Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 三)

于 2020-03-18 11:24:08 发布
阅读量2k 收藏 3
点赞数
CC 4.0 BY-SA版权
分类专栏: Solutions Elastic Security 文章标签: elasticsearch 大数据
本文为博主原创文章,未经博主允许不得转载。
本文链接:https://blog.csdn.net/UbuntuTouch/article/details/104920571
本文详细介绍了在Ubuntu OS上安装配置Packetbeat和Auditbeat的过程,包括如何修改配置文件以增强事件处理能力,以及如何在Kibana中查看和分析收集到的数据。此外,还探讨了安装Filebeat和其他Beats的方法,以及在SIEM中展示数据的方式。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

这篇文章是我们之前文章 “Elastic SIEM - 适用于家庭和企业的安全防护”系列的续集。在今天的这篇文章中,我们接着来讲述数据的导入:Auditbeat 及 Packetbeat。我们系统的配置请参阅之前的文章 “Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 二)”。在今天的安装中,我们将把我们的 Auditbeat 及 Packetbeat 安装于 Ubuntu OS 之上。

 

安装 Packetbeat

我们可以参照文章 “Beats:如何安装 Packetbeat” 来在 Ubuntu OS 上安装 Packetbeat。根据一致性的需求,按照我们之前的文章 “Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 二)”,我们需要加入相应的 processors 到我们的 packetbeat.yml 文件中:

processors: 
  - add_host_metadata:
      netinfo.enabled: true
      geo: # These Geo configurations are optional
        location: 39.931854, 116.470528
        continent_name: Asia
        country_iso_code: CN
        region_name: Beijing
        region_iso_code: CN-BJ
        city_name: Beijing city
        name: myLocation
  - add_locale: ~ 
  - add_cloud_metadata: ~ 
  - add_fields: 
      when.network.source.ip: private 
      fields: 
        source.geo.location: 
          lat: 39.931854 
          lon: 116.470528
        source.geo.continent_name: Asia
        source.geo.country_iso_code: CN
        source.geo.region_name: Beijing
        source.geo.region_iso_code: CN-BJ
        source.geo.city_name: Beijing city
        source.geo.name: myLocation
      target: '' 
  - add_fields: 
      when.network.destination.ip: private 
      fields: 
        destination.geo.location: 
          lat: 39.931854 
          lon: 116.470528 
        destination.geo.continent_name: Asia
        destination.geo.country_iso_code: CN
        destination.geo.region_name: Beijing
        destination.geo.region_iso_code: CN-BJ
        destination.geo.city_name: Beijing city
        destination.geo.name: myLocation
      target: ''

我同时把 packetbeat.yml 里的 name 字段设置为 ubuntu。这样整个 packetbeat.yml 的文件如下:

#################### Packetbeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The packetbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/packetbeat/index.html

#============================== Network device ================================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: any

#================================== Flows =====================================

# Set `enabled: false` or comment out all options to disable flows reporting.
packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

#========================== Transaction protocols =============================

packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]

- type: cassandra
  #Cassandra port for traffic monitoring.
  ports: [9042]

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]

- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306,3307]

- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]

- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]

- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]

- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]

- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL

    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: "ubuntu"

# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["ubuntu", "HomePC"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.43.220:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.43.220:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors: 
  - add_host_metadata:
      netinfo.enabled: true
      geo: # These Geo configurations are optional
        location: 39.931854, 116.470528
        continent_name: Asia
        country_iso_code: CN
        region_name: Beijing
        region_iso_code: CN-BJ
        city_name: Beijing city
        name: myLocation
  - add_locale: ~ 
  - add_cloud_metadata: ~ 
  - add_fields: 
      when.network.source.ip: private 
      fields: 
        source.geo.location: 
          lat: 39.931854 
          lon: 116.470528
        source.geo.continent_name: Asia
        source.geo.country_iso_code: CN
        source.geo.region_name: Beijing
        source.geo.region_iso_code: CN-BJ
        source.geo.city_name: Beijing city
        source.geo.name: myLocation
      target: '' 
  - add_fields: 
      when.network.destination.ip: private 
      fields: 
        destination.geo.location: 
          lat: 39.931854 
          lon: 116.470528 
        destination.geo.continent_name: Asia
        destination.geo.country_iso_code: CN
        destination.geo.region_name: Beijing
        destination.geo.region_iso_code: CN-BJ
        destination.geo.city_name: Beijing city
        destination.geo.name: myLocation
      target: ''

