Configurations - mata-elang-stable/MataElang-Platform GitHub Wiki
```yaml
services:
  snort:
    environment:
      - NETWORK_INTERFACE=eth1
  snort-parser:
    image: mataelang/snort3-parser:1.1
    environment:
      - MQTT_HOST=172.16.2.30
      - MQTT_PORT=1883
      - MQTT_USERNAME=mataelang
      - MQTT_PASSWORD=mataelang
      - MAX_PCAP_FILES=5
      - SENSOR_ID=<machine-id>
      - MQTT_TOPIC=mataelang/sensor/v3/<sensor-id>
      - SNORT_ALERT_FILE_PATH=/var/log/snort/alert_json.txt
```
Configuration | Description |
---|---|
NETWORK_INTERFACE | Network interface to be monitored by Snort. |
snort-parser.image | Image name of snort-parser. |
MQTT_HOST | IP address of MQTT server. |
MQTT_PORT | Port number of MQTT server. |
MQTT_USERNAME | Username for MQTT authentication. |
MQTT_PASSWORD | Password for MQTT authentication. |
MAX_PCAP_FILES | Maximum retention number of PCAP files. |
SENSOR_ID | ID for identifying the sensor. If no ID is specified, <machine-id> is automatically replaced by the contents of /etc/machine-id. |
MQTT_TOPIC | MQTT topic. <sensor-id> is replaced with the content of the environment variable SENSOR_ID. |
SNORT_ALERT_FILE_PATH | Path to the snort alert file. |
```lua
---------------------------------------------------------------------------
-- 1. configure defaults
---------------------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'any'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------
alert_json = {
    file = true,
    limit = 100,
}

log_pcap = {
    limit = 100, -- in MBytes
}
```
Configuration | Description |
---|---|
HOME_NET | any by default. Set the network address you are protecting. |
EXTERNAL_NET | any by default. Leave as any in most situations. |
alert_json.file | If true , output to file instead of stdout. |
alert_json.limit | Maximum size (MB) of the log file. 0 is unlimited. |
log_pcap.limit | Maximum size (MB) of PCAP file. 0 is unlimited. |
Reference : https://github.com/snort3/snort3/blob/master/lua/snort.lua
```ini
# Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets
oinkcode = <your-oinkcode>
```
Configuration | Description |
---|---|
oinkcode | Specify the oinkcode you have. The oinkcode acts as an API key for downloading rule packages. |
Reference : What is an oinkcode?; How to find your oinkcode.
```dockerfile
FROM mataelang/snort-base:3.1.47.0
```
Configuration | Description |
---|---|
FROM | Set Snort base image name. |
```text
source-directory /etc/network/interfaces.d

auto eth1
iface eth1 inet manual
    address 0.0.0.0/0
    up ip link set eth1 promisc on
    down ip link set eth1 promisc off

auto eth2
iface eth2 inet static
    address 172.16.2.10/24
```
Configuration | Description |
---|---|
auto [network interface] | Specify the network interface to be brought up at system boot. The network interface can be found with ip a command. |
iface [network interface] inet [static/manual] | Define the configuration method of the network interface. static is used to allocate a static IP address. manual is used to configure the interface with up/down commands as shown below. |
address [IP address] | Specify the IP address in CIDR format for the interface. One is for the monitoring interface and the other is for the DC side interface. Mata Elang normally uses IP address 0.0.0.0/0 for the monitoring interface. |
[up/down] ip link set [network interface] promisc [on/off] | Enable/disable promiscuous mode when the interface is brought up/down. Promiscuous mode makes a network interface pass all incoming traffic to the host, so it is set on the monitoring interface. |
Reference : http://manpages.ubuntu.com/manpages/trusty/man5/interfaces.5.html
```yaml
services:
  mosquitto:
    image: eclipse-mosquitto:2.0.15
    ports:
      - 1883:1883
```
Configuration | Description |
---|---|
mosquitto.image | Docker image name of mosquitto. |
mosquitto.ports | Exposed ports of host and container for mosquitto. |
```text
listener 1883
allow_anonymous false
persistence true
persistence_location /mosquitto/data/
autosave_interval 60
queue_qos0_messages true
max_queued_messages 100000
max_inflight_messages 10000
connection_messages true
log_dest stdout
persistent_client_expiration 1h
password_file /mosquitto/config/password_file
```
Configuration | Description |
---|---|
listener | Listen port for incoming network connection. |
allow_anonymous | If true and password_file is undefined, the client can connect without authentication. If false, the client must authenticate with a username and password. |
persistence | If true, data will be written to the disk in mosquitto.db. If false, data will be stored in memory only. Defaults to false. |
persistence_location | Path where mosquitto.db should be stored. |
autosave_interval | Seconds to wait for mosquitto to save the in-memory database to disk. If set to 0, the in-memory database will only be saved when mosquitto exits. |
queue_qos0_messages | If true, incoming snort messages are queued. Defaults to false. |
max_queued_messages | Maximum number of messages to hold in the queue. Defaults to 1000. Set to 0 for no maximum (not recommended). |
max_inflight_messages | Maximum number of outgoing messages that can be sent simultaneously. Defaults to 20. Set to 0 for no maximum. If set to 1, this will guarantee in-order delivery of messages. |
connection_messages | If set to true, the log will include entries when clients connect and disconnect. If set to false, these entries will not appear. |
log_dest | Destination to send log messages. Possible destinations are: stdout stderr syslog topic file dlt. |
persistent_client_expiration | Grace time for removing unconnected sessions. |
password_file | Path to a password file. |
Reference : https://mosquitto.org/man/mosquitto-conf-5.html
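An added check, not part of the wiki or the Mata Elang project, that applies the allow_anonymous / password_file rules from the table above to a mosquitto.conf and also reports listeners that carry credentials without TLS (Mosquitto's certfile and keyfile directives). The sample configuration is a constructed copy of the one shown above.

```python
# Constructed copy of the mosquitto.conf shown above, used as sample input.
SAMPLE_CONF = """\
listener 1883
allow_anonymous false
persistence true
persistence_location /mosquitto/data/
password_file /mosquitto/config/password_file
"""

def parse_mosquitto_conf(text):
    """Return mosquitto.conf directives as (key, value) pairs in file order.
    Comment lines start with '#'; duplicates (e.g. several listeners) are kept."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        pairs.append((key, value.strip()))
    return pairs

def auth_findings(text):
    """Evaluate the authentication posture of a mosquitto.conf.
    Returns a list of findings; an empty list means every listener requires
    credentials and serves them over TLS."""
    pairs = parse_mosquitto_conf(text)
    values = dict(pairs)  # last occurrence of a global directive wins
    findings = []
    # Mosquitto 2.0 defaults allow_anonymous to false once a listener is configured.
    anonymous = values.get("allow_anonymous", "false").lower() == "true"
    if anonymous:
        findings.append("allow_anonymous true: clients may connect without credentials")
    elif "password_file" not in values:
        findings.append("allow_anonymous false but no password_file: no client can authenticate")
    # certfile/keyfile belong to the listener block they follow; a listener without
    # both before the next 'listener' line serves plaintext MQTT.
    current, tls = None, set()
    for key, value in pairs:
        if key == "listener":
            current = value
        elif key in ("certfile", "keyfile") and current is not None:
            tls.add((current, key))
    for listener in [v for k, v in pairs if k == "listener"]:
        if not {(listener, "certfile"), (listener, "keyfile")} <= tls:
            findings.append(f"listener {listener}: no certfile/keyfile, credentials travel in cleartext")
    return findings

if __name__ == "__main__":
    for finding in auth_findings(SAMPLE_CONF):
        print(finding)
```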
Item | Value |
---|---|
Mosquitto IP address | 172.16.2.30 |
Kafka IP address | 172.16.2.40 |
MQTT_USERNAME | (Username defined on Mosquitto) |
MQTT_PASSWORD | (Password defined on Mosquitto) |
```yaml
services:
  mqtt-source:
    image: mataelang/kafka-mqtt-source:1.1
    container_name: mqtt-source
    environment:
      MQTT_HOST: 172.17.0.1
      MQTT_PORT: 1883
      MQTT_USERNAME: mataelang
      MQTT_PASSWORD: mataelang
      MQTT_TOPIC: mataelang/sensor/v3/+
      KAFKA_BOOSTRAP_SERVERS: kafka:9092
      KAFKA_PRODUCE_TOPIC: sensor_events
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 64M
        reservations:
          cpus: '0.25'
          memory: 32M
  zookeeper:
    image: confluentinc/cp-zookeeper:7.3.0
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
    volumes:
      - zookeeper_data:/var/lib/zookeeper/data
      - zookeeper_log:/var/lib/zookeeper/log
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
  kafka:
    image: confluentinc/cp-kafka:7.3.0
    depends_on:
      - zookeeper
    ports:
      - target: 9093
        published: 9093
        protocol: tcp
        mode: host
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,EXTERNAL:PLAINTEXT
      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,EXTERNAL://172.17.0.1:9093
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
      KAFKA_LOG_SEGMENT_BYTES: 536870912 # 512MB
      KAFKA_LOG_RETENTION_BYTES: 536870912 # 512MB
      KAFKA_LOG_RETENTION_MS: 86400000 # 1 day
    volumes:
      - kafka_data:/var/lib/kafka/data
    deploy:
      mode: replicated
      replicas: 1
      resources:
        limits:
          cpus: '0.5'
          memory: 2G
        reservations:
          cpus: '0.25'
          memory: 1G
  control-center:
    image: provectuslabs/kafka-ui
    container_name: control-center
    depends_on:
      - zookeeper
      - kafka
      - mqtt-source
    ports:
      - "9021:8080"
    environment:
      KAFKA_CLUSTERS_0_NAME: MataElangKafkaCluster
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092
      KAFKA_CLUSTERS_0_ZOOKEEPER: zookeeper:2181
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 768M
        reservations:
          cpus: '0.25'
          memory: 384M
```
Configuration | Description |
---|---|
MQTT_HOST | Host name of MQTT server. |
MQTT_PORT | Port number of MQTT server. |
MQTT_USERNAME | Username for MQTT authentication. |
MQTT_PASSWORD | Password for MQTT authentication. |
MQTT_TOPIC | MQTT topic filter to subscribe to. The + wildcard matches exactly one topic level, so mataelang/sensor/v3/+ receives the messages of every sensor that publishes to mataelang/sensor/v3/<sensor-id>. |
KAFKA_BOOSTRAP_SERVERS | Host name and port of the Kafka instances. |
KAFKA_PRODUCE_TOPIC | Name of the Kafka topic that the received messages are queued in. |
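An added check, not part of the wiki or the Mata Elang code, that ties the two tables together: it applies the <machine-id> and <sensor-id> substitutions described for the snort-parser environment, then tests the resulting publish topic against the mqtt-source subscription filter mataelang/sensor/v3/+ with MQTT wildcard matching. The `read_machine_id` hook and the `SENSOR_ENV` dictionary are assumptions so the check can run without /etc/machine-id.

```python
from pathlib import Path

# Constructed stand-in for the snort-parser environment shown earlier on this page;
# in the deployment these values come from the sensor's docker-compose.yml.
SENSOR_ENV = {
    "SENSOR_ID": "<machine-id>",
    "MQTT_TOPIC": "mataelang/sensor/v3/<sensor-id>",
}
# Subscription filter used by the mqtt-source container on the Kafka host.
SOURCE_FILTER = "mataelang/sensor/v3/+"

def _machine_id_from_file(path="/etc/machine-id"):
    return Path(path).read_text(encoding="utf-8").strip()

def resolve_sensor_env(env, read_machine_id=_machine_id_from_file):
    """Apply the two substitutions the tables describe: an empty SENSOR_ID or the
    literal <machine-id> becomes the contents of /etc/machine-id, then <sensor-id>
    inside MQTT_TOPIC becomes SENSOR_ID. read_machine_id is an assumed hook."""
    out = dict(env)
    sensor_id = out.get("SENSOR_ID", "")
    if sensor_id in ("", "<machine-id>"):
        sensor_id = read_machine_id()
    out["SENSOR_ID"] = sensor_id
    out["MQTT_TOPIC"] = out.get("MQTT_TOPIC", "").replace("<sensor-id>", sensor_id)
    return out

def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 topic filter matching: '+' matches exactly one level, '#' matches
    all remaining levels and may only be the last level; '$'-prefixed topics are
    never matched by a leading wildcard."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def check_sensor_routing(env, topic_filter=SOURCE_FILTER, read_machine_id=_machine_id_from_file):
    """Resolve the sensor's environment and report whether the topic it will publish
    to is covered by the source's subscription. Returns (topic, ok, reason)."""
    resolved = resolve_sensor_env(env, read_machine_id)
    topic = resolved["MQTT_TOPIC"]
    if "+" in topic or "#" in topic:
        return topic, False, "publish topics must not contain wildcards"
    if "/" in resolved["SENSOR_ID"]:
        return topic, False, "SENSOR_ID contains '/', which adds a topic level the '+' filter will not match"
    if topic_matches(topic_filter, topic):
        return topic, True, "ok"
    return topic, False, "topic is not covered by the subscription filter"

if __name__ == "__main__":
    print(check_sensor_routing(SENSOR_ENV))
```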
Configuration | Description |
---|---|
ZOOKEEPER_CLIENT_PORT | Port number for connections by clients. |
ZOOKEEPER_TICK_TIME | Basic time unit in milliseconds, used for heartbeats; the minimum session timeout is twice the tickTime. |
Reference : https://docs.confluent.io/platform/current/installation/docker/config-reference.html
Configuration | Description |
---|---|
KAFKA_BROKER_ID | ID of this kafka instance. |
KAFKA_ZOOKEEPER_CONNECT | Host name and port number of zookeeper. |
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP | Defines key/value pairs for the security protocol to use, per listener name. |
KAFKA_ADVERTISED_LISTENERS | A comma-separated list of listeners with their host/IP and port. This is the metadata that is passed back to clients. |
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR | Replication factor of the internal topic that stores consumer offsets. |
KAFKA_TRANSACTION_STATE_LOG_MIN_ISR | The minimum number of replicas that must acknowledge a write for the write to be considered successful. |
KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR | The replication factor for the transaction topic. Internal topic creation will fail until the cluster size meets this replication factor requirement. |
KAFKA_LOG_SEGMENT_BYTES | This configuration controls the segment file size for the log. Retention and cleaning is always done a file at a time so a larger segment size means fewer files but less granular control over retention. |
KAFKA_LOG_RETENTION_BYTES | This configuration controls the maximum size a partition can grow to before we will discard old log segments to free up space. |
KAFKA_LOG_RETENTION_MS | This configuration controls the maximum time we will retain a log before we will discard old log segments to free up space. If set to -1, no time limit is applied. |
Reference : https://kafka.apache.org/documentation/#brokerconfigs
Reference : https://docs.confluent.io/platform/current/installation/configuration/topic-configs.html
Reference : https://docs.confluent.io/platform/current/kafka/multi-node.html#configure-multi-node-environment
Configuration | Description |
---|---|
KAFKA_CLUSTERS_0_NAME | Cluster name. |
KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS | Host name and port of the bootstrap server to connect to. |
KAFKA_CLUSTERS_0_ZOOKEEPER | Host name and port of zookeeper where to connect. |
Reference : https://github.com/provectus/kafka-ui
Item | Value |
---|---|
Hadoop IP address (network interface) | 172.16.2.50 |
Hadoop IP address (docker0 interface) | 172.17.0.1 |
User who runs Hadoop service | ubuntu |
```bash
### Append to the end of the file.
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
export HADOOP_HOME=/usr/local/hadoop
export PATH=$PATH:$HADOOP_HOME/sbin:$HADOOP_HOME/bin
```

```bash
### Line 55: Change JAVA_HOME.
# export JAVA_HOME=
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
```
```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://172.17.0.1:9000</value>
  </property>
  <property>
    <name>io.file.buffer.size</name>
    <value>65536</value>
  </property>
</configuration>
```
Parameter | Description |
---|---|
fs.defaultFS | URI of NameNode(hdfs://host:port/). |
io.file.buffer.size | Size of read/write buffer used in SequenceFiles. |
Reference: https://hadoop.apache.org/docs/r3.1.4/hadoop-project-dist/hadoop-common/ClusterSetup.html
Reference: https://hadoop.apache.org/docs/r3.1.4/hadoop-project-dist/hadoop-common/core-default.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
  <property>
    <name>dfs.namenode.name.dir</name>
    <value>/home/ubuntu/hadoop/dfs/name</value>
  </property>
  <property>
    <name>dfs.datanode.data.dir</name>
    <value>/home/ubuntu/hadoop/dfs/data</value>
  </property>
  <property>
    <name>dfs.replication</name>
    <value>1</value>
  </property>
  <property>
    <name>dfs.namenode.rpc-bind-host</name>
    <value>0.0.0.0</value>
  </property>
</configuration>
```
Parameter | Description |
---|---|
dfs.namenode.name.dir | Path on the local filesystem where the NameNode stores the namespace and transactions logs persistently. |
dfs.datanode.data.dir | Comma separated list of paths on the local filesystem of a DataNode where it should store its blocks. |
dfs.replication | Default block replication. The actual number of replications can be specified when the file is created. |
dfs.namenode.rpc-bind-host | The actual address the RPC server will bind to. If this optional address is set, it overrides only the hostname portion of dfs.namenode.rpc-address. |
Reference: https://hadoop.apache.org/docs/r3.1.4/hadoop-project-dist/hadoop-common/ClusterSetup.html
Reference: https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml
Item | Value |
---|---|
Spark IP address | 172.16.2.50 |
Hadoop IP address (docker0 interface) | 172.17.0.1 |
Kafka IP address | 172.16.2.40 |
Hadoop user | ubuntu |
```bash
HADOOP_USER_NAME=ubuntu
SPARK_EVENTLOG_DIR=hdfs://172.17.0.1:9000/user/ubuntu/spark/spark-events
SPARK_APP_JAR_PATH=hdfs://172.17.0.1:9000/user/ubuntu/kaspacore/files/kaspacore.jar
SPARK_HISTORY_OPTS="-Dspark.history.fs.logDirectory=hdfs://172.17.0.1:9000/user/ubuntu/spark/spark-events"
```
Configuration | Description |
---|---|
SPARK_EVENTLOG_DIR | Directory where Spark events are logged. |
SPARK_APP_JAR_PATH | HDFS path of the Spark application JAR (kaspacore.jar) to be submitted. |
SPARK_HISTORY_OPTS | Configuration options for the history server (default: none). |
spark.history.fs.logDirectory | For the filesystem history provider, the URL to the directory containing application event logs to load. |
Reference : https://spark.apache.org/docs/latest/spark-standalone.html
Reference : https://spark.apache.org/docs/3.3.1/monitoring.html
```bash
SPARK_MASTER=spark://spark-master:7077
SPARK_CHECKPOINT_PATH=hdfs://172.17.0.1:9000/user/ubuntu/kafka-checkpoint
TIMEZONE=UTC
KAFKA_BOOTSTRAP_SERVERS=172.17.0.1:9093
KAFKA_INPUT_STARTING_OFFSETS=latest
SENSOR_STREAM_INPUT_TOPIC=sensor_events
SENSOR_STREAM_OUTPUT_TOPIC=sensor_events_with_geoip
MAXMIND_DB_PATH=hdfs://172.17.0.1:9000/user/ubuntu/kaspacore/files/GeoLite2-City.mmdb
MAXMIND_DB_FILENAME=GeoLite2-City.mmdb
```
Configuration | Description |
---|---|
SPARK_MASTER | URL (host name and port) of the Spark master the application is submitted to. |
SPARK_CHECKPOINT_PATH | File path where the system will write all the checkpoint information. |
TIMEZONE | Time zone used by the application (UTC in the configuration above). |
KAFKA_BOOTSTRAP_SERVERS | Host name and port of Kafka instances. |
KAFKA_INPUT_STARTING_OFFSETS | The start point when a query is started, either "earliest" which is from the earliest offsets, "latest" which is just from the latest offsets, or a JSON string specifying a starting offset for each TopicPartition. In Mata Elang, "latest" will miss some messages but it can alert on the Dashboard in real time. On the other hand, "earliest" avoids loss of data, but takes longer to process the data, so real-time performance is lost. |
SENSOR_STREAM_INPUT_TOPIC | Name of the topic to be parsed. This must be the same as KAFKA_PRODUCE_TOPIC. |
SENSOR_STREAM_OUTPUT_TOPIC | Name of the Kafka topic that the parsed events are published to. |
MAXMIND_DB_PATH | File path of the GeoLite2 binary database. |
MAXMIND_DB_FILENAME | File name of the GeoLite2 binary database. |
Reference : https://spark.apache.org/docs/latest/structured-streaming-programming-guide.html
```properties
# Worker
spark.worker.cleanup.enabled=true
spark.worker.cleanup.interval=1800
spark.worker.cleanup.appDataTtl=14400

# History Server
spark.history.ui.port=18080
spark.history.retainedApplications=10
spark.history.fs.update.interval=10s
spark.history.fs.cleaner.enabled=true
spark.history.fs.cleaner.interval=1d
spark.history.fs.cleaner.maxAge=7d

# App Configuration
spark.master=spark://spark-master:7077
spark.eventLog.enabled=true
```
Configuration | Description |
---|---|
spark.worker.cleanup.enabled | Enable periodic cleanup of worker or application directories. |
spark.worker.cleanup.interval | Controls the interval, in seconds, at which the worker cleans up old application work dirs on the local machine. |
spark.worker.cleanup.appDataTtl | The number of seconds to retain application work directories on each worker. |
spark.history.ui.port | The port to which the web interface of the history server binds. |
spark.history.retainedApplications | The number of applications to retain UI data for in the cache. |
spark.history.fs.update.interval | The period at which the filesystem history provider checks for new or updated logs in the log directory. |
spark.history.fs.cleaner.enabled | Specifies whether the History Server should periodically clean up event logs from storage. |
spark.history.fs.cleaner.interval | How often the filesystem job history cleaner checks for files to delete. |
spark.history.fs.cleaner.maxAge | History files older than this will be deleted when the filesystem history cleaner runs. |
spark.master | URL (host name and port) of the Spark master the application is submitted to. |
spark.eventLog.enabled | Specifies whether to log Spark events. |
Reference : https://spark.apache.org/docs/latest/spark-standalone.html
Reference : https://spark.apache.org/docs/latest/monitoring.html
```properties
log4j.rootLogger=ERROR, console

# set the log level for these components
log4j.logger.com.test=DEBUG
log4j.logger.org=ERROR
log4j.logger.org.apache.spark=ERROR
log4j.logger.org.spark-project=ERROR
log4j.logger.org.apache.hadoop=ERROR
log4j.logger.io.netty=ERROR
log4j.logger.org.apache.zookeeper=ERROR

# add a ConsoleAppender to the logger stdout to write to the console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout

# use a simple message format
log4j.appender.console.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
```
Configuration | Description |
---|---|
log4j.rootLogger | Level of log output and where it will be output. |
log4j.appender.console | Specify the appender class. |
log4j.appender.console.layout | Specify the layout class. |
log4j.appender.console.layout.ConversionPattern | Specify the layout pattern. See the log4j PatternLayout documentation for the available conversion characters. |
Reference : https://logging.apache.org/log4j/2.x/
Item | Value |
---|---|
Kafka IP address | 172.16.2.40 |
OpenSearch IP address | 172.16.2.60 |
OpenSearch user | (user and password will be set below) |
```text
### Append to the end of the file.
vm.max_map_count=262144
```
Configuration | Description |
---|---|
vm.max_map_count | The maximum number of memory map areas a process may have. |
Reference : https://opensearch.org/docs/2.4/install-and-configure/install-opensearch/index/
```conf
input {
  kafka {
    bootstrap_servers => "172.17.0.1:9093"
    topics => "event_all_10s"
  }
}

filter {
  json {
    source => "message"
    remove_field => ["message", "event"]
  }
}

output {
  opensearch {
    hosts => ["https://opensearch-node1:9200", "https://opensearch-node2:9200"]
    index => "event-all-10s-%{+YYYY.MM.dd}"
    user => "admin"
    password => "admin"
    ssl => true
    ssl_certificate_verification => false
  }
}
```
Configuration | Description |
---|---|
bootstrap_servers | A list of URLs of Kafka instances to use for establishing the initial connection to the cluster. This list should be in the form of host1:port1,host2:port2. |
topics | A list of topics to subscribe to. Topic can be an array like ["event_all_10s", "event_all"] . |
Configuration | Description |
---|---|
source | The field of JSON to be parsed. This is a required setting. There is no default value for this setting. Value type is string. |
remove_field | If this filter is successful, remove the fields from this event. Value type is array. |
Configuration | Description |
---|---|
hosts | Sets the host(s) of the remote instance. If given an array it will load balance requests across the hosts specified in the hosts. Value type is uri. Default value is [//127.0.0.1] . |
index | The index to write events to. Value type is string. |
user | Username for authentication. Value type is string. There is no default value for this setting. |
password | Password for authentication. Value type is password. There is no default value for this setting. |
ssl | Enable SSL/TLS secured communication. Value type is boolean. There is no default value for this setting. |
ssl_certificate_verification | Option to validate the server’s certificate. Disabling this severely compromises security. Value type is boolean. Default value is true. |
Reference : https://www.elastic.co/guide/en/logstash/current/index.html
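An added emulation, not part of the wiki or of Logstash itself, of what the pipeline above does to one Kafka record: the json filter's parse-then-remove_field behaviour (including the _jsonparsefailure tag Logstash applies on bad input) and the expansion of the %{+YYYY.MM.dd} date reference in the index name from the event's @timestamp. The sample event and the function names are constructed for this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample record as the kafka input hands it to the filter stage:
# the raw payload sits in "message"; "event" and "@timestamp" are added by Logstash.
SAMPLE_EVENT = {
    "message": json.dumps({"sensor_id": "abc123", "protocol": "TCP", "count": 7}),
    "event": {"original": "(raw copy of the payload)"},
    "@timestamp": "2023-03-05T12:34:56.000Z",
}

# Joda-style date tokens accepted in %{+...} references, mapped to strftime.
_DATE_TOKENS = {"YYYY": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}

def apply_json_filter(event, source="message", remove_field=("message", "event")):
    """Emulate `json { source => ... remove_field => [...] }`: parse the source
    field as a JSON object and merge its keys into the event at top level. Only
    on success are the remove_field fields dropped; on failure the event is kept
    intact and tagged _jsonparsefailure, as Logstash does."""
    out = dict(event)
    try:
        parsed = json.loads(out[source])
        if not isinstance(parsed, dict):
            raise ValueError("json filter needs an object when no target is set")
    except (KeyError, TypeError, ValueError):
        out["tags"] = list(out.get("tags", [])) + ["_jsonparsefailure"]
        return out
    out.update(parsed)
    for field in remove_field:
        out.pop(field, None)
    return out

def resolve_index(pattern, event):
    """Expand %{field} and %{+DATEFORMAT} references in an index name. The date is
    taken from the event's @timestamp (UTC), so each day's events land in their
    own index; unknown field references stay literal, as in Logstash."""
    ts = event.get("@timestamp")
    when = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            if ts else datetime.now(timezone.utc))

    def expand(match):
        ref = match.group(1)
        if ref.startswith("+"):
            fmt = ref[1:]
            for token, strf in _DATE_TOKENS.items():
                fmt = fmt.replace(token, strf)
            return when.strftime(fmt)
        return str(event.get(ref, match.group(0)))

    return re.sub(r"%\{([^}]+)\}", expand, pattern)

def run_pipeline(event, index_pattern="event-all-10s-%{+YYYY.MM.dd}"):
    """Filter one event and return (index_name, document) as the output stage would."""
    doc = apply_json_filter(event)
    return resolve_index(index_pattern, doc), doc

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_EVENT))
```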
You do not need to configure or change this yourself; you can use the provided file as it is.
Item | Value |
---|---|
Zabbix server | 172.16.2.110 |
Zabbix agent | (Installed on all sensors and servers) |
Zabbix user | Admin (default password is zabbix) |
MySQL root user | root (password will be set below) |
MySQL zabbix user | zabbix (password will be set below) |
You do not need to configure or change this yourself; you can use the provided file as it is.
```ini
### Line 117: Set the IP or DNS names of the Zabbix server
#Server=127.0.0.1
Server=<ZABBIX_SERVER_IP_OR_NAME (e.g. 172.16.2.110)>,172.16.238.0/24

### Line 182: Set the hostname of the Zabbix agent.
#Hostname=Zabbix server
Hostname=<HOSTNAME_OF_AGENT (e.g. zabbix)>
```
Configuration | Value | Description |
---|---|---|
NTP | 0.id.pool.ntp.org (for Internet available network) or 172.20.1.188 (for closed network) | Specifies the NTP server. |
Reference : http://manpages.ubuntu.com/manpages/bionic/man5/timesyncd.conf.5.html
Configuration | Value | Description |
---|---|---|
restrict [network address] mask [netmask] [options] | restrict 172.20.1.0 mask 255.255.255.0 notrap nomodify | Allows the specified network to access NTP server. - notrap: denies control message trap service. - nomodify: responds to time queries, but ignores requests to change the time. |
server [NTP server] prefer | server 127.127.1.0 prefer | Specifies the preferred NTP server. 127.127.1.0 is a pseudo IP address to refer myself used in NTP. |
fudge [clock server] stratum 10 | fudge 127.127.1.0 stratum 10 | Uses the hardware clock of the specified host (usually itself) as a reference, with its stratum set to 10 so it has low priority compared with real NTP servers. If you want to refer to an external NTP server, you can comment it out. |
Reference : http://manpages.ubuntu.com/manpages/bionic/man5/ntp.conf.5.html