /opt/arkime/db/db.pl http://ESHOST:9200 init
  b) If this is an update to a moloch/arkime package
      /opt/arkime/db/db.pl http://ESHOST:9200 upgrade
 6) Add an admin user if a new install or after an init
      /opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin
 7) Start everything
      systemctl start arkimecapture.service
      systemctl start arkimeviewer.service
 8) Look at log files for errors
      /opt/arkime/logs/viewer.log
      /opt/arkime/logs/capture.log
 9) Visit http://arkimeHOST:8005 with your favorite browser.
      user: admin
      password: THEPASSWORD from step #6

If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://arkime.com/faq#maxmind

Any configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issues

Additional information can be found at:
  * https://arkime.com/faq
  * https://arkime.com/settings

Then, following the prompts, initialize the database (init for a fresh install, upgrade when updating an existing Moloch/Arkime package):

/opt/arkime/db/db.pl http://localhost:9200 init
/opt/arkime/db/db.pl http://localhost:9200 upgrade

Add the admin user and set its password:

/opt/arkime/bin/arkime_add_user.sh admin "Admin User" admin --admin

Download ipv4-address-space.csv and oui.txt, copy them into /opt/arkime/etc/, and make them readable:

chmod a+r /opt/arkime/etc/oui.txt
chmod a+r /opt/arkime/etc/ipv4-address-space.csv

Download links: oui.txt and ipv4-address-space.csv

Start the services:

systemctl start arkimecapture.service
systemctl start arkimeviewer.service

Open the viewer port in the firewall:

firewall-cmd --add-port=8005/tcp --permanent
firewall-cmd --reload

Restart the services:

systemctl restart arkimecapture.service
systemctl restart arkimeviewer.service
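As an added post-install check (not part of the original post or of Arkime), the script below inspects two things this guide sets up: the network.host: 0.0.0.0 binding, which exposes the Elasticsearch REST API on tcp/9200 to every network the host is on, and the world-read permission on the two lookup files copied into /opt/arkime/etc. The paths are the ones the post uses.

```shell
#!/bin/sh
# Added post-install sanity check for the Arkime/Elasticsearch deployment
# described above; not from the original post or from the Arkime project.

# es_exposure FILE: read network.host from an elasticsearch.yml.
# The post sets 0.0.0.0, so the ES API (tcp/9200) is reachable from every
# network the host sits on; unless X-Pack security is enabled that API is
# unauthenticated and gives full read/write access to every captured
# session. Returns 1 when ES is bound to all interfaces, 0 otherwise.
es_exposure() {
    host=$(sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$1" \
           | tail -n 1 | tr -d '"'"'")
    case "$host" in
        0.0.0.0|::|_global_|_site_)
            echo "WARN: $1 binds Elasticsearch to $host; use 127.0.0.1 or block tcp/9200"
            return 1 ;;
        ''|127.0.0.1|localhost|_local_)
            echo "OK: Elasticsearch listens on loopback only (${host:-default})"
            return 0 ;;
        *)
            echo "NOTE: Elasticsearch bound to $host; keep tcp/9200 away from untrusted hosts"
            return 0 ;;
    esac
}

# arkime_files_readable DIR: check that oui.txt and ipv4-address-space.csv
# exist in DIR and carry the world-read bit that the post's chmod a+r sets
# (column 8 of ls -l). Returns the number of problems found.
arkime_files_readable() {
    problems=0
    for f in oui.txt ipv4-address-space.csv; do
        if [ ! -f "$1/$f" ]; then
            echo "MISSING: $1/$f"
            problems=$((problems + 1))
        elif [ "$(ls -l "$1/$f" | cut -c8)" != "r" ]; then
            echo "NOT WORLD-READABLE: $1/$f (run chmod a+r)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Run against the real paths when present (skipped on a host without them).
[ -f /etc/elasticsearch/elasticsearch.yml ] && es_exposure /etc/elasticsearch/elasticsearch.yml
[ -d /opt/arkime/etc ] && arkime_files_readable /opt/arkime/etc
```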

The web interface

Visit http://ip:8005 and log in with the username admin and the password admin set above.

API

The official site documents the API. Its recommended way to learn it is to open the relevant page, fill in the parameters, run the request, and then inspect the JavaScript request in the browser's developer tools.
Here is a tidied-up copy of the documentation.
Download link
