-
Notifications
You must be signed in to change notification settings - Fork 58
Setup with Docker
S03D4-164 edited this page Apr 30, 2020
·
1 revision
The following instruction is optimized for Linux (Ubuntu).
Please install docker-compose before setup.
Clone SysmonSearch repository. Move to docker directory:
$ git clone https://github.com/JPCERTCC/SysmonSearch.git
$ cd SysmonSearch/docker/Specify proxy server, if needed
$ vim docker-compose.yml
# Modify the lines as follows:
args:
- http_proxy=[proxy_server_URL]
- https_proxy=[proxy_server_URL]Run the setup.sh:
$ sh ./setup.sh
The container starts with the following command:
$ docker-compose up
If the container is running on the port 9200 of the localhost:
$ curl localhost:9200Access [Server IP address]:5601 from a Web browser.
kibana compiles the plugin at the first startup. It takes several minutes to complete.
If the container is running on the port 56020 of the localhost:
# If run in the docker directory:
$ curl localhost:56020/convert/ioc -F 'file=@../stixioc-import-server/data/sample.ioc.xml'Configure as follows in the crontab on the host OS:
DATE=`date -d \"-1 day\" \"+%Y.%m.%d\"`
0,30 * * * * docker exec docker-stixioc-import-server python ../script/collection_statistical_data.py
0,30 * * * * docker exec docker-stixioc-import-server python ../script/collection_alert_data.py
0 1 * * * docker exec docker-stixioc-import-server python ../script/collection_statistical_data.py $DATE
Modify the configuration to make sure the script runs properly:
$ vim script/collection_statistical_data_setting.py
# For INDEX_NAME_ORG, use the index name without the year, month, and date information.
# If the index name is winlogbeat-yyyy.mm.dd:
INDEX_NAME_ORG = "winlogbeat"
# If the index name is winlogbeat-7.5.1-yyyy.mm.dd:
INDEX_NAME_ORG = "winlogbeat-7.5.1"Refer to Client Setup