Elasticsearch 和arkime 安装

安装一定要注意版本号，不然使用不了

这里Ubuntu使用ubuntu-20.04.6-desktop-amd64.iso

elasticsearch这里使用Elasticsearch 7.17.5 | Elastic

arkime这里使用wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb

大家想用别的版本记得去看看哪个版本能配套，es和arkime对互相的版本有要求不然不能使用

elasticsearch-8.7.1-x86_64和 arkime-4.3.1-1.x86_64 应该是可以的

Elasticsearch 8.7.1 | Elastic

Release Version 4.3.1 · arkime/arkime · GitHub

单体ES安装

1.ES下载
Elasticsearch 7.17.5 | Elastic

tar -zxvf elasticsearch-7.17.5-linux-x86_64.tar.gz
mv elasticsearch-7.17.5 /usr/local/
cd /usr/local/elasticsearch-7.17.5/
nano config/elasticsearch.yml

/usr/local/elasticsearch-7.17.5/config# nano jvm.options

useradd es123

chown -R es123:es123 /usr/local/elasticsearch-7.17.5
cd /usr/local/elasticsearch-7.17.5/bin

nano /etc/security/limits.conf

* soft nofile 65536
* hard nofile 131072
* soft nproc 4096
* hard nproc 4096
es123 - nproc 65535

nano /etc/sysctl.conf

vm.max_map_count=262145

./elasticsearch

curl http://localhost:9200

安装arkime

如果选择使用 arkime-4.3.1-1.x86_64，去别的博客看看.dep包或者rpm怎么安装

wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb

apt install ./arkime_3.4.2-1_amd64.deb

/opt/arkime/bin/Configure

系统将要求您指定网络接口，如下所示：

Found interfaces: lo;eth0;eth1
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0

自己ifconfig

查看自己的，我这里是eth33

输入您的网络接口名称并按 Enter 键继续。配置完成后，您应该得到以下输出：

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200] 
Password to encrypt S2S and other things, don't use spaces [no-default] password
Arkime - Creating configuration files
Installing systemd start files, use systemctl
Arkime - Installing /etc/logrotate.d/arkime to rotate files after 7 days
Arkime - Installing /etc/security/limits.d/99-arkime.conf to make core and memlock unlimited
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO files

Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt

 4) The Configure script can install elasticsearch for you or you can install yourself
      systemctl start elasticsearch.service
 5) Initialize/Upgrade Elasticsearch Arkime configuration
  a) If this is the first install, or want to delete all data
      /opt/arkime/db/db.pl http://ESHOST:9200 init
  b) If this is an update to a moloch/arkime package
      /opt/arkime/db/db.pl http://ESHOST:9200 upgrade
 6) Add an admin user if a new install or after an init
      /opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin
 7) Start everything
      systemctl start arkimecapture.service
      systemctl start arkimeviewer.service
 8) Look at log files for errors
      /opt/arkime/logs/viewer.log
      /opt/arkime/logs/capture.log
 9) Visit http://arkimeHOST:8005 with your favorite browser.
      user: admin
      password: THEPASSWORD from step #6

If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://arkime.com/faq#maxmind

Any configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issues

Additional information can be found at:
  * https://arkime.com/faq
  * https://arkime.com/settings

按上面的文字来

初始化Elasticsearch Arkime配置

下载ipv4-address-space.csv 和oui.txt,并复制到/opt/arkime/etc/下赋权

ipv4-address-space.csv下载地址：https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv

oui.txt下载地址：standards-oui.ieee.org/oui/oui.txt

然后
mv ipv4-address-space.csv /opt/arkime/etc/

mv oui.txt /opt/arkime/etc/

chmod a+r /opt/arkime/etc/oui.txt
chmod a+r /opt/arkime/etc/ipv4-address-space.csv

opt/arkime/db/db.pl http://localhost:9200 init

/opt/arkime/bin/arkime_add_user.sh admin “Admin” 1234 --admin

##用户名admin 密码1234

启动服务
systemctl start arkimecapture.service
systemctl start arkimeviewer.service
systemctl enable arkimecapture.service
systemctl enable arkimeviewer.service