
ELK packetbeat


# Optional JDK install, left commented out in the original; the 7.x
# elasticsearch package presumably ships its own bundled JDK — verify before enabling.
#yum -y install java-openjdk-devel java-openjdk

# Register the Elastic 7.x yum repository. gpgcheck=1 together with gpgkey
# makes yum verify package signatures against Elastic's key before installing;
# keep both on so a tampered mirror cannot push unsigned packages.
cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF


# Refresh metadata for the new repo, then install Elasticsearch.
sudo yum clean all
sudo yum makecache
sudo yum -y install elasticsearch
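# Tune the JVM heap in the editor: set -Xms and -Xmx to 4g (keep them equal and
# well below physical RAM). The original listing had "set 4G heap" as a bare
# line, which bash would try to execute; it is a note, so it lives in a comment.
vi /etc/elasticsearch/jvm.options
systemctl enable --now elasticsearch.service
# Sanity check: the node should answer with its version banner on the local address.
curl http://127.0.0.1:9200
yum -y install kibana
# Kibana settings edited by hand; see the kibana.yml excerpt that follows.
vi /etc/kibana/kibana.yml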
# 0.0.0.0 binds Kibana on every interface. Unless xpack security has been
# enabled, a 7.x Kibana answers without authentication, so restrict this with a
# firewall or reverse proxy (or bind to 127.0.0.1) before exposing it.
server.host: "0.0.0.0"
server.name: "kibana.example.com"
# NOTE(review): elasticsearch.url is the pre-7.0 setting name; Kibana 7.x reads
# elasticsearch.hosts instead — confirm which key the installed version accepts.
elasticsearch.url: "http://localhost:9200"
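systemctl enable --now kibana
# Only packetbeat is used later in this post; the other beats are optional.
yum install filebeat auditbeat metricbeat packetbeat heartbeat-elastic
# Create the "sniff" index with @datetime mapped as a date. The original split
# the -d argument onto a second line and closed the quote one brace early
# ('}}}}'} ), so curl never received a valid body; the mapping is one quoted
# argument with five closing braces.
# NOTE(review): mapping types ("doc") are deprecated in Elasticsearch 7.x and a
# PUT that names one may be rejected unless ?include_type_name=true is added —
# confirm against the running version.
curl -s -H "Content-Type: application/json" -XPUT 'localhost:9200/sniff' -d '{"mappings": { "doc" :  {"properties" : {"@datetime":{"type":"date"}}}}}'
# Show the NDJSON that will be bulk-loaded (one action line per document line).
cat json.txt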

{ "index" : { "_index" : "sniff" , "_type" : "_doc" } }

{"@datetime":1576812955644,"proto":"TCP","length":52,"source":"10.10.26.253","sport":57086,"dest":"10.10.26.238","dport":5601}
{ "index" : { "_index" : "sniff" , "_type" : "_doc" } }
{"@datetime":1576812955644,"proto":"TCP","length":52,"source":"10.10.26.238","sport":5601,"dest":"10.10.26.253","dport":57086}
{ "index" : { "_index" : "sniff" , "_type" : "_doc" } }
{"@datetime":1576812955644,"proto":"TCP","length":40,"source":"10.10.26.253","sport":57086,"dest":"10.10.26.238","dport":5601}
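# Bulk-load json.txt (action/document line pairs). The original had curly
# quotes around the header and file argument and an en dash in "–data-binary",
# copy/paste artifacts that curl would treat as a bare URL rather than a flag;
# everything below is plain ASCII.
curl -s -H "Content-Type: application/x-ndjson" -XPOST localhost:9200/_bulk --data-binary "@json.txt"
# Live variant: feed verbose tcpdump output straight into the parser/indexer.
# Everything except SSH (port 22) is captured, so whatever tcparse.php emits is
# derived from untrusted packet contents; since that output lands in a _bulk
# body (and, in reload.sh, in a SQL file) the parser must JSON-encode and
# SQL-escape every field — tcparse.php is not shown here, so confirm it does.
tcpdump -i eth1 -nnnn -tt -v not port 22 | php tcparse.php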
# cat load.sh
#!/bin/bash

# Restart the capture pair: stop any running tcpdump, wait for it to exit,
# then start one capture per interface in the background.
/bin/killall tcpdump
sleep 5
# -G 60 rotates the output file every 60 seconds; -z runs the named script
# after each rotation with the finished file as its only argument (the reload
# scripts parse, index and archive it). Captures are written to /tmp, a shared
# directory; a dedicated root-only directory is preferable since the pcaps hold
# raw traffic. NOTE(review): if this tcpdump build drops privileges (-Z), the
# -z hook runs as that user — confirm it can write under /_DATA and to MySQL.
/sbin/tcpdump -i eth7 -nnnn -tt -G 60 -z /_DATA/reload2.sh -w /tmp/PCAP2-%Y-%m-%d-%H-%M-%S &
/sbin/tcpdump -i eth6 -nnnn -tt -G 60 -z /_DATA/reload.sh -w /tmp/PCAP-%Y-%m-%d-%H-%M-%S &

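# cat reload.sh
#!/bin/bash
# Post-rotate hook for tcpdump -z. $1 is the finished pcap; it is parsed into
# NDJSON + SQL, the JSON is bulk-loaded into Elasticsearch, the pcap is archived
# by date and the SQL is loaded into MySQL.

# Refuse to run without a file argument rather than calling tcpdump -r with
# nothing and mv with a missing source.
pcap=${1:?usage: reload.sh <pcap-file>}
rm -f /_DATA/json.txt
rm -f /_DATA/sql.txt
# The original listing had this tcpdump joined onto the "rm -f sql.txt" line,
# which turned the whole capture command into extra rm arguments; it is its own
# pipeline.
# NOTE(review): tcparse.php is given the relative names json.txt and sql.txt,
# while the curl and mysql steps read /_DATA/json.txt and /_DATA/sql.txt — this
# only lines up if the hook runs with /_DATA as its working directory; confirm,
# or pass absolute paths. The parser's output is built from packet contents
# (untrusted) and ends up in a _bulk body and in SQL, so it must encode/escape
# every field; the parser is not shown here.
tcpdump -v -nnnn -tt -r "$pcap" not vrrp | php /_DATA/tcparse.php json.txt sql.txt 1
# Plain ASCII flags/quotes; the original's curly quotes and "–data-binary"
# en dash would not be parsed as an option.
curl -s -H "Content-Type: application/x-ndjson" -XPOST localhost:9200/_bulk --data-binary "@/_DATA/json.txt"
# Archive under /_DATA/YYYY-MM/DD. One date call replaces four, so month and
# day cannot disagree across midnight, and mkdir -p replaces the two
# error-suppressed mkdirs.
archive_dir="/_DATA/$(date +%Y-%m/%d)"
mkdir -p -- "$archive_dir"
mv -- "$pcap" "$archive_dir"
# Credentials come from mysql.ini via --defaults-extra-file rather than argv
# (where ps would show them); keep that file mode 0600. The original's en dash
# ("–defaults-extra-file") would not have been recognised as an option.
/bin/mysql --defaults-extra-file=/_DATA/mysql.ini SNIFF < /_DATA/sql.txt &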
