Download the naxsi source
# cd /usr/local/
# git clone https://github.com/nbs-system/naxsi.git
Install pip
# yum install python-pip
Install the elasticsearch client library that nxtool.py depends on
# pip install elasticsearch
Install nxapi
# cd /usr/local/naxsi/nxapi/
# python setup.py install
Install the Python GeoIP module
# yum install python-devel geoip-devel
# pip install geoip
Create the nxapi index in elasticsearch
# curl -XPUT 127.0.0.1:9200/nxapi
Configure nxapi
Edit nxapi.json: replace x.x.x.x below with the IP address of the elasticsearch host, then change the paths in the naxsi section to match your installation.
"elastic" : {
    "host" : "x.x.x.x:9200",
    "use_ssl" : false,
    "index" : "nxapi",
    "number_of_shards" : "4",
    "number_of_replicas" : "0",
    "doctype" : "events",
    "default_ttl" : "7200",
    "max_size" : "1000",
    "version" : "5"
},
"naxsi" : {
    "rules_path" : "/usr/local/nginx/conf/naxsi/naxsi_core.rules",
    "template_path" : [ "/usr/local/nxapi/tpl/" ],
    "geoipdb_path" : "/usr/local/nxapi/country2coords.txt"
},
Import the naxsi log into elasticsearch
# /usr/local/naxsi/nxapi/nxtool.py -c nxapi.json --files=/www/log/nginx/naxsi.log
Common nxapi commands
Delete the old index:
# curl -XDELETE 127.0.0.1:9200/nxapi
Create a new index:
# curl -XPUT 127.0.0.1:9200/nxapi
Store the naxsi alert log in ElasticSearch:
# python nxtool.py -c mytest.json --files=/www/log/naxsi.log
Check the state of the data in ElasticSearch and print a summary analysis:
# python nxtool.py -c mytest.json -x
Verify that the nxapi index exists:
# curl 127.0.0.1:9200/_cat/indices/?pretty
View the contents of the index:
# curl 127.0.0.1:9200/nxapi/_search?pretty
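As an added example (not part of this page and not nxtool's own code), a small Python parser for the NAXSI_FMT lines in the naxsi.log that nxtool.py imports: it splits each event's fields, folds the numbered zone/id/var_name triples into a list, and builds the per-rule and per-zone hit counts that the nxtool.py -x overview reports. The log lines, addresses, hosts and rule ids in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample of the NAXSI_FMT lines nginx writes to its error log (the
# naxsi.log fed to nxtool.py --files). Addresses, hosts and rule ids are made up.
SAMPLE_LOG = """\
2019/03/01 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=www.example.test&uri=/index.php&learning=0&vers=0.56&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.0.2.10, server: www.example.test, request: "GET /index.php?id=1 HTTP/1.1", host: "www.example.test"
2019/03/01 10:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=192.0.2.11&server=www.example.test&uri=/login&learning=1&vers=0.56&total_processed=11&total_blocked=2&block=0&cscore0=$XSS&score0=8&zone0=BODY&id0=1302&var_name0=user&zone1=BODY&id1=1303&var_name1=user, client: 192.0.2.11, server: www.example.test, request: "POST /login HTTP/1.1", host: "www.example.test"
2019/03/01 10:00:03 [error] 1234#0: *3 open() "/var/www/missing" failed (2: No such file or directory)
"""

NAXSI_RE = re.compile(r"NAXSI_FMT: ([^ ,]+)")

def parse_naxsi_line(line):
    """One error-log line -> dict of NAXSI_FMT fields, or None if the line is not
    a naxsi event. zoneN/idN/var_nameN become 'matches', cscoreN/scoreN 'scores'."""
    m = NAXSI_RE.search(line)
    if not m:
        return None
    raw = dict(parse_qsl(m.group(1), keep_blank_values=True))
    event = {k: int(raw.pop(k)) for k in
             ("learning", "total_processed", "total_blocked", "block") if k in raw}
    matches, scores, n = [], {}, 0
    while "id%d" % n in raw:  # one triple per rule that matched
        matches.append({"zone": raw.pop("zone%d" % n, None),
                        "id": int(raw.pop("id%d" % n)),
                        "var_name": raw.pop("var_name%d" % n, "")})
        n += 1
    n = 0
    while "cscore%d" % n in raw:  # one pair per score counter, e.g. $SQL -> 8
        scores[raw.pop("cscore%d" % n)] = int(raw.pop("score%d" % n, 0))
        n += 1
    event.update(raw)  # ip, server, uri, vers stay as strings
    event["matches"], event["scores"] = matches, scores
    return event

def parse_log(text):
    """All naxsi events in a log file's text; other nginx error lines are skipped."""
    return [ev for ev in map(parse_naxsi_line, text.splitlines()) if ev]

def summarize(events):
    """Hits per rule id and per zone plus blocked count, like the nxtool.py -x overview."""
    by_id, by_zone = Counter(), Counter()
    for ev in events:
        for mt in ev["matches"]:
            by_id[mt["id"]] += 1
            by_zone[mt["zone"]] += 1
    return {"events": len(events), "blocked": sum(ev["block"] for ev in events),
            "by_id": dict(by_id), "by_zone": dict(by_zone)}
```

Running summarize(parse_log(SAMPLE_LOG)) on the constructed sample gives two events, one of them blocked, with rule 1000 hitting ARGS once and rules 1302 and 1303 hitting BODY; lines without NAXSI_FMT are ignored.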