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Packetbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

如果我们的 Packetbeat 安装正确的话,那么,我可以在 Kibana 的 Dashboard 中看到如下的画面:

安装 Auditbeat

我们可以参照之前的文章 “Beats:  Elastic 中的 Auditbeat 使用介绍” 来在 Ubuntu OS 上进行安装。针对 Auditbeat 的安装,我们需要做一点点小的修改。我们在 /etc/auditbeat/audit.rules.d 目录下,把默认的样本 rule 打开:

sudo mv sample-rules.conf.disabled rules.conf

这个 rules 的内容如下:

## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi

## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec

## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

根据一致性的需求,按照我们之前的文章“Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 二)”,我们需要加入相应的processors到我们的auditbeat.yml文件中:修改后的auditbeat.yml文件为:

###################### Auditbeat Configuration Example #########################

# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html

#==========================  Modules configuration =============================
auditbeat.modules:

- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    #-a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    #-a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    #-w /etc/group -p wa -k identity
    #-w /etc/passwd -p wa -k identity
    #-w /etc/gshadow -p wa -k identity

    ## Unauthorized access attempts.
    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 12h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: ubuntu

# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["ubuntu", "HomePC"] 

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.43.220:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.43.220:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors: 
  - add_host_metadata:
      netinfo.enabled: true
      geo: # These Geo configurations are optional
        location: 39.931854, 116.470528
        continent_name: Asia
        country_iso_code: CN
        region_name: Beijing
        region_iso_code: CN-BJ
        city_name: Beijing city
        name: myLocation
  - add_locale: ~ 
  - add_cloud_metadata: ~ 
  - add_fields: 
      when.network.source.ip: private 
      fields: 
        source.geo.location: 
          lat: 39.931854 
          lon: 116.470528
        source.geo.continent_name: Asia
        source.geo.country_iso_code: CN
        source.geo.region_name: Beijing
        source.geo.region_iso_code: CN-BJ
        source.geo.city_name: Beijing city
        source.geo.name: myLocation
      target: '' 
  - add_fields: 
      when.network.destination.ip: private 
      fields: 
        destination.geo.location: 
          lat: 39.931854 
          lon: 116.470528 
        destination.geo.continent_name: Asia
        destination.geo.country_iso_code: CN
        destination.geo.region_name: Beijing
        destination.geo.region_iso_code: CN-BJ
        destination.geo.city_name: Beijing city
        destination.geo.name: myLocation
      target: ''

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

等我们的auditbeat已经被成功运行起来后,我们可以在Kibana的Dashboard中看到如下的画面:

安装 Filebeat 等其它的 Beats

在很多的情况下,我们还需要根据我们自己的需求安装更多的 beats,比如 Filebeat。这对于很多的情况下是非常有用的。我们可以打开我们的 Kibana:

我们点击 Add events 按钮:

在上面,它显示了许多的应用场景。我们可以根据自己的需求来按照上面的要求来进行安装。大多数情况下,都是安装 Filebeat,并启动相应的模块:

 

在 SIEM 里展示数据

我打开在 Kibana 中的 SIEM 应用:

我可以同时看到三个来源的数据:Auditbeat,Winlogbeat 及 Packetbeat。

我们点击 Hosts tab:

我们看见有三个 hosts。这其中的原因是在中途我修改了在配置文件 yml 文件里的 name 从默认值 liuxg 到 ubuntu:

 

我们点击上面的 ubuntu 超链接,我们可以看到如下的画面:

在上面,我们可以看到关于这个 ubuntu host 的统计情况。我们可以从下面的 Authentications, Uncommon processes, Events 及 External alerts 来进行搜索:

由于我们添加了 Packetbeat 和 Auditbeat,我们可以得到 Network 的情况:

在上面显示了我们电脑的位置。也显示了 Network 的所有的 events。

在上面,如果我们点击 “Detections”,我们会发现如下的错误:

我们点击上面的链接,可以看到对我们的配置有一定的要求

我们按照上面的需求来重新进行配置:

