SIEM (ElasticSearch)
ElasticSearch
Installation
Ubuntu, 4 cores, 8 GB RAM, 30 GB disk
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://mirror.yandex.ru/mirrors/elastic/8/ stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update && sudo apt install elasticsearch
The console prints the password of the built-in elastic superuser:
The generated password for the elastic built-in superuser is : b0kLYdJDYetVHoPQafmc
Then edit the JVM options and set the heap limit to 8 GB: nano /etc/elasticsearch/jvm.options
## heap to 4 GB, create a new file in the jvm.options.d
## directory containing these lines:
##
-Xms8g
-Xmx8g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/8.19/heap-size.html
## for more information
Reload systemd, then enable and start the service
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
Install Kibana
sudo apt install kibana
sudo systemctl daemon-reload
sudo systemctl enable kibana.service
sudo systemctl start kibana.service
sudo systemctl status kibana.service
Generate a password for the kibana_system user
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system
Password for the [kibana_system] user successfully reset.
New value: QiF9U+blQujOvEg+jHyB
Set up the certificates (copy the Elasticsearch CA into the Kibana directory)
sudo cp -R /etc/elasticsearch/certs /etc/kibana
sudo chown -R root:kibana /etc/kibana/certs
Configure the Kibana parameters in /etc/kibana/kibana.yml
server.host: "192.168.1.184"
elasticsearch.username: "kibana_system"
elasticsearch.password: "QiF9U+blQujOvEg+jHyB"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/http_ca.crt" ]
elasticsearch.hosts: ["https://192.168.1.184:9200"]
Log in at http://192.168.1.184:5601/ with the login elastic and the password b0kLYdJDYetVHoPQafmc
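A post-install check for the Kibana-to-Elasticsearch link configured above, added here as an example (not part of the original guide): it verifies that kibana.yml reaches Elasticsearch over https with the CA pinned, that the copied certificate files are not world-readable, and, against the running stack, that kibana_system can authenticate over TLS. It assumes the paths used in the guide (/etc/kibana/kibana.yml and /etc/kibana/certs/http_ca.crt) and reads the kibana_system password from the KIBANA_PASS environment variable.

```shell
#!/usr/bin/env bash
# Post-install checks for the Kibana -> Elasticsearch link set up above.
# Added example, not from the original guide; the paths are the ones the
# guide uses (/etc/kibana/kibana.yml, /etc/kibana/certs/http_ca.crt).

# Return 0 when kibana.yml talks to Elasticsearch over https with a pinned CA.
check_kibana_yml() {
  local cfg="$1" hosts ca
  hosts=$(sed -n 's/^elasticsearch\.hosts:[[:space:]]*//p' "$cfg")
  ca=$(sed -n 's/^elasticsearch\.ssl\.certificateAuthorities:[[:space:]]*//p' "$cfg")
  # A plain http:// URL would send the kibana_system password in clear text.
  case "$hosts" in
    *http://*)  echo "insecure: http:// in elasticsearch.hosts" >&2; return 1 ;;
    *https://*) ;;
    *)          echo "elasticsearch.hosts is missing or not https" >&2; return 1 ;;
  esac
  # Without a pinned CA, Kibana would accept any certificate presented on port 9200.
  [ -n "$ca" ] || { echo "elasticsearch.ssl.certificateAuthorities is not set" >&2; return 1; }
  return 0
}

# Return 0 when no file in the copied certs directory is readable by "other".
# (cp -R plus chown root:kibana does not tighten permissions that were too loose.)
check_cert_perms() {
  local dir="$1" f mode
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f")   # e.g. 640; the last digit holds the "other" bits
    case "$mode" in
      *0) ;;
      *)  echo "world-accessible: $f (mode $mode)" >&2; return 1 ;;
    esac
  done
  return 0
}

# Live check against the running stack: fetch cluster health as kibana_system
# over TLS using the copied CA, so a wrong password or CA fails here, not in the UI.
check_cluster() {
  local host="$1" user="$2" pass="$3" ca="$4"
  curl -fsS --cacert "$ca" -u "$user:$pass" "https://$host:9200/_cluster/health?pretty"
}

# Usage on the host from the guide (the live check needs Elasticsearch running):
#   check_kibana_yml /etc/kibana/kibana.yml
#   check_cert_perms /etc/kibana/certs
#   KIBANA_PASS='<password from elasticsearch-reset-password>' \
#   check_cluster 192.168.1.184 kibana_system "$KIBANA_PASS" /etc/kibana/certs/http_ca.crt
```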