-
Notifications
You must be signed in to change notification settings - Fork 1
/
beats_install.sh
113 lines (97 loc) · 4.16 KB
/
beats_install.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/bin/bash
CONFIG_REPOSITORY_URL="https://raw.githubusercontent.com/mrebeschini/elastic-zeek-workshop/master"
AUDITD_ATTACK_RULES_URL="$CONFIG_REPOSITORY_URL/auditd-attack.rules.conf"
echo "************************************************"
echo "* Elastic/Zeek BSides Workshop Beats Installer *"
echo "************************************************"
if [[ $EUID -ne 0 ]]; then
echo "Error: this script must be run as root."
exit 1
fi
echo "Enter your Elastic Cloud CLOUD_ID then press [ENTER]"
read CLOUD_ID
if [ -z "$CLOUD_ID" ]; then
echo "Error: CLOUD_ID must be set to a non-empty value!"
exit 1
fi
echo -e "Your CLOUD_ID is set to $CLOUD_ID\n"
echo "Enter you Elastic Cloud 'elastic' user password and then press [ENTER]"
read CLOUD_AUTH
if [ -z "$CLOUD_AUTH" ]; then
echo "Error: CLOUD_AUTH must be set to a non-empty value!"
exit 1
fi
echo -e "Your 'elastic' user password is set to $CLOUD_AUTH\n"
echo "Ready to Install? [y|n]"
read CONTINUE
case "$CONTINUE" in
[Yy]) echo -e "\nElastic Beats Installation Initiated";;
*) echo -e "\nInstallation aborted";exit;;
esac
echo -e "\nDownloading Elastic yum repo configuration..."
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
wget -q -N $CONFIG_REPOSITORY_URL/elastic-7.x.repo -P /etc/yum.repos.d/
function install_beat() {
BEAT_NAME=$1
echo -e "\n*** Installing $BEAT_NAME ****";
if [ $BEAT_NAME == "heartbeat" ]; then
BEAT_PKG_NAME="heartbeat-elastic"
else
BEAT_PKG_NAME=$BEAT_NAME
fi
yum -q list installed $BEAT_PKG_NAME &> /dev/null
if [ $? -eq 0 ]; then
echo "$BEAT_NAME was previously installed. Uninstalling first..."
yum -y -q remove $BEAT_PKG_NAME &> /dev/null
rm -Rf /etc/$BEAT_NAME /var/lib/$BEAT_NAME /var/log/$BEAT_NAME /usr/share/$BEAT_NAME
fi
yum -y install $BEAT_PKG_NAME
echo "Downloading $BEAT_NAME config file..."
wget -q -N $CONFIG_REPOSITORY_URL/$BEAT_NAME.yml -P /etc/$BEAT_NAME
chmod go-w /etc/$BEAT_NAME/$BEAT_NAME.yml
echo "Setting up $BEAT_NAME keystore with Elastic Cloud credentials"
$BEAT_NAME keystore create
echo $CLOUD_ID | $BEAT_NAME keystore add CLOUD_ID --stdin
echo $CLOUD_AUTH | $BEAT_NAME keystore add --stdin CLOUD_AUTH --force
if [ $? -ne 0 ]; then
echo "Invalid CLOUD_ID. Installation aborted!"
exit 2
fi
case $BEAT_NAME in
auditbeat)
wget -q $AUDITD_ATTACK_RULES_URL -N -O /etc/auditbeat/audit.rules.d/auditd-attack.rules.conf
echo "Stopping auditd deamon"
service auditd stop &> /dev/null
chkconfig auditd off &> /dev/null
;;
filebeat)
wget -q $CONFIG_REPOSITORY_URL/zeek.yml -O /etc/filebeat/modules.d/zeek.yml
$BEAT_NAME modules enable system
;;
esac
echo "Setting up $BEAT_NAME"
$BEAT_NAME setup
systemctl enable $BEAT_PKG_NAME
systemctl start $BEAT_PKG_NAME
$BEAT_NAME test output
echo -e "$BEAT_NAME setup complete"
}
function decode_cloud_id() { BASE64URL=`echo "$CLOUD_ID" | awk -F':' '{ print $2 }'` URL=`echo $BASE64URL | base64 --decode`
ES=`echo $URL | awk -F'$' '{ print $2 }'`
REGION=`echo $URL | awk -F'$' '{ print $1 }'`
ES_URL=https://$ES.$REGION
}
#Load up ingest pipelines
decode_cloud_id
echo -e "\nLoading MITRE/GEO Ingest Pipelines into ${ES_URL}"
wget -q -N $CONFIG_REPOSITORY_URL/pipeline_generic_geo.json
wget -q -N $CONFIG_REPOSITORY_URL/pipeline_mitre_geo_auditbeat.json
curl --silent --user elastic:$CLOUD_AUTH -XPUT "${ES_URL}/_ingest/pipeline/geoip-info" -H "Content-Type: application/json" -d @pipeline_generic_geo.json
curl --silent --user elastic:$CLOUD_AUTH -XPUT "${ES_URL}/_ingest/pipeline/mitre_auditbeat" -H "Content-Type: application/json" -d @pipeline_mitre_geo_auditbeat.json
rm -f pipeline_*.json
#Install Beats
install_beat "auditbeat"
install_beat "metricbeat"
install_beat "filebeat"
install_beat "heartbeat"
echo -e "\n\nSetup complete!"