Chandler: ELK

yum install -y python36 gcc python36-devel git
python3 -m pip install --upgrade pip
pip3 install elastalert
mkdir elastalert
cd elastalert
git clone https://github.com/Yelp/elastalert.git
cd elastalert
cp config.yaml.example config.yaml
mkdir rules

2021年11月2日星期二

ELK index lifecycle, snapshot

Reference:

Snapshot and restore

【Kibana】索引生命周期策略不生效，报错: index.lifecycle.rollover_alias [somta-logs] does not point to index

喬叔教 Elastic - 14 - 管理 Index 的 Best Practice (6/7) - Snapshot Lifecycle Management (SLM)

index lifecycle:

錯誤訊息：

illegal_argument_exception: index.lifecycle.rollover_alias [filebeat-7.12.1] does not point to index [filebeat-7.12.1-2021.09.02]

解法：

取消 lifecycle policy 的 Enable rollover

2021年5月17日星期一

ELK geoip map for fortigate

Reference:

How To Map User Location with GeoIP and ELK

ELK利用GeoIP映射用户地理位置（十二）

Day6 - 便利的 logstsh plugin (filter - 2)

vi /etc/logstash/conf.d/logstash.conf

filter {
grok {
match => [message, "%{SYSLOGTIMESTAMP:systime} %{DATA:gw} date=%{DATA:date} time=%{TIME:time} devname=%{DATA:devname} devid=%{DATA:devid} logid=%{DATA:logid} type=%{DATA:type} subtype=%{DATA:subtype} level=%{DATA:level} vd=%{DATA:vd} srcip=%{IP:srcip} srcport=%{DATA:srcport} srcintf=\"%{DATA:srcintf}\" dstip=%{IP:dstip} dstport=%{DATA:dstport} dstintf=\"%{DATA:dstintf}\" sessionid=%{DATA:sessionid} proto=%{INT:proto} action=%{DATA:action} policyid=%{DATA:policyid} policytype=%{DATA:policytype} dstcountry=\"%{DATA:dstcountry}\" srccountry=\"%{DATA:srccountry}\" trandisp=%{DATA:trandisp} service=\"%{DATA:servicename}\" app=\"%{DATA:app}\" duration=%{INT:duration} sentbyte=%{INT:sentbyte} rcvdbyte=%{INT:rcvdbyte} sentpkt=%{INT:sentbyte} appcat=%{QS:appcat} crscore=%{INT:crscore} craction=%{INT:craction} crlevel=%{DATA:crlevel}"]
}
geoip {
source => "srcip"
}
}