vi /etc/elasticsearch/jvm.options
VMのメモリが8GBなので半分の4GBを指定
# Elasticsearch JVM heap: minimum and maximum set to the same value so the heap
# is not resized at runtime; 4g is half of the VM's 8 GB, as the note above says.
-Xms4g
-Xmx4g
vi /etc/elasticsearch/elasticsearch.yml
# Single-node cluster bound to the LAN address. node.name is also the bootstrap
# master in cluster.initial_master_nodes, so the two values must stay in sync.
cluster.name: my-home
node.name: my-home-node-1
network.host: 192.168.0.2
cluster.initial_master_nodes: my-home-node-1
# Authentication on: passwords come from elasticsearch-setup-passwords (run below),
# and every client (Kibana, the Logstash output) must then present credentials.
xpack.security.enabled: true
# Transport-layer TLS is switched on, but no certificate is configured in this file.
# The node is expected to need xpack.security.transport.ssl.keystore.path (plus
# truststore.path / verification_mode) pointing at a node certificate before it will
# pass its startup checks — TODO confirm those settings are provided elsewhere.
# NOTE(review): the HTTP layer (port 9200) stays plaintext — Kibana and Logstash
# below connect with http:// and send the elastic password in the clear over the LAN;
# xpack.security.http.ssl.enabled with its own keystore would close that gap.
xpack.security.transport.ssl.enabled: true
# Generates and prints a password for each built-in user (elastic, the Kibana and
# Logstash service users, ...). Run once, with the node started under the security
# settings above, and keep the output somewhere safe: the values are needed in
# kibana.yml and the Logstash output below, where "password" stands in for them.
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
vi /etc/kibana/kibana.yml
# Kibana listens on the LAN address and talks to the local Elasticsearch node.
server.host: "192.168.0.2"
# Plain http: the basic-auth credentials below travel unencrypted, matching the
# HTTP layer left without TLS in elasticsearch.yml above.
elasticsearch.hosts: ["http://192.168.0.2:9200"]
logging.quiet: true
i18n.locale: "ja-JP"
# NOTE(review): "elastic" is the superuser. Kibana only needs the built-in Kibana
# service user (kibana_system on 7.8+, kibana before that), whose password
# elasticsearch-setup-passwords also prints; prefer that account here.
elasticsearch.username: "elastic"
# "password" is a placeholder for the generated value. Rather than keeping the
# secret in this config file, store it with `kibana-keystore add elasticsearch.password`
# and remove this key.
elasticsearch.password: "password"
vi /etc/logstash/jvm.options
# Logstash JVM heap, fixed at 2g (min == max) so it does not compete with the
# 4g Elasticsearch heap configured above on the same 8 GB VM.
-Xms2g
-Xmx2g
vi /etc/logstash/pipelines.yml
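# One pipeline, tied by id to logstash.yml and to conf.d/suricata.conf below.
# path.config is part of the same list item, so it must be indented under
# "- pipeline.id"; at column 0 it is not a member of that mapping.
- pipeline.id: suricata
  path.config: "/etc/logstash/conf.d/suricata.conf"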
vi /etc/logstash/logstash.yml
# Pipeline-level defaults; the pipeline itself is declared in pipelines.yml above.
pipeline.id: suricata
# warn keeps the Logstash log quiet; raise to info or debug while troubleshooting
# the suricata filter.
log.level: warn
# Start from the shipped sample; the input/filter/output content below is what
# the file ends up containing.
cp /etc/logstash/logstash-sample.conf /etc/logstash/conf.d/suricata.conf
vi /etc/logstash/conf.d/suricata.conf
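input {
  beats {
    # Listens on every interface, and the Beats protocol is plaintext here (no
    # ssl/certificate settings). Restrict the bind address or add TLS if the host
    # is reachable from anything other than the Filebeat sender.
    host => "0.0.0.0"
    port => "5044"
  }
}

filter {
  # NOTE(review): the Filebeat input further down sets no [type] field, so this
  # condition may never match — confirm, or tag the events on the Filebeat side.
  if [type] == "SuricataIDPS" {
    # Use the record's own timestamp as @timestamp.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Derive fileinfo.type from the first comma-separated token of fileinfo.magic.
    # event.get/event.set are the Logstash 5+ event API; the older event['field']
    # hash accessor is gone, and nested writes have to go through event.set.
    ruby {
      code => "if event.get('event_type') == 'fileinfo'; event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0]); end;"
    }
  }
}

output {
  elasticsearch {
    # Plain http: the credentials below are sent unencrypted over the LAN.
    hosts => ["http://192.168.0.2:9200"]
    # One index per calendar day of the event's @timestamp.
    index => "logstash-suricata-%{+YYYY.MM.dd}"
    # NOTE(review): "elastic" is the superuser and "password" a placeholder for the
    # generated value. Create a role limited to write privileges on
    # logstash-suricata-* and a user for it, and keep the secret in the Logstash
    # keystore (referenced as ${VAR}) instead of this file.
    user => "elastic"
    password => "password"
  }
}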
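# Input list (belongs under the filebeat.inputs: key, which this excerpt does not show).
# enabled/paths are members of the list item and must be indented under "- type".
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  # NOTE(review): the suricata module enabled at the end of this page is expected
  # to read eve.json itself — confirm the file is not ingested twice. Nothing here
  # sets the [type] field the Logstash filter tests for; `fields: {type: SuricataIDPS}`
  # together with `fields_under_root: true` would add it — TODO confirm against the filter.
  paths:
    - /var/log/suricata/fast.log
    - /var/log/suricata/eve.json
#-------------------------- Elasticsearch output ------------------------------
# Direct Elasticsearch output is left disabled; events go through Logstash instead.
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  # Plaintext connection to the beats input on 5044: no credentials are sent, but
  # the log data crosses the LAN in the clear. Turning on the ssl.* settings below
  # also requires the matching ssl options on the Logstash beats input.
  hosts: ["192.168.0.2:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: warning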
# Turns on the Filebeat suricata module; its settings come from modules.d/suricata.yml.
# Check its input paths against the log input above so eve.json is not read twice.
filebeat modules enable suricata