-
Notifications
You must be signed in to change notification settings - Fork 371
Redirector installation
- extract
redirs.tgz - Run:
install-redir.sh $FilebeatID $ScenarioName $IP/DNS:PORT - Modify the logging format of your reverse proxy
Copy and extract the redirs.tgz you generated in the previous step on your redirector as part of your red team infra deployment procedures.
Run: install-redir.sh $FilebeatID $ScenarioName $IP/DNS:PORT
-
$FilebeatIDis the identifier of this redirector within filebeat. -
$ScenarioNameis the name of the attack scenario this redirector is used for. -
$IP/DNS:PORTis the IP or DNS name and port where filebeat logs are shipped to, this would be the IP/DNS of your RedELK server. Even if you use the default port (TCP/5044) you need to provide this as a parameter.
This script will set install filebeat and dependencies, install the required certificates, adjust the filebeat configuration and start filebeat.
Having issues? Check the following:
- The installer output in
redelk-install.log. - Filebeat errors in its log file (
/var/log/filebeatorfilebeatmentioned in/var/log/syslogdepending on your Linux flavour used). You want to make sure it is tracking the right log files. And you want to make sure it can connect to the RedELK server. If no connection is established, this is often due to firewall issues, or due to incorrect SSL parameters given in thecerts/config.cfgfile.
The applications used for redirection still need manual tuning in order to get the most out of them. This is done differently for Apache, Nginx and HAProxy. Details of each can be found below, and example configuration files are shipped with the RedELK package in the example-data-and-configs folder
See Naming requirements for detailed info on naming requirements.
RedELK requires:
- Enabling of Apache specific modules. Run
a2enmod rewrite proxy proxy_http proxy_connect ssl proxy_html deflate headersto do so. - modification to the default Apache configuration in order to log more details. Most importantly are the 'LogFormat' and 'CustomLog' directives:
LogFormat "%t %{hostname}e apache[%P]: frontend:%{frontend_name}e/%A:%{local}p backend:%{backend_name}e client:%h:%{remote}p xforwardedfor:%{X-Forwarded-For}i headers:{%{User-Agent}i|%{Host}i|%{X-Forwarded-For}i|%{X-Forwarded-Proto}i|%{X-Host}i|%{Forwarded}i|%{Via}i|} statuscode:%s request:%r" redelklogformatCustomLog ${APACHE_LOG_DIR}/access-redelk.log redelklogformat
An example Apache config file can be found here
By default Filebeat on the redirector will look at the log file /var/log/apache2/access-redelk.log. You can change these manually in the filebeat config file.
RedELK requires a modification to the default HAProxy configuration in order to log more details.
In the 'defaults' section:
log-format "GMT:%T frontend:%f/%H/%fi:%fp backend:%b client:%ci:%cp xforwardedfor:%[capture.req.hdr(3)] headers:%hr statuscode:%ST request:%r"
At each relevant 'frontend' section:
declare capture request len 40000
capture request header User-Agent len 512
capture request header Host len 512
capture request header X-Forwarded-For len 512
capture request header X-Forwarded-Proto len 512
capture request header X-Host len 512
capture request header Forwarded len 512
capture request header Via len 512
By default Filebeat on the redirector will look at the log file /var/log/haproxy.log. You can change these manually in the filebeat config file.
An example HAProxy config file can be found here
RedELK requires a modification to the default Nginx configuration in order to log more details.
An example HAProxy config file can be found here
By default Filebeat on the redirector will look at the log file locations /var/log/nginx/access-redelk.log. You can change these manually in the filebeat config file.