  • 在 elasticsearch.yml 中,我们添加 xpack.security.enabled,并且设置它为 true,也即:
    • xpack.security.enabled: true
    • 在 Basic 授权的情况下,我们必须也设置 xpack.security.transport.ssl.enabled 为 true,否则 elasticsearch 也启动不了。
    • 由于我们已经启动了Elasticsearch安全,我们必须安装 “Elasticsearch:设置Elastic账户安全” 来设置账户安全。
    • 同时,我们也必须配置 kibana.yml 启用安全访问
    • 同时,我们也必须配置我们的各个 beats 的 Elasticsearch 访问用户名及密码,然后重新启动 beats
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.43.220:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "changeme"
  • 在 kibana.yml 中,设置 xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'

经过上面的修改后,我们再重新点击 “Detections”,我们可以看到如下的画面:

好了,今天我们就先讲到这里。在接下来的文章中,我们将着重介绍如何创建一个 rule。敬请阅读文章 “Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 四)”。

博客
Elastic 线下 Meetup 将于 2025 年 7 月 27 号下午在深圳举行
07-01 1211
2025ElasticMeetup深圳站将于7月27日在腾讯滨海大厦举行,聚焦AI驱动搜索技术前沿。活动邀请Elastic、腾讯云等专家分享向量搜索、RAG技术演进、百亿级AISearch优化实践等议题,涵盖搜索智能化、多模态检索、日志系统应用等热点。刘晓国、陈曦等资深技术人将深入解析行业趋势,活动还设有茶歇交流及抽奖环节。需提前实名报名并验证入场。
博客
Elastic:如何成为一名 Elastic 认证工程师,Elastic 认证分析师及 Elastic 认证可观测性工程师
10-28 2万+
Elasticsearch 无疑是是目前世界上最为流行的大数据搜索引擎。根据 DB - Engines 的统计,Elasticsearch 雄踞排行榜第一名,并且市场还在不断地扩大:能够成为一名 Elastic 认证工程师也是很多开发者的梦想。这个代表了 Elastic 的最高认证,在业界也得到了很高的认知度。得到认证的工程师,必须除了具有丰富的 Elastic Stack 知识,而且必须有丰富的操作及有效的解决问题的能力。拥有这个认证证书,也代表了个人及公司的荣誉。针对个人的好处是,你可以..
博客
Elastic:开发者上手指南
02-25 16万+
你们好,我是Elastic的刘晓国。如果大家想开始学习Elastic的话,那么这里将是你理想的学习园地。在我的博客几乎涵盖了你想学习的许多方面。在这里,我来讲述一下作为一个菜鸟该如何阅读我的这些博客文章。我们可以按照如下的步骤来学习:1)Elasticsearch简介:对Elasticsearch做了一个简单的介绍2)Elasticsearch中的一些重要概念:cluster,n..........................................................
博客
Elastic:培训视频 - ​在生产环境中配置 Fleet Server 和 Elastic Agent 之间的安全
01-06 1万+
在这篇文章中,我将会把我写的有些内容录制成视频,供大家参考。希望对大家有所帮助。优酷的视频频道地址在这里。Elastic 简介及Elastic Stack 安装:优酷,腾讯 Elastic Stack docker 部署:优酷,腾讯 Elasticsearch中的一些重要概念(Cluster/Shards/Replica/Document/Type/Index):优酷,腾讯 开始使用El...............
博客
Elasticsearch 简介
08-08 17万+
Elasticsearch是一个非常强大的搜索引擎。它目前被广泛地使用于各个IT公司。Elasticsearch是由Elastic公司创建并开源维护的。它的开源代码位于https://github.com/elastic/elasticsearch。同时,Elastic公司也拥有Logstash及Kibana开源项目。这个三个开源项目组合在一起,就形成了 ELK软件栈。他们三个共同形成了一个强大的...
博客
Elasticsearch 字符串包含子字符串:高级查询技巧
