From e412681f96f0f5732ad27cedb5835e32ad921019 Mon Sep 17 00:00:00 2001 From: ricardokleber Date: Thu, 23 Apr 2026 12:17:21 -0300 Subject: [PATCH] =?UTF-8?q?Atualiza=C3=A7=C3=A3o=20-=2023/04/2026=20-=2012?= =?UTF-8?q?:17?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roteiros/06-lab04/conf/fluent-bit.conf | 29 +++++++ roteiros/06-lab04/docker-compose.yml | 56 ++++++++++++++ .../06-lab04/pipelines/aplicar_pipeline.json | 4 + .../06-lab04/pipelines/deletar_pipeline.json | 1 + .../pipelines/exibir_pipelines_aplicadas.json | 1 + .../06-lab04/pipelines/listar_pipelines.json | 1 + .../pipelines/remover_aplicacao_pipeline.json | 6 ++ .../06-lab04/pipelines/rk-siem_ssh_logs.json | 61 +++++++++++++++ .../pipelines/rk-siem_ssh_logs_teste.json | 10 +++ .../06-lab04/pipelines/rk-siem_web_logs.json | 51 ++++++++++++ .../pipelines/rk-siem_web_logs_teste.json | 10 +++ .../06-lab04/scripts/rk-siem-gera-logs.py | 77 +++++++++++++++++++ 12 files changed, 307 insertions(+) create mode 100644 roteiros/06-lab04/conf/fluent-bit.conf create mode 100644 roteiros/06-lab04/docker-compose.yml create mode 100644 roteiros/06-lab04/pipelines/aplicar_pipeline.json create mode 100644 roteiros/06-lab04/pipelines/deletar_pipeline.json create mode 100644 roteiros/06-lab04/pipelines/exibir_pipelines_aplicadas.json create mode 100644 roteiros/06-lab04/pipelines/listar_pipelines.json create mode 100644 roteiros/06-lab04/pipelines/remover_aplicacao_pipeline.json create mode 100644 roteiros/06-lab04/pipelines/rk-siem_ssh_logs.json create mode 100644 roteiros/06-lab04/pipelines/rk-siem_ssh_logs_teste.json create mode 100644 roteiros/06-lab04/pipelines/rk-siem_web_logs.json create mode 100644 roteiros/06-lab04/pipelines/rk-siem_web_logs_teste.json create mode 100755 roteiros/06-lab04/scripts/rk-siem-gera-logs.py diff --git a/roteiros/06-lab04/conf/fluent-bit.conf b/roteiros/06-lab04/conf/fluent-bit.conf new file mode 100644 index 0000000..29916ca --- /dev/null +++ b/roteiros/06-lab04/conf/fluent-bit.conf @@ -0,0 +1,29 @@ +# cat /etc/fluent-bit/fluent-bit.conf +[SERVICE] + Flush 1 + Log_Level info + Daemon off + +# Coleta logs do Arquivo Gerado +[INPUT] + Name tail + Path /root/teste.log + Tag logs_host04 + +# Envio para o RK-SIEM-CORE +[OUTPUT] + Name opensearch + Match logs_host04 + Host 172.18.0.1 + Port 9200 + Index teste-logs + Type _doc + HTTP_User admin + HTTP_Passwd admin + tls On + tls.verify Off + Suppress_Type_Name On + +#[OUTPUT] +# Name stdout +# Match * diff --git a/roteiros/06-lab04/docker-compose.yml b/roteiros/06-lab04/docker-compose.yml new file mode 100644 index 0000000..df21494 --- /dev/null +++ b/roteiros/06-lab04/docker-compose.yml @@ -0,0 +1,56 @@ +services: + rk-siem-core: + image: ricardokleber/rk-siem-core:latest + container_name: rk-siem-core + environment: + - cluster.name=rk-siem-core + - node.name=rk-siem-node + - discovery.type=single-node + - bootstrap.memory_lock=true + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Ajuste conforme sua RAM disponível + - DISABLE_INSTALL_DEMO_CONFIG=false + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - rk-siem-data:/usr/share/opensearch/data + ports: + - 9200:9200 # API REST + - 9600:9600 # Performance Analyzer + networks: + - rk-siem-net + + rk-siem-ui: + image: ricardokleber/rk-siem-ui:latest + container_name: rk-siem-ui + ports: + - 5601:5601 # Interface Web + expose: + - 5601 + command: ["/bin/bash", "-c", "/etc/init.d/opensearch-dashboards start && tail -f /var/log/opensearch-dashboards/opensearch-dashboards.stdout"] + restart: always + environment: + - 'OPENSEARCH_HOSTS=["https://rk-siem-core:9200"]' + - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false" + networks: + - rk-siem-net + depends_on: + - rk-siem-core + + rk-siem-host04: + image: ricardokleber/rk-siem-host04:latest + container_name: rk-siem-host04 + hostname: rk-siem-host04 + tty: true + stdin_open: true + restart: always + +volumes: + rk-siem-data: + +networks: + rk-siem-net: diff --git a/roteiros/06-lab04/pipelines/aplicar_pipeline.json b/roteiros/06-lab04/pipelines/aplicar_pipeline.json new file mode 100644 index 0000000..0d98904 --- /dev/null +++ b/roteiros/06-lab04/pipelines/aplicar_pipeline.json @@ -0,0 +1,4 @@ +PUT /teste-logs/_settings +{ + "index.default_pipeline": "rk-siem_web_logs" +} diff --git a/roteiros/06-lab04/pipelines/deletar_pipeline.json b/roteiros/06-lab04/pipelines/deletar_pipeline.json new file mode 100644 index 0000000..75346fc --- /dev/null +++ b/roteiros/06-lab04/pipelines/deletar_pipeline.json @@ -0,0 +1 @@ +DELETE _ingest/pipeline/rk-siem_web_logs diff --git a/roteiros/06-lab04/pipelines/exibir_pipelines_aplicadas.json b/roteiros/06-lab04/pipelines/exibir_pipelines_aplicadas.json new file mode 100644 index 0000000..1bf95a5 --- /dev/null +++ b/roteiros/06-lab04/pipelines/exibir_pipelines_aplicadas.json @@ -0,0 +1 @@ +GET /_settings?filter_path=*.settings.index.default_pipeline diff --git a/roteiros/06-lab04/pipelines/listar_pipelines.json b/roteiros/06-lab04/pipelines/listar_pipelines.json new file mode 100644 index 0000000..4f18fe2 --- /dev/null +++ b/roteiros/06-lab04/pipelines/listar_pipelines.json @@ -0,0 +1 @@ +GET _ingest/pipeline diff --git a/roteiros/06-lab04/pipelines/remover_aplicacao_pipeline.json b/roteiros/06-lab04/pipelines/remover_aplicacao_pipeline.json new file mode 100644 index 0000000..c16dc84 --- /dev/null +++ b/roteiros/06-lab04/pipelines/remover_aplicacao_pipeline.json @@ -0,0 +1,6 @@ +PUT /teste-logs/_settings +{ + "index": { + "default_pipeline": null + } +} diff --git a/roteiros/06-lab04/pipelines/rk-siem_ssh_logs.json b/roteiros/06-lab04/pipelines/rk-siem_ssh_logs.json new file mode 100644 index 0000000..9c38ad2 --- /dev/null +++ b/roteiros/06-lab04/pipelines/rk-siem_ssh_logs.json @@ -0,0 +1,61 @@ +PUT _ingest/pipeline/rk-siem_ssh_logs +{ + "description": "Pipeline do RK-SIEM para normalização de logs SSH", + "processors": [ + { + "grok": { + "field": "log", + "patterns": [ + "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: %{WORD:ssh_event} password for %{USER:user} from %{IP:source_ip} port %{NUMBER:source_port} ssh2", + "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: %{WORD:ssh_event} for invalid user %{USER:user} from %{IP:source_ip} port %{NUMBER:source_port} ssh2", + "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: Connection closed by (authenticating |)%{IP:source_ip} port %{NUMBER:source_port}" + ], + "description": "Extrai eventos de Accepted, Failed e Disconnected do SSH" + } + }, + { + "date": { + "field": "timestamp", + "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss"], + "target_field": "@timestamp", + "description": "Padroniza o tempo vindo do syslog (ex: Oct 10 13:55:36)" + } + }, + { + "set": { + "if": "ctx.ssh_event == 'Accepted'", + "field": "event.outcome", + "value": "success" + } + }, + { + "set": { + "if": "ctx.ssh_event == 'Failed'", + "field": "event.outcome", + "value": "failure" + } + }, + { + "geoip": { + "field": "source_ip", + "target_field": "geo", + "ignore_missing": true, + "description": "Enriquecimento: Localiza a origem do acesso" + } + }, + { + "remove": { + "field": ["log", "timestamp", "program"], + "ignore_missing": true + } + } + ], + "on_failure": [ + { + "set": { + "field": "error.message", + "value": "Falha no processamento do pipeline rk_siem_ssh_logs" + } + } + ] +} diff --git a/roteiros/06-lab04/pipelines/rk-siem_ssh_logs_teste.json b/roteiros/06-lab04/pipelines/rk-siem_ssh_logs_teste.json new file mode 100644 index 0000000..0be7809 --- /dev/null +++ b/roteiros/06-lab04/pipelines/rk-siem_ssh_logs_teste.json @@ -0,0 +1,10 @@ +POST _ingest/pipeline/rk-siem_ssh_logs/_simulate +{ + "docs": [ + { + "_source": { + "log": "Oct 23 11:30:05 servidor-prod sshd[1234]: Failed password for root from 192.168.1.50 port 54321 ssh2" + } + } + ] +} diff --git a/roteiros/06-lab04/pipelines/rk-siem_web_logs.json b/roteiros/06-lab04/pipelines/rk-siem_web_logs.json new file mode 100644 index 0000000..95b2908 --- /dev/null +++ b/roteiros/06-lab04/pipelines/rk-siem_web_logs.json @@ -0,0 +1,51 @@ +PUT _ingest/pipeline/rk-siem_web_logs +{ + "description": "Pipeline do RK-SIEM para normalização de logs HTTP - Ajustado para campo 'log'", + "processors": [ + { + "grok": { + "field": "log", + "patterns": [ + "%{IPORHOST:source_ip} - %{USER:user_id} \\[%{HTTPDATE:timestamp}\\] \"%{WORD:http_method} %{NOTSPACE:url_path} HTTP/%{NUMBER:http_version}\" %{NUMBER:status_code} %{NUMBER:bytes_sent}" + ], + "description": "Extrai dados do campo 'log' enviado pelo Fluent-bit" + } + }, + { + "date": { + "field": "timestamp", + "formats": [ + "dd/MMM/yyyy:HH:mm:ss Z" + ], + "target_field": "@timestamp" + } + }, + { + "convert": { + "field": "status_code", + "type": "integer" + } + }, + { + "user_agent": { + "field": "user_agent_string", + "target_field": "browser_info", + "ignore_missing": true + } + }, + { + "remove": { + "field": ["log", "timestamp"], + "ignore_missing": true + } + } + ], + "on_failure": [ + { + "set": { + "field": "error.message", + "value": "Falha no processamento do pipeline rk_siem_web_logs" + } + } + ] +} diff --git a/roteiros/06-lab04/pipelines/rk-siem_web_logs_teste.json b/roteiros/06-lab04/pipelines/rk-siem_web_logs_teste.json new file mode 100644 index 0000000..4a9a4b2 --- /dev/null +++ b/roteiros/06-lab04/pipelines/rk-siem_web_logs_teste.json @@ -0,0 +1,10 @@ +POST _ingest/pipeline/rk-siem_web_logs/_simulate +{ + "docs": [ + { + "_source": { + "log": "192.168.1.10 - - [23/Apr/2026:14:00:12 +0000] \"DELETE /index.html HTTP/1.1\" 500 5124" + } + } + ] +} diff --git a/roteiros/06-lab04/scripts/rk-siem-gera-logs.py b/roteiros/06-lab04/scripts/rk-siem-gera-logs.py new file mode 100755 index 0000000..44e45e2 --- /dev/null +++ b/roteiros/06-lab04/scripts/rk-siem-gera-logs.py @@ -0,0 +1,77 @@ +import random +import time +from datetime import datetime + +# Bancos de dados fictícios para os logs +IPS = ["192.168.1.10", "10.0.0.5", "172.16.0.2", "45.33.11.2", "185.22.14.5", "200.150.10.1", "8.8.8.8"] +USERS = ["root", "admin", "user1", "guest", "webmaster", "support", "devops", "db_admin"] +PAGES = ["/index.html", "/login", "/admin/dashboard", "/api/v1/user", "/wp-login.php", "/config.php"] +USER_AGENTS = [ + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", + "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36", + "curl/7.68.0", + "python-requests/2.25.1" +] + +def generate_apache_log(): + ip = random.choice(IPS) + date = datetime.now().strftime('%d/%b/%Y:%H:%M:%S +0000') + method = random.choice(["GET", "POST", "PUT", "DELETE"]) + page = random.choice(PAGES) + status = random.choice([200, 201, 404, 500, 403, 301]) + size = random.randint(150, 8000) + agent = random.choice(USER_AGENTS) + return f'{ip} - - [{date}] "{method} {page} HTTP/1.1" {status} {size} "-" "{agent}"' + +def generate_ssh_log(): + ip = random.choice(IPS) + user = random.choice(USERS) + date = datetime.now().strftime('%b %d %H:%M:%S') + host = "host04" + + if random.random() > 0.6: # 40% de chance de sucesso, 60% de falha + return f'{date} {host} sshd[{random.randint(1000, 9999)}]: Failed password for {user} from {ip} port {random.randint(30000, 60000)} ssh2' + else: + return f'{date} {host} sshd[{random.randint(1000, 9999)}]: Accepted password for {user} from {ip} port {random.randint(30000, 60000)} ssh2' + +def main(): + print("--- Gerador de Logs Customizado ---") + + # 1. Escolha do tipo + print("\n[1] Apache2 (HTTP)") + print("[2] SSH (Auth)") + service_choice = input("Escolha o tipo de log (1 ou 2): ") + + # 2. Quantidade de linhas + try: + num_lines = int(input("Quantas linhas de log deseja gerar? ")) + except ValueError: + print("Erro: Por favor, insira um número válido.") + return + + # 3. Nome do arquivo + output_file = input("Digite o nome do arquivo de saída (ex: teste.log): ") + + print(f"\nIniciando geração de {num_lines} linhas em '{output_file}'...") + + try: + with open(output_file, "w") as f: + for i in range(num_lines): + if service_choice == "1": + line = generate_apache_log() + else: + line = generate_ssh_log() + + f.write(line + "\n") + + # Exibe progresso a cada 10% para não travar o terminal em arquivos gigantes + if num_lines > 100 and i % (num_lines // 10) == 0: + print(f"Progresso: {round((i/num_lines)*100)}%...") + + print(f"\nSucesso! Arquivo '{output_file}' gerado com {num_lines} linhas.") + + except Exception as e: + print(f"Ocorreu um erro ao gravar o arquivo: {e}") + +if __name__ == "__main__": + main()