This post will describe how to install and configure open Distro for Elasticsearch.
The following plugins are available in open Distro:
- Security
- Alerting
- SQL
- Information Security Management (ISM)
- Performance Analyzer
Table of contents for all posts.
- Introduction. Infrastructure and technology deployment for SOC as a Service (SOCasS)
- ELK stack - installation and configuration
- Walking through the open Distro
- Dashboards and ELK SIEM visualization
- Integration with WAZUH
- Alerting
- Making report
- Case Management
In our project, we only installed security and alert plugins.
1-Alert Function:
Open Distro for Elasticsearch allows you to track your data and automatically send alerts to stakeholders. It's easy to set up and manage, and uses the Kibana interface with a powerful API.
, , - . , , . , Elasticsearch .
URL- ( 1.6.0 ) :
https://opendistro.github.io/for-elasticsearch-docs/version-history/
, elasticsearch kibana:
/usr/share/elasticsearch : Elasticsearch
/usr/share/kibana : Kibana1.1- Alerting elasticsearch:
cd /usr/share/elasticsearch
sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-sql/opendistro_sql-1.6.0.0.zip1.2- Alerting kibana :
cd /usr/share/kibana
sudo bin/kibana-plugin install โ allow-root https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-1.6.0.0.zip1.3- , :
โ Kibana :
sudo bin/kibana-plugin list
sudo bin/kibana-plugin remove <plugin-name>โ elasticsearch :
sudo bin/elasticsearch-plugin list
sudo bin/elasticsearch-plugin remove <plugin-name>1.4- kibana elasticsearch :
systemctl restart kibana elasticsearch: , elasticsearch kibana , kibana ( kibana is not ready yet ). kibana elasticsearch top.
1.5- kibana :
1.6- :
) URL- - Slack:
Slack โ , ยซ , ยป. Slack โ .
Webhooks โ Slack. - URL-, JSON . Incoming Webhooks, .
(slack.com)
, Slack.
, ,
, , Incoming Webhook, :
Slack
( ) ยซ ยป.
, URL- - ( , )
Kibana โ Alerting โ Destination add destination:
, Slack, URl - .
1.6.2- Slack:
:
:
( : 4624 , )
- Monitor Schedule
, :
, , :
Kibana, Slack:
Slack- (#test ) :
2- :
, , , .
2.1- :
, Kibana . , , , .
( 1 4), , . URL:
Kibana:
sudo bin/kibana-plugin install โ allow-root https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-1.6.0.0.zipElasticsearch:
sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-1.6.0.0.zip: type y
:
sudo sh /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh.
securityadmin.sh.
:
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
chmod +x install_demo_configuration.sh
./install_demo_configuration.shy ( : admin / : admin)
/etc/elasticsearch/elasticsearch.yml
2.2- elasticsearch logstash kibana:
, SSL elasticsearch. , .
2.2.1- Elasticsearch:
x-pack security elasticsearch: elasticsearch , , - xpack, ELK Stack, /etc/elasticsearch/elasticsearch.yml .
2.2.2- :
x-pack security Kibana: xpack.security ssl /etc/kibana/kibana.yml
. , โ https, http.
2.2.3- Logstash:
elasticsearch, logstash, , logstash.
, https, http.
sudo nano /etc/logstash/conf.d/logstash.conf
: , elasticsearch , SSL, , . , โ https, http.
2.3- :
systemctl restart elasticsearch
systemctl restart logtash
systemctl restart kibana, . top . (kibana is not ready yet).
ELK .
, URL- Elasticsearch (http , https)
:
Here you can create users, assign roles and permissions:
It helps you organize SOC groups based on roles, actions, and privileges.
Here are the default roles and database of internal users:
Telegram chat on Elasticsearch: https://t.me/elasticsearch_ru