安装一定要注意版本号,不然使用不了
这里Ubuntu使用ubuntu-20.04.6-desktop-amd64.iso
elasticsearch这里使用Elasticsearch 7.17.5 | Elastic
arkime这里使用wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb
大家想用别的版本记得去看看哪个版本能配套,es和arkime对互相的版本有要求不然不能使用
elasticsearch-8.7.1-x86_64和 arkime-4.3.1-1.x86_64 应该是可以的
Release Version 4.3.1 · arkime/arkime · GitHub
单体ES安装
1.ES下载
Elasticsearch 7.17.5 | Elastic
tar -zxvf elasticsearch-7.17.5-linux-x86_64.tar.gz
mv elasticsearch-7.17.5 /usr/local/
cd /usr/local/elasticsearch-7.17.5/
nano config/elasticsearch.yml
/usr/local/elasticsearch-7.17.5/config# nano jvm.options
useradd es123
chown -R es123:es123 /usr/local/elasticsearch-7.17.5
cd /usr/local/elasticsearch-7.17.5/bin
nano /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 4096
* hard nproc 4096
es123 - nproc 65535
nano /etc/sysctl.conf
vm.max_map_count=262145
./elasticsearch
安装arkime
如果选择使用 arkime-4.3.1-1.x86_64,去别的博客看看.dep包或者rpm怎么安装
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb
apt install ./arkime_3.4.2-1_amd64.deb
/opt/arkime/bin/Configure
系统将要求您指定网络接口,如下所示:
Found interfaces: lo;eth0;eth1
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0
自己ifconfig
查看自己的,我这里是eth33
输入您的网络接口名称并按 Enter 键继续。配置完成后,您应该得到以下输出:
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200]
Password to encrypt S2S and other things, don't use spaces [no-default] password
Arkime - Creating configuration files
Installing systemd start files, use systemctl
Arkime - Installing /etc/logrotate.d/arkime to rotate files after 7 days
Arkime - Installing /etc/security/limits.d/99-arkime.conf to make core and memlock unlimited
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO files
Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt
4) The Configure script can install elasticsearch for you or you can install yourself
systemctl start elasticsearch.service
5) Initialize/Upgrade Elasticsearch Arkime configuration
a) If this is the first install, or want to delete all data
/opt/arkime/db/db.pl http://ESHOST:9200 init
b) If this is an update to a moloch/arkime package
/opt/arkime/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init
/opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
systemctl start arkimecapture.service
systemctl start arkimeviewer.service
8) Look at log files for errors
/opt/arkime/logs/viewer.log
/opt/arkime/logs/capture.log
9) Visit http://arkimeHOST:8005 with your favorite browser.
user: admin
password: THEPASSWORD from step #6
If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://arkime.com/faq#maxmind
Any configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issues
Additional information can be found at:
* https://arkime.com/faq
* https://arkime.com/settings
按上面的文字来
初始化Elasticsearch Arkime配置
下载ipv4-address-space.csv 和oui.txt,并复制到/opt/arkime/etc/下赋权
ipv4-address-space.csv下载地址:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv
oui.txt下载地址:standards-oui.ieee.org/oui/oui.txt
然后
mv ipv4-address-space.csv /opt/arkime/etc/
mv oui.txt /opt/arkime/etc/
- chmod a+r /opt/arkime/etc/oui.txt
- chmod a+r /opt/arkime/etc/ipv4-address-space.csv
/opt/arkime/db/db.pl http://localhost:9200 init
/opt/arkime/bin/arkime_add_user.sh admin "Admin" 1234 --admin
##用户名admin 密码1234
启动服务
systemctl start arkimecapture.service
systemctl start arkimeviewer.service
systemctl enable arkimecapture.service
systemctl enable arkimeviewer.service
访问
就可以访问啦,然后在弹出的框输入账号密码即可
注意是8005端口
以下是在别的博客看见的先记一下
高性能配置
修改arkime配置文件/opt/arkime/etc/config.ini 启用如下参数
magicMode=basic
pcapReadMethod=tpacketv3
tpacketv3NumThreads=2
pcapWriteMethod=simple
pcapWriteSize=2560000
packetThreads=5
maxPacketsInQueue=200000
注:修改配置文件后,要重启arkime服务
systemctl restart arkimecapture