notfounduser's diary

## download elasticsearch & kibana [root@superset min]# wget https://artifacts.elastic.co/downloads/kibana/kibana-7.16.0-x86_64.rpm --2021-12-13 13:42:14-- https://artifacts.elastic.co/downloads/kibana/kibana-7.16.0-x86_64.rpm Resolving artifacts.elastic.co (artifacts.elastic.co)... 34.120.127.130, 2600:1901:0:1d7:: Connecting to artifacts.elastic.co (artifacts.elastic.co)|34.120.127.130|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 286976720 (274M) [binary/octet-stream] Saving to: ‘kibana-7.16.0-x86_64.rpm’ 26% [================> ] 77,127,104 91.8MB/s ^C [root@superset min]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.16.0-x86_64.rpm --2021-12-13 13:42:39-- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.16.0-x86_64.rpm Resolving artifacts.elastic.co (artifacts.elastic.co)... 34.120.127.130, 2600:1901:0:1d7:: Connecting to artifacts.elas

#start project min@min-HVM-domU:~/kibana$ yarn start yarn run v1.22.4 $ node scripts/kibana --dev log [14:53:58.044] [warning][plugins-discovery] Explicit plugin paths [/home/min/kibana/x-pack] should only be used in development. Relative imports may not work properly in production. log [14:53:58.808] [warning][plugins-discovery] Expect plugin "id" in camelCase, but found: beats_management log [14:53:58.824] [warning][plugins-discovery] Expect plugin "id" in camelCase, but found: triggers_actions_ui [BABEL] Note: The code generator has deoptimised the styling of /home/min/kibana/x-pack/plugins/siem/server/utils/beat_schema/8.0.0/filebeat.ts as it exceeds the max of 500KB. log [14:56:22.508] [info][plugins-service] Plugin "visTypeXy" is disabled. log [14:56:22.510] [info][plugins-service] Plugin "ingestManager" is disabled. log [14:56:22.511] [info][plugins-service] Plugin "lists" is disabled. log [14:56:22.51

#set kibana developement root@min-HVM-domU:~# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.7.0-amd64.deb --2020-05-20 19:12:33-- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.7.0-amd64.deb Resolving artifacts.elastic.co (artifacts.elastic.co)... 151.101.110.222, 2a04:4e42:36::734 접속 artifacts.elastic.co (artifacts.elastic.co)|151.101.110.222|:443... 접속됨. HTTP request sent, awaiting response... 200 OK Length: 314465174 (300M) [application/octet-stream] Saving to: ‘elasticsearch-7.7.0-amd64.deb’ elasticsearch-7.7.0-amd64.deb 0%[ ] 440.44K 72.3KB/s eta 63m 3s delasticsearch-7.7.0-amd64.deb 100%[=====================================================>] 299.90M 38.1MB/s in 3m 34s 2020-05-20 19:16:08 (1.40 MB/s) - ‘elasticsearch-7.7.0-amd64.deb’ saved [314465174/314465174] root@min-HVM-domU:~# dpkg -i elasticsearch-7.7.0-amd64.deb Selecting previously unselected package

logstash로 data 수집 후, kibana index 작성중 이하의 에러가 발생 Error "forbidden" 권한 문제? #edit privileges PUT /_all/_settings {"index.blocks.read_only_allow_delete": null}

동작 시간 모니터링으로 활성 상태를 탐지하고 서비스가 가능한지 모니터링합니다 Heartbeat 설치 Heartbeat 다운로드 및 설치 설치파일 다운로드 https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-6.4.2-x86_64.rpm 설치 # yum install heartbeat-6.4.2-x86_64.rpm 환경설정 # heartbeat setup –template -E output.logstash.enabled=false -E ‘output.elasticsearch.hosts=[“192.168.0.113:9200”]’ 키바나 대시보드 템플릿 추가 # heartbeat setup –dashboards Loading dashboards (Kibana must be running and reachable) Loaded dashboards 대시보드 kibana 접속설정 및 데이터 수집 elasticsearch 경로 설정 http, icmp 형태로 서버의 서비스 유무를 확인 Heartbeat 실행 # /usr/share/heartbeat/bin/heartbeat -e -c ./heartbeat.yml -d “publish” Heartbeat 모니터링 대시보드

Windows 기반 인프라의 상태를 확인하기 위해 Winlogbeat를 설치하고 Windows 이벤트 로그를 수집합니다 Winlogbeat 설치 설치파일 다운로드  https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.4.2-windows-x86_64.zip Powershell로 설치 .\install-service-winlogbeat.ps1 대시보드 템플릿 템플릿 셋업  .\winlogbeat.exe setup –dashboards Winlogbeat 환경설정 대시보드 kibana 접속설정 및 데이터 수집 elasticsearch 경로 설정 Winlogbeat 모니터링 대시보드