GUIDING THREAD

ELK Stack Configuration

Log Centralization and Analysis (Elasticsearch, Logstash, Kibana).

1. Network Configuration & Installation

IP Configuration (Netplan)

Option 1: Temporary command

Bash
sudo ip addr add 192.168.50.10/25 dev ens33
sudo ip route add default via 192.168.50.1
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Option 2: Persistent configuration

/etc/netplan/00-installer-config.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses:
        - 192.168.50.10/25
      routes:
        - to: default
          via: 192.168.50.1
      nameservers:
        addresses: [8.8.8.8]

Apply with: sudo netplan apply

ELK Installation

Bash
# 1. GPG key and repository
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

# 2. Installation
sudo apt-get update
sudo apt-get install -y elasticsearch logstash kibana openjdk-11-jre

2. Kibana Configuration

File: /etc/kibana/kibana.yml

/etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.50.10"
elasticsearch.hosts: ["http://localhost:9200"]

3. NFS Mount (Log Reception)

To read the logs stored on the Honeypot.

Bash
# 1. Install the NFS client
sudo apt-get install -y nfs-common

# 2. Create the mount point
sudo mkdir -p /mnt/cowrie_logs

# 3. Mount the share (temporary)
sudo mount 192.168.50.140:/home/cowrie/cowrie/log /mnt/cowrie_logs

# 4. Persistent mount (/etc/fstab)
echo "192.168.50.140:/home/cowrie/cowrie/log /mnt/cowrie_logs nfs defaults,auto,nofail 0 0" | sudo tee -a /etc/fstab

4. Logstash Pipeline (Cowrie)

File: /etc/logstash/conf.d/02-cowrie.conf

02-cowrie.conf
input {
  file {
    path => "/mnt/cowrie_logs/cowrie.json*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => "json_lines"
    type => "cowrie"
  }
}

filter {
  geoip { source => "src_ip" }
  date { match => [ "timestamp", "ISO8601" ] }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "cowrie-%{+YYYY.MM.dd}"
  }
}
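As an added example (not part of the original guide or of Cowrie/Logstash), the Python script below replays what the pipeline above does on a few Cowrie-style JSON lines: it parses each line as the json_lines codec would, sets @timestamp from the "timestamp" field as the date filter does, derives the daily index name the output clause builds with %{+YYYY.MM.dd}, and records the tags Logstash would attach on failure (_jsonparsefailure for a non-JSON line, _geoip_lookup_failure when src_ip is missing). It then counts failed logins per source IP, which is the kind of aggregation one would later build in Kibana. The field names (eventid, src_ip, timestamp, session) follow Cowrie's JSON output; the sample records and the threshold are constructed for the example.

```python
"""Dry run of the 02-cowrie.conf pipeline logic on constructed sample lines."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the shape of Cowrie's JSON log (not real captures).
# Line 5 is deliberately malformed; line 6 deliberately lacks src_ip.
SAMPLE_LINES = [
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1b2c3d4",'
    '"timestamp":"2024-05-01T10:15:30.123456Z","message":"New connection"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-01T10:15:31.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"admin","password":"admin",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-05-01T10:15:32.000000Z"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"toor",'
    '"src_ip":"198.51.100.9","session":"e5f6a7b8","timestamp":"2024-05-02T00:00:01.000000Z"}',
    'this line is not JSON {',
    '{"eventid":"cowrie.log.closed","session":"e5f6a7b8","timestamp":"2024-05-02T00:00:05.000000Z"}',
]


def parse_timestamp(value):
    """Parse an ISO8601 timestamp with a trailing Z into an aware UTC datetime,
    mirroring the date filter's match => ["timestamp", "ISO8601"]."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def index_name(ts):
    """Mirror of index => "cowrie-%{+YYYY.MM.dd}", which Logstash formats from @timestamp in UTC."""
    return ts.strftime("cowrie-%Y.%m.%d")


def process_lines(lines):
    """Apply the pipeline's codec, date and geoip assumptions to each line.

    Returns (events, problems): events are the documents that would reach
    Elasticsearch (with @timestamp and _index filled in); problems lists
    (line_number, tag) for every line Logstash would tag on failure.
    """
    events, problems = [], []
    for n, line in enumerate(lines, 1):
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            # The json codec cannot decode this line; Logstash tags it and keeps the raw message.
            problems.append((n, "_jsonparsefailure"))
            continue
        ts = parse_timestamp(doc["timestamp"])
        if "src_ip" not in doc:
            # geoip { source => "src_ip" } has nothing to look up: event is still indexed, but tagged.
            problems.append((n, "_geoip_lookup_failure"))
            doc.setdefault("tags", []).append("_geoip_lookup_failure")
        doc["@timestamp"] = ts
        doc["_index"] = index_name(ts)
        events.append(doc)
    return events, problems


def failed_logins_per_ip(events, threshold=2):
    """Count cowrie.login.failed events per src_ip and return sources at or above threshold."""
    counts = Counter(
        e["src_ip"] for e in events
        if e.get("eventid") == "cowrie.login.failed" and "src_ip" in e
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts, probs = process_lines(SAMPLE_LINES)
    for e in evts:
        print(e["_index"], e["eventid"], e.get("src_ip", "-"))
    print("problems:", probs)
    print("noisy sources:", failed_logins_per_ip(evts))
```

Running the script with the real log is a quick way to check that the mounted Cowrie files are readable and well-formed before enabling the pipeline: any _jsonparsefailure reported here will show up as an unparsed document in the cowrie-* index.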

Start the services:

Bash
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch kibana logstash
sudo systemctl start elasticsearch kibana logstash