Install
WatchAD was a 360 internal system, so many of its storage services use the private cloud inside 360. The following are suggested configuration methods; they may be wrong or unreasonable. If there is any problem, please submit an issue and I will solve it in time.
WatchAD requires some data storage services. It is recommended to use the Docker script already configured in the project. Execute the following commands in the project root directory:
```
docker-compose up
```
RabbitMQ, Logstash, ElasticSearch, Redis and MongoDB will be launched locally.
Because all storage-related services are installed locally, the default configuration is a simplified version of the architecture; the project's overall architecture is shown in the following image:
Execute in the project root directory:
```
pip3 install -r requirements.txt
```
The basis of our analysis is the complete event log of every domain controller, so we first need to enable the security audit options on the domain controllers so that all types of events are recorded. Take Windows Server 2008 R2 as an example. In Local Security Policy -> Security Settings -> Local Policies -> Audit Policy, enable all auditing options:
First, open the configuration file {project_home}/settings/winlogbeat/winlogbeat.yml provided by us and modify the hosts field of output.logstash to the IP and port of the Logstash you installed (default port 5044). Assuming the IP of your Logstash is 10.10.10.10, the configuration file is:
```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h
output.logstash:
  hosts: ["10.10.10.10:5044"]
```
Download Winlogbeat; version 6.2 is recommended, since other versions may be incompatible with the ElasticSearch used here.
After decompressing, replace the default winlogbeat.yml with the winlogbeat.yml you just modified.
Then follow the official website tutorial to install normally.
Attention! The event log is not synchronized between domain controllers, so we must collect all event logs for all domain controllers, otherwise false positives and false negatives will occur.
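Because a domain controller that silently stops shipping its Security log causes exactly the false negatives described above, it is worth checking log coverage per DC. The following script is an added example (not part of WatchAD): it takes a hypothetical list of domain controllers and constructed sample events in the field layout Winlogbeat 6.x ships (computer_name, log_name, event_id, @timestamp) and reports which DCs are missing or stale.

```python
# Added example, not WatchAD code: verify every domain controller is shipping
# Security events, since the detection engine needs logs from all of them.
from datetime import datetime, timedelta, timezone

# Hypothetical DC list (in practice taken from LDAP or "nltest /dclist").
DOMAIN_CONTROLLERS = ["dc01.corp.example", "dc02.corp.example", "dc03.corp.example"]

# Constructed sample events, reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"computer_name": "dc01.corp.example", "log_name": "Security",
     "event_id": 4624, "@timestamp": "2024-01-01T10:00:00Z"},
    {"computer_name": "dc02.corp.example", "log_name": "Security",
     "event_id": 4768, "@timestamp": "2024-01-01T08:00:00Z"},
    {"computer_name": "dc02.corp.example", "log_name": "System",
     "event_id": 7036, "@timestamp": "2024-01-01T10:05:00Z"},
]

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 1, 1, 10, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the UTC ISO-8601 '@timestamp' Winlogbeat emits ('Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_report(dcs, events, now, max_age=timedelta(hours=1)):
    """Return {dc: 'ok' | 'stale' | 'missing'} from the newest Security event per DC.

    'stale' means the newest Security event is older than max_age (matching the
    1h ignore_older window in the shipped winlogbeat.yml); 'missing' means none.
    """
    latest = {}
    for ev in events:
        if ev.get("log_name") != "Security":
            continue  # only the Security channel feeds the detection engine
        host = ev["computer_name"].lower()
        ts = parse_ts(ev["@timestamp"])
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    report = {}
    for dc in dcs:
        ts = latest.get(dc.lower())
        if ts is None:
            report[dc] = "missing"
        elif now - ts > max_age:
            report[dc] = "stale"
        else:
            report[dc] = "ok"
    return report


if __name__ == "__main__":
    for dc, state in coverage_report(DOMAIN_CONTROLLERS, SAMPLE_EVENTS, NOW).items():
        print(f"{dc}: {state}")
```

In a real deployment the event list would come from an ElasticSearch query over the last hour, and the DC list from the LDAP server given at install time.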
WatchAD uses a Python script to automate some of the configuration:
```
Usage: WatchAD.py <options> [settings]

Options:
  -h, --help            show this help message and exit
  --install             Perform WatchAD to initialize the installation. Make
                        sure that the complete environment is installed and
                        configured before the second.
  -d DOMAIN, --domain=DOMAIN
                        A FQDN domain name of detection.
  -s SERVER, --ldap-server=SERVER
                        Server address for LDAP search. e.g: dc01.corp.com
  -u USERNAME, --domain-user=USERNAME
                        Username for LDAP search. e.g: CORP\peter
  -p PASSWORD, --domain-passwd=PASSWORD
                        Password for LDAP search.
  --check               Check each database connection status, message queue
                        status
  --start               starts the detection engine
  --restart             restart detection engine
  --stop                Stop engine (delete existing message queues to
                        prevent backlog caused by excessive data volume)
  --status              View current engine status
```
Directly execute the installation command, such as:
```
python3 WatchAD.py --install -d 360.cn -s dc01.360.cn -u admin -p password
```
To start WatchAD normally, you need to meet the following requirements:
- All storage related dependencies are properly installed and configured
- Ability to access the LDAP server specified during installation
- supervisor is installed correctly.
- Python 3.6 is installed correctly and /usr/bin/python3 exists as a symlink to it.
```
python3 WatchAD.py --start
```
After startup, supervisor is used to host the Python process. The WatchAD command line is simply a wrapper around the supervisor command: starting and stopping the engine is essentially starting and stopping the supervisor task.
WatchAD relies on RabbitMQ, Logstash, ElasticSearch, Redis and MongoDB. If you want to use existing storage services and message queues, modify the configuration in {project_home}/settings/database_config.py. The configuration of the Logstash data pipeline is in {project_home}/settings/logstash/logstash.conf and needs to be changed according to your environment.