Topology diagram:
Step 1: Modify rsyslog.conf and restart the rsyslogd service
On every server whose bash activity is to be audited, modify rsyslog.conf (standalone deployment, e.g. installed on host 142).
# /etc/init.d/rsyslog restart    // restart command after the change
The saltstack tool can also be used to deploy the bash binary to multiple client nodes and modify /etc/rsyslog.conf on each of them:
# salt -N clienta state.sls audit
(The salt deployment state is attached at the end of this post.)
Step 2: Install logstash (installed on host 144)
Main task: receive the bash audit logs sent by each monitored node and forward them to the elasticsearch service.
# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.1.tar.gz
# tar -zxvf logstash-6.3.1.tar.gz
# pwd
/usr/local/soft/logstash-6.3.1/config
# vim bash.conf
input {
    syslog {
        port => "3514"
        type => "bash"
    }
    tcp {
        port => "2514"
        type => "network"
    }
    udp {
        port => "2514"
        type => "network"
    }
}
output {
    # Logstash conditionals use "else if"; "elseif" is a syntax error.
    if ([type] == "bash") {
        if "_grokparsefailure" not in [tags] {
            elasticsearch {
                hosts => "192.168.*.144:9200"
                index => "bash_%{+YYYY.MM.dd}"
            }
        }
    }
    else if ([type] == "network") {
        if "_grokparsefailure" not in [tags] {
            elasticsearch {
                hosts => "192.168.*.144:9200"
                index => "network_%{+YYYY.MM.dd}"
            }
        }
    }
    else if ([type] == "ossec") {
        if "_grokparsefailure" not in [tags] {
            elasticsearch {
                hosts => "192.168.*.144:9200"
                index => "ossec_%{+YYYY.MM.dd}"
            }
        }
    }
}
Start logstash:
./bin/logstash -f /usr/local/soft/logstash-6.3.1/config/bash.conf &
Log location: /usr/local/soft/logstash-6.3.1/logs/logstash-slowlog-plain.log
Step 3: Install elasticsearch
Turns the audit logs into elasticsearch-format index files.
Notes (installed on host 144):
1. It cannot be started as root: create a user and give that user (e.g. admin) ownership of the extracted elasticsearch directory.
2. After a successful install only telnet 127.0.0.1 9200 connects; the elasticsearch.yml configuration must be changed:
add or modify the network.host entry to network.host: 0.0.0.0, and after a restart the service can be reached as ip plus port.
# bin/elasticsearch
# curl http://127.0.0.1:9200
Access from a browser: 192.168.*.144:9200
If the following is displayed, the installation succeeded:
{
  "name" : "9sv4OVU",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "dEfYVoqhQUiW0U8GH2mi0A",
  "version" : {
    "number" : "6.3.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "eb782d0",
    "build_date" : "2018-06-29T21:59:26.107521Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
To view the contents of one index, e.g. bash_2019.05.27:
http://ip.144:9200/bash_2019.05.27
Step 4: Install kibana (installed on host 144)
Purpose: visualize the index files, making log queries and management easier.
Note: after kibana starts it may likewise be unreachable via ip plus port.
The usual fix: in the kibana.yml configuration add or modify server.host: "0.0.0.0" and restart the service.
[Exception]
When creating Index Patterns in kibana, the following exception is reported:
blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];: [cluster_block_exception] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];
[Fix:]
# curl -XPUT -H "Content-Type: application/json" http://127.0.0.1:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'
[Deploying bash with salt]
install_bash:
  cmd.run:
    - name: tar zxvf bash.tar.gz && cd bash && ./configure --prefix=/usr/local/bash && make && make install
    - cwd: /root/Downloads
    - unless: test -e /usr/local/bash/bin/bash
    - require:
      - file: /root/Downloads/bash.tar.gz

# The tarball state below requires a "/root/Downloads" file state that the
# original listing did not declare; without it the run fails on an unmet requisite.
/root/Downloads:
  file.directory:
    - user: root
    - group: root
    - mode: 755

/root/Downloads/bash.tar.gz:
  file.managed:
    - source: salt://audit/bash.tar.gz
    - user: root
    - group: root
    - mode: 755
    # "template: jinja" removed: a gzip archive is binary and must not be rendered as a template.
    - require:
      - file: /root/Downloads

bak_bash:
  cmd.run:
    - name: cp /bin/bash /bin/bashbak
    - unless: test -e /bin/bashbak
    - require:
      - cmd: install_bash

cp_bash:
  cmd.run:
    - name: \cp -f /usr/local/bash/bin/bash /bin/bash
    - require:
      - cmd: bak_bash

/etc/rsyslog.conf:
  file.append:
    - text: "local6.notice @192.168.192.144:3514"

rsyslog:
  service.running:
    - enable: True
    - restart: True
    - watch:
      - file: /etc/rsyslog.conf
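As an added check that is not part of the original post, the Python below approximates what happens to one forwarded line at the two filters in this pipeline: the local6.notice selector appended to rsyslog.conf by the salt state, and the _grokparsefailure drop in the bash.conf output section from step 2. The sample log lines, their message layout and the host name are constructed, since the patched bash's own log format is not shown on this page.

```python
import re
from datetime import date

# Simplified form of the RFC3164 pattern Logstash's syslog input applies:
#   <PRI>Mmm dd hh:mm:ss host program[pid]: message
# Non-matching lines get the _grokparsefailure tag and, with the bash.conf
# output section above, are silently dropped instead of indexed.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^\s\[:]+)(?:\[\d+\])?: )?"
    r"(?P<msg>.*)$"
)
LOCAL6 = 22  # syslog facility number of local6; PRI = facility * 8 + severity
SAMPLE_DAY = date(2019, 5, 27)
# Constructed sample lines; the message body layout is assumed, not the patch's own.
SAMPLES = [
    "<181>May 27 10:15:02 host142 bash[2311]: uid=0 pwd=/root cmd=ls -la",  # local6.notice
    "<182>May 27 10:15:03 host142 bash[2311]: uid=0 pwd=/root cmd=id",      # local6.info
    "May 27 10:15:04 host142 bash[2311]: uid=0 pwd=/root cmd=pwd",          # no <PRI>
]

def parse_syslog_line(line):
    """Fields Logstash would add, or None where it would tag _grokparsefailure."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "logsource": m.group("host"),
            "program": m.group("prog"), "message": m.group("msg")}

def forwarded_by_selector(ev):
    """'local6.notice @host:3514' in rsyslog.conf forwards only local6 messages
    of severity notice or more severe (numerically 0..5)."""
    return ev["facility"] == LOCAL6 and ev["severity"] <= 5

def route(line, day):
    """Where a line ends up: the daily bash_ index, or the reason it was lost."""
    ev = parse_syslog_line(line)
    if ev is None:
        return "dropped:_grokparsefailure"
    if not forwarded_by_selector(ev):
        return "dropped:not-matched-by-local6.notice"
    return f"bash_{day:%Y.%m.%d}"

if __name__ == "__main__":
    for s in SAMPLES:
        print(route(s, SAMPLE_DAY), "<-", s)
```

A line from the patched bash that does not arrive in RFC3164 form is lost rather than indexed, so verify the raw format on a client before relying on the bash_ index as an audit record.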
[Reference URLs, official sites]
https://www.elastic.co/downloads/kibana
https://www.elastic.co/cn/downloads/logstash
https://www.elastic.co/downloads/elasticsearch
http://ftp.gnu.org/gnu/bash/