# OSSEC HIDS + Logstash + Elasticsearch + Kibana: installation and deployment

## Environment

| Role | Operating system | IP | Packages |
|---|---|---|---|
| Server | CentOS 6.5 x86_64 | 10.10.51.50 | ossec-hids-2.8.2, JDK 1.8, Logstash 1.5.2, Elasticsearch 1.4.4, Kibana 4.0.2 |
| Client | CentOS 6.5 x86_64 | 10.10.51.51 | ossec-hids-2.8.2 |

Note: Logstash, Elasticsearch and Kibana need a JDK to run.

(Figure: data flow, OSSEC -> Logstash -> Elasticsearch -> Kibana)

## About OSSEC

OSSEC is an open-source, multi-platform host intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD and Mac OS.

Official website: (URL missing from the page)

Its four main functions:

- file and directory integrity checking
- log analysis
- intrusion (rootkit) detection
- active response

(Figure: OSSEC logic diagram)

## Common OSSEC processes

| Process | Purpose |
|---|---|
| ossec-maild | e-mail notification |
| ossec-execd | active response |
| ossec-analysisd | analyses logs, matches rules and raises alerts |
| ossec-logcollector | monitors the files configured in OSSEC |
| ossec-remoted | receives logs from remote agents; listens on udp/1514 for agents |
| ossec-syscheckd | checks file and directory permissions and changes |
| ossec-monitord | monitors agent connections and compresses logs |

## OSSEC server installation

```shell
# tar zxvf ossec-hids-2.8.2.tar.gz
# cd ossec-hids-2.8.2
# ./install.sh
```

1. Choose the installation language.
2. Choose the installation type.

   Note: `server` is the server side; `agent` is the agent side and registers with a server; `local` is a standalone install for a single host that monitors itself.

3. Enable the features you want.
4. The installation completes.

Start the OSSEC server:

```shell
# /etc/init.d/ossec start
```

### OSSEC directory layout

```text
# tree /var/ossec/
/var/ossec/
├── active-response   # active-response scripts
├── agentless         # agentless monitoring, for devices that cannot run an agent, such as switches
├── bin               # OSSEC executables
├── etc               # configuration
├── logs              # logs
├── queue             # queues, used for system checks and file comparisons
├── rules             # rules
├── stats             # statistics
├── tmp               # temporary files
└── var               # pid files
```

## OSSEC client (agent) installation

```shell
# tar zxvf ossec-hids-2.8.2.tar.gz
# cd ossec-hids-2.8.2
# ./install.sh
```

1. Choose the installation language.
2. Choose the installation type: `agent`.
3. Enable the features you want.
4. The installation completes.

Start the OSSEC client:

```shell
# /etc/init.d/ossec start
```

## Registering the client with the server

On the OSSEC server, add the agent and generate its key:

```text
[root@localhost bin]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).                 # add an agent
   (E)xtract key for an agent (E).     # extract an agent's key
   (L)ist already added agents (L).    # list registered agents
   (R)emove an agent (R).              # remove an agent
   (Q)uit.                             # quit
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: web-10-10-51-51       # agent name
   * The IP Address of the new agent: 10.10.51.51    # agent IP address
   * An ID for the new agent[001]:                   # agent ID, the default is fine
Agent information:
   ID:001
   Name:web-10-10-51-51
   IP Address:10.10.51.51

Confirm adding it?(y/n): y        # confirm
Agent added.
```

Extract the agent's key:

```text
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E        # extract the agent key

Available agents:
   ID: 001, Name: web-10-10-51-51, IP: 10.10.51.51
Provide the ID of the agent to extract the key (or '\q' to quit): 001   # enter the agent ID

Agent key information for '001' is:        # the agent key
MDAxIHdlYi0xMC0xMC01MS01MSAxMC4xMC41MS41MSBkZDNmZWExOTBlMGNjMmJjYzY2YjYzOGZiYzEwMTc2YmI1MDljNGViZGVmNDA3YmE5Zjg2ZTE3MmIzNTQyNjIz

** Press ENTER to return to the main menu.
```

On the OSSEC client, import the key:

```text
[root@web-10-10-51-51 bin]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I        # import the key

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.

Paste it here (or '\q' to quit):     # paste the key generated on the OSSEC server
MDAxIHdlYi0xMC0xMC01MS01MSAxMC4xMC41MS41MSBkZDNmZWExOTBlMGNjMmJjYzY2YjYzOGZiYzEwMTc2YmI1MDljNGViZGVmNDA3YmE5Zjg2ZTE3MmIzNTQyNjIz

Agent information:
   ID:001
   Name:web-10-10-51-51
   IP Address:10.10.51.51

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
```

After a successful import, a `client.keys` file is created in the OSSEC etc directory:

```text
# cat /var/ossec/etc/client.keys
001 web-10-10-51-51 10.10.51.51 dd3fea190e0cc2bcc66b638fbc10176bb509c4ebdef407ba9f86e172b3542623
```

Check on the server that the agent is active:

```text
[root@ossec-server-10-10-51-50]# /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server-10-10-51-50 (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: web-10-10-51-51, IP: 10.10.51.51, Active
```

## OSSEC configuration

The configuration file is `/var/ossec/etc/ossec.conf`.

### E-mail notification

```xml
<global>
  <email_notification>yes</email_notification>   <!-- enable e-mail notifications -->
  <email_to>info@163.com</email_to>               <!-- recipient address -->
  <smtp_server>smtp.163.com.</smtp_server>        <!-- outgoing SMTP server -->
  <email_from>send@163.com</email_from>           <!-- sender address -->
</global>
```

### Loading custom rules

```xml
<rules>
  <include>test_rules_config.xml</include>   <!-- load the test_rules_config rule file -->
</rules>
```

### File and directory integrity checking (syscheck)

```xml
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>                                    <!-- scan interval -->

  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>           <!-- directories to monitor -->
  <directories check_all="yes">/opt/web/upload</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>                                      <!-- excluded from checking -->
</syscheck>
```

Note: `check_all="yes"` enables all of the checks listed below. The available options are:

| Option | Meaning |
|---|---|
| `check_sum="yes"` | MD5 and SHA1 checksums |
| `check_sha1sum="yes"` | SHA1 checksum |
| `check_md5sum="yes"` | MD5 checksum |
| `check_size="yes"` | file size |
| `check_owner="yes"` | file owner |
| `check_group="yes"` | file group |
| `check_perm="yes"` | file permissions |
| `restrict="string"` | only check files whose name contains the given string |
| `type="sregex"` | regular expressions are supported |
| `realtime="yes"` | enable real-time monitoring |
| `report_changes="yes"` | report the differences when a file's content changes |

### Intrusion detection (rootcheck)

```xml
<rootcheck>
  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>       <!-- backdoors, worms, sniffers -->
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <!-- trojaned binaries -->
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
</rootcheck>
```

### Whitelist

IP addresses that active response must never block:

```xml
<global>
  <white_list>127.0.0.1</white_list>
  <white_list>8.8.8.8</white_list>
  <white_list>10.10.51.50</white_list>
</global>
```
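The key that `manage_agents` prints during registration is nothing more than the agent's `client.keys` line encoded in base64, which is why the import prompt insists on no spaces or newlines. The following script is an added example (not part of this tutorial and not OSSEC code) that decodes such a key back into its four fields, strips and reports stray whitespace from a sloppy paste, and audits a `client.keys` file for duplicate IDs or addresses. `PAGE_KEY` and `PAGE_CLIENT_KEYS` are the values shown in the session above; the damaged-paste and duplicate-entry inputs in the usage section are constructed.

```python
"""Decode an OSSEC agent key and check it against client.keys.

Added example; it is not part of the tutorial and not OSSEC's own code.
PAGE_KEY and PAGE_CLIENT_KEYS are the values from the page's manage_agents
session; any other input below is constructed for illustration.
"""
import base64
import binascii
import ipaddress
import re

# Key string printed by manage_agents -> (E)xtract on the server.
PAGE_KEY = (
    "MDAxIHdlYi0xMC0xMC01MS01MSAxMC4xMC41MS41MSBkZDNmZWExOTBlMGNjMmJj"
    "YzY2YjYzOGZiYzEwMTc2YmI1MDljNGViZGVmNDA3YmE5Zjg2ZTE3MmIzNTQyNjIz"
)

# /var/ossec/etc/client.keys after the import: "id name ip key" per line.
PAGE_CLIENT_KEYS = (
    "001 web-10-10-51-51 10.10.51.51 "
    "dd3fea190e0cc2bcc66b638fbc10176bb509c4ebdef407ba9f86e172b3542623\n"
)

HEX_KEY = re.compile(r"^[0-9a-f]{64}$")


def parse_agent_key(exported: str) -> dict:
    """Turn the base64 string manage_agents prints back into its four fields.

    Whitespace pasted along with the key is removed and reported; anything
    else that corrupts the base64 or the field layout raises ValueError.
    """
    compact = "".join(exported.split())
    try:
        line = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid OSSEC agent key: {exc}") from exc
    fields = line.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 'id name ip key', decoded {line!r}")
    agent_id, name, ip, key = fields
    if ip != "any":                       # OSSEC also accepts "any" or a network here
        ipaddress.ip_network(ip, strict=False)   # ValueError on a malformed address
    if not HEX_KEY.match(key):
        raise ValueError("shared key is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "key": key,
            "had_whitespace": compact != exported}


def parse_client_keys(text: str) -> list:
    """Parse client.keys into dicts with the same fields as parse_agent_key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split()
        if len(fields) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields")
        agent_id, name, ip, key = fields
        entries.append({"id": agent_id, "name": name, "ip": ip, "key": key})
    return entries


def audit_client_keys(text: str) -> list:
    """Findings that make agent authentication ambiguous or broken."""
    findings = []
    entries = parse_client_keys(text)
    for field in ("id", "ip"):
        seen = {}
        for e in entries:
            seen.setdefault(e[field], []).append(e["name"])
        for value, names in seen.items():
            if len(names) > 1:
                findings.append(f"{field} {value} used by {', '.join(names)}")
    for e in entries:
        if not HEX_KEY.match(e["key"]):
            findings.append(f"agent {e['id']}: key is not 64 hex characters")
    return findings


def key_matches_client_keys(exported: str, text: str) -> bool:
    """True when the exported key corresponds to exactly one client.keys entry."""
    decoded = parse_agent_key(exported)
    decoded.pop("had_whitespace")
    return sum(1 for e in parse_client_keys(text) if e == decoded) == 1


if __name__ == "__main__":
    print(parse_agent_key(PAGE_KEY))
    print("matches client.keys:", key_matches_client_keys(PAGE_KEY, PAGE_CLIENT_KEYS))
    damaged = PAGE_KEY[:40] + "\n" + PAGE_KEY[40:]      # constructed: line break mid-paste
    print("damaged paste still decodes:", parse_agent_key(damaged)["had_whitespace"])
    print("audit:", audit_client_keys(PAGE_CLIENT_KEYS) or "no findings")
```

Decoding the key before importing it is a cheap way to confirm that the key you are about to paste on the agent really belongs to the agent ID, name and IP you registered on the server, and the `client.keys` audit catches the case where two agents share an ID or address, which `agent_control -l` will not make obvious.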
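The syscheck section above is easy to get subtly wrong: a directory listed without a checksum option is only compared by metadata, a directory without `realtime` is only scanned every `frequency` seconds, and the same path can appear in two `<directories>` elements with different options. The script below is an added example (not part of this tutorial and not OSSEC code) that parses the `<syscheck>` and `<global>` sections of an `ossec.conf`, expands `check_all="yes"` into the individual checks it stands for, and reports those findings. `SAMPLE_CONF` is constructed from the values used on this page, with `realtime` and `report_changes` added on the upload directory to show the difference; which checks `check_all` expands to (sum, size, owner, group and perm) follows the OSSEC syscheck documentation and is stated here as an assumption.

```python
"""Audit the syscheck and global sections of an OSSEC ossec.conf.

Added example; it is not part of the tutorial and not OSSEC's own code.
SAMPLE_CONF is constructed from the page's values.  The set of checks
that check_all="yes" turns on is taken from the OSSEC syscheck docs and
is an assumption of this script, not something the page states.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>info@163.com</email_to>
    <smtp_server>smtp.163.com.</smtp_server>
    <email_from>send@163.com</email_from>
    <white_list>127.0.0.1</white_list>
    <white_list>8.8.8.8</white_list>
    <white_list>10.10.51.50</white_list>
  </global>
</ossec_config>
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/opt/web/upload</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""

# What check_all="yes" stands for (assumption, per the OSSEC docs).
CHECK_ALL = frozenset({"check_sum", "check_size", "check_owner", "check_group", "check_perm"})
# Flags that can also be set individually on a <directories> element.
SINGLE_FLAGS = ("check_sum", "check_sha1sum", "check_md5sum", "check_size",
                "check_owner", "check_group", "check_perm",
                "realtime", "report_changes")
CHECKSUM_FLAGS = frozenset({"check_sum", "check_sha1sum", "check_md5sum"})


def load_conf(text: str) -> ET.Element:
    """ossec.conf may contain several top-level <ossec_config> blocks, which is
    not one XML document; wrap them in a synthetic root so ElementTree parses it."""
    return ET.fromstring("<root>" + text + "</root>")


def _directory_entries(text: str):
    """Yield (path, options) for every path in every <directories> element."""
    for sc in load_conf(text).iter("syscheck"):
        for node in sc.findall("directories"):
            opts = set(CHECK_ALL) if node.get("check_all") == "yes" else set()
            opts.update(f for f in SINGLE_FLAGS if node.get(f) == "yes")
            if node.get("restrict"):
                opts.add("restrict")
            for path in (node.text or "").split(","):
                if path.strip():
                    yield path.strip(), frozenset(opts)


def syscheck_directories(text: str) -> dict:
    """Map each monitored directory to the union of options set on it."""
    merged = {}
    for path, opts in _directory_entries(text):
        merged[path] = merged.get(path, frozenset()) | opts
    return merged


def frequency_seconds(text: str) -> int:
    """Scan interval; 79200 s (22 h) is OSSEC's default when none is given."""
    for sc in load_conf(text).iter("syscheck"):
        node = sc.find("frequency")
        if node is not None and node.text:
            return int(node.text.strip())
    return 79200


def white_list(text: str) -> list:
    """Addresses exempt from active response; a malformed entry raises ValueError."""
    out = []
    for g in load_conf(text).iter("global"):
        for node in g.findall("white_list"):
            addr = (node.text or "").strip()
            ipaddress.ip_network(addr, strict=False)   # accepts a host or a network
            out.append(addr)
    return out


def audit_syscheck(text: str) -> list:
    """Findings an operator should resolve before trusting the integrity checks."""
    findings = []
    counts = {}
    for path, _ in _directory_entries(text):
        counts[path] = counts.get(path, 0) + 1
    for path, n in counts.items():
        if n > 1:
            findings.append(f"{path}: listed in {n} <directories> elements")
    interval = frequency_seconds(text)
    for path, opts in syscheck_directories(text).items():
        if not (opts & CHECKSUM_FLAGS):
            findings.append(f"{path}: no checksum verification configured")
        if "realtime" not in opts:
            findings.append(f"{path}: checked only every {interval} s (no realtime)")
    return findings


if __name__ == "__main__":
    for path, opts in syscheck_directories(SAMPLE_CONF).items():
        print(path, sorted(opts))
    print("white_list:", white_list(SAMPLE_CONF))
    for finding in audit_syscheck(SAMPLE_CONF):
        print("finding:", finding)
```

Run against the real `/var/ossec/etc/ossec.conf`, the "no realtime" findings tell you which directories (here `/etc`, `/usr/bin`, `/usr/sbin`, `/bin` and `/sbin`) are only compared once per `frequency` interval, so a change there can go unreported for up to 22 hours with the page's settings; the upload directory, which carries `realtime="yes"`, produces no finding.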