
我已經在一系列不同的 Linux 機器上安裝了 logstash-forwarder,建立了一個用於日誌收集的 ELK 堆棧,而且運作得非常好。在 ELK 堆棧之上安裝 Suricata 有什麼建議?

現在我打算把 Suricata 安裝到主 ELK 堆棧上,開始使用 IDS/IPS 功能。

我的第一個問題是:我是否只需要把 Suricata 安裝在主 ELK 機器上,並修改這台機器和 logstash-forwarder 的 conf 文件,也就是說 Suricata 只需要安裝在一台機器上?

其次,我嘗試修改 conf 文件以加入 Suricata,所以我在下面列出了我的 logstash conf 文件。

13-suricata.conf 是我嘗試把 Suricata 帶入 logstash conf 的文件,但我不確定這是否是正確的方法,也不知道該如何處理 logstash-forwarder 的 conf。

任何幫助都將非常感激。

/etc/logstash/conf.d$ ls 
01-lumberjack-input.conf 11-sshlog.conf 13-suricata.conf 
10-syslog.conf   12-apache.conf 30-lumberjack-output.conf 

01-lumberjack-input.conf

# Receives events from logstash-forwarder hosts (lumberjack protocol) over TLS.
input { 
    lumberjack { 
    # Port the forwarder hosts connect to.
    port => 5000 
    # Default type for incoming events. Events that already carry a type in
    # the forwarder's "fields" (e.g. "syslog", "apache-access", "sshlog")
    # presumably keep that value instead — confirm for the Logstash version
    # in use, since the per-type filters below depend on it.
    type => "logs" 
    # Server certificate/key; the forwarder hosts must trust this cert.
    # No client authentication is configured here, so reachability of
    # port 5000 should be limited to the forwarder hosts.
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt" 
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key" 
    } 

} 

10-syslog.conf

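# Parses syslog-formatted lines (from /var/log/syslog and auth.log) into
# timestamp, host, program, pid and message fields.
filter {
  # The lumberjack input on this host tags events "logs" while the
  # forwarder tags /var/log/syslog and auth.log as "syslog"; match either
  # so the parsing below is applied whichever value actually arrives.
  if [type] == "syslog" or [type] == "logs" {
    grok {
      # Standard syslog line: timestamp, host, program[pid]: message.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Keep the arrival time and source host before @timestamp is
      # replaced by the date filter below.
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Decode the PRI (facility/severity) when present.
    syslog_pri { }
    # Set @timestamp from the line, accepting single- and double-digit day
    # formats. Syslog timestamps carry no year or zone, so the current
    # year and the Logstash host's local timezone are assumed — confirm
    # this matches the forwarder hosts.
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}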

11-sshlog.conf

# Extracts SSH password-login attempts from auth.log lines tagged "sshlog"
# by the forwarder and adds a GeoIP lookup of the remote address.
filter { 
if [type] == "sshlog" { 
    # Failed logins, for both existing and unknown ("invalid user") accounts.
    # Both grok blocks run on every sshlog event; the one that does not
    # match tags the event _grokparsefailure, so that tag alone is not a
    # sign of a broken pattern here. The tag marks every single failed
    # attempt; calling it brute force needs a count per src_ip over time
    # downstream.
    grok { 
    # Redundant with the enclosing conditional (legacy per-filter option).
    type => "sshlog" 
    match => {"message" => "Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"} 
    add_tag => "ssh_brute_force_attack" 
    } 

    # Successful password logins. The tag is spelled "sucessful";
    # dashboards and alerts must use this exact spelling.
    grok { 
    type => "sshlog" 
    match => {"message" => "Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"} 
    add_tag => "ssh_sucessful_login" 
    } 

    # Geolocate the client address captured by either pattern above; runs
    # on every sshlog event, presumably a no-op when src_ip was not set.
    geoip { 
    source => "src_ip" 
    } 
} 
} 

12-apache.conf

# Parses Apache access-log lines (type "apache-access" from the forwarder)
# with the stock combined-log pattern. No date filter is applied, so
# @timestamp stays the arrival time rather than the time in the log line.
filter { 
    if [type] == "apache-access" { 
    grok { 
     # COMBINEDAPACHELOG yields clientip, verb, request, response, bytes,
     # referrer and agent. Lines not in combined format (for instance
     # error-log lines, if the forwarder ships every file under
     # /var/log/apache2/) are tagged _grokparsefailure.
     match => { "message" => "%{COMBINEDAPACHELOG}" } 
    } 
    } 
} 

13-suricata.conf

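# Handles Suricata EVE events: parses the JSON line, takes the event time
# from Suricata's timestamp, trims the libmagic description of fileinfo
# events and geolocates the source (or, failing that, destination) address.
filter {
  # The forwarder config on this page tags these events "suricata" while
  # this condition tested only "SuricataIDPS"; accept both so the steps
  # below actually run.
  if [type] == "SuricataIDPS" or [type] == "suricata" {
    # logstash-forwarder ships each eve.json line as a plain string in
    # [message]; parse it first, otherwise [timestamp], [event_type],
    # [src_ip] and [dest_ip] do not exist for the filters below. A missing
    # [message] (e.g. an input that already used a json codec) is expected
    # to leave the event untouched.
    json {
      source => "message"
    }
    # Use Suricata's own ISO 8601 timestamp as the event time.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # For fileinfo events, reduce the libmagic description to its first
    # comma-separated component. The is_a?(Hash) guard avoids a Ruby
    # exception when [fileinfo] is absent or not an object.
    ruby {
      code => "if event['event_type'] == 'fileinfo' && event['fileinfo'].is_a?(Hash); event['fileinfo']['type'] = event['fileinfo']['magic'].to_s.split(',')[0]; end;"
    }
  }

  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # Two add_field calls on the same key build a [lon, lat] array, the
      # order Elasticsearch expects for a geo_point.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    # Fall back to dest_ip only when the src_ip lookup produced nothing
    # (e.g. a private address). The nested field set by the geoip filter
    # is [geoip][ip]; the earlier [geoip.ip] named a flat field literally
    # called "geoip.ip", which never exists, so the fallback ran and
    # appended a second pair of coordinates whenever dest_ip was present.
    # Note that dest_ip is only consulted when src_ip is present at all.
    if ![geoip][ip] {
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}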

30-lumberjack-output.conf

# Ships every event to Elasticsearch on this host and echoes it to stdout.
output { 
    # Elasticsearch on the local machine (Logstash 1.x "host" option).
    elasticsearch { host => localhost } 
    # Debug aid: prints every event, including full log contents, to the
    # Logstash process output; remove once the pipeline is verified.
    stdout { codec => rubydebug } 
} 

logstash-forwarder 的 conf

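"files": [
    {
     "paths": [
     "/var/log/syslog",
     "/var/log/auth.log"
     ],
     "fields": { "type": "syslog" }
    },
    # An array of hashes. Each hash tells what paths to watch and
    # what fields to annotate on events from those paths.
    #{
     #"paths": [
     # single paths are fine
     #"/var/log/messages",
     # globs are fine too, they will be periodically evaluated
     # to see if any new files match the wildcard.
     #"/var/log/*.log"
     #],

     # A dictionary of fields to annotate on each event.
     #"fields": { "type": "syslog" }
    #}, {
     # A path of "-" means stdin.
     #"paths": [ "-" ],
     #"fields": { "type": "stdin" }
# },
     {
     "paths": [
     "/var/log/apache2/*.log"
     ],
     "fields": { "type": "apache-access" }
     },
     # /var/log/auth.log is also listed under "syslog" above, so that file
     # matches two entries; presumably it is shipped twice with different
     # types — confirm, and drop it from one of the entries if so.
     {
     "paths": [
     "/var/log/auth*.log"
     ],
     "fields": { "type": "sshlog" }
     },
     # Suricata EVE output, one JSON object per line. The forwarder sends
     # each line as a plain string in "message"; the Logstash side has to
     # parse it (json filter or codec) before fields such as event_type or
     # src_ip exist. The type must equal the value tested in
     # 13-suricata.conf ("SuricataIDPS"); "suricata" never matched it.
     # All watched files belong in this single array: a second "files"
     # key is a duplicate key, which a strict parser rejects and a lenient
     # one resolves to only one of the two values.
     {
     "paths": [ "/var/log/suricata/eve.json" ],
     "fields": { "type": "SuricataIDPS" }
     }
    ]
}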

回答


最後只好在兩臺服務器上都安裝 Suricata,並做了一些配置變更,才取得 JSON 格式的數據。

除此之外,上面貼出的內容就是所需的全部。