Mirtov Alexey a5de537490 update all descriptions (except docker image and schema) | 2 年 前 | |
---|---|---|
.. | ||
example | 2 年 前 | |
images | 2 年 前 | |
security-events-to-siem-importer | 2 年 前 | |
security-events-to-storage-exporter | 2 年 前 | |
README.md | 2 年 前 | |
README_RU.md | 2 年 前 |
Version-2.0
cr.yandex/crpjfmfou6gflobbfvfv/k8s-events-siem-worker:1.1.0
.Here are the out-of-the-box features of the solution: ☑️ Collect K8s audit logs in Managed ELK SIEM.
The solution "Collecting, monitoring, and analyzing audit logs in Yandex Managed Service for Elasticsearch (ELK)" contains information on how to install Yandex Managed Service for Elasticsearch (ELK) and collect logs from Audit Trails in it.
See a detailed description of the objects here.
The solution consists of two Terraform modules: 1) security-events-to-storage-exporter exports logs to S3.
It accepts the following input:
- `folder_id`: The ID of the folder where the cluster is hosted.
cluster_name
: The name of the Kubernetes cluster.log_bucket_service_account_id
: The ID of the service account that can write to the bucket and has the ymq.admin role.log_bucket_name
: The name of the bucket to save logs to.function_service_account_id
: The ID of the service account that will run the function (optional). If omitted, log_bucket_service_account_id
is used.Functionality:
2) security-events-to-siem-importer imports logs into ELK.
It accepts the following input:
security-events-to-storage-exporter
) module.auditlog_enabled
: true or false (enables/disables sending of K8s audit logs to ELK).Functionality:
See the example of calling modules in /example/main.tf
//Calling the security-events-to-storage-exporter module
module "security-events-to-storage-exporter" {
source = "../security-events-to-storage-exporter/" # path to the module
folder_id = "xxxxxx" // The folder ID of the K8s cluster yc managed-kubernetes cluster get --id <cluster ID> --format=json | jq .folder_id
cluster_name = "k8s-cluster" // The name of the cluster
log_bucket_service_account_id = "xxxxxx" // The ID of the Service Account (it must have the roles: ymq.admin and "write to bucket")
log_bucket_name = "k8s-bucket" // You can use the value from the deploy config
# function_service_account_id = "xx" // An optional ID of the service account that calls functions. If not set, the function is called on behalf of log_bucket_service_account_id
}
//Calling the security-events-to-siem-importer module
module "security-events-to-siem-importer" {
source = "../security-events-to-siem-importer/" # path to the module
folder_id = module.security-events-to-storage-exporter.folder_id
service_account_id = module.security-events-to-storage-exporter.service_account_id
auditlog_enabled = true // Send K8s auditlog to ELK
falco_enabled = true // Install Falco and send its alerts to ELK
kyverno_enabled = true // Install Kyverno and send its alerts to ELK
log_bucket_name = module.security-events-to-storage-exporter.log_bucket_name
elastic_server = "https://c-xxx.rw.mdb.yandexcloud.net " // The ELK URL "https://c-xxx.rw.mdb.yandexcloud.net" (you can use the value from the module.yc-managed-elk.elk_fqdn module)
coi_subnet_id = "xxxxxx" // The ID of the subnet where the VM with the container will be deployed (be sure to enable NAT)
elastic_pw = var.elk_pw // Run the command: export TF_VAR_elk_pw=<ELK PASS> (replace ELK PASS with your value) // The password for the ELK account (you may use the value from the module.yc-managed-elk.elk-pass module)
elastic_user = "admin" // The name of the ELK account
}
We recommend subscribing to this repository to receive update notifications.
To get the latest content version, do the following:
For content updates, make sure that you are running the latest available image version:
cr.yandex/crpjfmfou6gflobbfvfv/k8s-events-siem-worker:latest
You can update the container as follows:
terraform apply
).falco-worker-*
, kyverno-worker-*
, audit-worker-*
containers, delete the k8s-events-siem-worker
image, and restart the COI Instance. When it starts, a new image is downloaded and new containers are created.You can update the Security content in Kibana (dashboards, detection rules, searches) by launching the elk-updater
container:
docker run -it --rm -e ELASTIC_AUTH_USER='admin' -e ELASTIC_AUTH_PW='password' -e KIBANA_SERVER='https://xxx.rw.mdb.yandexcloud.net' --name elk-updater cr.yandex/crpjfmfou6gflobbfvfv/elk-updater:latest
If you prefer OPA Gatekeeper to Kyverno, set the value kyverno_enabled
to false when calling the module, then run the manual installation:
Recommendations for setting up retention, rollover, and snapshots