Wazuh由部署到受監視系統的端點安全代理和管理服務器組成,管理服務器收集和分析代理收集的資料,此外,Wazuh已與Elastic Stack完全集成,提供了搜索引擎和資料可視化工具,使用戶可以瀏覽其安全警報,
Wazuh提供的功能包括日志資料分析,入侵和惡意軟體檢測,檔案完整性監視,配置評估,漏洞檢測以及對法規遵從性的支持,
本次將部署一套分布式Wazuh方案:
- wazuh-master啟用全功能組件;
- ElasticStack將使用官方基本授權,不啟用X-pack和加密連接;
- Linux版本Agent將安裝到Kibana主機和ElasticSearch主機上,不再額外安裝示例主機;
- 各個功能組件采用單節點部署;
- Wazuh使用4.1.5版本,搭配官方指定7.11.2ElasticStack版本,
- 部署方案
-
部署拓撲
-
網路地址
系統角色 版本 網路地址 ElasticSearch 7.11.2 192.168.248.146 Kibana 7.11.2 192.168.248.145 WazuhMaster 4.1.5 192.168.248.150 WazuhAgent 4.1.5 192.168.248.1 -
部署實施
# 安裝前置軟體 yum install -y zip unzip curl # 匯入秘鑰 rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # 增加官方源 cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF # 安裝軟體 yum makecache yum upgrade -y yum install -y elasticsearch-7.11.2 # 匯入組態檔 mv /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml-bak touch /etc/elasticsearch/elasticsearch.yml cat > /etc/elasticsearch/elasticsearch.yml << EOF cluster.name: elastic node.name: elasticnode1 network.host: 192.168.248.146 cluster.initial_master_nodes: ["elasticnode1"] path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch EOF # 開通防火墻 firewall-cmd --permanent --add-service=elasticsearch firewall-cmd --reload # 啟動服務 systemctl daemon-reload systemctl enable elasticsearch systemctl start elasticsearch # 校驗服務 # 使用其他主機訪問es環境 curl -XGET http://192.168.248.146:9200 { "name" : "elasticnode1", "cluster_name" : "elastic", "cluster_uuid" : "ahjxhVEHREKNmBAfjcuyNw", "version" : { "number" : "7.11.2", "build_flavor" : "default", "build_type" : "rpm", "build_hash" : "3e5a16cfec50876d20ea77b075070932c6464c7d", "build_date" : "2021-03-06T05:54:38.141101Z", "build_snapshot" : false, "lucene_version" : "8.7.0", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "You Know, for Search" } # 禁用軟體源,避免非控升級組件 sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo10.Kibana的安裝
# 安裝前置軟體 yum install -y zip unzip curl # 匯入源秘鑰 rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # 增加官方源 cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF # 安裝軟體 yum makecache yum upgrade -y yum install -y kibana-7.11.2 # 修改組態檔 cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml-bak cat >> /etc/kibana/kibana.yml << EOF server.port: 5601 server.host: "localhost" server.name: "kibana" i18n.locale: "en" elasticsearch.hosts: ["http://192.168.248.146:9200"] kibana.index: ".kibana" kibana.defaultAppId: "home" EOF # 創建資料目錄 mkdir /usr/share/kibana/data chown -R kibana:kibana /usr/share/kibana # 離線安裝插件 wget https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.5_7.11.2-1.zip cp ./wazuh_kibana-4.1.5_7.11.2-1.zip /tmp cd /usr/share/kibana sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuh_kibana-4.1.5_7.11.2-1.zip # 配置服務 systemctl daemon-reload systemctl enable kibana systemctl start kibana # 禁用軟體源,避免非控升級組件 sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo # 配置反向代理 yum install -y nginx systemctl enable --now nginx vim /etc/ngix/nginx.conf.default # 在server{}中添加配置項 ?``` proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; location / { proxy_pass http://localhost:5601/; } ?``` nginx -s reload # 登錄kibana之后選擇wazuh插件 # 回傳控制臺修改插件組態檔 sed -i ‘:s/localhost/192.168.248.150/g’ /usr/share/kibana/data/wazuh/config/wazuh.yml11.WazuhMaster的安裝
# 安裝前置軟體 yum install -y zip unzip curl # 匯入秘鑰 rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # 配置官方軟體源 cat > /etc/yum.repos.d/wazuh.repo << EOF [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-$releasever - Wazuh baseurl=https://packages.wazuh.com/4.x/yum/ protect=1 EOF cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF # 安裝軟體 yum makecache yum upgrade -y yum install -y wazuh-manager yum install filebeat-7.11.2 # 配置Filebeat mv /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml-bak touch /etc/filebeat/filebeat.yml cat > /etc/filebeat/filebeat.yml<<EOF filebeat.modules: - module: wazuh alerts: enabled: true archives: enabled: false setup.template.json.enabled: true setup.template.json.path: '/etc/filebeat/wazuh-template.json' setup.template.json.name: 'wazuh' setup.template.overwrite: true setup.ilm.enabled: false output.elasticsearch.hosts: ['http://192.168.248.146:9200'] EOF # 匯入filebeat的wazuh日志模板 curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json chmod go+r /etc/filebeat/wazuh-template.json # 匯入filebeat的wazuh日志模型 curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module # 配置防火墻規則 firewall-cmd --permanent --add-port={1514/tcp,1515/tcp,55000/tcp} firewall-cmd --reload # 禁用軟體源,避免非控升級組件 sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo # 啟動服務 systemctl daemon-reload systemctl enable --now wazuh-manager systemctl enable --now filebeat # 驗證Filebeat filebeat test output ··· elasticsearch: http://192.168.248.146:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 192.168.248.146 dial up... OK TLS... WARN secure connection disabled talk to server... OK version: 7.11.2 ··· # 重繪kibana12.WazuhAgent的安裝(Linux)
# 在es節點和kibana節點上安裝 sudo WAZUH_MANAGER='192.168.248.150' WAZUH_AGENT_GROUP='default' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.1.5-1.x86_64.rpm # 啟動服務 sudo systemctl daemon-reload sudo systemctl enable wazuh-agent sudo systemctl start wazuh-agent13.WazuhAgent的安裝(Windows)
# 使用管理員權限打開powershell控制臺 Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.1.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER='192.168.248.150' WAZUH_REGISTRATION_SERVER='192.168.248.150' WAZUH_AGENT_GROUP='default'
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/423326.html
標籤:其他
上一篇:基于大資料(Hadoop+Java+MySQL)的數碼商城購物推薦系統設計與實作 檔案+任務書+開題報告+文獻綜述+答辯PPT+專案原始碼及資料庫檔案
下一篇:英語寒假沉淀(七)