Setup with Docker - JPCERTCC/SysmonSearch GitHub Wiki
Precondition
The following instructions are written for Linux (Ubuntu).
Install docker-compose before starting the setup.
How to Set up
Clone the SysmonSearch repository and move to the docker directory:
$ git clone https://github.com/JPCERTCC/SysmonSearch.git
$ cd SysmonSearch/docker/
Specify a proxy server if one is needed to reach the network:
$ vim docker-compose.yml
# Modify the lines as follows:
args:
- http_proxy=[proxy_server_URL]
- https_proxy=[proxy_server_URL]
Run the setup.sh:
$ sh ./setup.sh
Start the Container
The container starts with the following command:
$ docker-compose up
Check that the containers are running
elasticsearch
Elasticsearch should answer on port 9200 of localhost:
$ curl localhost:9200
Kibana
Access [Server IP address]:5601 from a Web browser.
Kibana compiles the plugin at its first startup; this takes several minutes, and the UI is not available until it finishes.
stixioc-import-server
The stixioc-import-server should answer on port 56020 of localhost; converting the bundled sample IOC file confirms it works:
# If run in the docker directory:
$ curl localhost:56020/convert/ioc -F 'file=@../stixioc-import-server/data/sample.ioc.xml'
Cron Configuration
Add the following entries to the crontab on the host OS. Cron does not evaluate a `DATE=...` line (crontab environment assignments are stored literally, with no command substitution), so the previous day's date is computed inside the command itself; the `%` characters are escaped because cron treats an unescaped `%` as a newline:
0,30 * * * * docker exec docker-stixioc-import-server python ../script/collection_statistical_data.py
0,30 * * * * docker exec docker-stixioc-import-server python ../script/collection_alert_data.py
0 1 * * * docker exec docker-stixioc-import-server python ../script/collection_statistical_data.py $(date -d "-1 day" "+\%Y.\%m.\%d")
Edit the script settings so that INDEX_NAME_ORG matches the name of your Elasticsearch index (keep only the assignment that applies):
$ vim script/collection_statistical_data_setting.py
# For INDEX_NAME_ORG, use the index name without the year, month and day suffix.
# If the index name is winlogbeat-yyyy.mm.dd:
INDEX_NAME_ORG = "winlogbeat"
# If the index name is winlogbeat-7.5.1-yyyy.mm.dd:
INDEX_NAME_ORG = "winlogbeat-7.5.1"
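The operational checks above (Elasticsearch on 9200, Kibana on 5601, stixioc-import-server on 56020) and the nightly cron entry can be exercised from the host with one small script. The script below is an added example, not part of the SysmonSearch project: it probes the three endpoints, builds the `<INDEX_NAME_ORG>-yyyy.mm.dd` index name for the previous day exactly as the "0 1 * * *" entry passes it, and asks Elasticsearch whether that index exists before the collection job would read it. The endpoint URLs, the Kibana `/api/status` path and the `--run` flag are assumptions; the index-name logic relies on GNU `date`, as on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the SysmonSearch project): verify the containers
# from the host and build the dated index name the nightly cron job passes.
# URLs below are assumptions matching the ports on the wiki page; override
# them through the environment if the containers are published elsewhere.

ES_URL="${ES_URL:-http://localhost:9200}"
KIBANA_URL="${KIBANA_URL:-http://localhost:5601}"
IOC_URL="${IOC_URL:-http://localhost:56020}"
INDEX_NAME_ORG="${INDEX_NAME_ORG:-winlogbeat}"   # same meaning as in the settings file

# http_ok URL: succeed (0) when the endpoint answers with a status below 500.
# A refused connection, a timeout, or a 5xx (e.g. Kibana still compiling the
# plugin) all count as "not running".
http_ok() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || return 1
    [ "$code" -ge 200 ] 2>/dev/null && [ "$code" -lt 500 ]
}

# previous_day_index BASE YYYY-MM-DD: print BASE-yyyy.mm.dd for the day before
# the reference date, i.e. the value the "0 1 * * *" cron entry passes to
# collection_statistical_data.py (GNU date syntax, handles month/year rollover).
previous_day_index() {
    day=$(date -d "$2 -1 day" "+%Y.%m.%d") || return 1
    printf '%s-%s\n' "$1" "$day"
}

# index_exists NAME: 0 when Elasticsearch reports the index (HEAD /NAME -> 200).
index_exists() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 -I "$ES_URL/$1" 2>/dev/null) || return 1
    [ "$code" = 200 ]
}

# run_checks: report each service, then the index the nightly job will read.
run_checks() {
    rc=0
    for pair in "elasticsearch=$ES_URL" "kibana=$KIBANA_URL/api/status" \
                "stixioc-import-server=$IOC_URL"; do
        name=${pair%%=*}; url=${pair#*=}
        if http_ok "$url"; then
            echo "ok   $name ($url)"
        else
            echo "FAIL $name ($url)"; rc=1
        fi
    done
    idx=$(previous_day_index "$INDEX_NAME_ORG" "$(date +%Y-%m-%d)")
    if index_exists "$idx"; then
        echo "ok   index $idx present"
    else
        echo "WARN index $idx not found; the nightly collection would have nothing to read"
    fi
    return $rc
}

# Only run the checks when invoked as:  sh check_sysmonsearch.sh --run
case "${1:-}" in --run) run_checks ;; esac
```

A non-zero exit status from `--run` means at least one service did not answer, which makes the script usable as a post-`docker-compose up` gate; the index warning is informational, since a fresh deployment has no previous-day index yet.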
Client Setup
Refer to Client Setup