Visualize WordPress User Activity Logs on ELK Stack

In this tutorial, you will learn how to visualize WordPress user activity logs on the ELK stack. WordPress does not provide an easy way to get an overview of user activity, nor does it record user activity in a server log file. Logs are critical for detecting, preventing or minimizing the impact of any security breach. Thousands of WordPress plugins have been developed to enable WordPress logging. Some of these plugins provide a feature to write WordPress user activity logs to a local system log file for easier analysis. In this setup, we use the Sucuri WordPress plugin to write WordPress logs to a local system file; we then read that file with Filebeat, process it with Logstash, send the data to Elasticsearch for indexing, and visualize it on the Kibana interface.


Install and Setup WordPress

Of course, if you are here, you must already have WordPress running. However, you may also want to check the following links on how to install and set up a WordPress site;

Install Latest WordPress with LAMP Stack on Ubuntu 20.04

Install WordPress with Nginx and MySQL 8 on CentOS 8

Install WordPress 5 with Nginx on Debian 10 Buster

Install a WordPress Security Audit / File Integrity Monitoring Plugin

As mentioned above, there are thousands of plugins available for auditing and logging every WordPress user activity. You can use any plugin of your preference. But just so that we are on the same page, we used the Sucuri plugin in this setup.

We cannot go into the installation and setup of the Sucuri plugin here. You can visit the Sucuri plugin installation page for that.

Now, assuming you have installed and activated the plugin, create the directory for the local system log file to which WordPress audit events will be written. We use /var/log/wordpress/kifarunix-demo.com.log in this setup. Yours may be different. (The plugin creates the log file itself once the path is saved, so only the directory is created here.)

mkdir -p /var/log/wordpress

Set the appropriate ownership of the log directory. For example, set the user and group to www-data or nginx depending on the HTTP server you are using.

chown -R www-data: /var/log/wordpress

Next, navigate to Sucuri Security > Settings > General Settings > Log Exporter and enter the full path to your WordPress audit log file. In this setup, we use /var/log/wordpress/kifarunix-demo.com.log.

Once you have entered the path, click Submit to save and create the log file.

From now on, any WordPress activity is logged to /var/log/wordpress/kifarunix-demo.com.log.

Just to show how Sucuri does audit logging;

tail -f /var/log/wordpress/kifarunix-demo.com.log

Successful and failed attempts to log in to the WordPress site;

2020-11-12 04:15:10 WordPressAudit kifarunix-demo.com [email protected] : Error: 192.168.57.1; User authentication failed: demouser
2020-11-12 04:15:24 WordPressAudit kifarunix-demo.com [email protected] : Notice: 192.168.57.1; User authentication succeeded: gentoo

WordPress plugin activation and deactivation logs;

2020-11-12 04:17:04 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; Plugin activated: Hello Dolly (v1.7.2; hello.php)
2020-11-12 04:17:13 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; Plugin deactivated: Hello Dolly (v1.7.2; hello.php)

WordPress blog post management logs;

New posts/pages;

2020-11-12 04:30:02 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: auto-draft,New status: draft,Title: My new post
2020-11-12 04:45:53 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Page status has been changed; details: ID: 9,Old status: auto-draft,New status: draft,Title: sample page

Updating existing draft posts/pages;

2020-11-12 04:31:22 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Revision status has been changed; details: ID: 7,Old status: new,New status: inherit,Title: My new post
2020-11-12 04:47:16 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Revision status has been changed; details: ID: 11,Old status: new,New status: inherit,Title: sample page

Publishing blog posts/pages;

2020-11-12 04:32:49 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: draft,New status: publish,Title: My new post
2020-11-12 04:32:49 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Post was created; ID: 5; name: My new post
2020-11-12 04:47:49 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Page status has been changed; details: ID: 9,Old status: draft,New status: publish,Title: sample page
2020-11-12 04:47:49 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Page was created; ID: 9; name: sample page

Deleting published blog posts;

2020-11-12 04:33:54 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: publish,New status: trash,Title: My new post
2020-11-12 04:48:24 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Page status has been changed; details: ID: 9,Old status: publish,New status: trash,Title: sample page

Restoring deleted posts;

2020-11-12 04:35:04 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: trash,New status: publish,Title: My new post

Changing a published blog post back to draft;

2020-11-12 04:36:19 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: publish,New status: draft,Title: My new post

User account creation;

2020-11-12 04:38:22 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; User account created; ID: 2; name: demouser; email: [email protected]; roles: editor

User account changes;

2020-11-12 04:39:52 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; User account edited; ID: 2; name: demouser; old_name: demouser; email: [email protected]; old_email: [email protected]; roles: editor; old_roles: editor

User account deletion;

2020-11-12 04:41:44 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; User account deleted; ID: 2

File uploads;

2020-11-12 04:43:32 WordPressAudit kifarunix-demo.com [email protected] : Notice: gentoo, 192.168.57.1; Media file added; ID: 8; name: linuxtux; type: image/jpeg

File deletion;

2020-11-12 04:44:23 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; Post deleted: (multiple entries): Post id: 8

Theme activation;

2020-11-12 04:49:31 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; Theme activated: Twenty Nineteen

Widget changes;

2020-11-12 04:50:37 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; Widget recent-posts (recent-posts-3) added to sidebar-2 (#2; size 250x200)
2020-11-12 04:51:39 WordPressAudit kifarunix-demo.com [email protected] : Warning: gentoo, 192.168.57.1; Widget recent-posts (recent-posts-4) deleted from sidebar-2 (#2; size 250x200)

And the list goes on.

Visualize WordPress User Activity Logs on ELK Stack

Having written the logs to a local server log file, we now need to visualize the WordPress user activity logs on the ELK stack.

In this setup, we use Filebeat to collect the logs and ship them to Logstash, where we process them further to extract specific log fields, and then send them to Elasticsearch for storage and indexing so they can be visualized on Kibana.

Follow the links below to install and set up Filebeat and the ELK stack;

Install and Setup ELK Stack

Install ELK Stack on Ubuntu 20.04

Install ELK Stack on CentOS 8

Configure Logstash to Process WordPress User Activity Logs

Assuming you have set up the ELK stack, you need to configure Logstash to receive and process the WordPress user activity logs.

A Logstash data processing pipeline consists of three sections:

  • Input: the input section ingests data from different endpoints into Logstash. We use Filebeat in this setup.
  • Filter: processes and transforms the received data. We use grok patterns to extract fields from the WordPress user activity logs.
  • Output: stores the processed data in the specified destination, which can be Elasticsearch. We use Elasticsearch in this guide.

You can read more about Logstash pipelines here.

Below is our Logstash configuration file with a Filebeat input, grok filters to process the WordPress log activities defined above, and an Elasticsearch output.

vim /etc/logstash/conf.d/wordpress.conf
input {
  beats {
    port => 5044
  }
}
filter {
	# Each grok below is tried in turn. A grok that does not match adds the
	# _grokparsefailure tag to the event; set tag_on_failure => [] in a grok
	# block if you do not want that tag on events meant for another grok.
	# Extract Authentication Logs
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s%{IPORHOST:src_ip};\s(?<msg>.*):\s(?<user_name>\w+)" }
		add_tag => "authentication"
	}
	# Plugin activation and deactivation logs
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Plugin.*):\s(?<plugin>.*)" }
		add_tag => "plugins"
	}
	# Blog post management
	## New draft post/page, publish post/page, delete/restore post/page
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Post.*|Page.*);\s.*Old\sstatus:\s(?<old_status>\w.+),New\sstatus:\s(?<new_status>\w.+),Title:\s(?<title>.*)" }
		add_tag => "posts_pages"
	}
	## Updating an existing draft post/page
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Revision.*);\s.*Old\sstatus:\s(?<old_status>\w.+),New\sstatus:\s(?<new_status>\w.+),Title:\s(?<title>.*)" }
		add_tag => "posts_pages"
	}
	## User account created
	## (e-mail addresses are matched with the built-in EMAILADDRESS grok pattern)
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<created_by>\w+),\s%{IPORHOST:src_ip};\s(?<msg>User account created);.*name:\s(?<user_name>\w+);\semail:\s%{EMAILADDRESS:email_address};\sroles:\s(?<user_role>\w.+)" }
		add_tag => "account_created"
	}
	## User account changes
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<edited_by>\w+),\s%{IPORHOST:src_ip};\s(?<msg>User account edited);.*name:\s(?<user_name>\w+);\sold_name:\s(?<old_name>\w+);\semail:\s%{EMAILADDRESS:email_address};\sold_email:\s%{EMAILADDRESS:old_email_address};\sroles:\s(?<user_role>\w.+);\sold_roles:\s(?<old_role>\w.+)" }
		add_tag => "account_edited"
	}
	## User account deletion
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<deleted_by>\w+),\s%{IPORHOST:src_ip};\s(?<msg>User account deleted);\sID:\s(?<deleted_user_id>\d+)" }
		add_tag => "account_deleted"
	}
	## File uploads
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Media file added);\sID:\s(?<file_id>\d+);\sname:\s(?<file_name>\w+);\stype:\s(?<file_type>\w.+)" }
		add_tag => "file_added"
	}
	## File deletion
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Post deleted).*Post\sid:\s(?<file_id>\d+)" }
		add_tag => "file_deleted"
	}
	## Theme activations
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Theme.*):\s(?<theme_name>\w.+)" }
		add_tag => "theme_changes"
	}
	## Widget management
	grok {
		match => { "message" => "(?<event_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{TIME})\s\w+\s%{HOSTNAME:host_name}\s.*\s:\s(?<log_level>\w+):\s(?<user_name>\w+),\s%{IPORHOST:src_ip};\s(?<msg>Widget.*)" }
		add_tag => "widget_changes"
	}
}
output {
   elasticsearch {
     hosts => ["192.168.57.30:9200"]
     index => "wordpress-%{+YYYY.MM.dd}"
   }
  #stdout { codec => rubydebug }
}

Feel free to adjust the grok patterns to suit your needs. You can use the Kibana Grok Debugger (Kibana > Dev Tools > Grok Debugger) or the Herokuapp Grok Debugger to build your grok patterns.

If you need to debug the Logstash grok filters to confirm that they actually parse the logs into the required fields, see the link below on how to debug Logstash grok filters.

How to Debug Logstash Grok Filters
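As an added example that is not part of the original tutorial, here are the first few grok patterns above re-expressed as Python regexes and run over constructed sample lines in the Sucuri log exporter format, so you can see offline which fields each event yields, which events match no pattern (the equivalent of a _grokparsefailure in Logstash), and a failed-login count per source IP. %{HOSTNAME} and %{IPORHOST} are simplified to character classes, and only five of the filters are carried over.

```python
import re

# Regex equivalents of the tutorial's grok patterns (grok compiles to regex;
# %{HOSTNAME} and %{IPORHOST} are simplified to [\w.-]+ and [\d.]+ here).
PREFIX = (r"(?P<event_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s\w+\s"
          r"(?P<host_name>[\w.-]+)\s.*\s:\s(?P<log_level>\w+):\s")
PATTERNS = {  # tag -> pattern, tried in the same order as the Logstash filters
    "authentication": PREFIX + r"(?P<src_ip>[\d.]+);\s(?P<msg>.*):\s(?P<user_name>\w+)$",
    "plugins": PREFIX + r"(?P<user_name>\w+),\s(?P<src_ip>[\d.]+);\s(?P<msg>Plugin.*):\s(?P<plugin>.*)$",
    "posts_pages": PREFIX + r"(?P<user_name>\w+),\s(?P<src_ip>[\d.]+);\s(?P<msg>Post.*|Page.*|Revision.*);"
                   r"\s.*Old\sstatus:\s(?P<old_status>[\w-]+),New\sstatus:\s(?P<new_status>[\w-]+),Title:\s(?P<title>.*)$",
    "account_created": PREFIX + r"(?P<created_by>\w+),\s(?P<src_ip>[\d.]+);\s(?P<msg>User account created);"
                       r".*name:\s(?P<user_name>\w+);\semail:\s(?P<email_address>[^;]+);\sroles:\s(?P<user_role>.+)$",
    "account_deleted": PREFIX + r"(?P<deleted_by>\w+),\s(?P<src_ip>[\d.]+);\s(?P<msg>User account deleted);\sID:\s(?P<deleted_user_id>\d+)$",
}

# Constructed sample lines in the Sucuri log exporter format shown above
# (the admin e-mail and user e-mail are placeholders).
H = "WordPressAudit kifarunix-demo.com admin@example.com :"
SAMPLE_LOG = [
    f"2020-11-12 04:15:10 {H} Error: 192.168.57.1; User authentication failed: demouser",
    f"2020-11-12 04:15:13 {H} Error: 192.168.57.1; User authentication failed: demouser",
    f"2020-11-12 04:15:24 {H} Notice: 192.168.57.1; User authentication succeeded: gentoo",
    f"2020-11-12 04:17:04 {H} Warning: gentoo, 192.168.57.1; Plugin activated: Hello Dolly (v1.7.2; hello.php)",
    f"2020-11-12 04:30:02 {H} Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: auto-draft,New status: draft,Title: My new post",
    f"2020-11-12 04:32:49 {H} Notice: gentoo, 192.168.57.1; Post was created; ID: 5; name: My new post",
    f"2020-11-12 04:38:22 {H} Warning: gentoo, 192.168.57.1; User account created; ID: 2; name: demouser; email: demo@example.com; roles: editor",
    f"2020-11-12 04:41:44 {H} Warning: gentoo, 192.168.57.1; User account deleted; ID: 2",
]

def parse_line(line):
    """Return (tag, fields) for the first matching pattern; None stands in for
    the _grokparsefailure an unmatched event gets in Logstash."""
    for tag, pattern in PATTERNS.items():
        m = re.match(pattern, line)
        if m:
            return tag, m.groupdict()
    return None

def failed_logins_by_ip(lines):
    """Count failed authentication events per source IP, the kind of
    aggregation a Kibana visualization of the extracted fields would show."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == "authentication" and parsed[1]["log_level"] == "Error":
            counts[parsed[1]["src_ip"]] = counts.get(parsed[1]["src_ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(failed_logins_by_ip(SAMPLE_LOG))
```

Note that the "Post was created" line yields None: it carries no Old/New status fields, so in Logstash it would only get the _grokparsefailure tag unless a dedicated grok is added for it.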

Test Logstash Configuration

Once the configuration is done, verify it with the command below before starting Logstash.

/usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2020-11-13T19:58:51,616][INFO ][org.reflections.Reflections] Reflections took 76 ms to scan 1 urls, producing 21 keys and 41 values 
Configuration OK
[2020-11-13T19:58:54,815][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

If you get Configuration OK, you are good to go.

Run Logstash

Now, start and enable Logstash to run on system boot;

systemctl enable --now logstash

Check the status;

systemctl status logstash

Confirm that the port is open;

ss -antlp | grep :5044
LISTEN 0 128 *:5044 *:* users:(("java",pid=3273,fd=99))

Open the port on the firewall to allow Filebeat to connect to it;

On RHEL-based derivatives;

firewall-cmd --add-port=5044/tcp --permanent
firewall-cmd --reload

On Debian-based derivatives;

ufw allow 5044/tcp

On IPtables;

iptables -A INPUT -p tcp --dport 5044 -j ACCEPT

Install and Setup Filebeat

Install and Configure Filebeat on CentOS 8

Install Filebeat on Fedora 30 / Fedora 29 / CentOS 7

Install and Configure Filebeat 7 on Ubuntu 18.04 / Debian 9.8

Configure Filebeat

Assuming you have Filebeat installed and running on the server hosting WordPress, you can configure it to read the WordPress user activity logs as follows. In this setup, the plugin is configured to write the WordPress user activity logs to the local file /var/log/wordpress/kifarunix-demo.com.log.

Open the Filebeat configuration for editing;

vim /etc/filebeat/filebeat.yml

Enable the Filebeat log input type and configure it to read the WordPress user activity log file;

# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/wordpress/kifarunix-demo.com.log
...

Configure Filebeat to send the logs to Logstash instead of Elasticsearch.

...
# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
...
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.57.30:5044"]
...

Save and exit the configuration file.

Ensure you can connect to the Logstash port, 5044/tcp.

telnet 192.168.57.30 5044
Trying 192.168.57.30...
Connected to 192.168.57.30.
Escape character is '^]'.

Verify Filebeat Configuration

Run Filebeat in the foreground with its output redirected to standard error to check that it connects to Logstash successfully before starting it as a service.

filebeat -e
...
2020-11-13T17:36:08.735Z	INFO	log/input.go:157	Configured paths: [/var/log/wordpress/kifarunix-demo.com.log]
2020-11-13T17:36:08.736Z	INFO	[crawler]	beater/crawler.go:141	Starting input (ID: 13913356589683053536)
2020-11-13T17:36:08.737Z	INFO	[crawler]	beater/crawler.go:108	Loading and starting Inputs completed. Enabled inputs: 1
2020-11-13T17:36:08.738Z	INFO	cfgfile/reload.go:164	Config reloader started
2020-11-13T17:36:08.739Z	INFO	cfgfile/reload.go:224	Loading of config files completed.
2020-11-13T17:36:08.738Z	INFO	log/harvester.go:302	Harvester started for file: /var/log/wordpress/kifarunix-demo.com.log
2020-11-13T17:36:11.648Z	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:89	add_cloud_metadata: hosting provider type not detected.
2020-11-13T17:36:12.649Z	INFO	[publisher_pipeline_output]	pipeline/output.go:143	Connecting to backoff(async(tcp://192.168.57.30:5044))
2020-11-13T17:36:12.651Z	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2020-11-13T17:36:12.654Z	INFO	[publisher]	pipeline/retry.go:223	  done
2020-11-13T17:36:12.653Z	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(async(tcp://192.168.57.30:5044)) established

If you see a line like Connection to backoff(async(tcp://192.168.57.30:5044)) established, then all is well.

Next, start and enable Filebeat to run on system boot;

systemctl enable --now filebeat

Visualize WordPress User Activity Logs on ELK Stack

Next, verify that Elasticsearch is receiving data from Logstash and create a Kibana index so you can visualize the WordPress user activity logs on the ELK stack.

You can check our guide on how to create a Kibana index.

Create Kibana Index to Visualize Event Data

Next, perform some activity on the WordPress site and you should be able to see the events populated on Kibana.

Based on the extracted fields, you can create visualization dashboards. Below are sample dashboards;

(Sample dashboard screenshots: WordPress user activity logs visualized on the ELK stack.)

These are just sample dashboards of WordPress user activity based on the logs generated by the Sucuri plugin in this guide. You can do a lot more, :).

That marks the end of our basic tutorial on how to visualize WordPress user activity logs on ELK Stack. For any suggestions/comments, please drop them in the comments section. Otherwise, enjoy!
