- \n
- \n
- OS\uff1aCentOS6.5 on VirtualBox + Vagrant<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Logstash 2.1.1<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Elasticsearch 2.1.0<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Kibana 4.3.0<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
- Java 1.8.65<\/ul>\n
\u5ba1\u8ba1\u8bc1\u636e\u8f93\u51fa<\/h1>\n
\u4f7f\u7528\u906e\u7f69\u5c4f\u5e55\u5b89\u88c51<\/h2>\n
\/usr\/share\/elasticsearch\/bin\/plugin install <\/span>elasticsearch\/shield\/latest\r\n<\/code><\/pre>\n\u9700\u8981\u8a2d\u5b9a\u8f38\u51fa\u529f\u7387\u7684\u554f\u984c\u3002<\/h2>\n
\u7531\u4e8e\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5ba1\u8ba1\u8bc1\u636e\u65e5\u5fd7\u7684\u8f93\u51fa\u662f\u65e0\u6548\u7684\uff0c\u56e0\u6b64\u5728elasticsearch.yml\u4e2d\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\u3002<\/p>\n
shield.audit.enabled<\/span>:<\/span> true<\/span>\r\n<\/code><\/pre>\n\u8bbe\u5b9a\u8f93\u51fa\u76ee\u6807<\/h2>\n
\u76d1\u5ba1\u8bc1\u636e\u65e5\u5fd7\u53ef\u9009\u62e9”\u6587\u4ef6\u8f93\u51fa”\u548c”\u5bfc\u5165\u5230Elasticsearch\u7d22\u5f15”\u3002\u53ef\u4ee5\u5728`shield.audit.outputs`\u4e2d\u8fdb\u884c\u6307\u5b9a\u3002\u672c\u6b21\u9009\u62e9\u4e86\u540c\u65f6\u6307\u5b9a\u4e24\u79cd\u8f93\u51fa\u65b9\u5f0f\u3002<\/p>\n
shield.audit.outputs<\/span>:<\/span> [<\/span>index<\/span>,<\/span> logfile<\/span>]<\/span>\r\n<\/code><\/pre>\n\u786e\u8ba4\u4ea7\u51fa<\/h2>\n
\u5b8c\u6210\u8a2d\u5b9a\u540e\uff0c\u91cd\u65b0\u542f\u52a8Elasticsearch\u5e76\u786e\u8ba4\u5ba1\u6838\u8ddf\u8e2a\u65e5\u5fd7\u7684\u8f93\u51fa\u3002
\n\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u6587\u4ef6\u5c06\u8f93\u51fa\u5230\/var\/log\/elasticsearch\/elasticsearch-access.log\u4e2d\u3002<\/p>\n[2015-12-19 04:04:36,480] [Taskmaster] [transport] [access_granted] origin_type=[local_node], origin_address=[127.0.0.1], principal=[__indexing_audit_user], action=[indices:data\/write\/bulk]\r\n[2015-12-19 04:04:36,480] [Taskmaster] [transport] [access_granted] origin_type=[local_node], origin_address=[127.0.0.1], principal=[__indexing_audit_user], action=[indices:data\/write\/bulk[s]], indices=[.shield_audit_log-2015.12.19]\r\n[2015-12-19 04:04:36,515] [Taskmaster] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[kibana4_server], action=[cluster:monitor\/nodes\/info]\r\n[2015-12-19 04:04:36,515] [Taskmaster] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[kibana4_server], action=[cluster:monitor\/nodes\/info[n]]\r\n[2015-12-19 04:04:36,526] [Taskmaster] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[kibana4_server], action=[cluster:monitor\/health], indices=[.kibana]\r\n<\/code><\/pre>\n\u4eceKibana\u4e2d\u67e5\u770b\u5230Elasticsearch\u7684\u5bfc\u5165\u60c5\u51b5\uff0c\u5982\u4e0b\u6240\u793a\u3002<\/p>\n
