Elasticsearch 和arkime 安装
安装一定要注意版本号,不然使用不了
这里Ubuntu使用ubuntu-20.04.6-desktop-amd64.iso
elasticsearch这里使用Elasticsearch 7.17.5 | Elastic
arkime这里使用wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb
大家想用别的版本记得去看看哪个版本能配套,es和arkime对互相的版本有要求不然不能使用
elasticsearch-8.7.1-x86_64和 arkime-4.3.1-1.x86_64 应该是可以的
Elasticsearch 8.7.1 | Elastic
Release Version 4.3.1 · arkime/arkime · GitHub
Ubuntu新机
sudo apt upgrade
sudo apt install open-vm-tools-desktop -y
sudo reboot
然后换源
cp /etc/apt/source.list /etc/apt/source.list.bak
sudo apt update
nano /etc/apt/source.list
deb https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
# deb https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
单体ES安装
1.ES下载
Elasticsearch 7.17.5 | Elastic
tar -zxvf elasticsearch-7.17.5-linux-x86_64.tar.gz
mv elasticsearch-7.17.5 /usr/local/
cd /usr/local/elasticsearch-7.17.5/
nano config/elasticsearch.yml
/usr/local/elasticsearch-7.17.5/config# nano jvm.options
useradd es123
chown -R es123:es123 /usr/local/elasticsearch-7.17.5
cd /usr/local/elasticsearch-7.17.5/bin
nano /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 4096
* hard nproc 4096
es123 - nproc 65535
nano /etc/sysctl.conf
vm.max_map_count=262145
./elasticsearch
curl http://localhost:9200
安装arkime
如果选择使用 arkime-4.3.1-1.x86_64,去别的博客看看.dep包或者rpm怎么安装
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb
apt install ./arkime_3.4.2-1_amd64.deb
/opt/arkime/bin/Configure
系统将要求您指定网络接口,如下所示:
Found interfaces: lo;eth0;eth1
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0自己ifconfig
查看自己的,我这里是eth33
输入您的网络接口名称并按 Enter 键继续。配置完成后,您应该得到以下输出:
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200]
Password to encrypt S2S and other things, don't use spaces [no-default] password
Arkime - Creating configuration files
Installing systemd start files, use systemctl
Arkime - Installing /etc/logrotate.d/arkime to rotate files after 7 days
Arkime - Installing /etc/security/limits.d/99-arkime.conf to make core and memlock unlimited
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO filesArkime - Configured - Now continue with step 4 in /opt/arkime/README.txt4) The Configure script can install elasticsearch for you or you can install yourselfsystemctl start elasticsearch.service5) Initialize/Upgrade Elasticsearch Arkime configurationa) If this is the first install, or want to delete all data/opt/arkime/db/db.pl http://ESHOST:9200 initb) If this is an update to a moloch/arkime package/opt/arkime/db/db.pl http://ESHOST:9200 upgrade6) Add an admin user if a new install or after an init/opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin7) Start everythingsystemctl start arkimecapture.servicesystemctl start arkimeviewer.service8) Look at log files for errors/opt/arkime/logs/viewer.log/opt/arkime/logs/capture.log9) Visit http://arkimeHOST:8005 with your favorite browser.user: adminpassword: THEPASSWORD from step #6If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://arkime.com/faq#maxmindAny configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issuesAdditional information can be found at:* https://arkime.com/faq* https://arkime.com/settings按上面的文字来
初始化Elasticsearch Arkime配置
下载ipv4-address-space.csv 和oui.txt,并复制到/opt/arkime/etc/下赋权
ipv4-address-space.csv下载地址:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv
注意:这里大部分的博客原地址都找不到了,这是我后面找出来的,如果地址失效就找 manuf项目
oui.txt下载地址:项目文件预览 - manuf:Parser library for Wireshark's OUI database. - GitCode
把manuf改名oui.txt
然后
mv ipv4-address-space.csv /opt/arkime/etc/
mv oui.txt /opt/arkime/etc/
- chmod a+r /opt/arkime/etc/oui.txt
- chmod a+r /opt/arkime/etc/ipv4-address-space.csv
/opt/arkime/db/db.pl http://localhost:9200 init
/opt/arkime/bin/arkime_add_user.sh admin “Admin” 1234 --admin
##用户名admin 密码1234
启动服务
systemctl start arkimecapture.service
systemctl start arkimeviewer.service
systemctl enable arkimecapture.service
systemctl enable arkimeviewer.service
tail -f /opt/arkime/logs/capture.log//查看日志
sudo systemctl status arkimecapture//检查状态
sudo systemctl restart arkimecapture//重启
访问
http://IP:8005
就可以访问啦,然后在弹出的框输入账号密码即可
注意是8005端口
以下是在别的博客看见的先记一下
高性能配置
修改arkime配置文件/opt/arkime/etc/config.ini 启用如下参数
magicMode=basic
pcapReadMethod=tpacketv3
tpacketv3NumThreads=2
pcapWriteMethod=simple
pcapWriteSize=2560000
packetThreads=5
maxPacketsInQueue=200000
注:修改配置文件后,要重启arkime服务
systemctl restart arkimecapture