centos7 ELK6.5日志收集套件上手(12)

===推荐这个文档，个人感觉适合网工用，适合入门演练===

https://documentation.wazuh.com/current/index.html

• 在elk主机上安装wazuh服务端

#配置wazuh软件repo

cat > /etc/yum.repos.d/wazuh.repo <<\EOF

[wazuh_repo]

gpgcheck=1

gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH

enabled=1

name=Wazuh repository

baseurl=https://packages.wazuh.com/3.x/yum/

protect=1

EOF

#安装wazuh server

yum install wazuh-manager

#安装wazuh-api

curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -

yum install nodejs

yum install wazuh-api

• 在elk主机上安装filebeat

yum install https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.0-x86_64.rpm

#替换启动配置文件

curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/filebeat/filebeat.yml

• elk主机各组件配置修改

#elasticsearch

curl https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-

#logstash

curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-local.conf

usermod -a -G ossec logstash

#kibana(这一步耗时长)

sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.0_6.5.0.zip

• 重启elk服务

systemctl restart elasticsearch kibana logstash filebeat

===基于主机的HIDS，还要部署客户端和配置安全策略，没有基于网络的NIDS方便===