I switched to snort3 with Promtail shipping the JSON alerts to Loki, and that worked.
Promtail and snort3 are both installed on kali-linux.
Installing and configuring snort3 is skipped here; see the snort3 alloy loki post.
Installing and configuring promtail
sudo apt-get update // refresh the package list
sudo apt-get install -y apt-transport-https software-properties-common wget // install the required packages
sudo mkdir -p /etc/apt/keyrings // create the keyring directory
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null // download and add the Grafana GPG key
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | sudo tee /etc/apt/sources.list.d/grafana.list // add the repository
sudo apt-get update // refresh the package list
sudo apt-get install promtail // install promtail
Like alloy, there is one configuration file
sudo nano /etc/promtail/config.yml
sudo usermod -aG adm promtail // add the promtail user to the adm group so it can read system logs
sudo mkdir -p /var/lib/promtail // create the state directory
sudo groupadd promtail // create the promtail group
sudo usermod -aG promtail promtail // add the promtail user to the promtail group
sudo chown -R promtail:promtail /var/lib/promtail // change ownership of the directory
sudo chmod 755 /var/lib/promtail // make sure the permissions are correct
sudo systemctl start promtail // start Promtail
sudo systemctl enable promtail // start it automatically at boot
sudo systemctl status promtail // check the status; active (running) means it worked
sudo -u promtail ls -l /var/log/snort/alert_json.txt // check that the promtail user can read the file
sudo chmod 644 /var/log/snort/alert_json.txt // fix the file permissions
sudo chmod 755 /var/log/snort/ // fix the directory permissions
journalctl -u promtail -f // follow the log to watch what happens
The contents of /etc/promtail/config.yml are below; empty the file first, because a key that appears twice is not valid syntax.
------------------------------------------------------------------------------------------------------------------------
server:
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  filename: /var/lib/promtail/positions.yaml
clients:
  - url: http://localhost:3100/loki/api/v1/push
    # localhost must point at the IP of the Loki container
scrape_configs:
  - job_name: snort3_json_pipeline
    static_configs:
      - targets:
          - localhost
        labels:
          job: snort3
          env: production
          __path__: /var/log/snort/alert_json.txt
    pipeline_stages:
      - json:
          expressions:
            timestamp: timestamp
            action: action
            class: class
            msg: msg
            proto: proto
            src_addr: src_addr
            dst_addr: dst_addr
            src_port: src_port
            dst_port: dst_port
      - labels:
          action:
          class:
          proto:
      - template:
          source: output_msg
          template: '[{{.action}}] {{.proto}} {{.src_addr}}:{{.src_port}} -> {{.dst_addr}}:{{.dst_port}} | {{.msg}}'
      - output:
          source: output_msg
-----------------------------------------------------------------------------------------------------------------------------
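To see what that pipeline actually produces before anything reaches Loki, here is an added example (my own code, not part of the original post or of Promtail) that re-implements the json, labels, template and output stages over a few constructed alert_json lines and assembles the body Promtail would POST to /loki/api/v1/push. The sample alert lines and their field values are constructed for illustration.

```python
import json
import time
from typing import Dict, List, Tuple

# Constructed sample lines in the shape Snort3's alert_json logger writes to alert_json.txt.
SAMPLE_ALERTS = [
    '{"timestamp":"25/01/01-12:00:00.000001","action":"allow","class":"Attempted Information Leak",'
    '"msg":"TEST scan","proto":"TCP","src_addr":"10.0.0.5","dst_addr":"10.0.0.9","src_port":44321,"dst_port":80}',
    '{"timestamp":"25/01/01-12:00:01.000002","action":"block","class":"Misc Attack",'
    '"msg":"TEST flood","proto":"UDP","src_addr":"10.0.0.7","dst_addr":"10.0.0.9","src_port":5353,"dst_port":53}',
    "not json at all",  # a malformed line, to show the failure path
]
STATIC_LABELS = {"job": "snort3", "env": "production"}
EXPRESSIONS = ["timestamp", "action", "class", "msg", "proto",
               "src_addr", "dst_addr", "src_port", "dst_port"]
LABEL_FIELDS = ["action", "class", "proto"]  # low-cardinality fields only
TEMPLATE = "[{action}] {proto} {src_addr}:{src_port} -> {dst_addr}:{dst_port} | {msg}"


def run_pipeline(line: str) -> Tuple[Dict[str, str], str]:
    """Apply the json -> labels -> template -> output stages to one line.
    Returns (labels, stored_line). A line the json stage cannot parse is kept
    verbatim with only the static labels, which is how Promtail behaves."""
    labels = dict(STATIC_LABELS)
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return labels, line
    # json stage: extracted values are stringified (ports arrive as integers)
    extracted = {k: str(doc[k]) for k in EXPRESSIONS if k in doc}
    # labels stage: promote only action/class/proto, never the addresses
    labels.update({k: extracted[k] for k in LABEL_FIELDS if k in extracted})
    # template + output stages: this rewritten text is what Loki stores
    stored = TEMPLATE.format(**{k: extracted.get(k, "") for k in EXPRESSIONS})
    return labels, stored


def build_push_body(lines: List[str]) -> dict:
    """Group processed lines into the body Promtail POSTs to /loki/api/v1/push.
    No timestamp stage is configured, so the ingest time is used, as Promtail does."""
    streams: Dict[Tuple[Tuple[str, str], ...], List[List[str]]] = {}
    for line in lines:
        labels, stored = run_pipeline(line)
        key = tuple(sorted(labels.items()))
        streams.setdefault(key, []).append([str(time.time_ns()), stored])
    return {"streams": [{"stream": dict(k), "values": v} for k, v in streams.items()]}

if __name__ == "__main__":
    print(json.dumps(build_push_body(SAMPLE_ALERTS), indent=2))
```

Keeping src_addr and dst_addr in the line rather than in labels is deliberate: every distinct label value set becomes its own Loki stream, so labelling on addresses would explode cardinality on a busy sensor.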
Create the containers
docker-compose.yml
-----------------------------------------------------------------------------------------------------------------------------
services:
  # Loki:
  loki:
    image: "grafana/loki:latest"
    ports:
      - "3100:3100"
    command: -config.file=/etc/loki/local-config.yaml
    restart: always
  # Grafana:
  grafana:
    image: "grafana/grafana:latest"
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin # admin/admin
    restart: always
-----------------------------------------------------------------------------------------------------------------------------
job: snort3 // the main label to search on in Grafana