![\"capture.PNG\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d453e37434c4406ca1e77\/26-0.png\" "\\"\\"")
<\/div>\n\u65e5\u5fd7\u6761\u76ee\u7c7b\u578b<\/h2>\n
\u53ea\u6709\u5728\u53d1\u751f\u4ee5\u4e0b\u7c7b\u578b\u7684\u4e8b\u4ef6\u65f6\uff0c\u624d\u4f1a\u751f\u6210\u5ba1\u8ba1\u8bc1\u8ff9\u65e5\u5fd7\u3002<\/p>\n
\n\u7a2e\u5225\u8aac\u660eanonymous_access_denied\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u304c\u4ed8\u52a0\u3055\u308c\u3066\u3044\u306a\u3044\u3053\u3068\u306b\u3088\u308a\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408authentication_failed\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u304c\u30de\u30c3\u30c1\u3057\u306a\u3044\u3053\u3068\u306b\u3088\u308a\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408authentication_failed[<realm>]\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u304c\u30de\u30c3\u30c1\u3057\u306a\u3044\u3053\u3068\u306b\u3088\u308a\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408 \uff08\u30ec\u30eb\u30e0\u3054\u3068\u306b\u51fa\u529b\uff09access_granted\u30ed\u30fc\u30eb\u3068\u3057\u3066\u8a31\u53ef\u3055\u308c\u3066\u3044\u308b\u64cd\u4f5c\u3092\u884c\u3063\u305f\u5834\u5408\uff08\u6b63\u5e38\u7cfb\uff09access_denied\u30ed\u30fc\u30eb\u3068\u3057\u3066\u8a31\u53ef\u3055\u308c\u3066\u3044\u306a\u3044\u64cd\u4f5c\u3092\u884c\u3063\u305f\u3053\u3068\u306b\u3088\u308a\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408tampered_request\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u6539\u3056\u3093\u3055\u308c\u305f\u5834\u5408 \uff08typically relates tosearch\/scroll requests when the scroll id is believed to be tampered\uff09connection_grantedIP\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u306b\u3088\u308aTCP\u30b3\u30cd\u30af\u30b7\u30e7\u30f3\u304c\u8a31\u53ef\u3055\u308c\u305f\u5834\u5408\uff08\u6b63\u5e38\u7cfb\uff09connection_deniedIP\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u306b\u3088\u308aTCP\u30b3\u30cd\u30af\u30b7\u30e7\u30f3\u304c\u7834\u68c4\u3055\u308c\u305f\u5834\u5408<\/div>\n<\/div>\n\u5173\u4e8e\u65e5\u5fd7\u683c\u5f0f\u7684\u95ee\u9898<\/h2>\n
\u6211\u5c06\u7b80\u5355\u8bf4\u660e\u4e00\u4e0b\u65e5\u5fd7\u7684\u683c\u5f0f\u3002<\/p>\n
[<\u65f6\u95f4\u6233>] [<\u672c\u5730\u8282\u70b9\u4fe1\u606f>] [<\u5c42\u7ea7>] [<\u6761\u76ee\u7c7b\u578b>] <\u5c5e\u6027\u5217\u8868><\/p>\n
* <\u65f6\u95f4\u6233>\u2026\u8bb0\u5f55\u65f6\u95f4\u6233
\n* <\u672c\u5730\u8282\u70b9\u4fe1\u606f>\u2026\u8f93\u51fa\u65e5\u5fd7\u7684\u8282\u70b9\u4fe1\u606f
\n* <\u5c42\u7ea7>\u2026\u4e0e\u65e5\u5fd7\u6761\u76ee\u76f8\u5173\u7684\u5c42\u7ea7\uff08\u53ef\u4e3arest\u3001transport\u3001ip_filter\u4e4b\u4e00\uff09
