一、Logstash
1.1 logstash容器安装(加入safeline-ce容器网)
docker run -di --restart=always --log-driver json-file -p 5044:5044 -p 9600:9600 --name logstash --net safeline-ce logstash:8.8.1
1.2 logstash配置
注意事项:
1.jdbc_driver_library的jar包需要单独下载;
2.waf的日志根据id进行增量更新,id递增则logstash进行output。其中记录id号的user.metadata空文件需要单独创建。其中查询的SQL语句statement 最后需要写明增量条件 > :sql_last_value;
3.日志量较大的话,分页进行配置;
4.Output模块中理论上可以直接通过http的发送给数据给企业微信机器人的webhook,不过这边是通过发送到本地的webhook做了相关makedown的格式调整以及颜色和超链接的优化,再由本地webhook发送至企业微信机器人的webhook。;
5.在38行output中pushwechatalert为后文webhook配置waf.json的id,需要一致。
input {
jdbc {
jdbc_connection_string => "jdbc:[postgresql://169.254.0.2:5432/safeline-ce]()"
jdbc_user => "safeline-ce"
jdbc_password => "F6epaIfxxxxxxxxxxxxxxx64dKbUhhc"
jdbc_driver_library => "/usr/share/logstash/jdk/bin/pgsql/postgresql-42.6.0.jar"
jdbc_driver_class => "org.postgresql.Driver"
jdbc_paging_enabled => "true"
jdbc_page_size => "300000"
use_column_value => "true"
tracking_column => "id"
tracking_column_type => "numeric"
record_last_run => "true"
clean_run => false
last_run_metadata_path => "/usr/share/logstash/jdk/bin/pgsql/user.metadata"
statement => "SELECT mgt_detect_log_basic.id as id,timestamp,host,url_path,src_ip,method,query_string,mgt_detect_log_basic.event_id as event_id FROM mgt_detect_log_basic,mgt_detect_log_detail where 1=1 and mgt_detect_log_basic.id = mgt_detect_log_detail.id and mgt_detect_log_basic.id > :sql_last_value"
schedule => "* * * * *"
type => "jdbc"
jdbc_default_timezone =>"Asia/Shanghai"
}
}
filter {
json {
source => "message"
}
ruby {
code => "event.timestamp.time.localtime"
}
mutate {
remove_field => [ "@timestamp","@version","type" ]
}
}
output {
http {
http_method => "post"
format => "json"
url => "<http://127.0.0.1:8888/hooks/pushwechatalert>"
content_type => "application/json"
}
stdout {
codec => rubydebug {}
}
}
1.3 logstash配置启动(主容器已经起了一个logstsh进程,单独再起一个要指定--path.data)
nohup logstash -f /usr/share/logstash/jdk/bin/pgsql/logstas-pgsql.conf --path.data=/usr/share/logstash/jdk/bin/pgsql/data > /dev/null 2>&1 &
二、自建webhook
2.1 webhook安装(写者是安装在logstash所在的容器里)
wget https://github.com/adnanh/webhook/releases/download/2.8.1/webhook-linux-amd64.tar.gz
tar -zxvf webhook-linux-amd64.tar.gz -C ./
cp webhook-linux-amd64/webhook /usr/bin/
2.2 webhook配置(三个配置文件)
waf.json(execute-command执行推送企业微信报警脚本)
[
{
"id": "pushwechatalert",
"execute-command" : "/usr/share/logstash/jdk/bin/pgsql/webhook/ctwaf.sh",
"pass-arguments-to-command":
[
{
"source":"entire-payload",
#"name":"parameter-name"
}
]
}
]
ctwaf.sh(6-11行提取logstash output过来的日志,提取出字段,12-17行对企业微信报警模板文件alert-waf.json进行字段替换。18行微信机器人webhook地址,19行更新模板。)
#!/bin/bash
PAYLOAD= $1
echo $1 >> /var/log/test.log
PAYLOAD2=echo $1
echo $PAYLOAD2 >> /var/log/payload2.log
CT_Event=echo $PAYLOAD2 | awk -F ',' {'print $1'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
CT_Time=echo $PAYLOAD2 | awk -F ',' {'print $7'} | awk -F ':' {'print $2'} | xargs -I {} date -d @{} +"%Y-%m-%d %H:%M:%S"
CT_Method=echo $PAYLOAD2 | awk -F ',' {'print $4'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
CT_Server=echo $PAYLOAD2 | awk -F ',' {'print $2'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
CT_Url=echo $PAYLOAD2 | awk -F ',' {'print $8'} | awk -F '"' {'print $4'}
CT_Sip=echo $PAYLOAD2 | awk -F ',' {'print $6'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
sed -i "s/CT_Event/$CT_Event/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s/CT_Time/$CT_Time/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s/CT_Method/$CT_Method/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s#CT_Url#$CT_Url#g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s/CT_Server/$CT_Server/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s#CT_Sip#$CT_Sip#g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
curl -H "Content-Type: application/json" -X POST -d @/usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxxxx
cp -f /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json.tm /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
alert-waf.json(11-12行的192.168.1.1地址非WAF地址,为另外一台nginx,用来增加用户的cookie头并代理waf实现免登录查看报警。)
{
"msgtype": "markdown",
"markdown": {
"content": "报警类型:<font color=\"info\">长亭</font>,请注意。\n>
报警时间:<font color=\"comment\">CT_Time</font>\n>
请求方法:<font color=\"comment\">CT_Method</font>\n>
请求路径:<font color=\"comment\">CT_Url</font>\n>
请求域名:<font color=\"comment\">CT_Server</font>\n>
攻击IP:<font color=\"comment\">CT_Sip</font>\n>
[攻击报文](http://192.168.1.1:8888/api/DetectLogDetail?event_id=CT_Event)\n>
[免登录查看攻击详情](http://192.168.1.1:8888/logs?page=1&size=20¶ms=%7B%7D)\n>"
}
}
2.3 启动webhook
nohup webhook -hooks waf.json -port 8888 --verbose > /dev/null 2>&1 &
三、NGINX免登录查看WAF日志。
单独安装了一个nginx容器,其中proxy_pass为waf登录地址,proxy_pass_header为用户cookie),并配置定时任务去访问waf,防止cookie失效。
来源:热心雷池社区版用户