Libellux

Appearance

OpenSearch

OpenSearch is an open-source, distributed search and analytics engine. It offers powerful search capabilities, including full-text search, real-time analytics, and visualization tools. With its modular architecture and extensive plugin ecosystem, OpenSearch is widely used for log analytics, monitoring, and other data-intensive applications in diverse industries.

Buy Me a Coffee at ko-fi.com

Install OpenSearch

We will set up OpenSearch and its dashboard, integrating Fluentd into our OSSEC server to seamlessly forward alerts for comprehensive analysis. Our main emphasis will be on the efficient integration of Fluentd into our OSSEC server for alert forwarding to OpenSearch, rather than extensive exploration of OpenSearch itself.

INFO

Supported distributions:

  • Ubuntu 22.04 (Jammy Jellyfish)

TIP

For a more comprehensive guide on how to install and configure OpenSearch visit the official website.

sudo apt-get update --assume-yes

shellsession
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.12.0/opensearch-2.12.0-linux-x64.deb

INFO

Password must be minimum 10 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character.

sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD="<PASSWORD>" dpkg -i opensearch-2.12.0-linux-x64.deb

sudo systemctl enable opensearch

sudo systemctl start opensearch

Install OpenSearch Dashboard

TIP

For a more comprehensive guide on how to install and configure OpenSearch Dashboard visit the official website.

fail2ban temp

Open the Fail2Ban configuration file. Typically, this file is located at /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local.

Search for the section related to the jail you want to modify. Jails are defined with square brackets, for example [sshd] for the SSH jail.

Within the jail definition, look for the banaction parameter. This parameter specifies the action to take when a rule is triggered. The default action is usually iptables-multiport or similar.

Change the value of the banaction parameter to %(banaction_allports)s, which is a non-blocking action that only logs the intrusion attempt without taking any active response.

Save the file and close it.

Restart the Fail2Ban service to apply the changes. You can do this by running:

Install Fluent Bit

xml
<match debug.**>
  @type stdout
  @id output_stdout
</match>
<source>
  @type tail
  path /var/ossec/logs/alerts/alerts.json
  pos_file /var/ossec/tmp/pos.alerts.json
  tag ossec_alert
  emit_unmatched_lines true
  <parse>
    @type json
  </parse>
</source>
<match ossec_alert>
 @type opensearch
 @id out_os
 @log_level info
  host "opensearch-node1"
  port "9200"
  scheme "https"
  ssl_verify "false"
  suppress_type_name true
  retry_limit False
  reconnect_on_error true
  reload_on_failure true
  include_timestamp true
  logstash_format true
  logstash_prefix atomicorp-alerts-4.0
  user admin
  password ADMIN_PASSWORD
  <buffer>
    @type file
    path /var/log/calyptia-fluentd/buffer
  </buffer>
</match>

wget https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.12.0/opensearch-dashboards-2.12.0-linux-x64.tar.gz tar -zxf opensearch-dashboards-2.12.0-linux-x64.tar.gz

cd opensearch-dashboards-2.12.0/ ./bin/opensearch-dashboards

wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.12.0/opensearch-2.12.0-linux-x64.tar.gz

tar -xvf opensearch-2.12.0-linux-x64.tar.gz

sudo swapoff -a

sudo nano /etc/sysctl.conf

vm.max_map_count=262144

sudo sysctl -p

cat /proc/sys/vm/max_map_count

nano opensearch-2.12.0/config/opensearch.yml

nano opensearch-2.12.0/config/jvm.options

cd opensearch-2.12.0/config/

openssl genrsa -out root-ca-key.pem 2048 openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730

openssl genrsa -out admin-key-temp.pem 2048 openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

openssl genrsa -out node1-key-temp.pem 2048 openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem

openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr

echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

rm *temp.pem *csr *ext

#! /bin/bash

Before running this script, make sure to replace the /path/to your OpenSearch directory,

and remember to replace the CN in the node's distinguished name with a real

DNS A record.

echo "plugins.security.ssl.transport.pemcert_filepath: /home/toothpick/opensearch-2.12.0/config/node1.pem" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.ssl.transport.pemkey_filepath: /home/toothpick/opensearch-2.12.0/config/node1-key.pem" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.ssl.transport.pemtrustedcas_filepath: /home/toothpick/opensearch-2.12.0/config/root-ca.pem" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.ssl.http.enabled: true" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.ssl.http.pemcert_filepath: /home/toothpick/opensearch-2.12.0/config/node1.pem" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.ssl.http.pemkey_filepath: /home/toothpick/opensearch-2.12.0/config/node1-key.pem" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.ssl.http.pemtrustedcas_filepath: /home/toothpick/opensearch-2.12.0/config/root-ca.pem" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.allow_default_init_securityindex: true" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.authcz.admin_dn:" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo " - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.nodes_dn:" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo " - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.audit.type: internal_opensearch" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.enable_snapshot_restore_privilege: true" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.check_snapshot_restore_write_privileges: true" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml echo "plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]" | sudo tee -a /home/toothpick/opensearch-2.12.0/config/opensearch.yml

chmod 755 ~/opensearch-2.12.0/plugins/opensearch-security/tools/*.sh

OPENSEARCH_JAVA_HOME=~/opensearch-2.12.0/jdk ./hash.sh

** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 **

[Password:] $2y$12$qzZAKdSDdjntgS9EMzo7r.C0tEvdS/oR87bjWGYhXHN5ovlYIK3yq

nano ~/opensearch-2.12.0/config/opensearch-security/internal_users.yml

This is the internal user database

The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta: type: "internalusers" config_version: 2

Define your internal users here

admin: hash: "$2y$1EXAMPLEQqwS8TUcoEXAMPLEeZ3lEHvkEXAMPLERqjyh1icEXAMPLE." reserved: true backend_roles:

  • "admin" description: "Admin user"

cd ~/opensearch-2.12.0/bin

./opensearch

cd ~/opensearch-2.12.0/plugins/opensearch-security/tools

OPENSEARCH_JAVA_HOME=~/opensearch-2.12.0/jdk ./securityadmin.sh -cd ~/opensearch-2.12.0/config/opensearch-security/ -cacert ~/opensearch-2.12.0/config/root-ca.pem -cert ~/opensearch-2.12.0/config/admin.pem -key ~/opensearch-2.12.0/config/admin-key.pem -icl -nhnv

Install Filebeat

Install Vector

Install Vector as an agent.

bash -c "$(curl -L https://setup.vector.dev)"

sudo dnf install --assume-yes vector

INFO

Supported distributions:

  • Ubuntu 22.04 (Jammy Jellyfish)
  • Debian 12 (Bookworm)
  • Rocky Linux 9 (Blue Onyx)
shellsession
sudo apt-get update --assume-yes
shellsession
sudo dnf update --assumeyes
sudo dnf install --assumeyes dnf-utils
sudo dnf install --assumeyes epel-release
sudo dnf install --assumeyes epel-next-release
sudo dnf upgrade --assumeyes
sudo yum config-manager --set-enabled powertools

Better Uptime Website Monitoring