Integrate Wazuh Manager with ELK Stack

In this tutorial you will learn how to integrate the Wazuh manager with the ELK stack into a unified security information and event management (SIEM) tool. Wazuh consists of endpoint security agents deployed to the monitored systems and a management server that collects and analyzes the data gathered by the agents. Wazuh integrates fully with the Elastic Stack, which provides a search engine and data visualization tool that lets users browse their security alerts.

Integrate Wazuh Manager with ELK Stack

There are different deployment methods for integrating the Wazuh manager with the ELK stack:

  • All-in-one deployment, where all Wazuh and ELK components are installed on a single node. Suitable for testing or small working environments.
  • Distributed deployment, where each component is installed on a separate node. Provides high availability and scalability, hence suitable for large working environments.

This tutorial uses the all-in-one deployment method to integrate the Wazuh manager with the ELK stack.

Note: we are running our setup on a Debian 10 system.

Install Wazuh Server on Debian 10

Create Wazuh Repository on Debian 10

apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt stable main" | tee /etc/apt/sources.list.d/wazuh.list

Update the package information:

apt update

Install Wazuh Server on Debian 10

Next, install the Wazuh manager on Debian 10.

apt install wazuh-manager

Once the installation is complete, you can start Wazuh-manager and enable it to run on system boot;

systemctl enable --now wazuh-manager

Install ELK/Elastic Stack on Debian 10

You can deploy OpenDistro ELK if you want, but in this setup we are using the "usual" ELK/Elastic stack.

According to the Wazuh compatibility matrix, ELK/Elastic stack 7.10.2 is compatible with the current version of Wazuh-manager, v4.1.5 (as of this writing).

Therefore, install ELK/Elastic 7.10.2 on Debian 10 as follows;

Create the Elastic repository on Debian 10;

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
apt update

Install Elastic Stack on Debian 10

Next, install ELK stack v7.10.2 on Debian 10. In this case we basically only need Kibana, Elasticsearch and Filebeat.

apt install elasticsearch=7.10.2 kibana=7.10.2 filebeat=7.10.2

Configure Elasticsearch

Elasticsearch runs fine with the default settings. However, in this setup we will tweak a few Elasticsearch settings, such as the JVM maximum and minimum memory settings and the discovery type.

To update the JVM minimum and maximum memory settings, simply open the jvm.options configuration file and update the values of Xmx and Xms according to the memory available on your server.

vim /etc/elasticsearch/jvm.options

Set to 512 MB in this setup:

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m

Also, if you are running a single-node Elasticsearch instance, as in our setup, you need to declare it in the Elasticsearch configuration file by adding the line discovery.type: single-node.

echo "discovery.type: single-node" >> /etc/elasticsearch/elasticsearch.yml

The configuration above is enough for now.
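The two tweaks above are applied by hand in the tutorial: jvm.options is edited in an editor and discovery.type is appended with "echo >>", which leaves a duplicate key if the command is run a second time. The script below is an added example, not part of the original tutorial, that performs the same two changes idempotently and adds Elastic's heap sizing rule (half of RAM, under the compressed-oops ceiling) as a check. The file paths are passed as arguments so the helpers can be tried on scratch copies; the --live mode targets the tutorial's real paths under /etc/elasticsearch.

```shell
#!/bin/sh
# Added example (not from the original tutorial): idempotent helpers for the
# Elasticsearch heap and discovery settings described above.

# set_jvm_heap FILE SIZE: pin -Xms and -Xmx to the same SIZE (e.g. 512m).
# Drops any existing Xms/Xmx lines, commented or active, then appends ours,
# so re-running never leaves two competing heap settings.
set_jvm_heap() {
    file=$1; size=$2
    sed -i '/^[#[:space:]]*-Xm[sx]/d' "$file"
    printf '%s\n' "-Xms$size" "-Xmx$size" >> "$file"
}

# jvm_heap_of FILE: print the active -Xmx value, for verification.
jvm_heap_of() {
    sed -n 's/^-Xmx//p' "$1"
}

# ensure_setting FILE KEY VALUE: make "KEY: VALUE" appear exactly once in a
# flat YAML file such as elasticsearch.yml (replace if present, else append).
ensure_setting() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key:" "$file"; then
        sed -i "s|^[[:space:]]*$key:.*|$key: $value|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# count_setting FILE KEY: how many times KEY is set (should be 1 afterwards).
count_setting() {
    grep -c "^[[:space:]]*$2:" "$1" || true
}

# recommended_max_heap_mb TOTAL_RAM_KB: Elastic's sizing guidance, half of RAM
# and no more than ~31 GB so compressed object pointers stay enabled.
# Feed it $(awk '/MemTotal/ {print $2}' /proc/meminfo) on a real host.
recommended_max_heap_mb() {
    half=$(( $1 / 2 / 1024 ))
    [ "$half" -gt 31744 ] && half=31744
    echo "$half"
}

# demo: run the helpers against constructed scratch copies of both files.
demo() {
    tmp=$(mktemp -d)
    printf '## -Xms4g\n## -Xmx4g\n' > "$tmp/jvm.options"      # constructed stand-in
    : > "$tmp/elasticsearch.yml"                              # constructed stand-in
    set_jvm_heap "$tmp/jvm.options" 512m
    ensure_setting "$tmp/elasticsearch.yml" discovery.type single-node
    ensure_setting "$tmp/elasticsearch.yml" discovery.type single-node  # re-run: still one line
    echo "jvm.options:";       cat "$tmp/jvm.options"
    echo "elasticsearch.yml:"; cat "$tmp/elasticsearch.yml"
    echo "discovery.type is set $(count_setting "$tmp/elasticsearch.yml" discovery.type) time(s)"
    echo "max heap for a 2 GB host: $(recommended_max_heap_mb 2097152) MB"
    rm -rf "$tmp"
}

case "${1-}" in
    --demo) demo ;;
    --live) set_jvm_heap /etc/elasticsearch/jvm.options 512m
            ensure_setting /etc/elasticsearch/elasticsearch.yml discovery.type single-node ;;
esac
```

Run it with --demo to see the result on the scratch copies, or with --live (as root) to apply the tutorial's values to the real files; either way a second run changes nothing.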

Start Elasticsearch and enable it to run on system boot;

systemctl enable --now elasticsearch

Configure Kibana

Define the IP address Kibana will bind to; it defaults to localhost. Replace the IP address accordingly.

sed -i 's/#server.host: "localhost"/server.host: "192.168.59.12"/' /etc/kibana/kibana.yml

Configure Kibana to connect to Elasticsearch. By default, Kibana connects to Elasticsearch via the localhost URL. In our setup, Elasticsearch is bound to the localhost address.

ss -altnp | grep 9200
LISTEN   0        128        [::ffff:127.0.0.1]:9200                   *:*       users:(("java",pid=8580,fd=258))
LISTEN   0        128                     [::1]:9200                [::]:*       users:(("java",pid=8580,fd=257))

Otherwise, uncomment the line elasticsearch.hosts: ["https://localhost:9200"] and replace the address accordingly.
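The ss check above answers one question: which address Elasticsearch is bound to. As an added example, not part of the original tutorial, the script below generalizes that check to the whole stack: it reads "ss -ltn" style output and reports every known Wazuh/Elastic port that is bound to something other than loopback. That matters here because TLS and authentication are left off in this setup, so any port reachable from the LAN (Kibana on 5601 in the tutorial) is reachable unauthenticated. Ports 9200 and 5601 appear in the tutorial; 1514 (agent traffic), 1515 (agent enrollment) and 55000 (Wazuh API) are Wazuh's default ports and are my addition. The sample ss output is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report which Wazuh/Elastic
# listeners are bound beyond loopback, from "ss -ltn" style input.

# service_for_port PORT: name the service behind a port we care about; fails
# for anything else so unrelated listeners (sshd etc.) are ignored.
service_for_port() {
    case $1 in
        9200)  echo "elasticsearch-rest" ;;       # from the tutorial
        5601)  echo "kibana" ;;                   # from the tutorial
        1514)  echo "wazuh-agent-connection" ;;   # Wazuh default, added here
        1515)  echo "wazuh-agent-enrollment" ;;   # Wazuh default, added here
        55000) echo "wazuh-api" ;;                # Wazuh default, added here
        *)     return 1 ;;
    esac
}

# is_loopback ADDR: true for the loopback spellings ss prints.
is_loopback() {
    case $1 in
        127.*|\[::1\]|::1|\[::ffff:127.*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# exposed_listeners < ss-output: print one line per tracked listener, marked
# "local" or "EXPOSED"; exit 1 if anything is exposed. Columns are those of
# "ss -ltn[p]": State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process].
exposed_listeners() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue         # skips the header line too
        port=${laddr##*:}                           # text after the last colon
        addr=${laddr%:*}                            # text before it, e.g. [::1]
        svc=$(service_for_port "$port") || continue # untracked port
        if is_loopback "$addr"; then
            echo "local   $laddr $svc"
        else
            echo "EXPOSED $laddr $svc"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample in the format of "ss -ltnp", based on the tutorial's
# setup: Elasticsearch on loopback, Kibana on the LAN address, plus the Wazuh
# API on all interfaces and sshd as an untracked listener.
SAMPLE_SS='State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN 0 128 [::ffff:127.0.0.1]:9200 *:* users:(("java",pid=8580,fd=258))
LISTEN 0 128 [::1]:9200 [::]:* users:(("java",pid=8580,fd=257))
LISTEN 0 511 192.168.59.12:5601 0.0.0.0:* users:(("node",pid=10666,fd=18))
LISTEN 0 128 0.0.0.0:55000 0.0.0.0:* users:(("python3",pid=11179,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=600,fd=3))'

case "${1-}" in
    --demo) printf '%s\n' "$SAMPLE_SS" | exposed_listeners ;;
    --live) ss -ltnp | exposed_listeners ;;
esac
```

With --demo the sample yields two "local" lines for 9200 and two "EXPOSED" lines (Kibana on 192.168.59.12:5601 and the API on 0.0.0.0:55000) and exits non-zero; --live runs the same check against the host's real ss output. A non-zero exit is a convenient hook for a post-install check or a cron job that alerts when a listener unexpectedly becomes reachable from the network.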

Start Kibana and enable it to run on system boot;

systemctl enable --now kibana

Integrate Wazuh Manager with ELK Stack

Install the Wazuh Manager Kibana App

Run the commands below to install the Wazuh manager/server Kibana app.

chown -R kibana: /usr/share/kibana/plugins
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.2-1.zip

Sample installation output;

Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.10.2-1.zip
Transferring 34175540 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

Create the Wazuh Kibana data directory and set its ownership to the kibana user.

mkdir /usr/share/kibana/data
chown -R kibana: /usr/share/kibana/data

Restart Kibana;

systemctl restart kibana

Configure Filebeat

Wazuh uses Filebeat to collect its data and forward it to the Elasticsearch search engine.

Back up the default configuration file and replace it with the configuration below.

mv /etc/filebeat/filebeat.{yml,orig}
cat > /etc/filebeat/filebeat.yml << 'EOL'
output.elasticsearch:
  hosts: ["localhost:9200"]
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
EOL

Test the Filebeat Elasticsearch output;

filebeat test output
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1, ::1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.10.2

Test the Filebeat configuration;

filebeat test config
Config OK

Install the Filebeat Wazuh module:

wget -qO- https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xz -C /usr/share/filebeat/module/

Download the Wazuh alerts Elasticsearch template:

wget -O /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
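"filebeat test config" above only parses filebeat.yml: it passes even when the template file named in setup.template.json.path has not been downloaded yet or the wazuh module tarball was not unpacked, and because setup.ilm.enabled is false that template is the only source of field mappings for the wazuh-alerts indices. The script below is an added example, not part of the original tutorial, that checks those two artifacts before the services are restarted. It assumes Filebeat's standard module layout (a directory per module containing one directory per fileset, each with a manifest.yml), takes the config path and module directory as arguments so it can be tried on scratch copies, and with --live checks the tutorial's real paths.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pre-flight check that the
# Wazuh template and Filebeat module referenced by filebeat.yml are in place.

# template_path CONFIG: print the value of setup.template.json.path, quotes stripped.
template_path() {
    sed -n "s/^setup\.template\.json\.path:[[:space:]]*//p" "$1" | tr -d "'\""
}

# enabled_modules CONFIG: print each "- module: NAME" entry under filebeat.modules.
enabled_modules() {
    sed -n 's/^[[:space:]]*-[[:space:]]*module:[[:space:]]*//p' "$1"
}

# has_fileset_manifest DIR: true if DIR holds at least one fileset (a
# subdirectory with a manifest.yml), which is how Filebeat lays modules out.
has_fileset_manifest() {
    for f in "$1"/*/manifest.yml; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# check_filebeat_wazuh CONFIG MODULE_DIR: print one finding per line, exit 1
# if anything is missing or malformed.
check_filebeat_wazuh() {
    cfg=$1; moddir=$2; rc=0
    tpl=$(template_path "$cfg")
    if [ -z "$tpl" ]; then
        echo "MISSING setup.template.json.path in $cfg"; rc=1
    elif [ ! -s "$tpl" ]; then
        echo "MISSING template file $tpl"; rc=1
    elif ! grep -q '"mappings"' "$tpl"; then
        echo "BAD     template $tpl contains no mappings"; rc=1
    else
        echo "OK      template $tpl"
    fi
    for m in $(enabled_modules "$cfg"); do
        if has_fileset_manifest "$moddir/$m"; then
            echo "OK      module $m under $moddir"
        else
            echo "MISSING module $m under $moddir"; rc=1
        fi
    done
    return $rc
}

# demo: run the check against a constructed scratch tree, first empty (two
# MISSING findings) and then with both artifacts in place.
demo() {
    t=$(mktemp -d)
    printf "setup.template.json.path: '%s'\nfilebeat.modules:\n  - module: wazuh\n" \
        "$t/wazuh-template.json" > "$t/filebeat.yml"       # constructed config
    echo "== before downloading template and module =="
    check_filebeat_wazuh "$t/filebeat.yml" "$t/module" || echo "(exit status 1)"
    mkdir -p "$t/module/wazuh/alerts"
    : > "$t/module/wazuh/alerts/manifest.yml"              # constructed fileset
    printf '{"index_patterns":["wazuh-alerts-*"],"mappings":{}}\n' > "$t/wazuh-template.json"
    echo "== after =="
    check_filebeat_wazuh "$t/filebeat.yml" "$t/module"
    rm -rf "$t"
}

case "${1-}" in
    --demo) demo ;;
    --live) check_filebeat_wazuh /etc/filebeat/filebeat.yml /usr/share/filebeat/module ;;
esac
```

Running it with --live after the two wget steps above and before the restart catches a failed download before Filebeat starts shipping events into an index with no mappings.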

Restart Kibana, Elasticsearch, Filebeat and Wazuh-manager

systemctl restart elasticsearch kibana filebeat wazuh-manager

Check the status of each service;

systemctl status elasticsearch kibana filebeat wazuh-manager
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:43:05 EDT; 2min 20s ago
     Docs: https://www.elastic.co
 Main PID: 10698 (java)
    Tasks: 64 (limit: 2359)
   Memory: 819.4M
   CGroup: /system.slice/elasticsearch.service
           ├─10698 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m
           └─10880 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

May 11 00:42:38 debian systemd[1]: Starting Elasticsearch...
May 11 00:43:05 debian systemd[1]: Started Elasticsearch.

● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:42:33 EDT; 2min 52s ago
 Main PID: 10666 (node)
    Tasks: 11 (limit: 2359)
   Memory: 285.9M
   CGroup: /system.slice/kibana.service
           └─10666 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist

May 11 00:43:15 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:15Z","tags":["info","plugins","crossClusterReplication"],"pid":10666,"message":"Your basi
May 11 00:43:15 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:15Z","tags":["info","plugins","watcher"],"pid":10666,"message":"Your basic license does n
May 11 00:43:15 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:15Z","tags":["info","plugins","monitoring","monitoring","kibana-monitoring"],"pid":10666,
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["error","elasticsearch","data"],"pid":10666,"message":"[version_conflict_eng
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["listening","info"],"pid":10666,"message":"Server running at https://192.168.
May 11 00:43:16 debian kibana[10666]: {"type":"log","@timestamp":"2021-05-11T04:43:16Z","tags":["info","http","server","Kibana"],"pid":10666,"message":"http server running

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:42:33 EDT; 4min 32s ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 10667 (filebeat)
    Tasks: 8 (limit: 2359)
   Memory: 31.6M
   CGroup: /system.slice/filebeat.service
           └─10667 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.d

May 11 00:42:33 debian systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..

● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-11 00:48:02 EDT; 8s ago
  Process: 11127 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
    Tasks: 100 (limit: 2359)
   Memory: 277.5M
   CGroup: /system.slice/wazuh-manager.service
           ├─11179 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─11219 /var/ossec/bin/ossec-authd
           ├─11233 /var/ossec/bin/wazuh-db
           ├─11256 /var/ossec/bin/ossec-execd
           ├─11271 /var/ossec/bin/ossec-analysisd
           ├─11315 /var/ossec/bin/ossec-syscheckd
           ├─11328 /var/ossec/bin/ossec-remoted
           ├─11360 /var/ossec/bin/ossec-logcollector
           ├─11380 /var/ossec/bin/ossec-monitord
           └─11407 /var/ossec/bin/wazuh-modulesd

May 11 00:47:53 debian env[11127]: Started wazuh-db...
May 11 00:47:54 debian env[11127]: Started ossec-execd...
May 11 00:47:55 debian env[11127]: Started ossec-analysisd...
May 11 00:47:56 debian env[11127]: Started ossec-syscheckd...
May 11 00:47:57 debian env[11127]: Started ossec-remoted...
May 11 00:47:58 debian env[11127]: Started ossec-logcollector...
May 11 00:47:59 debian env[11127]: Started ossec-monitord...
May 11 00:48:00 debian env[11127]: Started wazuh-modulesd...
May 11 00:48:02 debian env[11127]: Completed.
May 11 00:48:02 debian systemd[1]: Started Wazuh manager.

Access the Kibana Web Interface

You can now access Kibana via the URL https://<server-IP-or-hostname>:5601.

Under the Kibana menu section, you should be able to see the Wazuh app.

When you click on the app, it takes you to the modules page;

There you go. You can now proceed to install agents to collect logs from endpoints and send them to the Wazuh manager for visualization in Kibana.

That marks the end of our guide on how to integrate Wazuh Manager with ELK Stack.
