This repository has been archived by the owner on Jun 2, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathinstall_strelka
67 lines (54 loc) · 2.58 KB
/
install_strelka
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#!/bin/bash
# Install Strelka on Security Onion
# Author: Wes Lambert, [email protected]
# This script is currently only supported for use in Standalone deployments
# Clone Strelka repo and build Docker container
git clone https://github.com/target/strelka /opt/strelka
#git clone https://github.com/target/strelka.git /opt/strelka/
#cd /opt/strelka/ && docker build -t so-strelka .
# Clone Security Onion stuff
git clone -b master https://github.com/weslambert/securityonion-strelka.git /opt/securityonion-strelka
# Install docker-compose
apt-get install -y docker-compose
# Create dirs and set perms
echo "Creating directories and setting permissions..."
mkdir -p /var/log/strelka/ /etc/strelka /nsm/strelka/processed
chown -R 1001:1001 /var/log/strelka /etc/strelka /nsm/strelka
# Copy stuff over
echo "Copying Strelka config..."
cp -av /opt/securityonion-strelka/etc/strelka/* /etc/strelka
cp /opt/securityonion-strelka/etc/cron.d/* /etc/cron.d
cp /opt/securityonion-strelka/usr/sbin/so-* /usr/sbin/
# Install Filebeat
echo "Getting Filebeat ready..."
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-amd64.deb
dpkg -i filebeat-6.4.2-amd64.deb
cp /opt/securityonion-strelka/etc/filebeat/filebeat.yml /etc/filebeat/
service filebeat start
systemctl enable filebeat.service
# Copy Logstash config into place
echo "Copying Logstash config..."
cp /opt/securityonion-strelka/etc/logstash/* /etc/logstash/custom/
# Copy stock Logstash config to /etc/logstash/custom and modify for Strelka
cp /etc/logstash/logstash-template.json /etc/logstash/custom
sed -i 's/]/, "logstash-strelka-*"]/' /etc/logstash/custom/logstash-template.json
# Modify securityonion.conf so that it mounts the new template file
if grep -q "strelka" /etc/nsm/securityonion.conf; then
echo "Strelka config already present in securityonion.conf, so skipping..."
else
sed -i 's/^LOGSTASH_OPTIONS=*/LOGSTASH_OPTIONS="-v \/etc\/logstash\/logstash-strelka-template.json:\/logstash-strelka-template.json:ro"/' /etc/nsm/securityonion.conf
fi
# Load Stelka dashboards
for i in /opt/securityonion-strelka/dashboards/*.json; do
curl -XPOST localhost:5601/api/kibana/dashboards/import?force=true -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @$i
done
# Restarting Logstash..."
so-logstash-restart
# Start Strelka
echo "Starting Strelka..."
so-strelka-start
# Add service file and enable the service so Strelka starts on boot
echo "Configuring Strelka to start on boot..."
cp /opt/securityonion-strelka/etc/systemd/system/strelka.service /etc/systemd/system/strelka.service
systemctl enable strelka.service
echo "Done!"