Skip to content

Jump start with Docker

Jump to bottom
S03D4-164 edited this page Apr 30, 2020 · 6 revisions

Precondition

The following settings are assumed to build on Linux (Ubuntu).

How to Install

  1. Clone SysmonSearch git repository
$ git clone https://github.com/JPCERTCC/SysmonSearch-Private.git
  1. Move to docker directory
$ cd SysmonSearch/docker/
  1. Specify proxy server, if needed:
$ vi docker-compose.yml

modify the line as follows:

# 26, 38 lines
        args:
          - http_proxy=[proxy_server_URL]
          - https_proxy=[proxy_server_URL]
  1. Set Virtual Memory on host device:
$ sysctl -w vm.max_map_count=262144
  1. Run the setup.sh 
$ chmod +x setup.sh
$ ./setup.sh
  1. Build an image
$ docker-compose build

It may take upto 20 minutes to finish.

How to Start Container

$ docker-compose up -d

Kibana plugin is compiled only at the first startup. Therefore, you can not access Kibana until compiletion is finished.

Set scheduled tasks

Add following to your crontab:

0,30 * * * * docker exec -it docker_stixioc-import-server  sh -c "sh /root/script/exec_collection_statistical_data.sh"
0,30 * * * * docker exec -it docker_stixioc-import-server  sh -c "python /root/script/collection_alert_data.py"
0 1 * * * docker exec -it docker_stixioc-import-server  sh -c "DATE=`date -d \"-1 day\" \"+%Y.%m.%d\"`;sh /root/script/exec_collection_statistical_data.sh $DATE"

Loading the index template in Elasticsearch

Execute the following command to load the template

$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template1 -d@kibana/script/template1.json -H "Content-Type: application/json"
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template2 -d@kibana/script/template2.json -H "Content-Type: application/json"
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template3 -d@kibana/script/template3.json -H "Content-Type: application/json"

How to Stop Container

$ docker-compose stop

Accessing the Kibana

Access http://[Server IP address]:5601/ SysmonSearch search

Client Setup

Install Sysmon

Download URL (Sysmon)
Please reffer to the instruction on the Sysmon web site, and install it.

Install Winlogbeat

Download URL(Winlogbeat)
Please check the Winlogbeat web site and install Winlogbeat.

Winlogbeat configuration

Specify Elasticsearch IP address:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["Elasticserach IP address:9200"]

Sysmon's event logs to monitor:

winlogbeat.event_logs:
  - name: "Microsoft-Windows-Sysmon/Operational"
    ignore_older: 72h

Disable automatic template loading:

setup.template.enabled: false

Change the index name:

output.elasticsearch.index: "winlogbeat-%{+yyyy.MM.dd}"

Manual

  1. Install
    1. Elasticsearch Server Setup
    2. Kibana Server Setup
    3. StixIoc Server Setup
    4. Client Setup
  2. Setup with Docker
  3. Client Setup
  4. How to Use
    1. Start SysmonSearch
    2. Access Kibana

Appendix. Install the React version

マニュアル(日本語)

  1. インストール
    1. Elasticsearchサーバセットアップ
    2. Kibanaサーバセットアップ
    3. StixIocサーバセットアップ
    4. クライアントのセットアップ
  2. Dockerでの構築
  3. クライアントのセットアップ
  4. 使用方法
    1. SysmonSearchの起動
    2. Kibanaへアクセス

Appendix. Reactバージョンのインストール

Clone this wiki locally