Skip to content

How to Install

Jump to bottom
wataru-takahashi edited this page Sep 20, 2018 · 3 revisions

1. Elasticsearch Setup
2. Kibana Setup
3. StixIoC Server Setup
4. Client Setup

Precondition

  • The following instruction is optimized for Linux (Ubuntu).
  • SysmonSearch supports Elasticsearch and Kibana for versions v6.X.
  • Please download Elasticsearch v6.X from this site, and extract it. This directry is referred to as $ES_HOME hereafter.
  • Download Kibana v6.X from this site, and extract it. This directry is referred to as $KIBANA_HOME hereafter.
  • Please clone SysmonSearch git repository.
$ git clone https://github.com/JPCERTCC/SysmonSearch.git

Elasticsearch Setup

  1. Install OpenJDK:
$ sudo apt install default-jre
  1. Set virtual memory:
$ sudo sysctl -w vm.max_map_count=262144
  1. Modify Elasticsearch configuration to allow remote access:
$ vi $ES_HOME/config/elasticsearch.yml

modify the line as follows:

network.host: 0
  1. Start Elasticsearch:
$ ./$ES_HOME/bin/elasticsearch

Kibana Setup

  1. Install OpenJDK and pip:
$ sudo apt install default-jre
$ sudo apt install python-pip
  1. Install Elasticsearch python module:
$ pip install elasticsearch
$ sudo pip install elasticsearch_dsl
  1. Modify Kibana configuration:
$ vi $KIBANA_HOME/config/kibana.yml

modify the line as follows:

server.host: "[Kibana IP address]"
elasticsearch.url: "http://[Elasticserach IP address]:9200"
  1. Start Kinaba:
$ ./$KIBANA_HOME/bin/kibana
  1. Execute the following commands to load the templates:
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template1 -d@SysmonSearch/script/template1.json -H "Content-Type: application/json"
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template2 -d@SysmonSearch/script/template2.json -H "Content-Type: application/json"
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template3 -d@SysmonSearch/script/template3.json -H "Content-Type: application/json"
  1. Move to script/ directory, and create the logs sub-directory:
$ cd SysmonSearch/script/
$ mkdir logs
  1. Modify Statistical script configuration:
$ vi exec_collection_statistical_data.sh

modify the line as follows:

export JPCERT_HOME=[absolute path of script directory]

$ vi collection_statistical_data_setting.py

modify the line as follows:

ELASTICSEARCH_SERVER = "[Elasticserach IP address]"
  1. Modify Alert script configuration:
$ vi collection_alert_data_setting.py

modify the line as follows:

ELASTICSEARCH_SERVER = "[Elasticserach IP address]"
RULE_FILE_DIRECTORY = "[absolute path of script directory]/rule_files/*"
  1. Add following to crontab:
0,30 * * * * sh [absolute path of script directory]/exec_collection_statistical_data.sh
0,30 * * * * python [absolute path of script directory]/collection_alert_data.py
0 1 * * * DATE=`date -d "-1 day" "+%Y.%m.%d"` ; sh [absolute path of script directory]/exec_collection_statistical_data.sh $DATE
  1. Modify sysmon_search_plugin configuration:
$ vi sysmon_search_plugin/conf.js

modify the line as follows:

//elasticsearch server URL
"elasticsearch_url":"[Elasticsearch IP address]"
//elasticsearch server Port
"elasticsearch_port": "9200",
//monitor rule file path
"savepath": "[absolute path of script directory]/rule_files",
//stixioc import server URL
"import_server_url": "stixioc-import-server",
//stixioc server port
"import_server_port": "56020",
//internal time (hour)
"refine_time_range": "1",
//maximum object number
"max_object_num": "30"
  1. Copy sysmon_search_plugin/ directory to $KIBANA_HOME/plugins, delete files under $KIBANA_HOME/optimize directory:
$ cp -r sysmon_search_plugin/ $KIBANA_HOME/plugin/
$ rm -rf $KIBANA_HOME/optimize/*
  1. Restart Kibana.

StixIoc Server Setup

  1. Execute the following command to install pip:
$ sudo apt install python-pip
  1. Execute the following command to install python module:
$ sudo pip install tornado
$ sudo pip install openioc-to-stix
$ sudo pip install git+https://github.com/oasis-open/cti-stix-slider.git
$ sudo pip install virtualenv
$ sudo pip install virtualenvwrapper
  1. Add nessesary environment variable:
$ vi ~/.bashrc

add to the line as follows:

source /usr/local/bin/virtualenvwrapper.sh
export WORKON_HOME=~/.virtualenvs

Reload:

$ bash
  1. Move to stixioc-import-server directory:
$ cd SysmonSearch/stixioc-import-server/
  1. Create the logs directory:
$ mkdir logs
  1. Start stixioc-import-server:
$ virtualenv .env
$ source .env/bin/activate
$ python server.py

Client Setup

Install Sysmon

Download URL (Sysmon)
Please reffer to the instruction on the Sysmon web site, and install it.

Install Winlogbeat

Download URL(Winlogbeat)
Please check the Winlogbeat web site and install Winlogbeat.

Winlogbeat configuration

Specify Elasticsearch IP address:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["Elasticserach IP address:9200"]

Sysmon's event logs to monitor:

winlogbeat.event_logs:
  - name: "Microsoft-Windows-Sysmon/Operational"
    ignore_older: 72h

Disable automatic template loading:

setup.template.enabled: false

Change the index name:

output.elasticsearch.index: "winlogbeat-%{+yyyy.MM.dd}"

Manual

  1. Install
    1. Elasticsearch Server Setup
    2. Kibana Server Setup
    3. StixIoc Server Setup
    4. Client Setup
  2. Setup with Docker
  3. Client Setup
  4. How to Use
    1. Start SysmonSearch
    2. Access Kibana

Appendix. Install the React version

マニュアル(日本語)

  1. インストール
    1. Elasticsearchサーバセットアップ
    2. Kibanaサーバセットアップ
    3. StixIocサーバセットアップ
    4. クライアントのセットアップ
  2. Dockerでの構築
  3. クライアントのセットアップ
  4. 使用方法
    1. SysmonSearchの起動
    2. Kibanaへアクセス

Appendix. Reactバージョンのインストール

Clone this wiki locally