Download the naxsi source
# cd /usr/local/
# git clone https://github.com/nbs-system/naxsi.git
Install the pip tool
# yum install python-pip
Install the elasticsearch client module that nxtool.py depends on
# pip install elasticsearch
Install nxapi
# cd /usr/local/naxsi/nxapi/
# python setup.py install
Install the python GeoIP module
# yum install python-devel geoip-devel
# pip install geoip
Create the nxapi index in elasticsearch
# curl -XPUT 127.0.0.1:9200/nxapi
Configure nxapi
Edit nxapi.json: replace x.x.x.x below with the IP address of the elasticsearch host, then change the paths under "naxsi" to match your installation (with the clone location used above, the templates live in /usr/local/naxsi/nxapi/tpl/). Note that use_ssl is false and nothing in this setup authenticates the connection, so keep elasticsearch bound to a trusted interface. The relevant part of nxapi.json:
"elastic" : {
  "host" : "x.x.x.x:9200",
  "use_ssl" : false,
  "index" : "nxapi",
  "number_of_shards" : "4",
  "number_of_replicas" : "0",
  "doctype" : "events",
  "default_ttl" : "7200",
  "max_size" : "1000",
  "version" : "5"
},
"naxsi" : {
  "rules_path" : "/usr/local/nginx/conf/naxsi/naxsi_core.rules",
  "template_path" : [ "/usr/local/nxapi/tpl/" ],
  "geoipdb_path" : "/usr/local/nxapi/country2coords.txt"
},
Import the naxsi log into elasticsearch (the option is --files, as in the command list below; optparse also accepts the shorter --file)
# /usr/local/naxsi/nxapi/nxtool.py -c nxapi.json --files=/www/log/nginx/naxsi.log
Common nxapi commands (mytest.json stands for whatever config file you created above)
Delete the old index: curl -XDELETE 127.0.0.1:9200/nxapi
Create a new index: curl -XPUT 127.0.0.1:9200/nxapi
Store the naxsi alert log in ElasticSearch: python nxtool.py -c mytest.json --files=/www/log/naxsi.log
Check the state of the data in ElasticSearch and print a summary: python nxtool.py -c mytest.json -x
Verify that the nxapi index exists: curl 127.0.0.1:9200/_cat/indices?pretty
View the contents of the index: curl 127.0.0.1:9200/nxapi/_search?pretty
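To make concrete what the import step does with each line of naxsi.log, here is an added example; it is not nxtool.py's own code and not part of the naxsi project. It parses nginx error_log lines carrying NAXSI_FMT alerts into one document per matched rule, builds the NDJSON body an ES 5 _bulk call would take for the nxapi index, and totals hits per rule the way the `-x` summary does. The log lines are constructed samples; the field layout follows the NAXSI_FMT format (ip, server, uri, learning, vers, total_processed, total_blocked, block, then cscoreN/scoreN per score and zoneN/idN/var_nameN per match).

```python
import json
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl

# nginx error_log line carrying a naxsi alert:
#   "<date> [error] ... NAXSI_FMT: k=v&k=v..., client: ..., server: ..., request: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?NAXSI_FMT: (?P<qs>[^,]+)"
)
# Per-match keys carry a trailing index: zone0/id0/var_name0 for each rule hit,
# cscore0/score0 for each cumulative score name (indexed independently).
INDEXED_RE = re.compile(r"^(?P<key>cscore|score|zone|id|var_name)(?P<n>\d+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2017/03/01 10:00:01 [error] 1234#0: *10 NAXSI_FMT: ip=203.0.113.5&server=example.com&uri=/index.php&learning=0&vers=0.55.3&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=id, client: 203.0.113.5, server: example.com, request: "GET /index.php?id=1%27%20or%201=1 HTTP/1.1", host: "example.com"
2017/03/01 10:00:02 [error] 1234#0: *11 NAXSI_FMT: ip=198.51.100.7&server=example.com&uri=/login&learning=0&vers=0.55.3&total_processed=11&total_blocked=2&block=1&cscore0=$XSS&score0=8&cscore1=$SQL&score1=4&zone0=BODY&id0=1302&var_name0=user&zone1=BODY&id1=1010&var_name1=user, client: 198.51.100.7, server: example.com, request: "POST /login HTTP/1.1", host: "example.com"
2017/03/01 10:00:03 [error] 1234#0: *12 open() "/www/favicon.ico" failed (2: No such file or directory)
"""


def parse_naxsi_fmt(line):
    """Return one alert record for a NAXSI_FMT line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(parse_qsl(m.group("qs"), keep_blank_values=True))
    rec = {
        "date": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S").isoformat(),
        "scores": {},   # cumulative score name -> value, e.g. {"$SQL": 8}
        "matches": {},  # match index -> {"zone": ..., "id": ..., "var_name": ...}
    }
    cscores = {}
    for key, value in fields.items():
        im = INDEXED_RE.match(key)
        if not im:
            rec[key] = value  # ip, server, uri, learning, vers, block, ...
            continue
        name, n = im.group("key"), im.group("n")
        if name in ("cscore", "score"):
            cscores.setdefault(n, {})[name] = value
        else:
            rec["matches"].setdefault(n, {})[name] = value
    for pair in cscores.values():
        if "cscore" in pair:
            rec["scores"][pair["cscore"]] = int(pair.get("score", 0))
    return rec


def to_documents(lines):
    """Flatten alerts to one document per matched rule, the granularity nxtool indexes."""
    docs = []
    for line in lines:
        rec = parse_naxsi_fmt(line)
        if rec is None:
            continue
        for _, hit in sorted(rec["matches"].items(), key=lambda kv: int(kv[0])):
            docs.append({
                "date": rec["date"], "ip": rec.get("ip"), "server": rec.get("server"),
                "uri": rec.get("uri"), "block": int(rec.get("block", 0)),
                "learning": int(rec.get("learning", 0)),
                "zone": hit.get("zone"), "id": int(hit.get("id", 0)),
                "var_name": hit.get("var_name", ""), "scores": rec["scores"],
            })
    return docs


def bulk_payload(docs, index="nxapi", doctype="events"):
    """NDJSON body for POST /_bulk on ES 5.x: one action line, then one source line."""
    out = []
    for d in docs:
        out.append(json.dumps({"index": {"_index": index, "_type": doctype}}))
        out.append(json.dumps(d))
    return "\n".join(out) + "\n"


def summarize(docs):
    """Hit count per (zone, rule id), like the per-rule totals shown by nxtool.py -x."""
    return Counter((d["zone"], d["id"]) for d in docs)


if __name__ == "__main__":
    documents = to_documents(SAMPLE_LOG.splitlines())
    print(bulk_payload(documents), end="")
    for (zone, rule_id), count in summarize(documents).most_common():
        print("zone=%s id=%d hits=%d" % (zone, rule_id, count))
```

The third sample line is an ordinary nginx error without NAXSI_FMT and is skipped, which is also why nxtool only needs the naxsi lines from the error_log; pointing it at a log that mixes both is fine. To actually index the payload you would POST it to `127.0.0.1:9200/_bulk` with `Content-Type: application/x-ndjson`, and the `_search?pretty` query above then shows one hit per matched rule, not per request.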