FortiGate-100D # get system interface physical
== [onboard]
        ==[dmz]
                mode: static
                ip: 10.10.10.1 255.255.255.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[ha1]
                mode: static
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[ha2]
                mode: static
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[mgmt]
                mode: static
                ip: 192.168.1.99 255.255.255.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[wan1]
                mode: dhcp
                ip: 192.168.0.14 255.255.255.0
                ipv6: ::/0
                status: up
                speed: 1000Mbps (Duplex: full)
        ==[wan2]
                mode: dhcp
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[modem]
                mode: pppoe
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a

FortiGate-100D #
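
The listing above is easy to eyeball on one box, but across several firewalls you want it parsed. As an added example (my code, not from the original post and not a Fortinet tool), here is a small Python parser for the `get system interface physical` format, run on an excerpt of the output above, together with a review that lists the links that are up and the interfaces that carry a configured address but are down. The second list matters to a defender: an addressed management port that is currently unplugged (mgmt at 192.168.1.99 above) is easy to forget and will answer on that address the moment someone cables it.

```python
import re
from typing import Dict, List

# Excerpt of the "get system interface physical" output shown above
# (dmz, ha1, mgmt, wan1 and wan2 only).
SAMPLE_OUTPUT = """\
== [onboard]
        ==[dmz]
                mode: static
                ip: 10.10.10.1 255.255.255.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[ha1]
                mode: static
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[mgmt]
                mode: static
                ip: 192.168.1.99 255.255.255.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[wan1]
                mode: dhcp
                ip: 192.168.0.14 255.255.255.0
                ipv6: ::/0
                status: up
                speed: 1000Mbps (Duplex: full)
        ==[wan2]
                mode: dhcp
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
"""

# "==[name]" opens an interface block; "== [onboard]" (with a space) is the
# group header and is deliberately not matched by this pattern.
IFACE_RE = re.compile(r"^\s*==\[(?P<name>[^\]]+)\]\s*$")
# "key: value" attribute lines; the value may itself contain spaces and colons
# (ip + netmask, "1000Mbps (Duplex: full)").
ATTR_RE = re.compile(r"^\s*(?P<key>[a-z0-9]+):\s*(?P<value>.*?)\s*$")


def parse_physical_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface name: {attribute: value}} for a CLI listing."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = IFACE_RE.match(line)
        if header:
            current = header.group("name")
            interfaces[current] = {}
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            interfaces[current][attr.group("key")] = attr.group("value")
    return interfaces


def ipv4_address(attrs: Dict[str, str]) -> str:
    """First token of the 'ip' field ("0.0.0.0" when unaddressed or absent)."""
    parts = attrs.get("ip", "").split()
    return parts[0] if parts else "0.0.0.0"


def review_interfaces(interfaces: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Which links are up, and which interfaces have an address but are down."""
    up = sorted(n for n, a in interfaces.items() if a.get("status") == "up")
    addressed_down = sorted(
        n for n, a in interfaces.items()
        if a.get("status") == "down" and ipv4_address(a) != "0.0.0.0"
    )
    return {"up": up, "addressed_but_down": addressed_down}


if __name__ == "__main__":
    parsed = parse_physical_interfaces(SAMPLE_OUTPUT)
    for name, attrs in parsed.items():
        print(f"{name:6} {attrs['mode']:7} {attrs['status']:5} {ipv4_address(attrs)}")
    print(review_interfaces(parsed))
```

The same parser works unchanged on the full output, since every interface block has the same five attribute lines; feeding it the text captured over a console session is enough.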

 

FortiGate-100D # execute shutdown
This operation will shutdown the system !
Do you want to continue? (y/n)y


System is shutting down...


The system is going down NOW !!

FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
The system is halted.


I bought a used 100D unit.

A password was already set when I got it, so, meaning to reset it, I pressed the wrong menu option and formatted the boot disk.

Thanks to that I got to use a feature I had never tried before.

Setting up a TFTP server on Windows 10

Search for tftpd64.exe, download it, and just run it.

Running it is all the TFTP server setup there is; set the folder containing the firmware file as the source folder.

For the IP setting, select the interface that matches the TFTP server configuration.

The firmware file name to upload must also be set to exactly match the file name in the folder.

Blowing away the FortiGate disk

FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G000000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
...
[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H: F

All data will be erased,continue:[Y/N]? Y
FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G00000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, Initialize boot device failed.

 

Recovering (reinstalling) the firmware using a TFTP server

FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G00000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
.....
[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H: C

[P]:  Set image download port.
[D]:  Set DHCP mode.
[I]:  Set local IP address.
[S]:  Set local subnet mask.
[G]:  Set local gateway.
[V]:  Set local VLAN ID.
[T]:  Set remote TFTP server IP address.
[F]:  Set firmware image file name.
[E]:  Reset TFTP parameters to factory defaults.
[R]:  Review TFTP parameters.
[N]:  Diagnose networking (ping).
[Q]:  Quit this menu.
[H]:  Display this list of options.

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: I

Enter local IP address [192.168.1.66]:192.168.0.18

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: S

Input local subnet mask [255.255.255.0]:

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: G

Enter local gateway IP address [192.168.1.254]:192.168.0.1

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: T

Enter remote TFTP server IP address [192.168.1.168]:192.168.0.54

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: F

Enter firmware file name [image.out]: 6.2.12-FGT_100D-v6-build1319-FORTINET.out

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: R

Image download port:    MGMT
DHCP status:            disabled
Local VLAN ID:          none
Local IP address:       192.168.0.18
Local subnet mask:      255.255.255.0
Local gateway:          192.168.0.1
TFTP server IP address: 192.168.0.54
Firmware file name:     6.2.12-FGT_100D-v6-build1319-FORTINET.out

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: N

[1]:  Ping remote TFTP server.
[2]:  Ping gateway.
[3]:  Ping specified IP address.
[Q]:  Quite the menu.
[H]:  Display the list of opinion.

Enter 1,2,3,Q or H: 1
Begin to send ICMP packets:
Press ESC to abort ping action.

Reply from 192.168.0.54: time=67ms ttl=128
Reply from 192.168.0.54: time=50ms ttl=128
Reply from 192.168.0.54: time=107ms ttl=128
Reply from 192.168.0.54: time=73ms ttl=128
Reply from 192.168.0.54: time=50ms ttl=128
Successfully receive 5 of out 5 packets from 192.168.0.54.

Enter 1,2,3,Q or H: Q

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: Q

[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H: T

Please connect TFTP server to Ethernet port "MGMT".

Initiating firmware TFTP Transfer...

MAC:         90:6C:AC:00:00:00
.#########################################################
Total 60581933 bytes data downloaded.
Verifying the integrity of the firmware image.

Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]? D
Programming the boot device now.
................................................................................................................................................................................................................................................................
Reading boot image 2721475 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Starting system maintenance...
Scanning /dev/sdb1... (100%)
Scanning /dev/sdb3... (100%)

System storage='Internal' disk-usage changed, please 'execute disk format 255'.


Disk usage changed, please wait for reboot...

Formatting the disk...
- unmounting /data2 :  ok
- unmounting /var/log :  ok
Partitioning and formatting /dev/sda label LOGUSEDX2C5B29F6 ... done


The system is going down NOW !!

Please stand by while rebooting the system.
Restarting system.
FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G00000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
......

Reading boot image 2721475 bytes.
Initializing firewall...
System is starting...


FortiGate-100D login:

 

Resetting the initial FortiGate password

Default account: admin

Password: none

FortiGate-100D login: admin
Password:
You are forced to change your password, please input a new password.
New Password:*****
Confirm Password:*****
Welcome!

FortiGate-100D #

 

If you do not know the FortiGate password (login possible within 1 minute after a reboot)

ID: maintainer

PW: bcpb<serial number>

*Serial number: shown on the third line when the device reboots.

I have not been able to verify it, but I read that this was removed starting with FortiOS 7.2.4.

FortiGate-100D login: maintainer
Password: ********************
Welcome!

FortiGate-100D # config system admin

FortiGate-100D (admin) # edit <ID to change>

FortiGate-100D (admin) # set password <new password>

FortiGate-100D (admin) # end

FortiGate-100D # exit

FortiGate-100D login:

 


Downloading snmp_exporter

https://github.com/prometheus/snmp_exporter/releases/tag/v0.21.0

Installing snmp_exporter

[root@tmplogsvr ~]# cd /opt
[root@tmplogsvr opt]# wget https://github.com/prometheus/snmp_exporter/releases/download/v0.21.0/snmp_exporter-0.21.0.linux-amd64.tar.gz
--2023-03-22 14:14:01--  https://github.com/prometheus/snmp_exporter/releases/download/v0.21.0/snmp_exporter-0.21.0.linux-amd64.tar.gz
Resolving github.com (github.com)... 20.200.245.247
Connecting to github.com (github.com)|20.200.245.247|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/31185891/35d0421a-cf03-4349-ae63-426c22348a41?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230322%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230322T051348Z&X-Amz-Expires=300&X-Amz-Signature=4a0ef1b1d88523c258386ec4bc5645e9e8114053243b06e8cfd218ce1895d008&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=31185891&response-content-disposition=attachment%3B%20filename%3Dsnmp_exporter-0.21.0.linux-amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2023-03-22 14:14:01--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/31185891/35d0421a-cf03-4349-ae63-426c22348a41?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230322%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230322T051348Z&X-Amz-Expires=300&X-Amz-Signature=4a0ef1b1d88523c258386ec4bc5645e9e8114053243b06e8cfd218ce1895d008&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=31185891&response-content-disposition=attachment%3B%20filename%3Dsnmp_exporter-0.21.0.linux-amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8468035 (8.1M) [application/octet-stream]
Saving to: ‘snmp_exporter-0.21.0.linux-amd64.tar.gz’

snmp_exporter-0.21.0.linux-amd64.tar.gz           100%[===========================================================================================================>]   8.08M  43.5MB/s    in 0.2s

2023-03-22 14:14:02 (43.5 MB/s) - ‘snmp_exporter-0.21.0.linux-amd64.tar.gz’ saved [8468035/8468035]

[root@tmplogsvr opt]# tar zxvf ./snmp_exporter-0.21.0.linux-amd64.tar.gz
[root@tmplogsvr opt]# rm -rf ./snmp_exporter-0.21.0.linux-amd64.tar.gz
[root@tmplogsvr opt]# mv ./snmp_exporter-0.21.0.linux-amd64 ./snmp_exporter
[root@tmplogsvr opt]# ln -s /opt/snmp_exporter/snmp_exporter /usr/local/bin/snmp_exporter
[root@tmplogsvr opt]# useradd --system snmp_exporter
[root@tmplogsvr opt]# echo '
[Unit]
Description=Prometheus SNMP Exporter Service
After=network.target

[Service]
Type=simple
User=snmp_exporter
ExecStart=/usr/local/bin/snmp_exporter --config.file="/opt/snmp_exporter/snmp.yml"

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/snmp-exporter.service
[root@tmplogsvr opt]# systemctl daemon-reload
[root@tmplogsvr opt]# systemctl enable snmp-exporter.service

 

Running snmp_exporter

[root@tmplogsvr opt]# systemctl start snmp-exporter.service
[root@tmplogsvr opt]# systemctl status snmp-exporter.service
● snmp-exporter.service - Prometheus SNMP Exporter Service
   Loaded: loaded (/etc/systemd/system/snmp-exporter.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-03-22 14:33:22 KST; 5s ago
 Main PID: 241313 (snmp_exporter)
    Tasks: 10 (limit: 99645)
   Memory: 30.7M
   CGroup: /system.slice/snmp-exporter.service
           └─241313 /usr/local/bin/snmp_exporter --config.file=/opt/snmp_exporter/snmp.yml

 3월 22 14:33:22 tmplogsvr systemd[1]: Started Prometheus SNMP Exporter Service.
 3월 22 14:33:22 tmplogsvr snmp_exporter[241313]: ts=2023-03-22T05:33:22.219Z caller=main.go:148 level=info msg="Starting snmp_exporter" version="(version=0.21.0, branch=HEAD, revision=0d8c3527cac0>
 3월 22 14:33:22 tmplogsvr snmp_exporter[241313]: ts=2023-03-22T05:33:22.219Z caller=main.go:149 level=info build_context="(go=go1.19.3, user=root@51dfd4b1f59b, date=20221122-15:14:18)"
 3월 22 14:33:22 tmplogsvr snmp_exporter[241313]: ts=2023-03-22T05:33:22.299Z caller=tls_config.go:232 level=info msg="Listening on" address=[::]:9116
 3월 22 14:33:22 tmplogsvr snmp_exporter[241313]: ts=2023-03-22T05:33:22.299Z caller=tls_config.go:235 level=info msg="TLS is disabled." http2=false address=[::]:9116
 3월 22 14:33:24 tmplogsvr snmp_exporter[241313]: ts=2023-03-22T05:33:24.370Z caller=collector.go:282 level=info module=if_mib target=192.168.10.2 msg="Error scraping target" err="error getting tar>
lines 1-15/15 (END)


Downloading Prometheus

https://prometheus.io/download/

Installing Prometheus

If you follow the steps below you do not need to download it separately.

[root@tmplogsvr ~]# groupadd --system prometheus
[root@tmplogsvr ~]# useradd -s /sbin/nologin --system -g prometheus prometheus
[root@tmplogsvr ~]# mkdir /var/lib/prometheus
[root@tmplogsvr ~]# for i in rules rules.d files_sd; do mkdir -p /etc/prometheus/${i}; done
[root@tmplogsvr ~]# curl -s https://api.github.com/repos/prometheus/prometheus/releases/latest   | grep browser_download_url   | grep linux-amd64   | cut -d '"' -f 4   | wget -qi -
[root@tmplogsvr ~]# tar xvf prometheus-2.42.0.linux-amd64.tar.gz
prometheus-2.42.0.linux-amd64/
prometheus-2.42.0.linux-amd64/NOTICE
prometheus-2.42.0.linux-amd64/consoles/
prometheus-2.42.0.linux-amd64/consoles/index.html.example
prometheus-2.42.0.linux-amd64/consoles/node.html
prometheus-2.42.0.linux-amd64/consoles/prometheus-overview.html
prometheus-2.42.0.linux-amd64/consoles/node-disk.html
prometheus-2.42.0.linux-amd64/consoles/prometheus.html
prometheus-2.42.0.linux-amd64/consoles/node-overview.html
prometheus-2.42.0.linux-amd64/consoles/node-cpu.html
prometheus-2.42.0.linux-amd64/console_libraries/
prometheus-2.42.0.linux-amd64/console_libraries/menu.lib
prometheus-2.42.0.linux-amd64/console_libraries/prom.lib
prometheus-2.42.0.linux-amd64/prometheus.yml
prometheus-2.42.0.linux-amd64/LICENSE
prometheus-2.42.0.linux-amd64/promtool
prometheus-2.42.0.linux-amd64/prometheus
[root@tmplogsvr ~]# cd prometheus-2.42.0.linux-amd64/
[root@tmplogsvr prometheus-2.42.0.linux-amd64]# cp ./prometheus promtool /usr/local/bin
[root@tmplogsvr prometheus-2.42.0.linux-amd64]# cp -r prometheus.yml consoles/ console_libraries/ /etc/prometheus/
[root@tmplogsvr prometheus-2.42.0.linux-amd64]# cd
[root@tmplogsvr ~]# echo '
[Unit]
Description=Prometheus
Documentation=https://prometheus.io/docs/introduction/overview/
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --storage.tsdb.path=/var/lib/prometheus \
  --web.console.templates=/etc/prometheus/consoles \
  --web.console.libraries=/etc/prometheus/console_libraries \
  --web.listen-address=0.0.0.0:9090 \
  --web.external-url=

SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/prometheus.service
[root@tmplogsvr ~]# chown -R prometheus:prometheus /etc/prometheus
[root@tmplogsvr ~]# chmod -R 775 /etc/prometheus/
[root@tmplogsvr ~]# chown -R prometheus:prometheus /var/lib/prometheus/
[root@tmplogsvr ~]# systemctl daemon-reload
[root@tmplogsvr ~]# systemctl enable prometheus
Created symlink /etc/systemd/system/multi-user.target.wants/prometheus.service → /etc/systemd/system/prometheus.service.
[root@tmplogsvr ~]#

 

Running Prometheus

[root@tmplogsvr ~]# systemctl start prometheus.service
[root@tmplogsvr ~]# systemctl status prometheus.service
● prometheus.service - Prometheus
   Loaded: loaded (/etc/systemd/system/prometheus.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-03-22 10:04:33 KST; 4s ago
     Docs: https://prometheus.io/docs/introduction/overview/
 Main PID: 233870 (prometheus)
    Tasks: 13 (limit: 99645)
   Memory: 20.5M
   CGroup: /system.slice/prometheus.service
           └─233870 /usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus --web.console.templates=/etc/prometheus/consoles --web.console.lib>

 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.564Z caller=head.go:685 level=info component=tsdb msg="WAL segment loaded" segment=1 maxSegment=3
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.565Z caller=head.go:685 level=info component=tsdb msg="WAL segment loaded" segment=2 maxSegment=3
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.565Z caller=head.go:685 level=info component=tsdb msg="WAL segment loaded" segment=3 maxSegment=3
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.565Z caller=head.go:722 level=info component=tsdb msg="WAL replay completed" checkpoint_replay_duration=19.402µs wal_replay_dur>
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.566Z caller=main.go:1014 level=info fs_type=EXT4_SUPER_MAGIC
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.566Z caller=main.go:1017 level=info msg="TSDB started"
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.566Z caller=main.go:1197 level=info msg="Loading configuration file" filename=/etc/prometheus/prometheus.yml
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.568Z caller=main.go:1234 level=info msg="Completed loading of configuration file" filename=/etc/prometheus/prometheus.yml total>
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.568Z caller=main.go:978 level=info msg="Server is ready to receive web requests."
 3월 22 10:04:33 tmplogsvr prometheus[233870]: ts=2023-03-22T01:04:33.568Z caller=manager.go:974 level=info component="rule manager" msg="Starting rule manager..."
lines 1-20/20 (END)

 

Accessing the web page

http://{server IP}:9090


After installing ElastAlert the web-managed way, you must run the command below.

The raw error log could not be collected; the error log is printed as follows:

No mapping found for [alert_time] in order to sort on

So alert_time must be declared with type date, as shown below, so that the @timestamp collected in Elasticsearch is recognized.

PUT elastalert_status/_mapping
{
  "properties": {
    "alert_time": {
      "type": "date"
    }
  }
}


 

Here is a sample rule.

It is best to always include the following fields:

name, type, index, filter, doc_type

Without these basic fields an error occurs.

When running it from the CLI it worked even without name and doc_type....

# name
name: ap_login_success

# rule type used to detect the log
type: any

# index of the log as configured in logstash
index: "logstash-ap*"

# filter: fires when the field set by the grok pattern carries this value
filter:
- query_string:
    query: access_result:"successfully"

# document type
doc_type: _doc

# alert delivery channel
alert:
- "slack"

# alert delivery options
slack:
# Slack webhook URL
slack_webhook_url: "https://hooks.slack.com/services/---------------------------------------"
# name the message is posted under in the Slack channel
slack_username_override: "ElastAlert-Bot"
# Slack channel to send the message to
slack_channel_override: "#security_alert"
# title of the Slack message
# if not set, the rule's absolute path is printed instead: /opt/elastalert/ruls/ap_login_fail.yaml
slack_title: AP_LOGIN_SUCCESS
# Slack message color
slack_msg_color: "good"

# message to send to Slack
# the {n} placeholders are numbered by position in the alert_text_args list at the bottom
# the placeholder numbers may appear in any order
alert_text: "AP_LOGIN_SUCESS: {0} / 접속자:{1} / 접속자IP: {2}"
# message type to send to Slack
alert_text_type: "alert_text_only"
# list of fields from the matched document to substitute into the message
alert_text_args: ["ip_or_host", "user", "source_ip"]
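
To make the placeholder mechanics and the "missing basic fields" failure concrete, here is an added Python example (my code, not part of the original post and not ElastAlert's own implementation). It takes the rule above as the dict PyYAML would load, checks for the five fields the post says must be present, verifies that every {n} in alert_text has a matching alert_text_args entry (otherwise substitution fails only at alert time), and renders alert_text against a constructed match document in the positional str.format style that alert_text_only uses, with absent fields shown as <MISSING VALUE>. The sample match document and the dotted-key lookup are assumptions for illustration.

```python
from string import Formatter
from typing import Any, Dict, List, Optional

# Fields the post says a web-created rule must always carry.
REQUIRED_KEYS = ("name", "type", "index", "filter", "doc_type")
MISSING_VALUE = "<MISSING VALUE>"

# The ap_login_success rule above, as the dict PyYAML would load it into
# (Slack delivery keys omitted; they do not affect text rendering).
RULE: Dict[str, Any] = {
    "name": "ap_login_success",
    "type": "any",
    "index": "logstash-ap*",
    "filter": [{"query_string": {"query": 'access_result:"successfully"'}}],
    "doc_type": "_doc",
    "alert": ["slack"],
    "alert_text": "AP_LOGIN_SUCESS: {0} / 접속자:{1} / 접속자IP: {2}",
    "alert_text_type": "alert_text_only",
    "alert_text_args": ["ip_or_host", "user", "source_ip"],
}

# Constructed sample of a matched document (fields a logstash grok pattern
# might have produced); not taken from any real log.
MATCH: Dict[str, Any] = {
    "@timestamp": "2023-03-16T09:17:00.000Z",
    "ip_or_host": "ap-lobby-01",
    "user": "admin",
    "source_ip": "192.0.2.10",
    "access_result": "successfully",
}


def lookup_es_key(doc: Dict[str, Any], key: str) -> Optional[Any]:
    """Resolve a possibly dotted field name ("geoip.city") against a document."""
    current: Any = doc
    for part in key.split("."):
        if isinstance(current, dict) and part in current:
            current = current[part]
        else:
            return None
    return current


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the problems that would stop this rule from loading or alerting."""
    problems = [f"missing required key: {k}" for k in REQUIRED_KEYS if k not in rule]
    args = rule.get("alert_text_args", [])
    # Every {n} in alert_text needs an alert_text_args entry; otherwise
    # str.format raises IndexError when the first alert fires, not at load time.
    for _, field, _, _ in Formatter().parse(rule.get("alert_text", "")):
        if field is not None and field.isdigit() and int(field) >= len(args):
            problems.append(f"alert_text placeholder {{{field}}} has no alert_text_args entry")
    return problems


def render_alert_text(rule: Dict[str, Any], match: Dict[str, Any]) -> str:
    """Positional substitution of alert_text_args into alert_text; absent
    fields become a visible marker instead of breaking the alert."""
    values = [lookup_es_key(match, arg) for arg in rule.get("alert_text_args", [])]
    values = [MISSING_VALUE if v is None else v for v in values]
    return rule.get("alert_text", "").format(*values)


if __name__ == "__main__":
    print(validate_rule(RULE) or "rule OK")
    print(render_alert_text(RULE, MATCH))
```

Running validate_rule over every file in the rules folder before restarting ElastAlert catches the missing-field error the post describes, and the placeholder check catches the off-by-one that appears when a field is appended to alert_text but not to alert_text_args.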

 

After entering the rule and clicking Save, you will see a screen like the one below.

When a rule is created on the web page, it is created automatically on the server as well.

[root@tmplogsvr rules]# pwd
/opt/elastalert/rules
[root@tmplogsvr rules]# ls -al
합계 16
drwxr-xr-x.  2 root root 4096  3월 16 18:08 .
drwxr-xr-x. 13 root root 4096  3월 16 18:09 ..
-rw-r--r--.  1 root root  574  3월 16 18:17 ap_login_fail.yaml
-rw-r--r--.  1 root root 1383  3월 16 18:17 ap_login_success.yaml
[root@tmplogsvr rules]#
[root@tmplogsvr rules]# cat ./ap_login_success.yaml
# name
name: ap_login_success

# rule type used to detect the log
type: any

# index of the log as configured in logstash
index: "logstash-ap*"


# filter: fires when the field set by the grok pattern carries this value
filter:
- query_string:
    query: access_result:"successfully"

doc_type: _doc

# alert delivery channel
alert:
- "slack"

# alert delivery options
slack:
# Slack webhook URL
slack_webhook_url: "https://hooks.slack.com/services/---------------------------------"
# name the message is posted under in the Slack channel
slack_username_override: "ElastAlert-Bot"
# Slack channel to send the message to
slack_channel_override: "#security_alert"
# title of the Slack message
# if not set, the rule's absolute path is printed instead: /opt/elastalert/ruls/ap_login_fail.yaml
slack_title: AP_LOGIN_SUCCESS
# Slack message color
slack_msg_color: "good"

# message to send to Slack
# the {n} placeholders are numbered by position in the alert_text_args list at the bottom
# the placeholder numbers may appear in any order
alert_text: "AP_LOGIN_SUCESS: {0} / 접속자:{1} / 접속자IP: {2}"
# message type to send to Slack
alert_text_type: "alert_text_only"
# list of fields from the matched document to substitute into the message
alert_text_args: ["ip_or_host", "user", "source_ip"]
[root@tmplogsvr rules]#

 


Check the post below and install the plugin in Kibana.

However, when installing, check which Kibana version the elastalert-plugin supports and install the matching Kibana version.

e.g. for elastalertKibanaPlugin-1.6.1-8.6.2.zip you need to install Kibana version 8.6.2.

Installing the elastalert plugin: https://dirt-spoon.tistory.com/57

Installation is very, very simple.

Now let's look at it in the web page.

When you log in to Kibana you should see a new menu like the one below.

If the menu does not appear, restart Kibana.

Finally~~ this was the first time I saw it in the web UI myself.

 


To use ElastAlert from the Kibana web page, the way you start it differs from before.

The bitsensor version of ElastAlert uses /opt/elastalert as its default path.

Since the npm setup was done in that location, just follow the screen below.

[root@tmplogsvr elastalert]# pwd
/opt/elastalert

Method 1. When you want the process to stay attached and watch the log continuously

[root@tmplogsvr elastalert]# npm start <- started this way, the process stays attached and the log keeps scrolling.

> @bitsensor/elastalert@3.0.0-beta.0 start /opt/elastalert
> sh ./scripts/start.sh

02:12:53.493Z  INFO elastalert-server: Config:  No config.dev.json file was found in /opt/elastalert/config/config.dev.json.
02:12:53.494Z  INFO elastalert-server: Config:  Proceeding to look for normal config file.
02:12:53.494Z  INFO elastalert-server: Config:  A config file was found in /opt/elastalert/config/config.json. Using that config.
02:12:53.500Z  INFO elastalert-server: Router:  Listening for GET request on /.
02:12:53.500Z  INFO elastalert-server: Router:  Listening for GET request on /status.
02:12:53.500Z  INFO elastalert-server: Router:  Listening for GET request on /status/control/:action.
02:12:53.500Z  INFO elastalert-server: Router:  Listening for GET request on /status/errors.
02:12:53.500Z  INFO elastalert-server: Router:  Listening for GET request on /rules.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for GET request on /rules/:id.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for POST request on /rules/:id.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for DELETE request on /rules/:id.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for GET request on /templates.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for GET request on /templates/:id.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for POST request on /templates/:id.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for DELETE request on /templates/:id.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for POST request on /test.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for GET request on /config.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for POST request on /config.
02:12:53.501Z  INFO elastalert-server: Router:  Listening for POST request on /download.
02:12:53.502Z  INFO elastalert-server: Router:  Listening for GET request on /metadata/:type.
02:12:53.502Z  INFO elastalert-server: Router:  Listening for GET request on /mapping/:index.
02:12:53.502Z  INFO elastalert-server: Router:  Listening for POST request on /search/:index.
02:12:53.504Z  INFO elastalert-server: ProcessController:  Starting ElastAlert
02:12:53.504Z  INFO elastalert-server: ProcessController:  Creating index
02:12:53.697Z  INFO elastalert-server:
    ProcessController:  Elastic Version: 8.6.2
    Reading Elastic 6 index mappings:
    Reading index mapping 'es_mappings/6/silence.json'
    Reading index mapping 'es_mappings/6/elastalert_status.json'
    Reading index mapping 'es_mappings/6/elastalert.json'
    Reading index mapping 'es_mappings/6/past_elastalert.json'
    Reading index mapping 'es_mappings/6/elastalert_error.json'
    Index elastalert_status already exists. Skipping index creation.

02:12:53.697Z  INFO elastalert-server: ProcessController:  Index create exited with code 0
02:12:53.698Z  INFO elastalert-server: ProcessController:  Starting elastalert with arguments [none]
02:12:53.701Z  INFO elastalert-server: ProcessController:  Started Elastalert (PID: 107223)
02:12:53.702Z  INFO elastalert-server: Server:  Server listening on port 3030
02:12:53.702Z  INFO elastalert-server: Server:  Websocket listening on port 3333
02:12:53.703Z  INFO elastalert-server: Server:  Server started

 

Method 2: Run it in the background (the process stays alive even if the terminal is disconnected.)

[root@tmplogsvr elastalert]# npm start &
[1] 107293
[root@tmplogsvr elastalert]#
> @bitsensor/elastalert@3.0.0-beta.0 start /opt/elastalert
> sh ./scripts/start.sh

02:17:42.163Z  INFO elastalert-server: Config:  No config.dev.json file was found in /opt/elastalert/config/config.dev.json.
02:17:42.164Z  INFO elastalert-server: Config:  Proceeding to look for normal config file.
02:17:42.164Z  INFO elastalert-server: Config:  A config file was found in /opt/elastalert/config/config.json. Using that config.
02:17:42.170Z  INFO elastalert-server: Router:  Listening for GET request on /.
02:17:42.170Z  INFO elastalert-server: Router:  Listening for GET request on /status.
02:17:42.170Z  INFO elastalert-server: Router:  Listening for GET request on /status/control/:action.
02:17:42.170Z  INFO elastalert-server: Router:  Listening for GET request on /status/errors.
02:17:42.170Z  INFO elastalert-server: Router:  Listening for GET request on /rules.
02:17:42.171Z  INFO elastalert-server: Router:  Listening for GET request on /rules/:id.
02:17:42.171Z  INFO elastalert-server: Router:  Listening for POST request on /rules/:id.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for DELETE request on /rules/:id.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for GET request on /templates.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for GET request on /templates/:id.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for POST request on /templates/:id.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for DELETE request on /templates/:id.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for POST request on /test.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for GET request on /config.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for POST request on /config.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for POST request on /download.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for GET request on /metadata/:type.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for GET request on /mapping/:index.
02:17:42.172Z  INFO elastalert-server: Router:  Listening for POST request on /search/:index.
02:17:42.174Z  INFO elastalert-server: ProcessController:  Starting ElastAlert
02:17:42.174Z  INFO elastalert-server: ProcessController:  Creating index
02:17:42.366Z  INFO elastalert-server:
    ProcessController:  Elastic Version: 8.6.2
    Reading Elastic 6 index mappings:
    Reading index mapping 'es_mappings/6/silence.json'
    Reading index mapping 'es_mappings/6/elastalert_status.json'
    Reading index mapping 'es_mappings/6/elastalert.json'
    Reading index mapping 'es_mappings/6/past_elastalert.json'
    Reading index mapping 'es_mappings/6/elastalert_error.json'
    Index elastalert_status already exists. Skipping index creation.

02:17:42.366Z  INFO elastalert-server: ProcessController:  Index create exited with code 0
02:17:42.367Z  INFO elastalert-server: ProcessController:  Starting elastalert with arguments [none]
02:17:42.370Z  INFO elastalert-server: ProcessController:  Started Elastalert (PID: 107325)
02:17:42.371Z  INFO elastalert-server: Server:  Server listening on port 3030
02:17:42.371Z  INFO elastalert-server: Server:  Websocket listening on port 3333
02:17:42.371Z  INFO elastalert-server: Server:  Server started

[root@tmplogsvr elastalert]#

 

After closing the terminal window you started it from, search for the process as shown below to confirm it is running.

[root@tmplogsvr elasticsearch]# ps -ef | grep elastalert
root      107325  107305  0 11:17 ?        00:00:00 python -m elastalert.elastalert
root      107378   79433  0 11:19 pts/2    00:00:00 grep --color=auto elastalert
[root@tmplogsvr elasticsearch]#


Requirements for configuring ElastAlert in Kibana

Python 3.6 (I have not tried 3.7 or 3.8 so I cannot say, but 3.9 and above absolutely will not install)

This method cannot be used on CentOS 9.

So I downgraded to CentOS 8, confirmed the Python 3.6 version, and proceeded with the installation.

The URLs below are reference addresses.

   elastalert install_1: https://github.com/Yelp/elastalert

   elastalert install_2: https://github.com/bitsensor/elastalert

   elastalert-plugin: https://github.com/karql/elastalert-kibana-plugin/releases

To elaborate, using ElastAlert from Kibana appears to have been built with Docker in mind (see the elastalert install_2 URL).

Trying to install it on a server the ordinary way took a great many attempts before it barely worked.

So the installation steps I used below may also fail to run properly.

If you leave a log in the comments, I will try to track down the error with you.

ElastAlert installation command summary

# pip3 install --upgrade pip

# pip install setuptools-rust

# yum install gcc libffi-devel python36-devel openssl-devel

# pip install elastalert

# cd /opt

# git clone https://github.com/Yelp/elastalert.git

# cd elastalert

# pip install --ignore-installed PyYAML -r requirements.txt

# cd ..

# rm -rf ./elastalert/

# git clone https://github.com/bitsensor/elastalert.git && cd elastalert

# yum install npm

# npm install bunyan

# npm install babel-register --save-dev

# npm install babel-preset-es2015 express body-parser joi object-resolve-path mkdirp ws lodash elasticsearch tar fs-extra request-promise-native request randomstring cors util babel-cli raven eslint husky istanbul mocha urllib3 register until

# python -m pip install --upgrade 'elasticsearch>=7.16,<8'

# echo \
'rules_folder: rules # rules folder name

run_every: # how often to query elasticsearch
  minutes: 1

buffer_time: # size of the query window, extending backwards from the time the query runs
  minutes: 15

es_host: 192.168.0.17 # elasticsearch host

es_port: 9200 # elasticsearch port

writeback_index: elastalert_status # index where elastalert2 stores its data

alert_time_limit: # retry period for failed alerts
  days: 2' > config.yaml