\n* <\u6761\u76ee\u7c7b\u578b>\u2026\u6761\u76ee\u7c7b\u578b\uff08\u53c2\u89c1\u4e0a\u8ff0\u8bf4\u660e\uff09
\n* <\u5c5e\u6027\u5217\u8868>\u2026\u4e0e\u4e8b\u4ef6\u76f8\u5173\u7684\u5c5e\u6027\u4fe1\u606f<\/p>\n\u5f02\u5e38\u8bbf\u95ee\u68c0\u6d4b\u548c\u8b66\u62a5<\/h1>\n
\u4e0b\u4e00\u6b65\uff0c\u4f7f\u7528Watcher\u6765\u68c0\u6d4b\u548c\u53d1\u9001\u7535\u5b50\u90ae\u4ef6\u901a\u77e5\u6709\u5173\u975e\u6cd5\u8bbf\u95ee\u7684\u4fe1\u606f\u3002
\n\u672c\u6b21\u5c06\u5b9a\u4e49\u201c\u975e\u6cd5\u8bbf\u95ee\u201d\u4e3a\u201c\u5f53\u65e5\u5fd7\u7c7b\u578b\u4e3aanonymous_access_denied\u7684\u65e5\u5fd7\u88ab\u8f93\u51fa\u5230\u5ba1\u8ba1\u65e5\u5fd7\u65f6\u201d\u3002
\nanonymous_access_denied\u6307\u7684\u662f\u201c\u7531\u4e8e\u8bf7\u6c42\u88ab\u62d2\u7edd\u800c\u8f93\u51fa\u7684\u65e5\u5fd7\uff0c\u539f\u56e0\u662f\u672a\u9644\u52a0\u8ba4\u8bc1\u4ee4\u724c\u201d\u3002<\/p>\n\u89c2\u5bdf\u8005\u5b89\u88c51<\/h2>\n
\/usr\/share\/elasticsearch\/bin\/plugin install <\/span>elasticsearch\/watcher\/latest\r\n<\/code><\/pre>\n\u8bf7\u91cd\u65b0\u542f\u52a8Elasticsearch\uff0c\u5e76\u786e\u8ba4Watcher\u5df2\u7ecf\u542f\u52a8\u3002
\n\u5982\u679cwarcher_state\u4e3astarted\uff0c\u90a3\u5c31OK\u4e86\u3002
\n\u7531\u4e8e\u5df2\u7ecf\u5b89\u88c5\u4e86shield\uff0c\u6240\u4ee5\u8bf7\u6307\u5b9a\u7528\u6237\u540d\u548c\u5bc6\u7801\u8fdb\u884cGET\u8bf7\u6c42\u3002<\/p>\ncurl -XGET<\/span> -u<\/span> admin 'http:\/\/localhost:9200\/_watcher\/stats?pretty'<\/span>\r\nEnter host password for <\/span>user 'admin'<\/span>:\r\n{<\/span>\r\n \"watcher_state\"<\/span> : \"started\"<\/span>,\r\n \"watch_count\"<\/span> : 0,\r\n \"execution_thread_pool\"<\/span> : {<\/span>\r\n \"queue_size\"<\/span> : 0,\r\n \"max_size\"<\/span> : 0\r\n }<\/span>,\r\n \"manually_stopped\"<\/span> : false<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n\u89c2\u770b\u7684\u5b9a\u4e49<\/h2>\n
\u901a\u8fc7\u53d1\u9001POST\u8bf7\u6c42\u5e76\u6dfb\u52a0Watcher\u7d22\u5f15\u6765\u6dfb\u52a0Watch\u5b9a\u4e49\u3002<\/p>\n
curl -XPUT<\/span> -u<\/span> admin 'http:\/\/localhost:9200\/_watcher\/watch\/log_error_watch'<\/span> -d<\/span> '{\r\n \"trigger\" : {\r\n \"schedule\" : {\r\n \"interval\" : \"10s\"\r\n }\r\n }\r\n, \"input\" : {\r\n \"search\" : {\r\n \"request\" : {\r\n \"indices\" : [ \".shield_audit_log-*\" ]\r\n , \"body\" : {\r\n \"query\" : { \r\n \"bool\" : { \r\n \"must\" : [\r\n { \"match\": { \"event_type\" : \"anonymous_access_denied\"}}\r\n ]\r\n , \"filter\" : [ \r\n { \"range\": { \"@timestamp\" : { \"gte\": \"{{ctx.trigger.scheduled_time}}||-10s\" }}}\r\n ]\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n, \"condition\" : {\r\n \"compare\" : {\r\n \"ctx.payload.hits.total\" : { \r\n \"gt\" : 0\r\n }\r\n }\r\n }\r\n, \"actions\" : {\r\n \"email_admin\" : { \r\n \"email\": {\r\n \"to\" : \"<Your Mail Address>\"\r\n , \"subject\" : \"\u3010ERROR\u3011Elasticsearch\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\uff08{{ctx.payload.hits.total}}\u4ef6\uff09\"\r\n , \"body\" : {\r\n \"text\" : \"{{ctx.payload.hits.hits}}\" \r\n }\r\n }\r\n }\r\n }\r\n}'<\/span>\r\n<\/code><\/pre>\n\u4ee5\u4e0a\u7684\u5b9a\u4e49\u662f\u5728\u6bcf10\u79d2\u949f\u7684\u95f4\u9694\u5185\u641c\u7d22\u5df2\u6ce8\u518c\u7684Elasticsearch\u5ba1\u8ba1\u65e5\u5fd7\u7d22\u5f15\uff0c\u5e76\u5728\u68c0\u6d4b\u5230\u975e\u6cd5\u8bbf\u95ee\u65e5\u5fd7\u65f6\u901a\u8fc7\u7535\u5b50\u90ae\u4ef6\u8fdb\u884c\u901a\u77e5\u3002<\/p>\n
\u8ba9\u6211\u4eec\u6309\u7167\u987a\u5e8f\u6765\u770b\u4e0b\u53bb\u5427\u3002
\nWatch\u7684\u5b9a\u4e49\u53ef\u4ee5\u5927\u81f4\u5206\u4e3a\u56db\u4e2a\u90e8\u5206\uff0c\u5373trigger\uff08\u89e6\u53d1\u5668\uff09\u3001input\uff08\u8f93\u5165\uff09\u3001condition\uff08\u6761\u4ef6\uff09\u548cactions\uff08\u52a8\u4f5c\uff09\u3002<\/p>\n\u89e6\u53d1 (ch\u016b f\u0101)<\/h3>\n
\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u4f7f\u7528\u8ba1\u5212\u89e6\u53d1\u5668\u4ee510\u79d2\u7684\u95f4\u9694\u542f\u52a8\u76d1\u89c6\u5668\u6765\u5b9a\u4e49\u89e6\u53d1\u5668\u3002<\/p>\n
\"<\/span>trigger<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>schedule<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>interval<\/span>\"<\/span> :<\/span> \"<\/span>10s<\/span>\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n<\/code><\/pre>\n\u8bf7\u53c2\u8003\u4ee5\u4e0b\u94fe\u63a5\uff1ahttps:\/\/www.elastic.co\/guide\/en\/watcher\/current\/trigger.html<\/p>\n
\u8bf7\u7ed9\u6211\u4e00\u4e2a\u4e2d\u6587\u7684\u7ffb\u8bd1\u9009\u9879:
\n\u8f93\u5165<\/h3>\n\u8f93\u5165\u5b9a\u4e49\u4e86Watcher\u7684\u5ba1\u8ba1\u76ee\u6807\u3002
\n\u8fd9\u91cc\u4ece.shield_audit_log\u7d22\u5f15\u4e2d\u6ce8\u518c\u7684\u6587\u6863\u4e2d\u63d0\u53d6event_type\u5b57\u6bb5\u4e3aanonymous_access_denied\u7684\u5185\u5bb9\u3002<\/p>\n\u901a\u8fc7\u7b5b\u9009\u65f6\u95f4\u6233\u5927\u4e8e\u300cWatcher\u542f\u52a8\u88ab\u8c03\u5ea6\u7684\u65f6\u95f4 – 10\u79d2\u300d\u7684\u65e5\u5fd7\uff0c\u4ee5\u907f\u514d\u5bf9\u5df2\u7ecf\u68c0\u6d4b\u8fc7\u7684\u65e5\u5fd7\u8fdb\u884c\u91cd\u590d\u68c0\u6d4b\u3002<\/p>\n
