Wazuh host intrusion detection system
Installation and usage
Installing the Wazuh server
rpm -ivh wazuh-manager-3.3.1-1.x86_64.rpm
# Start the service
systemctl start wazuh-manager.service
systemctl status wazuh-manager.service
Installing the Wazuh API
- Install Node.js
wget -qO- https://rpm.nodesource.com/setup_8.x | bash - # this Node.js version causes the error noted below
yum install nodejs.x86_64
- Install Python 2 (the CentOS 7 default is already Python 2)
- Install the Wazuh API
rpm -ivh wazuh-api-3.3.1-1.x86_64.rpm
systemctl start wazuh-api.service
systemctl status wazuh-api.service
Installing the Wazuh agent (client)
rpm -ivh wazuh-agent-3.3.1-1.x86_64.rpm
# Edit the configuration file
vim /var/ossec/etc/ossec.conf
# Import the agent key
/var/ossec/bin/manage_agents
# Start the service
/var/ossec/bin/ossec-control start
Installing ELK
- Install Elasticsearch
# Install Java
yum install java-1.8.0-openjdk.x86_64 java-1.8.0-openjdk-devel.x86_64 -y
# Install Elasticsearch
rpm -ivh elasticsearch-6.3.0.rpm
# Start the service
systemctl start elasticsearch.service
# Create the index template
curl https://raw.githubusercontent.com/wazuh/wazuh/3.3/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
- Install Logstash
# Install Logstash
ln -s /usr/share/jdk1.8.0_171/bin/java /usr/sbin/java
rpm -ivh logstash-6.3.0.rpm
# Logstash configuration file
wget https://raw.githubusercontent.com/wazuh/wazuh/3.3/extensions/logstash/01-wazuh-local.conf -O /etc/logstash/conf.d/01-wazuh.conf
# Start the service
systemctl start logstash.service
- Install Kibana
rpm -ivh kibana-6.3.0-x86_64.rpm
# Install the Wazuh app plugin
export NODE_OPTIONS="--max-old-space-size=3072"
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.3.1_6.3.0.zip
# Remove the plugin
/usr/share/kibana/bin/kibana-plugin remove wazuh
Note: installing the Kibana plugin fails with the following error:
DeprecationWarning: os.tmpDir() is deprecated. Use os.tmpdir() instead.
Solution:
Use Node.js version 10
wget -qO- https://rpm.nodesource.com/setup_10.x | bash - # configure the Node.js repository
Wazuh + ELK + Filebeat
Configuring Filebeat
vim /etc/filebeat/filebeat.yml
Contents of filebeat.yml:
filebeat.inputs:
  - type: log
    paths:
      - "/var/ossec/logs/alerts/alerts.json"
    document_type: json
    json.message_key: log
    json.keys_under_root: true
    json.overwrite_keys: true
output.logstash:
  hosts: ["localhost:5044"]
Configuring Logstash
vim /etc/logstash/conf.d/wazuh.conf
Contents of wazuh.conf:
input {
  beats {
    port => 5044
    codec => "json_lines"
  }
}
filter {
  if [data][srcip] {
    mutate {
      add_field => [ "@src_ip", "%{[data][srcip]}" ]
    }
  }
  if [data][aws][sourceIPAddress] {
    mutate {
      add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
    }
  }
}
filter {
  geoip {
    source => "@src_ip"
    target => "GeoLocation"
    fields => ["city_name", "country_name", "region_name", "location"]
  }
  date {
    match => ["timestamp", "ISO8601"]
    target => "@timestamp"
  }
  mutate {
    remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
    document_type => "wazuh"
  }
}
Automated Wazuh agent deployment
For internet companies the server fleet changes very frequently, so agent deployment has to be automated; when the number of servers is large we also need one-click deployment.
The essential step for the agent is that the server generates the key first, and the client then fetches that key and imports it into its key file.
Code implementation
You can adapt the code to your own needs; once it is adjusted, coordinate with operations to include the agent auto-deployment code in the system initialization process.
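As an added example (not the post's own code), the flow described above written as a POSIX shell bootstrap script: the manager creates the agent and its key through the Wazuh 3.x API (POST /agents, basic auth on port 55000), and the new host imports the returned key with manage_agents, sets the manager address in ossec.conf and starts the agent. The manager address 10.0.0.10 and the foo:bar credentials are placeholders for the 3.x defaults; curl's -k accepts the API's default self-signed certificate and should be replaced with --cacert in production.

```sh
#!/bin/sh
# Added example, not the post's code: bootstrap a Wazuh 3.x agent end to end.
# Assumes Wazuh 3.x paths and API (POST /agents on port 55000, basic auth),
# curl on the new host, and that the script runs as root.
set -eu

WAZUH_HOME=/var/ossec
MANAGER_IP="${MANAGER_IP:-10.0.0.10}"           # placeholder manager address
API_URL="${API_URL:-https://$MANAGER_IP:55000}"
API_CREDS="${API_CREDS:-foo:bar}"               # 3.x default API user, change it
AGENT_NAME="${AGENT_NAME:-$(uname -n)}"

# Pull the "key" field out of the API reply, e.g.
# {"error":0,"data":{"id":"001","key":"MDAx..."}}. The key is base64, so a
# sed match is enough and the fresh host needs no jq.
extract_key() {
    printf '%s' "$1" | sed -n 's|.*"key":"\([A-Za-z0-9+/=]*\)".*|\1|p'
}

# The 3.x API reports failures in its own "error" field (non-zero), not via HTTP status.
api_error() {
    printf '%s' "$1" | sed -n 's|.*"error":\([0-9]*\).*|\1|p'
}

# Point the agent at the manager by rewriting <address> in ossec.conf.
set_manager_address() {
    sed -i "s#<address>[^<]*</address>#<address>$MANAGER_IP</address>#" \
        "$WAZUH_HOME/etc/ossec.conf"
}

deploy() {
    # 1) Server side first: the manager creates the agent and generates its key.
    #    -k accepts the API's default self-signed cert; use --cacert in production.
    resp=$(curl -sk -u "$API_CREDS" -X POST -H 'Content-Type: application/json' \
        -d "{\"name\":\"$AGENT_NAME\"}" "$API_URL/agents")
    [ "$(api_error "$resp")" = "0" ] || { echo "API error: $resp" >&2; exit 1; }
    key=$(extract_key "$resp")
    [ -n "$key" ] || { echo "no key in response: $resp" >&2; exit 1; }
    # 2) Client side: import the key (manage_agents asks for confirmation) and set the manager.
    printf 'y\n' | "$WAZUH_HOME/bin/manage_agents" -i "$key"
    set_manager_address
    # 3) Start the agent so it connects to the manager with the new key.
    "$WAZUH_HOME/bin/ossec-control" restart
}

# Only deploy when asked, so the helpers can be sourced and checked on their own.
if [ "${1:-}" = "--deploy" ]; then
    deploy
fi
```

Run it as `sh deploy-agent.sh --deploy` from the host's init hook; a non-zero API error code or an empty key aborts before anything on the host is changed.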