00x0 Preface
The server runs CentOS 7; we install the current latest release, arkime-3.1.1.
00x1 Installation
1. Download the rpm package
# wget https://s3.amazonaws.com/files.molo.ch/builds/centos-7/arkime-3.1.1-1.x86_64.rpm
2. Install dependencies
# yum -y install perl-libwww-perl perl-JSON libyaml-devel perl-LWP-Protocol-https
3. Install the rpm package
# rpm -ivh arkime-3.1.1-1.x86_64.rpm
4. Installation output
Note: the post-install message says to run the configuration by following the README.
00x2 Configuration
[root@localhost arkime]# cat README.txt
Instructions for using the prebuilt Arkime packages.
Please report any bugs or feature requests by opening an issue at https://github.com/arkime/arkime/issues
Basic Arkime Installation steps:
1) Download an Arkime build for 64bit Ubuntu 14.04, Ubuntu 16.04, Centos 6, or Centos 7 from http://arkime.com/index.html#downloads
2) Install package
3) Configure basic arkime items by running the Configure script (this needs to be done only once)
/opt/arkime/bin/Configure
4) The Configure script can install elasticsearch for you or you can install yourself
systemctl start elasticsearch.service
5) Initialize/Upgrade Elasticsearch Arkime configuration
a) If this is the first install, or want to delete all data
/opt/arkime/db/db.pl http://ESHOST:9200 init
b) If this is an update to a moloch/arkime package
/opt/arkime/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init
/opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
systemctl start arkimecapture.service
systemctl start arkimeviewer.service
8) Look at log files for errors
/opt/arkime/logs/viewer.log
/opt/arkime/logs/capture.log
9) Visit http://arkimeHOST:8005 with your favorite browser.
user: admin
password: THEPASSWORD from step #6
If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://arkime.com/faq#maxmind
Any configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issues
Additional information can be found at:
* https://arkime.com/faq
* https://arkime.com/settings
1. Run the configuration wizard script
1.1 Install the JDK environment
# yum install java-11-openjdk -y  // install the JDK environment that Arkime depends on via yum
# java -version
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)
1.2 Run the configuration script
It mainly does the following:
- Determine the capture interface
- Download and install the default ES version for a quick demo deployment (used in this article); production should point at a production ES cluster
- Check the JDK environment; if it is missing the script prompts, and you run the script again after installing it
- Download MaxMind GEO location data; this requires registering an account so that displayed data can carry geolocation (not chosen in this article)
# cd /opt/arkime/bin/
# ./Configure
Found interfaces: eth0;lo
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0 // choose the capture interface
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] yes // whether to install ES locally; it needs at least 3G of memory; this is a demo environment, not recommended for production
/usr/bin/java // this shows a Java environment is present; if it is not, install the JDK and run the configuration script again
Password to encrypt S2S and other things [no-default] S3cur!2019
Arkime - Creating configuration files
Not overwriting /opt/arkime/etc/config.ini, delete and run again if update required (usually not), or edit by hand
Installing systemd start files, use systemctl
Arkime - Downloading and installing demo OSS version of Elasticsearch
Loaded plugins: fastestmirror
elasticsearch-oss-7.10.2-x86_64.rpm | 220 MB 00:00:33
Examining /var/tmp/yum-root-Wzs9zH/elasticsearch-oss-7.10.2-x86_64.rpm: elasticsearch-oss-7.10.2-1.x86_64
/var/tmp/yum-root-Wzs9zH/elasticsearch-oss-7.10.2-x86_64.rpm: does not update installed package.
Error: Nothing to do
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO files
Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt
2. Start services
2.1 Start the locally installed elasticsearch
# systemctl start elasticsearch.service
3. Create the web access account
Replace 1qaz2wsx with your own password
# /opt/arkime/bin/arkime_add_user.sh admin "Admin User" 1qaz2wsx --admin
Added
4. Initialize elasticsearch
Use the db.pl shipped with arkime to initialize ES
# /opt/arkime/db/db.pl http://localhost:9200 init
It is STRONGLY recommended that you stop ALL Arkime captures and viewers before proceeding. Use 'db.pl http://localhost:9200 backup' to backup db first.
There is 1 elastic search data node, if you expect more please fix first before proceeding.
This is a fresh Arkime install
Erasing
Creating
Finished
5. Start the web service
5.1 Start arkimeviewer (web service)
# systemctl start arkimeviewer.service
# systemctl status arkimeviewer.service // check that the arkimeviewer service is running properly
5.2 Start arkimecapture (capture service)
Because arkimecapture depends on the GEO location data, and I did not choose to install GEO when running the configuration script, it could not start. Below is a workaround: by analyzing the contents of the arkime_update_geo.sh script we can still get the GEO location data files updated.
Note: because the domestic network environment sometimes cannot download the GEO data normally, I did not choose to install it above and instead ran the script manually, but found that running the script failed too, so let's open this shell script and see what data it actually needs to download.
# cd /opt/arkime/bin
# vim arkime_update_geo.sh
From the script, the main job is to copy two files into the /opt/arkime/conf directory and fix their permissions with chmod
#!/bin/bash
# Variables
DEST_DIR="${MOLOCH_DIR:-/opt/arkime}/etc"
TIMEOUT=${WGET_TIMEOUT:-30}

# Check we have a number for timeout
if ! [[ $TIMEOUT =~ ^[0-9]+$ ]] ; then
    echo "WGET_TIMEOUT isn't a number '$TIMEOUT'"
    exit 1;
fi

# Try and download ipv4-address-space.csv, only copy if it works
# (--no-check-certificate disables TLS certificate verification for this download)
FILENAME=$(mktemp)
wget -nv --timeout=${TIMEOUT} --no-check-certificate -O "$FILENAME" https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv
if (( $? == 0 )) ; then
    chmod a+r "$FILENAME"
    mv "$FILENAME" "${DEST_DIR}/ipv4-address-space.csv"
fi

# Try and download manuf, only copy if it works
FILENAME=$(mktemp)
wget -nv --timeout=${TIMEOUT} -O "$FILENAME" https://raw.githubusercontent.com/wireshark/wireshark/master/manuf
if (( $? == 0 )) ; then
    chmod a+r "$FILENAME"
    mv "$FILENAME" "${DEST_DIR}/oui.txt"
fi

# Call the maxmind geoipupdate program if available. See
# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
# https://dev.maxmind.com/geoip/geoipupdate/#For_Free_GeoLite2_Databases
if [ -x "/usr/bin/geoipupdate" ]; then
    /usr/bin/geoipupdate
    chmod a+r /usr/share/GeoIP/*.mmdb
fi
I have uploaded the files to CSDN; click to download. Extract the files into /opt/arkime/conf and adjust the permissions
# chmod a+r oui.txt
# chmod a+r ipv4-address-space.csv
Now the service can be started
# systemctl start arkimecapture.service
# systemctl status arkimecapture.service // check whether the arkimecapture service started successfully
6. Access the interface
Replace ipaddress with the IP of the server you installed on
http://ipaddress:8005