First, a screenshot of the end result: the firewall's NAT logs as displayed in Graylog Server 4.1.
The detailed steps follow.
I. Simulating network device syslog in EVE-NG
I used the EVE-NG Community "lazy" (pre-packaged) edition and a Hillstone firewall for testing.
Link: https://pan.baidu.com/s/15G_ONhBD7TpZo3w0vKmU0g  Extraction code: xucy
The topology is also simple (a typical small enterprise campus network):
1. Hillstone firewall
   E0/0: DHCP, bridged to the PC's local NIC as the WAN (outside) interface, 192.168.31.163
   E0/1: 10.10.10.253, connected to G0/0 on the layer-3 switch
2. Cisco layer-3 switch
   G0/0: VLAN 100, VLAN IP 10.10.10.254
   G0/1: VLAN 200, VLAN IP 10.10.200.1
3. Test PC
   IP 10.10.200.200, VLAN 200
The topology is as follows:
I will not go into the detailed configuration of each campus device here;
the main goal is to simulate the Hillstone firewall sending its logs.
II. Building Graylog Server 4.1
I have set up Graylog before; the link is as follows.
The steps for Graylog Server 4.1 are much the same.
1. Configure the yum repos and install the JDK and pwgen
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum install -y java-1.8.0-openjdk-headless.x86_64
yum install -y pwgen
2. Install MongoDB 4.4
vi /etc/yum.repos.d/mongodb-org.repo
# edit the file to contain the following lines
[mongodb-org]
name=MongoDB Repository
baseurl=https://mirrors.aliyun.com/mongodb/yum/redhat/$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
yum install mongodb-org
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl --type=service --state=active | grep mongod
3. Install Elasticsearch 7.14
First create the Elasticsearch data and log directories; use a directory on a disk partition with plenty of free space.
mkdir -p /opt/elasticsearch/data
mkdir -p /opt/elasticsearch/logs
# the elasticsearch user is created by the rpm package below, so run this chown after the rpm install
chown -R elasticsearch:elasticsearch /opt/elasticsearch
Download the Elasticsearch rpm from the Elastic repo on the Tencent Cloud mirror and install it locally with rpm:
https://mirrors.cloud.tencent.com/elasticstack/yum/elastic-7.x/7.14.0/elasticsearch-7.14.0-x86_64.rpm
rpm -ihv elasticsearch-7.14.0-x86_64.rpm
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml_default
Then edit the configuration file:
vi /etc/elasticsearch/elasticsearch.yml
# add or modify the following lines (YAML requires a space after the colon)
cluster.name: graylog
action.auto_create_index: false
path.data: /opt/elasticsearch/data
path.logs: /opt/elasticsearch/logs
# restart elasticsearch.service again afterwards so the new settings take effect
4. Install Graylog Server 4.1
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.rpm
yum install graylog-server
5. Edit the Graylog configuration files
cp /etc/graylog/server/server.conf /etc/graylog/server/server.conf_default
# generate the password_secret value
pwgen -N 1 -s 96
Joznyj3G5p13hwaIwdvZVJ9TfiPcb4PINOdSPH3uq5GKFaG9jvgsgjQNGVrUwy4F057PTYBmP7dJP6Svx8t8w1h61hVhVUcX
# generate root_password_sha2 (SHA-256 of the admin password, without a trailing newline)
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: Graylog@2021
10dfabb9595634675701865aa1c6e774d89d59f4a104ab128fbffcdaa3cf8f7b
Edit the Graylog server configuration file:
vim /etc/graylog/server/server.conf
# admin account: the secret and password hash generated above
password_secret = Joznyj3G5p13hwaIwdvZVJ9TfiPcb4PINOdSPH3uq5GKFaG9jvgsgjQNGVrUwy4F057PTYBmP7dJP6Svx8t8w1h61hVhVUcX
root_password_sha2 = 10dfabb9595634675701865aa1c6e774d89d59f4a104ab128fbffcdaa3cf8f7b
root_timezone = Asia/Shanghai
allow_highlighting = true
http_bind_address = 0.0.0.0:9000
1) Admin account
2) Time zone
3) Highlighting of search results
4) HTTP bind IP and port
5) Restart the service and open port 9000 in the firewall
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload
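As an added example (my own helper, not code from the original post), the script below produces root_password_sha2 the same way the post's one-liner does and sanity-checks the server.conf keys edited in step 5 before graylog-server is restarted. The 16-character minimum for password_secret is Graylog's documented requirement; the other check rules and the file path are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: hash the admin password as the
# post's one-liner does and sanity-check the server.conf keys the post edits.

# Hash a password for root_password_sha2. printf '%s' matches the post's
# "head -1 | tr -d '\n'": the trailing newline must NOT be hashed, otherwise
# the admin login fails although the digest looks valid.
graylog_root_sha2() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Print the value of "key = value" from a server.conf-style file
# (first uncommented match wins; empty output if the key is unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check the keys the post edits. Prints one finding per line and returns
# the number of findings, so 0 means the file passed.
check_graylog_conf() {
    local conf=$1 n=0 v
    v=$(conf_get "$conf" password_secret)
    if [ "${#v}" -lt 16 ]; then
        echo "password_secret unset or shorter than 16 chars (post: pwgen -N 1 -s 96)"
        n=$((n + 1))
    fi
    v=$(conf_get "$conf" root_password_sha2)
    if ! printf '%s' "$v" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2 is not a 64-hex-digit SHA-256 digest"
        n=$((n + 1))
    fi
    v=$(conf_get "$conf" http_bind_address)
    if ! printf '%s' "$v" | grep -Eq '^[^:]+:[0-9]+$'; then
        echo "http_bind_address must be host:port (post: 0.0.0.0:9000)"
        n=$((n + 1))
    elif [ "${v%%:*}" = "0.0.0.0" ]; then
        # Not counted: the post binds all interfaces, but the firewalld rule
        # then exposes the web UI everywhere; restrict the source if possible.
        echo "note: http_bind_address listens on every interface"
    fi
    return "$n"
}

# Usage: ./check_graylog.sh /etc/graylog/server/server.conf
if [ -n "${1-}" ]; then check_graylog_conf "$1"; fi
```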