elk-centos-7.sh
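# Base OS preparation for the ELK server (CentOS 7). Every step below uses
# sudo, so run it as an unprivileged user with sudo rights. Do NOT turn on
# PermitRootLogin in /etc/ssh/sshd_config to make this easier: leave root SSH
# logins disabled and administer the box through the sudo user.
sudo yum clean all && sudo yum update -y
# SELinux stays enforcing. The only policy exception this stack needs is the
# boolean (below) that lets the nginx worker proxy to Kibana; switching SELinux
# off entirely removes a containment layer from the host that will receive
# logs from every other machine.
sudo yum install epel-release -y
sudo yum install wget curl net-tools lsof zip unzip iperf cabextract -y
sudo yum install mlocate xorg-x11-font-utils fontconfig libSM libICE libXrender libXext xorg-x11-fonts-Type1 xorg-x11-fonts-75dpi freetype libpng zlib libjpeg-turbo gcc ImageMagick ImageMagick-devel ImageMagick-perl samba-client lua lua-devel pkgconfig asciidoc -y
# Strip any MySQL/MariaDB/Percona packages. The patterns are quoted so the
# shell hands them to yum instead of expanding them against files in the
# current directory. NOTE(review): 'mariadb*' also takes mariadb-libs, which
# other packages (e.g. postfix) may depend on — same as the original notes.
sudo yum remove 'mysql*' 'mariadb*' 'percona*' -y
# One rm for both paths. The original used a single '&', which backgrounded the
# first rm and ran the second one without sudo.
sudo rm -rf /var/lib/mysql /etc/my.cnf
# Allow the nginx worker to open outbound connections (the proxy_pass to Kibana).
sudo setsebool -P httpd_can_network_connect 1
# Keep firewalld running and open only what other hosts must reach:
#   80/tcp   nginx front end for Kibana
#   5044/tcp Beats -> Logstash (TLS)
# Elasticsearch (9200) and Kibana (5601) are bound to localhost below and stay closed.
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=5044/tcp
sudo firewall-cmd --reload
# Java 8 from the distro repository: the package is GPG-verified by yum and
# patched with the rest of the system. The original fetched the Oracle JDK
# tarball over plain http with --no-check-certificate and no checksum, i.e. an
# unverified binary placed on PATH. Elasticsearch 2.x and Logstash 2.x run on
# Java 8. If the Oracle JDK is really required, download it over https, drop
# --no-check-certificate, and verify the SHA-256 Oracle publishes before untarring.
sudo yum install java-1.8.0-openjdk-devel -y
java -version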
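# Elasticsearch 2.x repository. gpgcheck=1 only means something if the key
# itself arrives over a channel an on-path attacker cannot rewrite, so both
# the key import and the repo URLs use https (the Beats repo further down
# already does).
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
sudo tee /etc/yum.repos.d/elasticsearch.repo >/dev/null <<'EOF'
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
# NOTE(review): the 2.x line is end-of-life and receives no security fixes;
# this reproduces the original notes, it is not a recommendation.
sudo yum -y install elasticsearch
# Bind the HTTP and transport ports to loopback. Elasticsearch 2.x has no
# authentication of its own; nothing outside this host should reach it, and
# nginx (below) only fronts Kibana. The stock elasticsearch.yml ships the key
# commented out, so appending is safe; if it is already set, edit that line.
echo 'network.host: localhost' | sudo tee -a /etc/elasticsearch/elasticsearch.yml >/dev/null
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch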
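# Kibana 4.4 repository, signed with the same Elastic key (already imported);
# https on both URLs for the reason given with the Elasticsearch repo.
sudo tee /etc/yum.repos.d/kibana.repo >/dev/null <<'EOF'
[kibana-4.4]
name=Kibana repository for 4.4.x packages
baseurl=https://packages.elastic.co/kibana/4.4/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
sudo yum -y install kibana
# Kibana has no authentication: listen on loopback only and let nginx with
# basic auth (below) be the single entry point. The stock kibana.yml has
# server.host commented out, so appending is safe; edit in place if it is set.
echo 'server.host: "localhost"' | sudo tee -a /opt/kibana/config/kibana.yml >/dev/null
sudo systemctl start kibana
sudo chkconfig kibana on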
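# nginx reverse proxy in front of Kibana; httpd-tools provides htpasswd.
sudo yum -y install epel-release
sudo yum -y install nginx httpd-tools
# Create the basic-auth user. htpasswd prompts for the password — do not pass
# it as an argument, it would land in shell history and `ps` output. The
# default hash is apr1/MD5; nginx on CentOS 7 checks passwords through glibc
# crypt(3), which has no bcrypt support, so do not use htpasswd -B here.
# (-c recreates the file; drop it when adding further users.)
sudo htpasswd -c /etc/nginx/htpasswd.users kibanaadmin
# nginx.conf runs the workers as user "nginx": that user must be able to read
# the password file and nobody else should.
sudo chown root:nginx /etc/nginx/htpasswd.users
sudo chmod 640 /etc/nginx/htpasswd.users
# Edit the stock nginx.conf: find the default `server { ... }` block (the last
# block in the file) and delete it, so that conf.d/kibana.conf becomes the only
# vhost. The complete file, as it should look afterwards, follows.
sudo vi /etc/nginx/nginx.conf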
# /etc/nginx/nginx.conf after the stock default `server { ... }` block has been
# removed. Nothing here serves content itself; the Kibana reverse proxy is
# loaded from conf.d/kibana.conf through the include in the http block.
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
# $remote_user records the basic-auth username of each request in the access log.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
# The Kibana vhost must be saved as /etc/nginx/conf.d/kibana.conf — a file
# without the .conf suffix is silently ignored by this glob.
include /etc/nginx/conf.d/*.conf;
# Settings for a TLS enabled server.
#
# The Kibana vhost in conf.d listens on port 80, so its basic-auth
# credentials cross the network in cleartext. This commented template is the
# starting point for moving it to HTTPS with a real certificate and key.
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
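# The file name must end in .conf: nginx.conf only includes conf.d/*.conf, so
# the truncated "kibana." of the original notes would never be loaded.
sudo vi /etc/nginx/conf.d/kibana.conf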
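# /etc/nginx/conf.d/kibana.conf — basic-auth reverse proxy in front of Kibana,
# which itself listens on localhost:5601 only and has no authentication.
# (The original block had one `}` too many at the end, which makes
# `nginx -t` fail; it is removed here.)
server {
    # Plain HTTP: basic-auth credentials are only base64-encoded, i.e. sent in
    # cleartext on every request. Before exposing this beyond a trusted
    # network, change to `listen 443 ssl;` with a real certificate — the
    # commented TLS template in nginx.conf shows the directives needed.
    listen 80;
    # Replace with the ELK server's real hostname.
    server_name example.com;

    auth_basic "Restricted Access";
    # Created with htpasswd; readable by the nginx worker only (root:nginx 0640).
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        # HTTP/1.1 plus the Upgrade/Connection headers and the cache bypass are
        # the usual trio that lets WebSocket upgrades pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}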
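sudo systemctl enable nginx
sudo systemctl start nginx
# Logstash 2.2 repository. Same Elastic signing key as above (already
# imported); https on both URLs so the trust anchor behind gpgcheck=1 is not
# delivered in cleartext.
sudo tee /etc/yum.repos.d/logstash.repo >/dev/null <<'EOF'
[logstash-2.2]
name=logstash repository for 2.2 packages
baseurl=https://packages.elasticsearch.org/logstash/2.2/centos
gpgcheck=1
gpgkey=https://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
EOF
sudo yum -y install logstash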
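# Self-signed certificate for the Beats -> Logstash TLS listener. Filebeat
# connects to the server by IP (hosts: ["ELK_server_private_IP:5044"]), so the
# certificate needs an IP subjectAltName. OpenSSL 1.0.x on CentOS 7 has no
# -addext, hence the edit of the system openssl.cnf.
sudo vi /etc/pki/tls/openssl.cnf
# In the [ v3_ca ] section add the line below, replacing
# ELK_server_private_ip with the server's private IP and keeping the "IP:" prefix:
#   subjectAltName = IP: ELK_server_private_ip
cd /etc/pki/tls || exit 1
# -nodes writes the private key unencrypted (Logstash must read it unattended);
# -days 3650 is a ten-year validity — plan a rotation rather than rely on it.
sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes \
  -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
# The key file is created with the default umask (world-readable). Restrict it:
# root owns it, the logstash service user can read it, nobody else.
# NOTE(review): the Logstash RPM runs the service as user "logstash"; confirm
# against LS_USER in /etc/init.d/logstash if your package differs.
sudo chown root:logstash private/logstash-forwarder.key
sudo chmod 640 private/logstash-forwarder.key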
# 02-beats-input.conf — TLS listener for Filebeat on 5044 (the port opened in
# firewalld), using the certificate and key generated in /etc/pki/tls.
sudo vi /etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
# Encrypts the Beats -> Logstash channel. NOTE(review): as written nothing
# asks the client for a certificate, so any host that can reach 5044 can
# inject events; add client-certificate verification (a CA list and a
# verify mode that requires the peer) if the network is not trusted.
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
# Unencrypted key (-nodes); must be readable by the logstash user and no one else.
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
# 10-syslog-filter.conf — parses events whose type is "syslog" (the
# document_type Filebeat sets in filebeat.yml) into host/program/pid/message
# fields and takes the event time from the syslog timestamp.
sudo vi /etc/logstash/conf.d/10-syslog-filter.conf
filter {
if [type] == "syslog" {
grok {
# Classic syslog line: timestamp, host, program[pid]: message. The pid is optional.
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
# Keep the arrival time and the shipping host next to the parsed fields.
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
# Splits the syslog priority into facility/severity fields.
syslog_pri { }
# Make the parsed syslog timestamp the event's @timestamp. The source format
# carries neither year nor timezone, so Logstash has to fill those in itself.
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
# 30-elasticsearch-output.conf — writes every event to the local
# Elasticsearch, one index per Beat per day (e.g. filebeat-2016.01.29), with
# the Beat's type as the document type.
sudo vi /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
elasticsearch {
hosts => ["localhost:9200"]
# NOTE(review): sniffing asks the cluster for its node list and may switch
# from localhost to the nodes' published addresses. Harmless on a single
# loopback-bound node; revisit if the cluster grows.
sniffing => true
# The filebeat index template is loaded separately (curl -XPUT _template/filebeat below).
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
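# Validate the pipeline files before (re)starting Logstash.
sudo service logstash configtest
sudo systemctl restart logstash
sudo chkconfig logstash on
# Sample Kibana dashboards. The archive comes over https but carries no
# checksum or signature, and load.sh is a script downloaded from the network
# that will be run against the local cluster — read it before executing it.
# --fail stops curl from saving an HTTP error page as if it were the file.
cd /tmp || exit 1
curl --fail -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
unzip beats-dashboards-*.zip
cd beats-dashboards-* || exit 1
./load.sh
# Filebeat index template. The URL is pinned to a specific gist revision, so
# its contents cannot change underneath you; still review it before loading.
curl --fail -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
curl -X PUT 'http://localhost:9200/_template/filebeat?pretty' -d @filebeat-index-template.json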
Output:
{
"acknowledged" : true
}
# Pick up the unit/init files installed above, then make Logstash persistent
# across reboots and bring it up. (enable and start are independent of each
# other, so their order does not matter.)
sudo systemctl daemon-reload
sudo systemctl enable logstash
sudo systemctl start logstash
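# On the ELK server: ship the *certificate* (public) to the client. The private
# key never leaves the server. The file goes to the user's home directory
# rather than /tmp, so another local user on the client cannot swap it between
# the scp and the cp below (it is the trust anchor Filebeat will pin to).
scp /etc/pki/tls/certs/logstash-forwarder.crt user@client_server_private_address:
# On the client: install the certificate where filebeat.yml will reference it.
sudo mkdir -p /etc/pki/tls/certs
sudo cp ~/logstash-forwarder.crt /etc/pki/tls/certs/
# Cheap end-to-end check: the fingerprint printed here must match the one
# printed by the same command on the ELK server.
openssl x509 -in /etc/pki/tls/certs/logstash-forwarder.crt -noout -fingerprint -sha256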
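# Elastic Beats repository on the client. The key is imported over https so the
# trust anchor behind gpgcheck=1 is not fetched in cleartext. The heredoc
# delimiter is quoted so $basearch reaches yum literally instead of being
# expanded (to nothing) by the shell.
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
sudo tee /etc/yum.repos.d/elastic-beats.repo >/dev/null <<'EOF'
[beats]
name=Elastic Beats Repository
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1
EOF
sudo yum -y install filebeat
# Edit the prospector paths, document_type and the logstash output as shown next.
sudo vi /etc/filebeat/filebeat.yml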
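# /etc/filebeat/filebeat.yml (Filebeat 1.x layout). Only the keys that differ
# from the stock file are shown; leave the rest at their defaults, and comment
# out the stock `output.elasticsearch` section so events go through Logstash.
# The original fragment never referenced the certificate copied to
# /etc/pki/tls/certs — without the `tls` section Filebeat 1.x does not use TLS
# at all and the ssl-only Logstash listener rejects it.
filebeat:
  prospectors:
    -
      paths:
        - /var/log/secure
        - /var/log/messages
        # - /var/log/*.log
      # Must match the `[type] == "syslog"` test in 10-syslog-filter.conf.
      document_type: syslog
output:
  ### Logstash as output
  logstash:
    # The Logstash hosts: the ELK server's private IP, port 5044.
    hosts: ["ELK_server_private_IP:5044"]
    # Pin the Logstash server certificate generated on the ELK host. Never
    # substitute a skip-verification option for this.
    # NOTE(review): `tls` is the 1.x key; Filebeat 5.x and later renamed it `ssl`.
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]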
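# The finished file should look roughly like the reference copy below. It is
# YAML, so indentation mistakes are fatal — compare against it:
# https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/de660ffdd3decacdcaf88109e5683e1eef75c01f/filebeat.yml-centos
# Check the syntax before starting (1.x flag; Filebeat 5.x+ uses `filebeat test config`).
sudo filebeat -c /etc/filebeat/filebeat.yml -configtest
sudo systemctl enable filebeat
sudo systemctl start filebeat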
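# Verify the pipeline end to end: events shipped by Filebeat should show up in
# the daily filebeat-* index. Run this on the ELK server — 9200 is bound to
# localhost and is not reachable from the client.
curl -X GET 'http://localhost:9200/filebeat-*/_search?pretty'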
Sample Output:
...
{
"_index" : "filebeat-2016.01.29",
"_type" : "log",
"_id" : "AVKO98yuaHvsHQLa53HE",
"_score" : 1.0,
"_source":{"message":"Feb 3 14:34:00 rails sshd[963]: Server listening on :: port 22.","@version":"1","@timestamp":"2016-01-29T19:59:09.145Z","beat":{"hostname":"topbeat-u-03","name":"topbeat-u-03"},"count":1,"fields":null,"input_type":"log","offset":70,"source":"/var/log/auth.log","type":"log","host":"topbeat-u-03"}
}
...