Most companies are now gradually migrating to the Elastic Stack (what we used to call ELK) for website data analysis. Over the past few days I have been building log-based alerting for our production services (implemented mainly at the application-log level), so here I want to introduce ElastAlert, a very handy Python alerting framework, in combination with our Elastic Stack.

When it comes to alerting, we generally need to satisfy three conditions:

First: timeliness


Second: accuracy

Third: intelligent rate limiting of alerts

This framework satisfies all three.

So finally our protagonist, ElastAlert, takes the stage. Other alerting tools include Alert Management and Elasticsearch watch; readers can decide for themselves which one they need.

ElastAlert is written in Python, is easy to pick up and has complete documentation. Despite all these advantages, I still ran into a great many unexpected errors while setting it up, mainly because most material online targets Elasticsearch versions before 5.x and there is little ready-made reference material.

1.1 Installing ElastAlert

```bash
git clone https://github.com/Yelp/elastalert.git
cd elastalert
python setup.py install            # may need sudo
pip install -r requirements.txt    # may need sudo
cp config.yaml.example config.yaml
```

The detailed features are not covered one by one here; please see the official documentation.

1.2 Creating the index

After installation, three commands are available on the system:

elastalert-create-index, elastalert-rule-from-kibana, elastalert-test-rule

Run elastalert-create-index, enter the ES connection details at the prompts, and press Enter to accept the defaults.

Once the index and the config file are set up, you can test with elastalert-test-rule.
There is a bug here: if you see an error such as TransportError(400, u'search_phase_execution_exception', u'No mapping found for [alert_time] in order to sort on') and have confirmed nothing else is wrong, delete the index with curl -XDELETE http://localhost:9200/ and then recreate it with elastalert-create-index.

1.3 Configuring config.yaml

```yaml
rules_folder: example_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  seconds: 3    # request data from ES every three seconds

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15   # logs reach ES late; this is how far back each query looks,
                # here 15 minutes, i.e. time[now-15m, now]

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 188.88.88.88

# The Elasticsearch port
es_port: 9200

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 1
```

Explanation of the fields above:

rules_folder: where the rule files for the next step are loaded from; the default is example_rules

run_every: how often ElastAlert sends queries to Elasticsearch

buffer_time: the range of the time field in each query; the default is 45 minutes

es_host: the Elasticsearch host address

es_port: the Elasticsearch port

use_ssl: optional, whether to connect to ES over SSL; true or false

verify_certs: optional, whether to verify TLS certificates; true or false, default true

es_username: the username for ES authentication

es_password: the password for ES authentication

es_url_prefix: optional, the ES URL prefix (as I understand it, https or http)

es_send_get_body_as: optional, the HTTP method used to query ES; the default is GET

writeback_index: the index ElastAlert creates in Elasticsearch for its own status records

alert_time_limit: the time limit for retrying failed alerts

1.4 Alert configuration

Create a new YAML file, webattack_frequency.yaml, in the example_rules directory. Its contents are explained piece by piece below (the complete file is shared in the next section; this section only explains the required settings):

1. Alert rule

ElastAlert supports 11 rule types; they are not all covered here. To respond to web attack behaviour, this article uses the frequency rule.

```yaml
name: web attack

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 10

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 1

# (Required)
# Index to search, wildcard supported
index: logstash-    # the elasticsearch index prefix from the logstash output config

filter:
- query_string:
    # sql insert xss detect
    query: "request: select.+(from|limit) OR request: union(.?)select OR request: into.+(dump|out)file"
```

The intent of this configuration: within one minute, count the requests matching the SQL injection patterns in the query, and once the number of matches reaches 10, send an alert.
2. Alerting by email

ElastAlert offers more than 10 notification types; this article uses email alerts. WeChat and DingTalk alerts are also available; configure them if you need them.

```yaml
smtp_host: smtp.qiye.163.com
smtp_port: 25
smtp_auth_file: /Users/qy/Downloads/work/elastalert/example_rules/smtp_auth_file.yaml
# which mailbox replies go to
email_reply_to: xxx@163.com
# which mailbox the alert is sent from
from_addr: xxx@163.com

# (Required)
# The alert is use when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- "shystartree@163.com"

alert_subject: "web attack may be by {} at @{}"
alert_subject_args:
  - remote_addr
  - time
alert_text_type: alert_text_only
alert_text: |
  你好,服务器({})可能正在受到web攻击,请采取措施阻止!

  ### 截止发邮件前匹配到的请求数:{}
  > 发生时间: {}
  > timestamp:{}
  > attacker's ip: {}
  > request: {}
  > status:{}
  > UA头:{}
  >>> 参考来源:{}
alert_text_args:
  - host
  - num_hits
  - time
  - "@timestamp"
  - remote_addr
  - request
  - status
  - http_user_agent
  - source
```

The contents of smtp_auth_file.yaml are given in the next section. In this configuration I customised the alert body so that the attacker IP, the attacked server and the attack events are highlighted more precisely.

3. Reducing the rate of duplicate alerts

In practice, with the configuration above, the mailbox receives a constant stream of emails during an attack, all of them for the same attack instance, which there is no need to receive over and over. So I used the following configuration:

```yaml
# Used to distinguish alerts, works together with realert. Here it means that
# if alerts repeat within 5 minutes, those with a different name are treated
# as different alerts. Can be a list.
query_key:
  - name
# the same alert is not re-sent within 5 minutes
realert:
  minutes: 5
# grow the realert time exponentially: if alerts keep coming in between, the
# silence period increases 5 -> 10 -> 20 -> 40 -> 60 up to the configured
# maximum; once alerts subside it gradually returns to the original realert time
exponential_realert:
  hours: 1
```

In my own tests of attack scenarios, I found that after enabling exponential_realert many alerts were missed (and these were not the same attack instance). I am not yet sure of the cause, so readers should decide for themselves whether to enable this setting.
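To make the interplay between the frequency rule (item 1 above) and realert / exponential_realert (item 3) concrete, here is an added Python simulation; it is not ElastAlert's own code. The class, the burst schedule and the sample timestamps are hypothetical, and the doubling/decay logic approximates the behaviour ElastAlert documents.

```python
from collections import deque
from datetime import datetime, timedelta

class FrequencyRule:
    """Approximation of ElastAlert's frequency rule with realert and
    exponential_realert silencing (added example, not ElastAlert's own code)."""

    def __init__(self, num_events, timeframe, realert, exponential_realert=None):
        self.num_events = num_events
        self.timeframe = timeframe
        self.realert = realert
        self.exp_max = exponential_realert  # None means plain realert only
        self.window = {}   # query_key value -> deque of event timestamps
        self.silence = {}  # query_key value -> (silenced until, exponent)
        self.alerts = []   # timestamps at which an alert was really sent

    def add_event(self, ts, key):
        win = self.window.setdefault(key, deque())
        win.append(ts)
        while ts - win[0] > self.timeframe:  # slide the timeframe window
            win.popleft()
        if len(win) >= self.num_events:      # num_events within timeframe: match
            self.window.pop(key)             # counting restarts after a match
            self.on_match(ts, key)

    def on_match(self, ts, key):
        until, exp = self.silence.get(key, (None, 0))
        if until is not None and ts < until:
            return                           # suppressed by realert
        if until is None or self.exp_max is None:
            wait, exp = self.realert, 0
        else:
            gap = ts - until                 # how long after the silence ended
            if gap < self.realert * 2 ** exp:
                exp += 1                     # alerted again soon: double the silence
            else:
                exp = max(0, exp - int(gap / self.realert))  # quiet spell: decay
            wait = min(self.realert * 2 ** exp, self.exp_max)
        self.silence[key] = (ts + wait, exp)
        self.alerts.append(ts)

def run_bursts(exponential):
    """Constructed bursts of 10 hits (1/s) at minutes 0, 6, 13, 30, 120; returns alert minutes."""
    rule = FrequencyRule(10, timedelta(minutes=1), timedelta(minutes=5),
                         timedelta(hours=1) if exponential else None)
    base = datetime(2018, 1, 13, 16, 0, 0)  # constructed sample time base
    for start in (0, 6, 13, 30, 120):
        for sec in range(10):
            rule.add_event(base + timedelta(minutes=start, seconds=sec), "web attack")
    return [int((t - base).total_seconds() // 60) for t in rule.alerts]
```

With plain realert every burst except none is reported (minutes 0, 6, 13, 30, 120), whereas with exponential_realert the burst at minute 13, a separate attack instance, falls inside the doubled silence window and is never reported, which matches the observation above.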

1.5 Contents of webattack_frequency.yaml and smtp_auth_file.yaml

Section 1.4 gave a brief introduction to each setting; here are the complete web attack alert configuration files for reference.

webattack_frequency.yaml:

```yaml
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
#es_host: 188.88.88.88

# (Optional)
# Elasticsearch port
#es_port: 9200

# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: web attack
realert:
  minutes: 5

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: logstash-

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 10

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  #hours: 4
  minutes: 1

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
#filter:
#- term:
#    some_field: "some_value"
filter:
- query_string:
    # sql insert xss detect
    query: "request: select.+(from|limit) OR request: union(.?)select OR request: into.+(dump|out)file OR request: (base64_decode|sleep|benchmark|and.+1=1|and.+1=2|or%20|exec|information_schema|where%20|union%20|%2ctable_name%20|cmdshell|table_schema) OR request: (iframe|script|body|img|layer|div|meta|style|base|object|input|onmouseover|onerror|onload) OR request: .+etc.+passwd OR http_user_agent:(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench) OR status: (400|404|500|501) NOT (request:_health.html OR remote_addr:222.222.222.222 )"

smtp_host: smtp.qiye.163.com
smtp_port: 25
smtp_auth_file: /Users/qy/Downloads/work/elastalert/example_rules/smtp_auth_file.yaml
# which mailbox replies go to
email_reply_to: xxx@163.com
# which mailbox the alert is sent from
from_addr: xxx@163.com

# (Required)
# The alert is use when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- "shystartree@163.com"

alert_subject: "web attack may be by {} at @{}"
alert_subject_args:
  - remote_addr
  - time
alert_text_type: alert_text_only
alert_text: |
  你好,服务器({})可能正在受到web攻击,请采取措施阻止!

  ### 截止发邮件前匹配到的请求数:{}
  > 发生时间: {}
  > timestamp:{}
  > attacker's ip: {}
  > request: {}
  > status:{}
  > UA头:{}
  >>> 参考来源:{}
alert_text_args:
  - host
  - num_hits
  - time
  - "@timestamp"
  - remote_addr
  - request
  - status
  - http_user_agent
  - source
```

smtp_auth_file.yaml:

```yaml
user: xxx@163.com
password: password
```

1.6 Running ElastAlert

After ElastAlert has been configured there are three configuration files: config.yaml, webattack_frequency.yaml and smtp_auth_file.yaml. Start the ElastAlert service so that it watches Elasticsearch:

```bash
nohup python -m elastalert.elastalert --verbose --rule webattack_frequency.yaml >/dev/null 2>&1 &
```

To run it as a proper daemon you can use it together with supervisor, which is not covered in this article.

1.7 Result

When a custom attack rule matches, ElastAlert sends the alert by email:

```
web attack may be by 104.38.13.21 at @[13/Jan/2018:16:06:58 +0800]

你好,服务器(199.222.36.31)可能正在受到web攻击,请采取措施阻止!

### 截止发邮件前匹配到的请求数:20
> 发生时间: [13/Jan/2018:16:06:58 +0800]
> timestamp:2018-01-13T08:07:04.930Z
> attacker's ip: 184.233.9.121
> request: GET /dbadmin/scripts/setup.php HTTP/1.0
> status:200
> UA头:ZmEu
>>> 参考来源:/log/localhost_access_log.2018-01-13.txt
```

5. Summary

Besides alerting on web attack behaviour as described in this article, ElastAlert can also do anomaly alerting and more.
With the frequency rule, the goal of identifying web attacks is largely achieved.
In practice ElastAlert runs stably and alerts correctly according to the custom configuration files; its drawbacks are that the alert format is not very pretty and that the configuration files need frequent modification.

As for the currently popular WeChat alerting, you can visit my GitHub project, which describes the detailed usage. Project address: https://github.com/Hello-Linux/elastalert_wechat_plugin

Below is a screenshot of the WeChat alerts I currently use.

One last important thing: remember to follow me!