\"<\/span>input<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>search<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>request<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>indices<\/span>\"<\/span> :<\/span> [<\/span> \"<\/span>.shield_audit_log-*<\/span>\"<\/span> ]<\/span>\r\n ,<\/span> \"<\/span>body<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>query<\/span>\"<\/span> :<\/span> {<\/span> \r\n \"<\/span>bool<\/span>\"<\/span> :<\/span> {<\/span> \r\n \"<\/span>must<\/span>\"<\/span> :<\/span> [<\/span>\r\n {<\/span> \"<\/span>match<\/span>\"<\/span>:<\/span> {<\/span> \"<\/span>event_type<\/span>\"<\/span> :<\/span> \"<\/span>anonymous_access_denied<\/span>\"<\/span>}}<\/span>\r\n ]<\/span>\r\n ,<\/span> \"<\/span>filter<\/span>\"<\/span> :<\/span> [<\/span> \r\n {<\/span> \"<\/span>range<\/span>\"<\/span>:<\/span> {<\/span> \"<\/span>@timestamp<\/span>\"<\/span> :<\/span> {<\/span> \"<\/span>gte<\/span>\"<\/span>:<\/span> \"<\/span>{{ctx.trigger.scheduled_time}}||-10s<\/span>\"<\/span> }}}<\/span>\r\n ]<\/span>\r\n }<\/span>\r\n }<\/span>\r\n }<\/span>\r\n }<\/span>\r\n }<\/span>\r\n }<\/span>\r\n<\/code><\/pre>\n\u8bf7\u53c2\u8003\u4ee5\u4e0b\u94fe\u63a5\u83b7\u53d6\u66f4\u591a\u4fe1\u606f\uff1ahttps:\/\/www.elastic.co\/guide\/en\/watcher\/current\/input.html<\/p>\n
\u72b6\u6001<\/h3>\n
\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u5b9a\u4e49\u4e86\u53ea\u6709\u5f53\u8f93\u5165\u7684\u9879\u76ee\u6570\u5927\u4e8e\u6216\u7b49\u4e8e0\u65f6\u624d\u6267\u884c\u64cd\u4f5c\u7684\u6761\u4ef6\u3002<\/p>\n
\"<\/span>condition<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>compare<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>ctx.payload.hits.total<\/span>\"<\/span> :<\/span> {<\/span> \r\n \"<\/span>gt<\/span>\"<\/span> :<\/span> 0<\/span>\r\n }<\/span>\r\n }<\/span>\r\n }<\/span>\r\n<\/code><\/pre>\n\u8bf7\u67e5\u9605\uff1ahttps:\/\/www.elastic.co\/guide\/en\/watcher\/current\/condition.html<\/p>\n
\u884c\u52a8<\/h3>\n
\u5f53\u68c0\u6d4b\u5230watch\u5bf9\u8c61\u65f6\uff0c\u5b9a\u4e49\u76f8\u5e94\u7684\u64cd\u4f5c\u3002
\n\u64cd\u4f5c\u53ef\u4ee5\u5305\u62ec\u53d1\u9001\u90ae\u4ef6\u3001\u4e0eSlack\u96c6\u6210\u3001\u4e0eHipchat\u96c6\u6210\u3001\u8f93\u51fa\u65e5\u5fd7\u7b49\u591a\u79cd\u65b9\u5f0f\uff0c
\n\u4f46\u5728\u6b64\u5904\u6211\u4eec\u9009\u62e9\u53d1\u9001\u90ae\u4ef6\u64cd\u4f5c\u3002<\/p>\n\"<\/span>actions<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>email_admin<\/span>\"<\/span> :<\/span> {<\/span> \r\n \"<\/span>email<\/span>\"<\/span>:<\/span> {<\/span>\r\n \"<\/span>to<\/span>\"<\/span> :<\/span> \"<\/span><Your Mail Address><\/span>\"<\/span>\r\n ,<\/span> \"<\/span>subject<\/span>\"<\/span> :<\/span> \"<\/span>\u3010ERROR\u3011Elasticsearch\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\uff08{{ctx.payload.hits.total}}\u4ef6\uff09<\/span>\"<\/span>\r\n ,<\/span> \"<\/span>body<\/span>\"<\/span> :<\/span> {<\/span>\r\n \"<\/span>text<\/span>\"<\/span> :<\/span> \"<\/span>{{ctx.payload.hits.hits}}<\/span>\"<\/span> \r\n }<\/span>\r\n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n