.

2021-04-20 12:34:43 -07:00
parent 2e8bdabea2
commit 10b9cbeead
22 changed files with 483 additions and 4 deletions
--- a/jails/config/elk/elasticsearch.yml
+++ b/jails/config/elk/elasticsearch.yml
@ -28,6 +28,7 @@ node.name: node-1

 xpack.security.audit.enabled: true
 xpack.security.enabled: true
+xpack.security.authc.api_key.enabled: true
 xpack.security.http.ssl.enabled: true
 xpack.security.transport.ssl.enabled: true
 xpack.security.http.ssl.key: certs/diyprivkeyr.pem
@ -36,6 +37,10 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
 xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
 xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
 xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
+
+xpack.monitoring.collection.enabled: true
+xpack.monitoring.elasticsearch.collection.enabled: false
+
 #
 # ----------------------------------- Paths ------------------------------------
 #
--- a/jails/config/elk/jvm.options
+++ b/jails/config/elk/jvm.options
@ -23,7 +23,7 @@
 -Xms8G
 -Xmx8G
 -XX:MaxMetaspaceSize=2G
-Xss2G
+-Xss1G

 -Xnoclassgc
 -XX:MaxDirectMemorySize=2G
--- a/jails/config/elk/kibana.yml
+++ b/jails/config/elk/kibana.yml
@ -58,6 +58,9 @@ server.ssl.key: /mnt/certs/diyprivkeyr.pem
 #elasticsearch.ssl.certificate: /path/to/your/client.crt
 #elasticsearch.ssl.key: /path/to/your/client.key

+xpack.security.enabled: true
+xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters_this_is_it"
+
 # Optional setting that enables you to specify a path to the PEM file for the certificate
 # authority for your Elasticsearch instance.
 elasticsearch.ssl.certificateAuthorities: [ "/mnt/certs/cacert.pem" ]
--- a/jails/config/elk/logstash.conf
+++ b/jails/config/elk/logstash.conf
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2021, diyIT.org
+# Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -18,6 +18,23 @@ input {
  }
 }

+filter {
+  if "suricata" in [tags] {
+    json {
+      source => "message"
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    if ![geoip] and [src_ip] !~ /^(10\.|192\.168\.)/ { 
+      geoip {
+        add_tag => [ "GeoIP" ] 
+        source => "src_ip" 
+      }
+    }
+  }
+}
+
 output {
  elasticsearch {
    ssl => true
--- a/jails/config/elk/metricbeat.yml
+++ b/jails/config/elk/metricbeat.yml
@ -98,8 +98,8 @@ output.elasticsearch:

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
-  #username: "elastic"
-  #password: "changeme"
+  username: "demo"
+  password: "demo"

 # ------------------------------ Logstash Output -------------------------------
 #output.logstash: