Installing the Arkime traffic analysis tool on Ubuntu 20.04
1. Install Elasticsearch (ES)
apt-get update -y
apt-get install gnupg2 curl vim wget -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch --no-check-certificate | apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list
apt-get update -y
apt-get install elasticsearch -y
vim /etc/elasticsearch/elasticsearch.yml
# Everything else can stay at the defaults; you may want to change the ES data path.
vim /etc/elasticsearch/jvm.options
...
-Xms4g
-Xmx4g
...
2. Start the service and enable it at boot:
systemctl enable elasticsearch
systemctl start elasticsearch
Check that the port is listening:
ss -antpl | grep 9200
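Two things worth checking once ES is up. First, the key download in step 1 uses wget --no-check-certificate, which turns off TLS verification for the very file that anchors package trust; it works, but drop the flag unless the host really cannot validate the Elastic certificate. Second, the listener on 9200 should be bound to loopback only, since Arkime talks to ES on http://localhost:9200 and an ES 7.x node with the security features left off has no authentication. The script below is an added example, not part of the original post or of Arkime: it reads ss -antpl output and reports any 9200 listener that is reachable from outside the host. The sample ss output at the end is constructed so the function can be exercised on a machine without Elasticsearch.

```bash
#!/usr/bin/env bash
# Added check, not from the original post: confirm that the Elasticsearch
# listener on 9200 is bound to loopback only. Arkime reaches ES through
# http://localhost:9200, and an ES 7.x node with the security features
# left off has no authentication, so a listener on 0.0.0.0 or a LAN
# address would hand every captured session to anyone on the network.
#
# Usage on the live host:   ss -antpl | check_es_bind [port]
# Exit 0 = loopback only, 1 = exposed listener found, 2 = nothing listening.

check_es_bind() {
    local port="${1:-9200}" bad=0 found=0
    local state recvq sendq local_addr rest
    # ss -antpl columns: State Recv-Q Send-Q Local:Port Peer:Port Process
    while read -r state recvq sendq local_addr rest; do
        [ "$state" = "LISTEN" ] || continue        # skip header / non-listeners
        case "$local_addr" in
            *:"$port") ;;                           # the port we care about
            *) continue ;;
        esac
        found=1
        case "$local_addr" in
            127.*|'[::1]':*|'[::ffff:127.'*)
                printf 'OK   %s (loopback only)\n' "$local_addr" ;;
            *)
                printf 'WARN %s is reachable from outside this host\n' "$local_addr"
                bad=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { printf 'WARN nothing listening on port %s\n' "$port"; return 2; }
    return "$bad"
}

# Constructed sample output of `ss -antpl` (not captured from a real host),
# so the function can be exercised without Elasticsearch installed.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9200      0.0.0.0:*         users:(("java",pid=1234,fd=300))
LISTEN 0      4096   [::1]:9200          [::]:*            users:(("java",pid=1234,fd=301))'
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*         users:(("java",pid=1234,fd=300))
LISTEN 0      4096   [::]:9200           [::]:*            users:(("java",pid=1234,fd=301))'

# Stand-alone demo: the sample passes; on a real host pipe `ss -antpl` in instead.
printf '%s\n' "$SAMPLE_OK" | check_es_bind
```

If the check warns, set network.host to 127.0.0.1 in elasticsearch.yml (the 7.x default when the value is unset), or put ES behind authentication before exposing it.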
3. Install and configure Arkime
Download the package from the official site: https://arkime.com/#download
apt install ./arkime_3.4.2-1_amd64.deb
/opt/arkime/bin/Configure
# Set the mirror (SPAN) interface to monitor
Found interfaces: lo;eth0;eth1
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200]
Password to encrypt S2S and other things [no-default] mypassword
Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes] yes
9) Visit http://MOLOCHHOST:8005 with your favorite browser.
user: admin
password: THEPASSWORD from step #6
If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://molo.ch/faq#maxmind
Any configuration changes can be made to /data/moloch/etc/config.ini
See https://molo.ch/faq#moloch-is-not-working for issues
Additional information can be found at:
* https://molo.ch/faq
* https://molo.ch/settings
4. Initialize the database:
/opt/arkime/db/db.pl http://localhost:9200 init
5. Add the admin user
/opt/arkime/bin/arkime_add_user.sh admin "SuperAdmin" mypassword --admin
6. Start the services and enable them at boot:
systemctl start arkimecapture arkimeviewer
systemctl enable arkimecapture arkimeviewer
systemctl status arkimecapture arkimeviewer
7. Check the port
ss -antpl | grep 8005
8. Open the web UI
http://<server IP>:8005, log in with admin / mypassword
9. Configure country information for IP addresses
https://arkime.com/faq#maxmind
First register an account; the other fields can be anything, but the e-mail address must be valid.
Open the e-mail, click the link and set a password:
10. Install the geoipupdate tool
apt-get install geoipupdate
11. Create a license key and write it down
Log in
12. Copy the key (AK)
13. Configure the key (AK)
14. Start the update
Run it directly:
geoipupdate
You will then find the database files in /var/lib/GeoIP/:
GeoLite2-City.mmdb GeoLite2-Country.mmdb
15. Configure the Arkime service
vim /opt/arkime/etc/config.ini
...
geoLite2Country = /var/lib/GeoIP/GeoLite2-Country.mmdb;/usr/share/GeoIP/GeoLite2-Country.mmdb;/opt/arkime/etc/GeoLite2-Country.mmdb
geoLite2ASN = /var/lib/GeoIP/GeoLite2-ASN.mmdb;/usr/share/GeoIP/GeoLite2-ASN.mmdb;/opt/arkime/etc/GeoLite2-ASN.mmdb
...
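Before restarting in step 16 it is worth confirming that steps 10 to 15 fit together: /etc/GeoIP.conf must carry the AccountID and LicenseKey from the MaxMind account (that is what "configure the key" in step 13 amounts to), its EditionIDs line must list GeoLite2-ASN or geoipupdate will fetch only Country and City (which is exactly the file listing shown in step 14) and the geoLite2ASN setting stays empty, and each geoLite2* value in config.ini is a ';'-separated list of candidate paths of which Arkime uses the first that exists. The script below is an added example, not part of the original post or of Arkime; the fixture it builds in a temp directory is constructed, and the placeholder strings it treats as "not filled in" are the ones from the upstream geoipupdate sample config (an assumption; check your own copy).

```bash
#!/usr/bin/env bash
# Added checks, not from the original post: after steps 10-15, confirm that
# the MaxMind setup is consistent before restarting Arkime.
#  - /etc/GeoIP.conf must carry AccountID and LicenseKey, and its EditionIDs
#    line must include GeoLite2-ASN, otherwise geoipupdate fetches only
#    Country and City and geoLite2ASN in config.ini points at nothing.
#  - each geoLite2* value in config.ini is a ';'-separated list of candidate
#    paths; Arkime uses the first one that exists, so report which one.

# Trim leading/trailing whitespace from $1.
trim() {
    local s="$1"
    s="${s#"${s%%[![:space:]]*}"}"
    s="${s%"${s##*[![:space:]]}"}"
    printf '%s' "$s"
}

# Value of "key = value" in an INI file (first match), or empty.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Value of "Key value" in geoipupdate's GeoIP.conf (first match), or empty.
geoip_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Print the first existing file from a ';'-separated list; fail if none.
first_existing_path() {
    local IFS=';' p
    for p in $1; do
        p="$(trim "$p")"
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Check one geoLite2* key in config.ini: 0 if a usable file exists.
check_geo_key() {
    local ini="$1" key="$2" list chosen
    list="$(ini_value "$ini" "$key")"
    [ -n "$list" ] || { printf 'WARN %s is not set in %s\n' "$key" "$ini"; return 1; }
    if chosen="$(first_existing_path "$list")"; then
        printf 'OK   %s -> %s\n' "$key" "$chosen"; return 0
    fi
    printf 'WARN %s: none of [%s] exist\n' "$key" "$list"; return 1
}

# Check GeoIP.conf: credentials filled in and GeoLite2-ASN requested.
# The two *_HERE strings are the placeholders in the upstream sample config
# (assumption: verify against your own file).
check_geoip_conf() {
    local conf="${1:-/etc/GeoIP.conf}" ok=0 k v ids
    for k in AccountID LicenseKey; do
        v="$(geoip_conf_value "$conf" "$k")"
        case "$v" in
            ""|YOUR_ACCOUNT_ID_HERE|YOUR_LICENSE_KEY_HERE)
                printf 'WARN %s is not filled in %s\n' "$k" "$conf"; ok=1 ;;
        esac
    done
    ids="$(geoip_conf_value "$conf" EditionIDs)"
    case " $ids " in
        *" GeoLite2-ASN "*) printf 'OK   EditionIDs: %s\n' "$ids" ;;
        *) printf 'WARN EditionIDs "%s" lacks GeoLite2-ASN; add it and rerun geoipupdate\n' "$ids"; ok=1 ;;
    esac
    return "$ok"
}

# Constructed fixture (not a real install): a temp dir whose Country database
# exists, whose ASN database does not, and whose GeoIP.conf still has the
# stock EditionIDs line without GeoLite2-ASN. Prints the directory path.
build_demo_fixture() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/GeoIP" "$d/etc"
    : > "$d/GeoIP/GeoLite2-Country.mmdb"
    cat > "$d/config.ini" <<EOF
[default]
geoLite2Country = $d/GeoIP/GeoLite2-Country.mmdb;$d/etc/GeoLite2-Country.mmdb
geoLite2ASN = $d/GeoIP/GeoLite2-ASN.mmdb;$d/etc/GeoLite2-ASN.mmdb
EOF
    cat > "$d/GeoIP.conf" <<EOF
AccountID 123456
LicenseKey EXAMPLE_KEY_NOT_REAL
EditionIDs GeoLite2-Country GeoLite2-City
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo on the fixture. On a real host run instead:
#   check_geo_key /opt/arkime/etc/config.ini geoLite2Country
#   check_geo_key /opt/arkime/etc/config.ini geoLite2ASN
#   check_geoip_conf /etc/GeoIP.conf
demo="$(build_demo_fixture)"
check_geo_key "$demo/config.ini" geoLite2Country
check_geo_key "$demo/config.ini" geoLite2ASN || true
check_geoip_conf "$demo/GeoIP.conf" || true
```

On the fixture the Country check passes, the ASN check warns because no GeoLite2-ASN.mmdb exists, and the GeoIP.conf check warns about the missing edition; after adding GeoLite2-ASN to EditionIDs and running geoipupdate again, all three should report OK on a real host.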
16. Restart the services
systemctl restart arkimecapture arkimeviewer
17. After a while, the country for each IP address appears in the session view.