Difference between revisions of "Itx8071-graded-lab"
Latest revision: 10 December 2024, 13:45
Description of the graded lab
During the graded lab, a Kibana dashboard has to be created which contains at least 10 visualizations that display different data. Note that the created dashboard must feature at least 5 different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboard must be created for syslog events of one type received with Logstash, for example:
- Apache web server events
- Suricata IDS alerts
- Iptables events
Dashboards created for events received from Filebeat are not accepted.
Instructions for setting up the course virtual machine for the graded lab
Since the course virtual machine needs more resources for the graded lab than the pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.
Start Elasticsearch:
systemctl start elasticsearch
Start Kibana:
systemctl start kibana
Start Logstash:
systemctl start logstash
Make sure you can access the Kibana web interface via the following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup of Kibana might take several minutes before the web interface becomes available.
In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:
global(maxMessageSize="1024k")
*.* @127.0.0.1:10514
The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.
After creating that file, don't forget to restart rsyslog:
systemctl restart rsyslog
In Kibana, select "Stack Management" from the pull-down menu in the top left corner of the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!
Then go to Kibana->Data Views, and select Create Data View:
- for "Name", select logstash*
- for "Index pattern", select logstash*
- for "Timestamp field", select @timestamp
- after setting the above fields, select "Save data view to Kibana"
Generate some syslog events by accessing the web server of the virtual machine and logging in to the virtual machine over SSH. Note that the existing Logstash configuration already parses these events. To see the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:
program:apache
program:sshd
After verifying that the web server and SSH events have been received by Kibana, you can create dashboards for these events under the "Dashboard" selection of the Kibana pull-down menu.
In order to create a dashboard for Suricata events, run Suricata in IDS mode as follows to generate events for that dashboard:
suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8
If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!
You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:4000002; rev:1;)
Also, you can use other signatures from the Suricata lab for generating events.
The existing Logstash configuration parses all Suricata events, and you can search these events in Kibana with the following query:
program:suricata AND suricata.event_type:alert
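As an added example (not part of the lab page or of the VM's Logstash configuration), the following Python script parses constructed rsyslog lines of the three event kinds into the field layout that the program:apache, program:sshd and program:suricata AND suricata.event_type:alert queries rely on, evaluates those queries over them, and flags the Suricata event that would exceed rsyslog's default 8KB message size. The program field name and the nesting of Suricata's EVE JSON under a suricata field are assumptions about what the lab's Logstash pipeline produces.

```python
import json
import re
DEFAULT_MAX_MESSAGE_SIZE = 8 * 1024  # rsyslog default that the lab raises to 1024k

# RFC 3164 line as rsyslog forwards it: <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Constructed sample lines (not captured from the lab VM). The last one carries a
# payload larger than 8KB, the kind of Suricata event the maxMessageSize directive is for.
SAMPLE_SYSLOG = [
    "<38>Dec 10 13:45:01 vm sshd[1234]: Accepted password for student from 192.0.2.10 port 51234 ssh2",
    '<134>Dec 10 13:45:02 vm apache: 192.0.2.10 - - [10/Dec/2024:13:45:02 +0200] "GET /a.png HTTP/1.1" 200 512',
    "<13>Dec 10 13:45:03 vm suricata[777]: " + json.dumps({"event_type": "alert",
        "alert": {"signature": "HTTP request for a picture file", "signature_id": 4000002}}),
    "<13>Dec 10 13:45:04 vm suricata[777]: " + json.dumps({"event_type": "flow", "src_ip": "192.0.2.10"}),
    "<13>Dec 10 13:45:05 vm suricata[777]: " + json.dumps({"event_type": "alert",
        "alert": {"signature_id": 4000002}, "payload_printable": "A" * 9000}),
]

def parse_syslog_line(line):
    """Produce the document shape the Kibana queries assume: a top-level "program" and,
    for Suricata, the EVE JSON nested under "suricata" (assumed Logstash output, not the VM's config)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line: %r" % line[:40])
    doc = {"host": m["host"], "program": m["program"], "message": m["message"],
           "exceeds_default_max": len(line.encode()) > DEFAULT_MAX_MESSAGE_SIZE}
    if doc["program"] == "suricata":
        doc["suricata"] = json.loads(doc["message"])
    return doc

def get_field(doc, dotted):
    # Resolve a dotted field name such as suricata.event_type; None if absent
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(doc, query):
    """Evaluate the query shape used on this page: field:value terms joined by AND."""
    terms = (t.split(":", 1) for t in query.split(" AND "))
    return all(str(get_field(doc, field)) == value for field, value in terms)

def search(lines, query):
    # The parsed documents the query would list under Discover
    return [d for d in map(parse_syslog_line, lines) if matches(d, query)]
```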