You may not be familiar yet with Elasticsearch and Kibana. Before even trying out the punch features, it is a good idea to simply visit your local Kibana http://localhost:5601.
Start exploring the monitoring dashboards. These come with a companion monitoring agent called Metricbeat. It is shipped with the standalone punchplatform and is already running. You can see it running by typing the following command:
or even simpler:
The metricbeat collects various system and monitoring metrics and forwards them to Elasticsearch. You then visualise these through a Kibana dashboard. Execute the following command to load the metricbeat dashboards.
cd $PUNCHPLATFORM_CONF_DIR/../external/metricbeat-*-x86_64/ ./metricbeat setup -c metricbeat.yml --dashboards
Go back to Kibana. On the left-hand panel, select the Dashboard menu. You will see there a number of dashboards, ready to be visualised. Find and select the Metricbeat System Overview dashboard. You should see something like this:
The metricbeat dashboards let you visualise metrics of each of your computer hardware: cpu usage, disk usage, memory usage, etc. These metrics are generated by the Metricbeat.
The so-called Beats are the Elastic agents in charge of collecting various events (windows, network, host, files, audit). What you see here in action is the Metricbeat. Metricbeats are extensively used in the punch. They are deployed as part of the punchplatform setup and provide you with a complete view of your servers.
Let us now explore another beat: the Auditbeat. It monitors user activity and processes. Auditbeat communicates directly with the Linux audit framework and sends the events to the Elastic Stack in real time.
Because the auditbeat requires root privilege, it is not started automatically. Here is how you can start it:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
cd $PUNCHPLATFORM_CONF_DIR/../external/auditbeat-*/ sudo chown root auditbeat.yml # load the auditbeat dashboards (you can skip this step if you don't want the audit beat dashboard) # this step may takes up to 1 minute sudo ./auditbeat setup -c auditbeat.yml --dashboards # On Linux, there is an extra step: you must chose your architecture # For example, on a 64 bits computer, delete any unecessary 32-bits configuration files # Otherwise, delete the 64-bits files. rm audit.rules.d/*-32bit.conf # Go for it ! sudo ./auditbeat -c auditbeat.yml -e
You can now visit the "[Auditbeat] File Integrity" dashboard. Have fun discovering what you can learn from such a tool.
When you look for a dashboard use the top level search box. Simply type 'Aud' and it will automatically list the available audit beat dashboards.
The PunchPlatform comes with already made custom Kibana dashboard to easily start exploring your data. All these dashboards are currently stored on this Github repository https://github.com/punchplatform/samples/tree/craig-stable/kibana-dashboards. Each subfolder contains a JSON file and optionally a quick README description with a screenshot of the final result.
To import the dashboards, follow these quick steps:
- Go the Github repository and download a dashboard to your local filesystem (or do a
- Go to Kibana UI (i.e. localhost:5601)
- On the left-side panel, go to the "Management > Saved Objects > Import"
- Drag-n-drop or select the previous JSON file
- Go to the "Dashboard" tab and start exploring your data !