SOF-ELK® Configuration Files

Configuration files for the SOF-ELK VM, used in SANS FOR572. SOF-ELK® is a "big data analytics" platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The SOF-ELK® platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis.


Main metrics

Overview
  • Name with owner: philhagen/sof-elk
  • Primary language: Shell
  • Program language: Shell (language count: 4)
  • Platform: (not shown)
  • License: GNU General Public License v3.0

Owner activity
  • Created at: 2014-12-30 15:24:39
  • Pushed at: 2025-04-01 19:20:56
  • Last commit at: (not shown)
  • Release count: 12
  • Last release name: 2017-05-18 (posted on 2017-05-18 17:36:06)
  • First release name: 2014-12-02 (posted on 2015-01-19 17:11:05)

User engagement
  • Stargazers count: 1.6k
  • Watchers count: 109
  • Fork count: 291
  • Commits count: 2.2k
  • Has issues enabled
  • Issues count: 311
  • Issue open count: 28
  • Pull requests count: 38
  • Pull requests open count: 3
  • Pull requests close count: 9

Project settings
  • Has wiki enabled
  • Flags listed without values: Is Archived, Is Fork, Is Locked, Is Mirror, Is Private

SOF-ELK® Configuration Files


This repository contains the configuration and support files for the SOF-ELK® VM Appliance.

SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper (specifically filebeat). With a significant amount of customization and ongoing development, SOF-ELK® users can avoid the typically long and involved setup process the Elastic stack requires. Instead, they can simply download the pre-built and ready-to-use SOF-ELK® virtual appliance that consumes various source data types (numerous log types as well as NetFlow), parsing out the most critical data and visualizing it on several stock dashboards. Advanced users can build visualizations that suit their own investigative or operational requirements, optionally contributing those back to the primary code repository.

The SOF-ELK® platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now used in several other SANS courses, with additional course integrations being considered. Most importantly, the platform is also distributed as a free and open source resource for the community at large, without a specific course requirement or tie-in required to use it.

More details about the pre-packaged VM are available here: http://for572.com/sof-elk-readme.

Branches

  • master: This branch is considered suitable for widespread use, but should not be used in the FOR572 class itself. The classroom labs are version-locked, but work on this repository is ongoing.
  • public/*: These branches will be tied to public releases of the VM, allowing version-locked content control after deployment.
  • class/*: When a VM is prepared for distribution in a SANS course such as FOR572, a new sub-branch will be created under the "class" branch with a name corresponding to the VM version. (e.g. "class/v20170629").
  • develop: This branch contains code that should be functional, but may break at times (and remain broken). Of course, we'll try to avoid that, but it should be clear that this is NOT a branch suitable for "real world" use.
  • Other branches may be used for major version updates, etc. These will be merged to master when deployed for mainstream use.

Using

These files are only recommended to be used in the SOF-ELK VM distribution at this time. A great deal of system-level configuration and tie-in is required for them to be used. No support can be provided for the use of these files outside the SOF-ELK VM as distributed via the readme.

Contents by directory

  • /configfiles/: These files contain parsing/tagging/formatting/etc logic for individual file types as well as output configuration.
  • /configfiles-UNSUPPORTED/: These configuration files are either not ready for operational use, in testing, or otherwise staged/stashed.
  • /doc/: Documentation. Always a work in progress.
  • /grok-patterns/: Custom parsing patterns used by the files in the /configfiles/ directory.
  • /kibana/: These files define the Kibana dashboards and associated files for individual data types. These correspond with the parsing completed by the Logstash files in the /configfiles/ directory, so they probably won't work on your own Logstash instance without some tweaking. To load these to the Kibana interface, run the /supporting-scripts/load_all_dashboards.sh script.
  • /lib/: Supporting files, including elasticsearch mappings, YAML lookup files, and images.
  • /supporting-scripts/: Numerous scripts and supporting files needed for the SOF-ELK VM to function. Any scripts that may be required for user functionality are symlinked to be in the elk_user's $PATH.
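To show how a Logstash file in /configfiles/ relates to a pattern file in /grok-patterns/, here is a minimal pipeline fragment written as an added illustration; it is not one of the project's own configuration files. The pattern directory path, the pattern name MYHOST, the index name and the Elasticsearch address are assumptions for the example; the grok, date and elasticsearch plugin options used are standard Logstash options.

```conf
# Assumed pattern file (not a project file): <pattern-dir>/custom-hosts
# containing a single custom pattern definition:
#   MYHOST [A-Za-z0-9._-]+
# The filter below loads that directory so %{MYHOST} resolves alongside
# the patterns shipped with Logstash (SYSLOGTIMESTAMP, DATA, GREEDYDATA).

filter {
  grok {
    # Assumed path; SOF-ELK uses its own location for /grok-patterns/
    patterns_dir => ["/path/to/sof-elk/grok-patterns"]
    match => {
      "message" => "%{SYSLOGTIMESTAMP:ts} %{MYHOST:host} %{DATA:program}: %{GREEDYDATA:msg}"
    }
    # Events that do not match keep this tag, so unparsed lines stay visible
    # in Kibana rather than silently dropping fields.
    tag_on_failure => ["_grokparsefailure"]
  }

  # Promote the parsed syslog timestamp to @timestamp so dashboards sort on
  # event time rather than ingest time.
  date {
    match => ["ts", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]          # assumed local Elasticsearch
    index => "example-%{+YYYY.MM.dd}"    # assumed index name
  }
}
```

Any Kibana dashboard expecting the field names produced here (host, program, msg) would need the same field names in your own parsing, which is why the /kibana/ files are noted above as tied to the /configfiles/ parsing.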

Questions/Bug Reports/etc

All bugs and feature requests should be logged via the github issue tracker: https://github.com/philhagen/sof-elk/issues/.

Please see the pull request submission guidelines before starting any development work - this is in the file.

Administrative Notifications/Disclaimers/Legal/Boring Stuff

  • Contents of this repository are provided "as is" with no express or implied warranty for accuracy or accessibility.
  • SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Content is copyrighted by its respective contributors. SOF-ELK logo is a wholly owned property of Lewes Technology Consulting, LLC and is used by permission.