07-09 275
本文介绍了Elasticsearch中实现子字符串搜索的多种高级技术。主要内容包括:1)使用query_string、match_phrase和wildcard查询进行子字符串匹配;2)通过自定义分析器和n-gram分词器提升搜索准确性;3)ES|QL提供的LOCATE、MATCH等字符串处理函数;4)区间查询和跨度查询等高级匹配方法。文章对比了不同技术的适用场景,并指出前缀通配符可能影响性能等问题,为开发人员提供了全面的Elasticsearch子字符串搜索解决方案。
博客
Elasticsearch:使用 Significant Terms Aggregation 识别被盗信用卡的常见交易
07-08 270
使用 Significant Terms Aggregation 识别被盗信用卡的常见交易。
博客
揭示独特模式:Elasticsearch 中 significant terms 聚合指南
07-08 869
摘要:Elasticsearch的significantterms聚合功能能够通过统计分析方法发现数据中非显而易见的有价值洞察。与普通terms聚合不同,它会比较子数据集与整体数据集的词项分布,识别出统计上显著异常的关联模式。文章通过手机销售数据分析的具体案例,展示了如何发现不同职业群体对iPhone16的独特偏好,以及如何结合语义搜索识别与"good performance"评价显著相关的机型。这种聚合方法在消费者行为分析、欺诈检测、质量评价等多个领域都有重要应用价值,能够揭示数据背后
博客
使用 collapse 和 cardinality 实现高效分页在 Elasticsearch 中
07-05 855
本文介绍了在Elasticsearch中使用collapse功能对产品变体进行分组时遇到的分页挑战。通过示例展示了如何将collapse与cardinality聚合结合使用,以获取真实的唯一分组数量,从而解决分页问题。文章指出,单独使用collapse时返回的hits.total.value反映的是原始文档数量而非分组后数量,会导致分页显示错误。解决方案是在collapse查询中添加针对相同字段的cardinality聚合,准确计算唯一值数量,实现可靠分页。这种方法特别适用于电商等需要展示产品变体的场景。
博客
APM 最佳实践:从业者指南中的注意事项与禁忌
07-04 648
《高效应用性能管理(APM)实践指南》摘要 应用性能管理(APM)是现代软件系统维护的关键实践,通过持续监控应用程序的前后端性能,确保业务连续性和用户体验。本文系统性地阐述了APM的核心原则、实施策略和最佳实践。 核心要点包括: 现代APM需整合追踪(traces)、指标(metrics)和日志(logs)三类数据,采用自动检测与关键业务手动检测相结合的方案; 有效策略应包含性能监控、错误跟踪、基础设施监控和用户体验指标四个维度; 实施时应遵循端到端可见性、实时监控、以用户为中心等原则,避免过度检测(建议控
博客
Elasticsearch:异常检测入门
07-03 715
本文介绍了在Elastic Stack 9.0.2中使用机器学习进行异常检测的实践方法。通过Kibana自带的示例数据,展示了如何创建三种不同类型的异常检测作业:单指标作业、多指标作业和群体作业。文章详细讲解了数据探索、作业配置、结果分析等关键步骤,并演示了如何使用SingleMetricViewer和AnomalyExplorer工具查看检测结果。此外,还介绍了利用机器学习模型进行未来行为预测的方法。整个过程突出了机器学习在运维场景中的价值,能够自动识别异常事件,减轻人工监控负担,帮助运维人员提前发现潜在
博客
祝贺我们首批通过 Elastic 认证的生成式 AI 销售合作伙伴
07-02 948
摘要:Elastic推出生成式AI合作伙伴认证计划,首批认证的合作伙伴包括GIOS、KPMG等6家欧洲和中东企业。这些合作伙伴已完成严格的ElasticAI培训,具备开发RAG解决方案等能力。Elastic通过向量数据库和AI集成,简化企业AI应用开发流程。认证合作伙伴将帮助客户克服AI试点到规模化应用的挑战,提供专业技术支持和创新方案。Elastic强调合作伙伴在推动AI解决方案落地中的关键作用,同时提醒用户注意第三方AI工具的数据安全风险。(149字)
博客
使用 JavaScript、Mastra 和 Elasticsearch 构建一个具备代理能力的 RAG 助手
07-02 1131
​在这篇文章中,我们将探索如何使用 Mastra 和一个轻量级的 JavaScript Web 应用来构建一个具备代理能力的 RAG 助手,并与它进行交互。通过将这个代理连接到 Elasticsearch,我们为它提供了访问结构化球员数据的能力,并能执行实时统计聚合,从而为你提供基于球员数据的推荐。前往 GitHub 仓库查看详情;README 文件提供了如何克隆并在本地运行该应用的说明。
博客
