Adding ELK to ESXi config · certrik/DetectionLab_Test@df166df
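--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -525,6 +525,163 @@
  register: install_guacamole
 failed_when: "'error' in install_guacamole.stderr"
 
+- name: Install ELK
+args:
+executable: /bin/bash
+become: yes
+shell: |
+ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
+ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
+ echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian stable main" | sudo tee -a /etc/apt/sources.list.d/curator-5.list
+ apt-get -qq update
+ apt-get -qq install elasticsearch -y # 1st install elasticseatch to get JDK
+ export JAVA_HOME=/usr/share/elasticsearch/jdk && echo export JAVA_HOME=/usr/share/elasticsearch/jdk >>/etc/bash.bashrc
+ apt-get -qq install kibana filebeat elasticsearch-curator -y
+
+ (
+ crontab -l 2>/dev/null
+ echo 0 0 \* \* \* curator_cli --host 192.168.38.105 delete_indices --filter_list \'{\"filtertype\": \"age\", \"source\": \"name\", \"timestring\": \"\\%Y.\\%m.\\%d\", \"unit\": \"days\", \"unit_count\": 2, \"direction\": \"older\"}\' \> /tmp/cron.log 2\>\&1
+ ) | crontab -
+
+ cat >/etc/elasticsearch/elasticsearch.yml <<EOF
+ network.host: _eth1:ipv4_
+ discovery.type: single-node
+ cluster.name: cydef-es-cluster
+ node.name: \${HOSTNAME}
+ path.data: /var/lib/elasticsearch
+ path.logs: /var/log/elasticsearch
+ EOF
+
+ cat >/etc/default/elasticsearch <<EOF
+ ES_PATH_CONF=/etc/elasticsearch
+ ES_STARTUP_SLEEP_TIME=5
+ MAX_OPEN_FILES=65536
+ MAX_LOCKED_MEMORY=unlimited
+ EOF
+
+ mkdir /etc/systemd/system/elasticsearch.service.d/
+ cat >/etc/systemd/system/elasticsearch.service.d/override.conf <<EOF
+ [Service]
+ LimitMEMLOCK=infinity
+ EOF
+
+ cat >/etc/security/limits.conf <<EOF
+ elasticsearch soft nofile 65536
+ elasticsearch hard nofile 65536
+ elasticsearch soft memlock unlimited
+ elasticsearch hard memlock unlimited
+ EOF
+
+ /bin/systemctl daemon-reload
+ /bin/systemctl enable elasticsearch.service
+ /bin/systemctl start elasticsearch.service
+
+ #kibana
+ touch /var/log/kibana.log
+ chown kibana:kibana /var/log/kibana.log
+ echo server.host: \"192.168.38.105\" >>/etc/kibana/kibana.yml
+ echo elasticsearch.hosts: \[\"http://192.168.38.105:9200\"\] >>/etc/kibana/kibana.yml
+ echo logging.dest: \"/var/log/kibana.log\" >>/etc/kibana/kibana.yml
+ /bin/systemctl enable kibana.service
+ /bin/systemctl start kibana.service
+
+ #Logstash
+ # echo "http.host: \"192.168.38.105\"" >>/etc/logstash/logstash.yml
+ # cat >/etc/logstash/conf.d/beats-input.conf <<EOF
+ # input {
+ # beats {
+ # host => "192.168.38.105"
+ # port => 5044
+ # }
+ # }
+ # EOF
+
+ # cat >/etc/logstash/conf.d/syslog-filter.conf <<EOF
+ # filter {
+ # if [type] == "syslog" {
+ # grok {
+ # match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+ # add_field => [ "received_at", "%{@timestamp}" ]
+ # add_field => [ "received_from", "%{host}" ]
+ # }
+ # syslog_pri { }
+ # date {
+ # match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ # }
+ # }
+ # }
+ # EOF
+
+ # cat >/etc/logstash/conf.d/elasticsearch-output.conf <<EOF
+ # output {
+ # elasticsearch {
+ # hosts => ["192.168.38.105:9200"]
+ # sniffing => true
+ # manage_template => false
+ # index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
+ # #document_type => "%{[@metadata][type]}"
+ # }
+ # }
+ # EOF
+
+ # echo JAVA_HOME="/usr/share/elasticsearch/jdk" >>/etc/default/logstash
+
+ # /bin/systemctl enable logstash.service
+ # /bin/systemctl start logstash.service
+
+ cat >/etc/filebeat/filebeat.yml <<EOF
+ filebeat.inputs:
+ - type: log
+ enabled: false
+ paths:
+ - /var/log/auth.log
+ - /var/log/syslog
+
+ filebeat.config.modules:
+ path: \${path.config}/modules.d/*.yml
+ reload.enabled: true
+ reload.period: 10s
+
+ setup.kibana:
+ host: "192.168.38.105:5601"
+ setup.dashboards.enabled: true
+
+ output.elasticsearch:
+ hosts: ["192.168.38.105:9200"]
+
+ # output.logstash:
+ # hosts: ["192.168.38.105:5044"]
+ EOF
+
+ cat >/etc/filebeat/modules.d/osquery.yml.disabled <<EOF
+ - module: osquery
+ result:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ var.paths: ["/opt/kolide-quickstart/osquery_result"]
+ EOF
+ filebeat --path.config /etc/filebeat modules enable osquery
+
+ #sed -i 's/enabled: true/enabled: true\n var.paths: ["\/opt\/zeek\/logs\/current\/"]/' /etc/filebeat/modules.d/zeek.yml.disabled
+ mkdir /var/log/bro/; ln -s /opt/zeek/logs/current/ /var/log/bro/current
+ filebeat --path.config /etc/filebeat modules enable zeek
+
+ # filebeat --path.config /etc/filebeat modules enable system
+ filebeat --path.config /etc/filebeat modules enable suricata
+
+ # make sure kibana is up and running
+ while true; do
+ result=$(curl --silent 192.168.38.105:5601/api/status)
+ if echo $result | grep -q logger; then break; fi
+ sleep 1
+ done
+ /bin/systemctl enable filebeat.service
+ /bin/systemctl start filebeat.service
+ register: install_ELK
+failed_when: "'error' in install_ELK.stderr"
+
 - name: Postinstall Tasks
 args:
 executable: /bin/bash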
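Review bot: The Kibana readiness loop at new lines 675-679 is unbounded — `while true` with no retry cap means a Kibana that never comes up (wrong bind address, port 5601 unreachable, service crash) hangs the playbook forever instead of failing, and the task's only failure signal, `failed_when: "'error' in install_ELK.stderr"`, never fires because curl is silent. Bounding the wait and surfacing the failure through that same stderr check keeps the problem visible: `for i in $(seq 1 300); do curl --silent 192.168.38.105:5601/api/status | grep -q logger && break; sleep 1; done` followed by a check that writes `echo "error: kibana did not become ready" >&2; exit 1` when the loop exhausted its retries. Two smaller points in the same shell block: `mkdir /etc/systemd/system/elasticsearch.service.d/` should be `mkdir -p` so a re-run of the task does not fail on an existing directory, and `cat >/etc/security/limits.conf` replaces the whole file rather than appending, which silently discards any limits already configured on the host (a drop-in under /etc/security/limits.d/ or `>>` would preserve them). Style: `become: yes` should be `become: true` to match yamllint's truthy rule and the canonical Ansible boolean form.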