#!/bin/bash
# HELK script: helk_install.sh
# HELK script description: Start
# HELK build version: 0.9 (Alpha)
# HELK ELK version: 6.2.3
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: BSD 3-Clause
# *********** Check if user is root ***************
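if [[ $EUID -ne 0 ]]; then
  # Diagnostics go to stderr so they are not mixed into captured stdout.
  echo "[HELK-INSTALLATION-INFO] YOU MUST BE ROOT TO RUN THIS SCRIPT!!!" >&2
  exit 1
fi
# Every installer step appends its command output here; the install
# functions below reference it as "$LOGFILE" rather than repeating the path.
LOGFILE="/var/log/helk-install.log"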
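#######################################
# Print an error line to stderr.
# Globals:   RC, EC (read; colour prefix/suffix, empty when unset)
# Arguments: the message, all positional parameters joined by a space
# Outputs:   " * ERROR: <message>" on stderr
#######################################
echoerror() {
  # The message is passed as a printf argument, never as the format string:
  # an error text containing '%' (e.g. "disk 100% full") would otherwise be
  # interpreted as a conversion directive and garble or abort the output.
  printf '%s * ERROR%s: %s\n' "${RC:-}" "${EC:-}" "$*" >&2
}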
# *********** Check System Kernel Name ***************
# Kernel name as reported by uname(1), e.g. "Linux" or "Darwin"; read by
# check_min_requirements and get_host_ip to pick the platform-specific path.
systemKernel=$(uname -s)
# ********** Check Minimum Requirements **************
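#######################################
# Verify the host has enough resources to run HELK.
# On Linux the check is enforced: at least 12 GB of *available* memory
# (MemAvailable, column 7 of `free`) and 30 GB free on the root
# filesystem. On other kernels the numbers cannot be collected here, so
# only a reminder is printed and the script continues.
# Globals:   systemKernel (read)
#            AVAILABLE_MEMORY, AVAILABLE_DISK (written, whole GB)
#            ES_MEMORY (written, half of available memory in GB; used
#            later in the script, presumably for the Elasticsearch heap)
# Returns:   0; exits 1 when a Linux host is below the thresholds
#######################################
check_min_requirements(){
  local min_memory_gb=12
  # NOTE(review): the reminder text below and the release notes say 50 GB,
  # but the enforced value has always been 30 — confirm which is intended.
  local min_disk_gb=30
  echo "[HELK-INSTALLATION-INFO] HELK being hosted on a $systemKernel box"
  if [ "$systemKernel" == "Linux" ]; then
    # Ask for fixed MB units rather than -h: human-readable output carries a
    # unit suffix, so awk's numeric conversion would read "900M" as 900 and
    # "1.5G" as 1, making the comparison below meaningless. Column 7 is
    # "available" (reclaimable cache included), which is what the services
    # can actually use; on a `free` without that column this yields 0 and
    # the check fails loudly instead of passing on bad data.
    AVAILABLE_MEMORY=$(free -m | awk 'NR==2{printf "%.f", $7/1024}')
    ES_MEMORY=$(free -m | awk 'NR==2{printf "%.f", $7/2048}')
    # -P keeps each filesystem on one line even with long device names.
    AVAILABLE_DISK=$(df -Pm / | awk '$NF=="/"{printf "%.f", $4/1024}')
    if [ "${AVAILABLE_MEMORY:-0}" -ge "$min_memory_gb" ] && [ "${AVAILABLE_DISK:-0}" -ge "$min_disk_gb" ]; then
      echo "[HELK-INSTALLATION-INFO] Available Memory: $AVAILABLE_MEMORY"
      echo "[HELK-INSTALLATION-INFO] Available Disk: $AVAILABLE_DISK"
    else
      echo "[HELK-INSTALLATION-ERROR] YOU DO NOT HAVE ENOUGH AVAILABLE MEMORY OR DISK SPACE"
      echo "[HELK-INSTALLATION-ERROR] Available Memory: $AVAILABLE_MEMORY"
      echo "[HELK-INSTALLATION-ERROR] Available Disk: $AVAILABLE_DISK"
      echo "[HELK-INSTALLATION-ERROR] Check the requirements section in our installation Wiki"
      echo "[HELK-INSTALLATION-ERROR] Installation Wiki: https://github.com/Cyb3rWard0g/HELK/wiki/Installation"
      exit 1
    fi
  else
    echo "[HELK-INSTALLATION-INFO] Make sure you have at least 12GB of available memory!!!!!!"
    echo "[HELK-INSTALLATION-INFO] Make sure you have at least 50GB of available disk space!!!!!"
    echo "[HELK-INSTALLATION-INFO] I could not calculate available memory or disk space for $systemKernel!!!!!"
  fi
}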
# *********** Getting Jupyter Token ***************
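#######################################
# Wait until the Jupyter server answers on localhost:8880, then read the
# notebook login token out of the helk-jupyter container.
# Globals:   LOGFILE (read)
#            jupyter_token (written; consumed later by the script)
# Outputs:   progress line on stdout; docker/grep errors go to $LOGFILE
#######################################
get_jupyter_token(){
  echo "[HELK-INSTALLATION-INFO] Waiting for HELK services and Jupyter Server to start.."
  # Polls until the port is served; there is deliberately no upper bound,
  # since first start-up time depends on the host.
  until curl -s localhost:8880 -o /dev/null; do
    sleep 1
  done
  # No -t: a pseudo-TTY is not needed for a non-interactive command and
  # fails (or appends \r) when the script's stdin is not a terminal.
  # Only stderr is sent to the log — the token is a credential and must not
  # be written there. The original redirect hung off the bare assignment,
  # so it never captured the pipeline's errors at all.
  jupyter_token="$(docker exec helk-jupyter jupyter notebook list 2>>"$LOGFILE" \
    | grep -oP '(?<=token=).*(?= ::)' 2>>"$LOGFILE" \
    | awk '{$1=$1};1')"
}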
# ********** Install Curl ********************
#######################################
# Ensure curl is present before the docker installer (which needs it) runs;
# installs it with apt-get when missing.
# Globals:   LOGFILE (read), ERROR (written)
# Returns:   0 when curl is usable; exits 1 when apt-get fails
#######################################
install_curl(){
  echo "[HELK-INSTALLATION-INFO] Checking if curl is installed first"
  local curl_path
  curl_path=$(command -v curl)
  if [ -x "$curl_path" ]; then
    echo "[HELK-INSTALLATION-INFO] curl is already installed"
    return 0
  fi
  echo "[HELK-INSTALLATION-INFO] curl is not installed"
  echo "[HELK-INSTALLATION-INFO] Installing curl before installing docker.."
  # Debian/Ubuntu only: the script assumes an apt-based host.
  apt-get install -y curl >> "$LOGFILE" 2>&1
  ERROR=$?
  if [ "$ERROR" -ne 0 ]; then
    echoerror "Could not install curl (Error Code: $ERROR)."
    exit 1
  fi
}
# *********** Building and Running HELK Images ***************
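#######################################
# Build the HELK images and start the stack with docker-compose, using the
# compose file in the current working directory.
# Globals:   LOGFILE (read), ERROR (written)
# Returns:   0 on success; exits 1 when the build or the start-up fails
#######################################
install_helk(){
  echo "[HELK-INSTALLATION-INFO] Building HELK via docker-compose"
  # ****** Building HELK ***********
  docker-compose build >> "$LOGFILE" 2>&1
  ERROR=$?
  if [ $ERROR -ne 0 ]; then
    echoerror "Could not build HELK via docker-compose (Error Code: $ERROR)."
    # Point at the configured log path instead of a hard-coded copy of it.
    echo "get more details in $LOGFILE locally"
    exit 1
  fi
  # ****** Running HELK ***********
  echo "[HELK-INSTALLATION-INFO] Running HELK via docker-compose"
  docker-compose up -d >> "$LOGFILE" 2>&1
  ERROR=$?
  if [ $ERROR -ne 0 ]; then
    echoerror "Could not run HELK via docker-compose (Error Code: $ERROR)."
    echo "get more details in $LOGFILE locally"
    exit 1
  fi
}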
# ****** Installing via convenience script ***********
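install_docker(){
  # Install Docker Engine with Docker's convenience script; if that fails and
  # snap is present, retry with "snap install docker". Every command's output
  # goes to $LOGFILE. Sets the global ERROR to the failing step's exit status
  # and exits 1 when neither method installs docker.
  #
  # The script is fetched from the network and executed as root, so the
  # download is pinned to https (a bare host name lets curl default to plain
  # http) and is only executed after curl reports a clean transfer (-f turns
  # an HTTP error into a non-zero exit instead of saving the error page).
  local script_path
  local rc
  echo "[HELK-INSTALLATION-INFO] Installing docker via convenience script.."
  # Unpredictable temp path instead of ./get-docker.sh in the current directory;
  # fall back to the old location only if mktemp itself fails.
  script_path="$(mktemp)" || script_path="./get-docker.sh"
  curl -fsSL https://get.docker.com -o "$script_path" >> "$LOGFILE" 2>&1
  rc=$?
  if [ "$rc" -eq 0 ]; then
    # Run through sh: no chmod needed and the temp dir may be mounted noexec.
    sh "$script_path" >> "$LOGFILE" 2>&1
    rc=$?
  fi
  rm -f -- "$script_path"
  ERROR=$rc
  if [ "$ERROR" -ne 0 ]; then
    echoerror "Could not install docker via convenience script (Error Code: $ERROR)."
    if [ -x "$(command -v snap)" ]; then
      SNAP_VERSION=$(snap version | grep -w 'snap' | awk '{print $2}')
      echo "[HELK-INSTALLATION-INFO] Snap v$SNAP_VERSION is available. Trying to install docker via snap.."
      snap install docker >> "$LOGFILE" 2>&1
      ERROR=$?
      if [ "$ERROR" -ne 0 ]; then
        echoerror "Could not install docker via snap (Error Code: $ERROR)."
        exit 1
      fi
      echo "[HELK-INSTALLATION-INFO] Docker successfully installed via snap."
    else
      echo "[HELK-INSTALLATION-INFO] Docker could not be installed. Check /var/log/helk-install.log for details."
      exit 1
    fi
  fi
}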
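install_docker_compose(){
  # Download the docker-compose 1.19.0 release binary for this kernel and
  # architecture to /usr/local/bin/docker-compose and make it executable.
  # Output goes to $LOGFILE; sets the global ERROR and exits 1 on failure.
  #
  # The file lands in root's PATH, so the download must fail loudly: -f makes
  # curl exit non-zero on an HTTP error instead of saving the error page as the
  # "binary", and the file is only moved into place after download and chmod
  # both succeeded (previously only chmod's status was checked, and a partial
  # download stayed behind as an executable).
  # NOTE(review): the release is not checksum-verified here; compare it against
  # the checksum published with the release before relying on it.
  local compose_bin=/usr/local/bin/docker-compose
  local compose_url
  local tmp_bin
  compose_url="https://github.com/docker/compose/releases/download/1.19.0/docker-compose-$(uname -s)-$(uname -m)"
  echo "[HELK-INSTALLATION-INFO] Installing docker-compose.."
  tmp_bin="$(mktemp)" || tmp_bin="${compose_bin}.download"
  # 0755 rather than +x: mktemp creates the file 0600, which would leave the
  # binary runnable by root only.
  if curl -fL "$compose_url" -o "$tmp_bin" >> "$LOGFILE" 2>&1 \
     && chmod 0755 "$tmp_bin" >> "$LOGFILE" 2>&1 \
     && mv -f -- "$tmp_bin" "$compose_bin" >> "$LOGFILE" 2>&1; then
    ERROR=0
  else
    ERROR=$?
    rm -f -- "$tmp_bin"
  fi
  if [ "$ERROR" -ne 0 ]; then
    echoerror "Could not install docker-compose (Error Code: $ERROR)."
    exit 1
  fi
}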
get_host_ip(){
  # *********** Getting Host IP ***************
  # https://github.com/Invoke-IR/ACE/blob/master/ACE-Docker/start.sh
  # Sets the global host_ip from the kernel name in $systemKernel: the address
  # used for the default route on Linux, en0's IPv4 address on macOS, and the
  # string "UNKNOWN:" followed by $unameOut for anything else.
  echo "[HELK-INSTALLATION-INFO] Obtaining current host IP.."
  if [[ "${systemKernel}" == Linux* ]]; then
    host_ip=$(ip route get 1 | awk '{print $NF;exit}')
  elif [[ "${systemKernel}" == Darwin* ]]; then
    host_ip=$(ifconfig en0 | grep inet | grep -v inet6 | cut -d ' ' -f2)
  else
    host_ip="UNKNOWN:${unameOut}"
  fi
}
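set_helk_ip(){
  # *********** Accepting Defaults or Allowing user to set HELK IP ***************
  # Prompt (30 s timeout, pre-filled with the detected $host_ip) for the IP the
  # HELK should use and store the answer in the global host_ip. An empty answer
  # or a timeout keeps the detected value. The value is later substituted into
  # docker-compose.yml with sed, so only a dotted-quad IPv4 address with every
  # octet in 0-255 is accepted; anything else is reported and the script exits 1
  # (the -i command-line path rejects bad addresses the same way).
  local ip_choice
  local octet
  local -a octets
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  read -t 30 -p "[HELK-INSTALLATION-INFO] Set HELK IP. Default value is your current IP: " -e -i "${host_ip}" ip_choice
  ip_choice="${ip_choice:-$host_ip}"
  if ! [[ "$ip_choice" =~ $ipv4_re ]]; then
    echoerror "$ip_choice is not a valid IP Address."
    exit 1
  fi
  IFS=. read -r -a octets <<<"$ip_choice"
  for octet in "${octets[@]}"; do
    if [ "$octet" -gt 255 ]; then
      echoerror "$ip_choice is not a valid IP Address."
      exit 1
    fi
  done
  host_ip="$ip_choice"
}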
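prepare_helk(){
  # Make sure Docker and docker-compose are available, raise vm.max_map_count
  # for Elasticsearch, and write the chosen host IP and ES heap size into
  # docker-compose.yml. On Linux missing components are installed (install_curl,
  # install_docker, install_docker_compose); on any other kernel they only have
  # to be present already, otherwise the script exits 1.
  # Globals read: host_ip, systemKernel, ES_MEMORY, LOGFILE.
  # Globals written: lsb_dist, dist_version, MAX_MAP_COUNT, ERROR.
  echo "[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
  if [ "$systemKernel" == "Linux" ]; then
    # Reference: https://get.docker.com/
    echo "[HELK-INSTALLATION-INFO] HELK identified Linux as the system kernel"
    echo "[HELK-INSTALLATION-INFO] Checking distribution list and version"
    # *********** Check distribution list ***************
    lsb_dist="$(. /etc/os-release && echo "$ID")"
    lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
    # *********** Check distribution version ***************
    case "$lsb_dist" in
      ubuntu)
        if [ -x "$(command -v lsb_release)" ]; then
          dist_version="$(lsb_release --codename | cut -f2)"
        fi
        if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
          dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
        fi
        ;;
      debian|raspbian)
        # /etc/debian_version is e.g. "9.4" or "buster/sid"; keep only the major number.
        dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
        case "$dist_version" in
          9) dist_version="stretch" ;;
          8) dist_version="jessie" ;;
          7) dist_version="wheezy" ;;
        esac
        ;;
      centos)
        if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
          dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
        fi
        ;;
      rhel|ol|sles)
        ee_notice "$lsb_dist"
        exit 1
        ;;
      *)
        # Was written as [ ... "] without the space before ]: bash reports a
        # missing ']' and the test fails, so lsb_release was never consulted.
        if [ -x "$(command -v lsb_release)" ]; then
          dist_version="$(lsb_release --release | cut -f2)"
        fi
        if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
          dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
        fi
        ;;
    esac
    # The previous check read $? of the echo below, which is always 0; look at
    # the values instead. Non-fatal, as before: the install steps may still work.
    if [ -z "$lsb_dist" ] || [ -z "$dist_version" ]; then
      echoerror "Could not verify distribution or version of the OS."
    fi
    echo "[HELK-INSTALLATION-INFO] You're using $lsb_dist version $dist_version"
    # *********** Check if docker is installed ***************
    if [ -x "$(command -v docker)" ]; then
      echo "[HELK-INSTALLATION-INFO] Docker already installed"
    else
      echo "[HELK-INSTALLATION-INFO] Docker is not installed"
      # ****** Install Curl if it is not installed *********
      install_curl
      # ****** Installing Docker if it is not installed *********
      install_docker
    fi
    # ********** Check if docker-compose is installed *******
    if [ -x "$(command -v docker-compose)" ]; then
      echo "[HELK-INSTALLATION-INFO] Docker-compose already installed"
    else
      echo "[HELK-INSTALLATION-INFO] Docker-compose is not installed"
      # ****** Install Curl if it is not installed *********
      install_curl
      # ****** Installing Docker-Compose *******************
      install_docker_compose
    fi
  else
    # *********** Check if docker is installed ***************
    if [ -x "$(command -v docker)" ] && [ -x "$(command -v docker-compose)" ]; then
      echo "[HELK-INSTALLATION-INFO] Docker & Docker-compose already installed"
    else
      echo "[HELK-INSTALLATION-INFO] Install Docker & Docker-compose for $systemKernel"
      exit 1
    fi
  fi
  echo "[HELK-INSTALLATION-INFO] Dockerizing HELK.."
  echo "[HELK-INSTALLATION-INFO] Checking local vm.max_map_count variable and setting it to 262144"
  MAX_MAP_COUNT=262144
  # sysctl -w changes the running kernel only; the value is not persisted
  # across reboots.
  if [ -n "$MAX_MAP_COUNT" ] && [ -f /proc/sys/vm/max_map_count ]; then
    sysctl -q -w vm.max_map_count="$MAX_MAP_COUNT" >> "$LOGFILE" 2>&1
    ERROR=$?
    if [ "$ERROR" -ne 0 ]; then
      echoerror "Could not set vm.max_map_count to 262144 (Error Code: $ERROR)."
    fi
  fi
  echo "[HELK-INSTALLATION-INFO] Setting KAFKA ADVERTISED_LISTENER value..."
  # ****** Setting KAFKA ADVERTISED_LISTENER environment variable ***********
  # host_ip comes from the -i option or the interactive prompt; escape the
  # characters sed treats specially in a replacement (\ / &) so an unexpected
  # value cannot change the meaning of the s/// expression.
  local ip_repl="$host_ip"
  ip_repl=${ip_repl//\\/\\\\}
  ip_repl=${ip_repl//\//\\/}
  ip_repl=${ip_repl//&/\\&}
  sed -i "s/ADVERTISED_LISTENER=HOSTIP/ADVERTISED_LISTENER=${ip_repl}/g" docker-compose.yml
  echo "[HELK-INSTALLATION-INFO] Setting ES_JAVA_OPTS value..."
  # ****** Setting ES JAVA OPTS environment variable ***********
  # ES_MEMORY is set elsewhere in the script (presumably by
  # check_min_requirements) and is expected to be a whole number of GB; skip
  # the substitution rather than write an unusable -Xms/-Xmx value.
  if [[ "$ES_MEMORY" =~ ^[0-9]+$ ]]; then
    sed -i "s/ES_JAVA_OPTS\=\-Xms6g \-Xmx6g/ES_JAVA_OPTS\=\-Xms${ES_MEMORY}g \-Xmx${ES_MEMORY}g/g" docker-compose.yml
  else
    echoerror "ES_MEMORY is not a whole number of GB (\"${ES_MEMORY}\"); leaving the default ES_JAVA_OPTS in docker-compose.yml."
  fi
}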
show_banner(){
  # *********** Showing HELK Docker menu options ***************
  # Print the HELK header (author, build and ELK version, license) to stdout,
  # one line per array entry, framed by a blank-looking line on each side.
  local -a banner_lines=(
    " "
    "**********************************************"
    "** HELK - THE HUNTING ELK **"
    "** **"
    "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
    "** HELK build version: 0.9 (Alpha) **"
    "** HELK ELK version: 6.2.4 **"
    "** License: BSD 3-Clause **"
    "**********************************************"
    " "
  )
  printf '%s\n' "${banner_lines[@]}"
}
show_final_information(){
  # Print the post-install summary: Kibana, Jupyter Lab and Spark UI URLs built
  # from the global host_ip, plus the Jupyter token from the global
  # jupyter_token. Everything goes to stdout.
  # NOTE(review): the helk/hunting credentials printed here are the stack's
  # built-in defaults, shown in clear text (and written to $LOGFILE when the
  # installer runs with -q); treat them as something to rotate after install.
  local -a summary_lines=(
    " "
    " "
    "***********************************************************************************"
    "** [HELK-INSTALLATION-INFO] YOUR HELK IS READY **"
    "** [HELK-INSTALLATION-INFO] USE THE FOLLOWING SETTINGS TO INTERACT WITH THE HELK **"
    "***********************************************************************************"
    " "
    "HELK KIBANA URL: http://${host_ip}"
    "HELK KIBANA & ELASTICSEARCH USER: helk"
    "HELK KIBANA & ELASTICSEARCH PASSWORD: hunting"
    "HELK JUPYTER CURRENT TOKEN: ${jupyter_token}"
    "HELK JUPYTER LAB URL: http://${host_ip}:8880/lab"
    "HELK SPARK Pyspark UI: http://${host_ip}:4040"
    "HELK SPARK Cluster Master UI: http://${host_ip}:8080"
    "HELK SPARK Cluster Worker1 UI: http://${host_ip}:8081"
    "HELK SPARK Cluster Worker2 UI: http://${host_ip}:8082"
    " "
    "IT IS HUNTING SEASON!!!!!"
    " "
    " "
    " "
  )
  printf '%s\n' "${summary_lines[@]}"
}
manual_install(){
  # Interactive install: show the banner, check host resources, detect the host
  # IP and let the user confirm or change it, then prepare and install the HELK
  # and fetch the Jupyter token. The fixed 180 s pause before the summary
  # presumably gives the containers time to come up.
  local step
  for step in show_banner check_min_requirements get_host_ip set_helk_ip prepare_helk install_helk get_jupyter_token; do
    "$step"
  done
  sleep 180
  show_final_information
}
ip_set_install(){
  # Non-interactive install for a host_ip already supplied with -i: same steps
  # as manual_install minus IP detection and the prompt. The fixed 180 s pause
  # before the summary presumably gives the containers time to come up.
  local step
  for step in show_banner check_min_requirements prepare_helk install_helk get_jupyter_token; do
    "$step"
  done
  sleep 180
  show_final_information
}
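usage(){
  # Print the command-line help and exit 1. It is reached from argument errors,
  # so the whole text goes to stderr (previously only the first line did).
  # The examples use -i, the option getopts actually defines: "-ip ADDR" is
  # parsed as -i with argument "p", leaving ADDR as an invalid extra argument.
  {
    echo "Usage: $0 [option...]"
    echo
    echo " -i set HELKs IP address"
    echo " -q quiet -> not output to the console"
    echo
    echo "Examples:"
    echo " $0 Install HELK manually"
    echo " $0 -i 192.168.64.131 Install HELK with an IP address set"
    echo " $0 -i 192.168.64.131 -q Install HELK with an IP address set without sending output to the console"
  } >&2
  exit 1
}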
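# ************ Command Options **********************
# -i ADDR  use ADDR as the HELK IP instead of prompting for it
# -q       send the installer's output to $LOGFILE; only useful together with -i
while getopts ":i:q" opt; do
  case ${opt} in
    i )
      host_ip=$OPTARG
      ;;
    q )
      quiet="TRUE"
      ;;
    \? )
      echo "Invalid option: $OPTARG" 1>&2
      usage
      ;;
    : )
      echo "Invalid option: $OPTARG requires an argument" 1>&2
      usage
      ;;
  esac
done
shift $((OPTIND -1))
if [ $# -gt 0 ]; then
  echo "Invalid option" 1>&2
  usage
fi
if [ -z "$host_ip" ] && [ -z "$quiet" ]; then
  manual_install
elif [ -z "$host_ip" ]; then
  # -q on its own: there is nothing to prompt with and no address to validate;
  # say so instead of the generic "Invalid option".
  echo "Option -q requires an IP address set with -i" 1>&2
  usage
else
  # Accept only a dotted-quad IPv4 address with every octet in 0-255; host_ip
  # is later substituted into docker-compose.yml by prepare_helk.
  ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  ip_is_valid="TRUE"
  if [[ "$host_ip" =~ $ipv4_re ]]; then
    IFS=. read -r -a octets <<<"$host_ip"
    for octet in "${octets[@]}"; do
      if [ "$octet" -gt 255 ]; then
        ip_is_valid=""
      fi
    done
  else
    ip_is_valid=""
  fi
  if [ -z "$ip_is_valid" ]; then
    printf '%s is not a valid IP Address\n' "$host_ip" 1>&2
    usage
  fi
  if [ -z "$quiet" ]; then
    ip_set_install
  else
    ip_set_install >> "$LOGFILE" 2>&1
  fi
fi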