Table of Contents

Сервисы ELK

Elasticsearch

Установка пакета из репозитория

# apt install elasticsearch

Запуск и проверка работоспособности

# systemctl edit elasticsearch
# systemctl enable elasticsearch
# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
или
# cat /etc/elasticsearch/elasticsearch.yml
...
xpack.security.enabled: false
...
http.host: [_local_]
...
# systemctl start elasticsearch

# systemctl status elasticsearch


# curl --noproxy localhost -X GET 'http://localhost:9200'
  или
# curl -X GET 'http://localhost:9200'

Примеры запросов

Список индексов

# curl --noproxy localhost -X GET 'http://localhost:9200/_cat/indices?pretty'

Добавление/замена документа

curl --noproxy localhost -H "Content-Type: application/json" -X PUT 'http://localhost:9200/myindex1/mytype1/myid1?pretty' -d '
curl --noproxy localhost -H "Content-Type: application/json" -X PUT 'http://localhost:9200/myindex1/_doc/myid1?pretty' -d '
{
"field1": 111,
"field2": "abcd",
"filed3": {
    "field4": 5.8,
	"field5": "dcba"
  },
"field6": [1,2,3]
}
'

Добавление документа с другим составом полей и автоматическим созданием идентификатора

curl --noproxy localhost -H "Content-Type: application/json" -X POST 'http://localhost:9200/myindex1/mytype1/?pretty' -d '
curl --noproxy localhost -H "Content-Type: application/json" -X POST 'http://localhost:9200/myindex1/_doc/?pretty' -d '
{
"field1": 222,
"field2": "def",
"filed3": {
	"field5": "fde",
	"field7": 222
  },
"field6": [4,5]
}
'

Выборка данных

# curl --noproxy localhost -X GET 'http://localhost:9200/myindex1/mytype1/myid1?pretty'
# curl --noproxy localhost -X GET 'http://localhost:9200/myindex1/_doc/myid1?pretty'

# curl --noproxy localhost -X GET 'http://localhost:9200/myindex1/_search?pretty'

# curl --noproxy localhost -X GET 'http://localhost:9200/_search?pretty'

Удаление ВСЕХ данных

# curl --noproxy localhost -X DELETE 'http://localhost:9200/_all'

Kibana

Установка пакета из репозитория

# apt install kibana

Настройка и запуск

# cat /etc/kibana/kibana.yml
...
#server.port: 5601
...
server.host: "192.168.X.10"
...
#elasticsearch.hosts: ["http://localhost:9200"]
...
systemctl start kibana
systemctl enable kibana
systemctl status kibana

Подключение

Задержка 2-3 минуты

Примеры запросов

GET _search
{
  "size": 10000,
  "query": {
    "match_all": {}
  }
}

GET /_cat/indices

GET /myindex1/mytype1/myid1
GET /myindex1/_doc/myid1

PUT /myindex1/mytype1/myid2
PUT /myindex1/_doc/myid2
{
"field1": 222,
"field2": "fghj",
"filed3": {
    "field4": 8.5,
	"field5": "hgfd"
  },
"field6": [4,5,6]
}

Обновление отдельных полей документа

POST /myindex1/mytype1/myid1/_update
POST /myindex1/_update/myid1
{
  "doc": {
    "filed3": {
      "field4": 6.8 
    }
  }
}

Типы данных полей индекса

GET /myindex1/

Все записи индекса

GET /myindex1/_search

DELETE /myindex1/_doc/myid2

Kibana Dashboard

Filebeat Netflow Top-N

Network Direction → Inbound

или

Add filter → Edit as Query DSL → Elasticsearch Query DSL

{
  "match": {
    "netflow.destination_ipv4_address": "192.168.X.0/24"
  }
}

Logstash

# /usr/share/logstash/bin/logstash -e 'input { stdin {} } output { stdout {} elasticsearch {} }'
...
The stdin plugin is now waiting for input:
...
qwerty
{
      "@version" => "1",
    "@timestamp" => 2021-06-24T06:39:22.147Z,
          "host" => "server.corpX.un",
       "message" => "qwerty"
}
...
GET /logstash-*/_search
  или
GET /.ds-logs-generic-default-*/_search

GET /logstash-*/_search
GET /.ds-logs-generic-default-*/_search
{
  "query": {
    "term": {
      "message": {
        "value": "qwerty"
      }
    }
  }
}

Длится 3-4 минуты

# /usr/share/logstash/bin/logstash-plugin install logstash-output-exec
# cat /etc/logstash/conf.d/cisco-backup-config.conf
input {
  # Syslog from the Cisco devices is received on this UDP port.
  udp {
    port => "8514"
  }
}

filter {
  grok {
    # Two Cisco syslog layouts are tried: without and with the facility_sub
    # component between the facility and the severity level.
    match => [
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}"
    ]
    # Replace the raw line with the GREEDYDATA tail captured above.
    overwrite => [ "message" ]
    remove_field => [ "syslog5424_pri", "@version" ]
  }
}

output {
  # A message containing "Configured" triggers a backup of the sending
  # device's running-config. %{host} is interpolated into a command line that
  # runs through sudo, so the sudo rule should permit only this script with
  # this argument shape, and the script must quote the value it receives.
  if [message] =~ /Configured/ {
    exec {
      command => "sudo /root/cisco-backup-config-logstash.sh %{host}"
    }
  }
#  stdout { codec => rubydebug }
  elasticsearch {
    # One index per day.
    index => "network-%{+YYYY.MM.dd}"
  }
}
# cat /root/cisco-backup-config-logstash.sh
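#!/bin/sh
# Fetch the running-config of the Cisco device that emitted a "Configured"
# syslog message and commit it into the git repository in /srv/tftp.
# Invoked by the logstash exec output as:
#   cisco-backup-config-logstash.sh %{host}
#
# $1  - the rendered %{host} field of the logstash event; the device address
#       is cut out of it between the first ':' and the first '}'.
# Env - SSHPASS: scp password for the device (defaults to the lab value).
# Exit status is non-zero when the address cannot be resolved, the repository
# directory is missing, or scp/git fail.

set -u

backup_dir=/srv/tftp

# Hand the password to sshpass through the environment (-e) instead of argv,
# so it is not visible in the process list. A caller may override SSHPASS.
SSHPASS="${SSHPASS:-cisco}"
export SSHPASS

#ip=$1
ip=$(printf '%s\n' "${1-}" | cut -d: -f2 | cut -d'}' -f1)

#cisco_name=$(host "$ip" | awk '{ print $NF }' | cut -d. -f1)
cisco_name=$(getent hosts "$ip" | awk '{ print $NF }')

#printf '%s %s %s\n' "${1-}" "$ip" "$cisco_name" >> /tmp/cisco-backup-config-logstash.log

# With an empty name scp would try ":running-config" and write
# "/srv/tftp/-running-config"; stop instead.
if [ -z "$cisco_name" ]; then
  printf 'cannot resolve device address: %s\n' "$ip" >&2
  exit 1
fi

/usr/bin/sshpass -e /usr/bin/scp "${cisco_name}:running-config" "${backup_dir}/${cisco_name}-running-config" || exit 1

# Never run git in the wrong directory if the repository is missing.
cd "$backup_dir" || exit 1

# "git add -- ." also works for an empty directory, where a bare "*" would be
# passed literally and fail.
/usr/bin/git add -- .

# The filtered status lines become the commit message; git refuses an empty
# message, so nothing is committed when no file changed.
/usr/bin/git --no-optional-locks status \
  | grep -e 'modified' -e 'deleted' -e 'new file' \
  | /usr/bin/git commit -a -F -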
# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/cisco-backup-config.conf

systemctl start logstash
systemctl enable logstash
systemctl status logstash

# tail -f /var/log/logstash/logstash-plain.log
GET /network-*/_search

Filebeat

# apt install filebeat

# cat /etc/filebeat/filebeat.yml
...
- type: log
  или, начиная с версии 8.0
- type: filestream
...
  enabled: true
...
  exclude_lines: ['filebeat']
...
setup.kibana:
...
  host: "192.168.X.10:5601"
...
output.elasticsearch:
...
  hosts: ["localhost:9200"]
...
# filebeat test config -e -c /etc/filebeat/filebeat.yml
...
Config OK

systemctl enable filebeat
systemctl start filebeat
systemctl status filebeat
GET /.ds-filebeat-*/_count
 но работает и так:
GET /filebeat-*/_count

GET /filebeat-*/_search
{
  "sort": [{"@timestamp": {"order": "desc"}}],
  "query": {
    "match": {
      "log.file.path": "/var/log/auth.log"
    }
  }
}

filebeat netflow module

# filebeat modules enable netflow

# filebeat setup -e
  2 минуты

# cat /etc/filebeat/modules.d/netflow.yml
- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 0.0.0.0
      netflow_port: 9555
# systemctl stop filebeat

# filebeat run --modules netflow -d "*" -e
...
Exiting: module netflow is configured but has no enabled filesets

# systemctl start filebeat

Примеры запросов

Все NetFlow записи для IP 192.168.X.10

GET /filebeat-*/_search?size=10000
{
  "query": {
    "match": {
      "netflow.destination_ipv4_address": "192.168.X.10"
    }
  }
}

Все NetFlow записи для сети 192.168.X.0/24 за последние сутки

GET /filebeat-*/_search?size=10000
{
  "sort": [{"netflow.exporter.timestamp": {"order": "desc"}}],
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "netflow.destination_ipv4_address": "192.168.X.0/24"
          }
        },
        {
          "range": {
            "netflow.exporter.timestamp": {
               "gte": "now-1d",
               "lte": "now"
            }   
          }
        }
      ]
    }
  }
}

Список уникальных IP сети предприятия за весь период наблюдения

GET /filebeat-*/_search
{
  "size": 0,
  "aggs": {
    "unique_dst_ip": {
      "terms": {
        "field": "netflow.destination_ipv4_address"
      }
    }
  },
  "query": {
    "match": {
      "netflow.destination_ipv4_address": "192.168.X.0/24"
    }
  },
  "track_total_hits": true
}

Суммарный объем входящего трафика для данного IP адреса с некоторой даты до текущего момента

GET /filebeat-*/_search
{
  "size": 0,
  "aggregations": {
    "download_sum": {
      "sum": {
        "field": "network.bytes"
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        {    
          "match": {
            "netflow.destination_ipv4_address": "192.168.X.128"
          }
        },
        {
          "range": {
            "netflow.exporter.timestamp": {
               "gte": "2021-07-07T00:00:00",
               "lt": "now"
            }   
          }
        }
      ]  
    }
  },
  "track_total_hits": true
}