Elastic 构建 Elastic Cloud Serverless 的历程
07-01 661
摘要:Elastic团队分享了构建Elastic Cloud Serverless无服务器平台的经验。该平台通过云原生架构重构,将Elastic Stack从有状态系统转变为按需扩展的无服务器服务,利用对象存储替代本地磁盘,并采用Kubernetes实现跨云部署。文章详细介绍了架构演进、性能优化、自动扩缩容机制和定价模型设计,强调通过解耦搜索/索引层、减少API调用等技术突破,在AWS/GCP/Azure三大云上实现了高可用性。平台采用细胞式架构确保韧性,并通过统一控制平面管理分布式资源,最终实现了运维简化
博客
Elasticsearch 排序性能提升高达 900 倍
07-01 1062
Elasticsearch 9.0.1和即将发布的9.1版本大幅提升了排序性能,float/half_float排序速度提升83-920倍,integer排序延迟改善41-531倍。优化采用BKD树与distance查询结合的新方法,通过跳过无效数据块显著提高效率。这些改进已应用于Elastic Cloud Serverless,并回溯至8.19版本。性能提升在NYCTaxis和http_logs基准测试中得到验证,将大幅降低Observability、Security等场景的搜索延迟和基础设施成本。Ela
博客
你以为 Elastic 只做 SIEM?再好好想想!
06-28 1001
Elastic重新定义XDR安全防护,通过收购Endgame技术深度整合EDR能力,打造原生统一的安全平台。该方案突破传统EDR的数据处理瓶颈,支持PB级端点、网络、云端数据的实时关联分析,提供跨厂商的无缝防护。平台包含获奖级恶意软件防护、勒索软件防御和行为检测能力,支持Windows/macOS/Linux全平台。创新采用"数据湖"付费模式,仅按实际使用数据计费,包含无限端点授权。通过开源检测规则、AI辅助分析和自动故障排查等功能,实现透明化安全运营。在AV-Comparatives测
博客
使用 Elasticsearch 构建一个用于真实健康数据的 MCP 服务器
06-27 1000
摘要:本文介绍了如何使用FastMCP框架和Elasticsearch构建一个MCP(Model Context Protocol)服务器来管理和分析Apple Health健康数据。文章详细讲解了MCP的三个核心组件(Resources、Tools和Prompts)的实现方法,展示了如何将Elasticsearch作为数据存储后端,并通过Claude Desktop实现自然语言交互查询。该解决方案支持动态数据查询、趋势分析和可视化展示,为LLM代理提供了实时健康数据访问能力。文中包含完整的代码实现、测试方
博客
Elastic:AI,开箱即用!
06-26 1173
Elastic宣布其AI功能现已在Elastic Cloud中默认启用,消除了传统AI部署的复杂流程。该解决方案提供了开箱即用的托管LLM,支持安全、可观测性和搜索领域的AI应用,包括威胁检测、根因分析和自然语言查询等功能。Elastic独特的优势在于将AI深度集成到现有工作流中,支持检索增强生成(RAG)技术,并能统一访问各类数据源。同时平台保持开放架构,允许用户连接第三方LLM。该方案显著降低了AI使用门槛,使企业能立即获得AI驱动的安全防护和运维洞察,无需额外配置或签署第三方合同。
博客
Elastic 被《Forrester Wave™:2025 年第二季度安全分析平台》评为领导者
06-26 1009
Elastic入选Forrester 2025年Q2安全分析平台领导者象限。报告指出,Elastic以工程驱动方式解决安全问题,整合SIEM、XDR和云安全于统一平台,提供AI驱动的检测、开放架构和灵活部署。其优势包括:RAG技术加速警报处理、透明AI增强分析、MITRE ATT&CK规则库,以及混合部署支持。客户数据显示,该平台可缩短99%平均修复时间。Elastic Security将多种安全功能整合,支持SaaS/本地部署,所有检测规则开源。近期与AWS达成战略合作,持续强化安全创新。
博客
在 Logstash 中使用 Ruby 脚本
06-25 1413
摘要:本文介绍了Logstash中Ruby filter插件的使用方法,用于实现高级数据转换。Ruby filter允许在Logstash管道中执行自定义Ruby代码,适用于标准过滤器无法处理的复杂场景,如深度嵌套数据处理、高级字符串处理和复杂业务逻辑实现。文章通过基础示例展示了内联Ruby代码和外部脚本的使用方法,并通过高级示例演示了如何操作嵌套数据结构、拆分事件、执行外部命令解析输出以及使用Ruby内置库。Ruby filter为Logstash管道提供了强大的扩展能力,能够满足各种复杂数据处理需求。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值