Infrastructure
Elasticsearch (main notes)
beats : application that collects logs (data)
logstash : application that preprocesses (transforms) data
elasticsearch : search engine (database)
kibana : visualization
web server (log)  ---> beats -->
file server (log) ---> beats --> elasticsearch (port 9200) <-- kibana
DB server (log)   ---> beats -->
web server (log)  ---> beats -->
file server (log) ---> beats --> logstash (preprocessing) --> elasticsearch (port 9200) <-- kibana
DB server (log)   ---> beats -->
port 9200 - log ingestion
port 9300 - node synchronization

superuser is : pw *** (be sure to save the password)
Password reset
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'
Generate a Kibana enrollment token
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'
Generate a node enrollment token
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'
[root@ns2 snort]# vi /etc/elasticsearch/elasticsearch.yml

- settings when there are two or more nodes

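The settings that change for a cluster of two or more nodes are the discovery and bootstrap keys in elasticsearch.yml. As an added example, not from the original notes, the shell block below writes a constructed two-node configuration (node-1.kitri.com and 192.168.8.13 come from the notes; node-2.kitri.com and the cluster name kitri-cluster are hypothetical) and runs a small audit over any elasticsearch.yml: the multi-node keys must be present, the xpack.security switches must not be false, and binding every interface is flagged. cluster.initial_master_nodes is only needed for the very first bootstrap of a new cluster and should be removed once the cluster has formed.

```shell
# Write a constructed two-node elasticsearch.yml to the path given in $1.
# node-1.kitri.com / 192.168.8.13 are from the notes; node-2.kitri.com and
# the cluster name are hypothetical.
write_sample_config() {
  cat >"$1" <<'EOF'
cluster.name: kitri-cluster
node.name: node-1.kitri.com
network.host: 192.168.8.13
http.port: 9200
transport.port: 9300
# Peers contacted for discovery over the transport port 9300 (the "sync" port)
discovery.seed_hosts: ["node-1.kitri.com:9300", "node-2.kitri.com:9300"]
# Only for the first bootstrap of a brand-new cluster; remove afterwards
cluster.initial_master_nodes: ["node-1.kitri.com", "node-2.kitri.com"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
EOF
}

# Audit an elasticsearch.yml: prints one finding per line, returns 1 if any.
audit_es_config() {
  f="$1"; rc=0
  # Keys a multi-node cluster cannot do without
  for key in cluster.name node.name discovery.seed_hosts cluster.initial_master_nodes; do
    if ! grep -q "^[[:space:]]*${key}:" "$f"; then
      echo "MISSING  $key"; rc=1
    fi
  done
  # Security switches that must never be turned off on 9200 or 9300
  for key in xpack.security.enabled xpack.security.http.ssl.enabled xpack.security.transport.ssl.enabled; do
    if grep -q "^[[:space:]]*${key}:[[:space:]]*false" "$f"; then
      echo "INSECURE $key is false"; rc=1
    fi
  done
  # Listening on every interface widens exposure; prefer one address
  if grep -Eq '^[[:space:]]*network\.host:[[:space:]]*(0\.0\.0\.0|_global_)' "$f"; then
    echo "WARN     network.host binds every interface"; rc=1
  fi
  return $rc
}

# Stand-alone run: the sample passes, a weakened copy produces findings.
TMPD=$(mktemp -d)
write_sample_config "$TMPD/elasticsearch.yml"
audit_es_config "$TMPD/elasticsearch.yml" && echo "sample config: OK"
printf 'cluster.name: x\nxpack.security.enabled: false\nnetwork.host: 0.0.0.0\n' >"$TMPD/weak.yml"
audit_es_config "$TMPD/weak.yml" || echo "weak config: see findings above"
rm -rf "$TMPD"
```

Run the audit against the real file with audit_es_config /etc/elasticsearch/elasticsearch.yml on each node before systemctl start; every node in the cluster needs the same cluster.name and a node.name that appears in the seed and bootstrap lists.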
[root@ns2 snort]# systemctl start elasticsearch.service

Removing the Elasticsearch rpm
[root@ns2 ~]# systemctl stop elasticsearch.service
[root@ns2 ~]# rpm -e elasticsearch
Stopping elasticsearch service... OK
경고: /etc/elasticsearch/elasticsearch.yml(이)가 /etc/elasticsearch/elasticsearch.yml.rpmsave(으)로 저장되었습니다
Deleting log directory... OK
[root@ns2 ~]# ls /var/lib/elasticsearch/
_state indices node.lock nodes snapshot_cache
[root@ns2 ~]# rm -rf /etc/elasticsearch/
[root@ns2 ~]# rm -rf /var/lib/elasticsearch/

Changing HOSTNAME
[root@ns2 ~]# export HOSTNAME=node-1.kitri.com
[root@ns2 ~]# env | grep HOSTNAME
HOSTNAME=node-1.kitri.com
---------------> the hostname was still set to the old value ljy.ne.ki; after removing the rpm, change the hostname and reinstall.

Check the settings again
[root@ns2 ~]# curl -XGET "https://node-1.kitri.com:9200" --cacert /etc/elasticsearch/certs/http_ca.crt --user "elastic:io8UrloXcqKmP2SrFon*"

Check node status
[root@ns2 ~]# curl -XGET --cacert /etc/elasticsearch/certs/http_ca.crt --user "elastic:io8UrloXcqKmP2SrFon*" "https://node-1.kitri.com:9200/_cat/nodes"
192.168.8.13 41 97 0 0.00 0.07 0.12 cdfhilmrstw * node-1.kitri.com
Check index status
curl -XGET --cacert /etc/elasticsearch/certs/http_ca.crt --user "elastic:io8UrloXcqKmP2SrFon*" "https://node-1.kitri.com:9200/_cat/indices"
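The single line returned by _cat/nodes above is compact. As an added example that is not part of the original notes, the shell functions below parse such output into labelled fields and count elected masters; the input is the captured line plus a constructed second node, node-2.kitri.com, which is hypothetical. The default _cat/nodes columns are ip, heap.percent, ram.percent, cpu, load_1m, load_5m, load_15m, node.role, master and name; a healthy cluster shows exactly one '*' in the master column. One caveat on the curl calls above: passing --user "elastic:password" on the command line leaves the password in the shell history; curl -n with a ~/.netrc file (mode 600), or --user elastic alone so that curl prompts, keeps it out.

```shell
# Constructed sample: the captured line for node-1 plus a hypothetical node-2.
CAT_NODES_SAMPLE='192.168.8.13 41 97 0 0.00 0.07 0.12 cdfhilmrstw * node-1.kitri.com
192.168.8.14 35 90 1 0.10 0.05 0.01 dilrstw - node-2.kitri.com'

# Default _cat/nodes columns: ip heap.percent ram.percent cpu load_1m load_5m
# load_15m node.role master name. Expand the role letters and flag the master.
describe_nodes() {
  awk '
  BEGIN {
    r["c"]="cold"; r["d"]="data"; r["f"]="frozen"; r["h"]="hot"
    r["i"]="ingest"; r["l"]="ml"; r["m"]="master-eligible"
    r["r"]="remote_cluster_client"; r["s"]="content"; r["t"]="transform"
    r["v"]="voting_only"; r["w"]="warm"
  }
  NF >= 10 {
    roles = ""
    for (k = 1; k <= length($8); k++) {
      c = substr($8, k, 1)
      roles = roles (roles == "" ? "" : ",") ((c in r) ? r[c] : c)
    }
    printf "%s ip=%s master=%s heap=%s%% roles=%s\n",
           $10, $1, ($9 == "*" ? "yes" : "no"), $2, roles
  }'
}

# Number of elected masters: exactly 1 is healthy; 0 means the cluster has
# not formed (no quorum), more than 1 would indicate a split cluster.
master_count() {
  awk '$9 == "*" { n++ } END { print n + 0 }'
}

# Stand-alone run over the sample; on a live node pipe the curl output in instead.
printf '%s\n' "$CAT_NODES_SAMPLE" | describe_nodes
printf '%s\n' "$CAT_NODES_SAMPLE" | master_count
```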
Installing Kibana
- application for accessing Elasticsearch from a web browser
[root@ns2 ~]# rpm -Uvp kibana-8.5.0-x86_64.rpm
경고: kibana-8.5.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing packages...
kibana-8.5.0-1.x86_64
Creating kibana group... OK
Creating kibana user... OK
Created Kibana keystore in /etc/kibana/kibana.keystore
[root@ns2 ~]# vi /etc/kibana/kibana.yml

Edit the local hosts file

[root@ns2 ~]# systemctl start kibana.service
[root@ns2 ~]# systemctl enable kibana.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /usr/lib/systemd/system/kibana.service.
[root@ns2 ~]# firewall-cmd --add-port=5601/tcp --permanent
success
[root@ns2 ~]# firewall-cmd --reload
http://node-1.kitri.com:5601

Generate a Kibana enrollment token
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

user : elastic
pw :io8UrloXcqKmP2SrFon*


[root@ns2 ~]# vi /etc/kibana/kibana.yml

Modify the host setting
Analyzing logs
[root@ns1 ~]# ls -lh /var/log/httpd/
합계 96K
-rw-r--r--. 1 root root 64K 11월 11 13:23 access_log
-rw-r--r--. 1 root root 29K 11월 11 12:57 error_log
[root@ns1 ~]# tail -n 2 /var/log/httpd/access_log
1.1.10.11 - - [11/Nov/2022:13:17:45 +0900] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://centos/wp-admin/users.php?update=add&id=3" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
1.1.10.11 - - [11/Nov/2022:13:23:52 +0900] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://centos/wp-admin/users.php?update=add&id=3" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
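The access_log lines above are in Apache Combined Log Format, which is what the filebeat apache module parses into fields before Kibana charts them. As an added example that is not from the original notes, the shell functions below do the same field extraction with awk and two of the aggregations one would later build as Kibana visualizations: requests per status code and POSTs to /wp-admin/ paths per client. The input is the two captured lines plus two constructed GET lines from a hypothetical client 192.168.8.20.

```shell
# Constructed sample: the two captured lines above plus two hypothetical GETs.
ACCESS_LOG_SAMPLE='1.1.10.11 - - [11/Nov/2022:13:17:45 +0900] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://centos/wp-admin/users.php?update=add&id=3" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
1.1.10.11 - - [11/Nov/2022:13:23:52 +0900] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://centos/wp-admin/users.php?update=add&id=3" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
192.168.8.20 - - [11/Nov/2022:13:24:10 +0900] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
192.168.8.20 - - [11/Nov/2022:13:24:11 +0900] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"'

# Combined Log Format split on whitespace:
#  $1 client ip, $4 "[timestamp", $5 "tz]", $6 "\"method", $7 path,
#  $8 "protocol\"", $9 status, $10 bytes; referer and user agent follow in quotes.
parse_clf() {
  awk '{
    printf "ip=%s time=%s method=%s path=%s status=%s bytes=%s\n",
           $1, substr($4, 2), substr($6, 2), $7, $9, $10
  }'
}

# Requests per HTTP status code, one "status count" pair per line.
status_counts() {
  awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' | sort
}

# POST requests to /wp-admin/ paths, counted per client IP. A steady stream
# of admin-ajax POSTs from one client is worth a Kibana chart and an alert.
admin_posts_by_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-admin\// { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' | sort
}

# Stand-alone run over the sample; on ns1 use: parse_clf </var/log/httpd/access_log
printf '%s\n' "$ACCESS_LOG_SAMPLE" | parse_clf
printf '%s\n' "$ACCESS_LOG_SAMPLE" | status_counts
printf '%s\n' "$ACCESS_LOG_SAMPLE" | admin_posts_by_ip
```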
filebeat -> install on the log source side
(runs continuously)

List of collectable modules

Enable a module: remove 'disabled' from its file name
Enable the apache module in filebeat
vi /etc/filebeat/modules.d/apache.yml

[root@ns1 ~]# vi /etc/filebeat/filebeat.yml

Enter the password below
user : elastic
pw :io8UrloXcqKmP2SrFon*
[root@ns1 ~]# vi /etc/hosts

Copy the CA certificate from es-node1 for filebeat

Modules whose file name has no 'disabled' are active
- run the daemon with systemctl enable filebeat.service
systemctl enable filebeat.service

snort -A console -i ens33 -c rules/local.rules