在centos上安裝moloch

使用moloch-1.6.1-1.x86_64.rpm進行安裝，環境centos7，Elasticsearch6.4.

在centos7上安裝時：

第一步：yum install -y perl-JSON  perl-libwww-perl libyaml-devel

第二步：rpm -ivh moloch-1.6.1-1.x86_64.rpm

第三步：/data/moloch/bin/Configure

按照提示進行配置：

Found interfaces: enxxx1;enxxx2;enxxx3;enxxx4;enxxx0;enxxx1;lo

Semicolon ';' seperated list of interfaces to monitor [eth1] enxxx2(按照上面所列出的網路卡介面，選擇捕獲資料包的網路卡)

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no（選擇no）

Elasticsearch server URL [http://localhost:9200] http://xxx.xxx.xxx.xxx:9200（輸入ES資料庫地址）

Password to encrypt S2S and other things [no-default] (輸入相關的密碼)

Moloch - Creating configuration files

Installing systemd start files, use systemctl

Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days

Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited

Download GEO files? (yes or no) [yes] yes（選擇yes，下載相關地理位置檔案）

Moloch - Downloading GEO files

2018-12-04 09:14:46 URL:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv [23031] -> "ipv4-address-space.csv" [1]

WARNING: timestamping does nothing in combination with -O. See the manual

for details.

2018-12-04 09:14:52 URL:https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country [1792881/1792881] -> "GeoLite2-Country.mmdb.gz" [1]

WARNING: timestamping does nothing in combination with -O. See the manual

for details.

2018-12-04 09:15:17 URL:https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN [3483756/3483756] -> "GeoLite2-ASN.mmdb.gz" [1]

2018-12-04 09:15:29 URL:https://raw.githubusercontent.com/wireshark/wireshark/master/manuf [1523729/1523729] -> "oui.txt" [1]

Moloch - Configured - Now continue with step 4 in /data/moloch/README.txt

      /sbin/start elasticsearch # for upstart/Centos 6/Ubuntu 14.04

      systemctl start elasticsearch.service # for systemd/Centos 7/Ubuntu 16.04

5) Initialize/Upgrade Elasticsearch Moloch configuration

  a) If this is the first install, or want to delete all data

      /data/moloch/db/db.pl http://ESHOST:9200 init

  b) If this is an update to moloch package

      /data/moloch/db/db.pl http://ESHOST:9200 upgrade

6) Add an admin user if a new install or after an init

      /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin

7) Start everything

  a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):

      /sbin/start molochcapture

      /sbin/start molochviewer

  b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04)

      systemctl start molochcapture.service

      systemctl start molochviewer.service

8) Look at log files for errors

      /data/moloch/logs/viewer.log

      /data/moloch/logs/capture.log

9) Visit http://MOLOCHHOST:8005 with your favorite browser.

      user: admin

      password: THEPASSWORD from step #6

第四步：/data/moloch/db/db.pl http://xx.xx.xx.xx:9200 init

第五步：/data/moloch/bin/moloch_add_user.sh admin "Admin User" 這裡輸入admin的密碼 --admin

第六步：調整ES資料庫的刪除週期

cd /data/moloch/db

vi daily.sh

#!/bin/sh

# This script is only needed for Moloch deployments that monitor live traffic.

# It drops the old index and optimizes yesterdays index.

# It should be run once a day during non peak time.

# CONFIG

ESHOSTPORT=xxx.xxx.xxx.xxx:9200（修改）

RETAINNUMDAYS=7（修改）

/data/moloch/db/db.pl $ESHOSTPORT expire daily $RETAINNUMDAYS

然後：使用命令crontab -e

編輯寫入以下內容：00 01 * * * /data/moloch/db/daily.sh >> /data/moloch/logs/daily.log 2>&1

使用crontab -l檢視是否成功

第七步：調整pcap刪除週期

cd /data/moloch/etc

vi config.ini

freeSpaceG = 20%(根據自己需要，修改臨界值用於刪除pcap)

最後：

啟動服務：

systemctl start molochcapture.service

systemctl start molochviewer.service

在瀏覽器中輸入http://xx.xx.xx.xx:8005

http://hackforlab.com/moloch-usage/

https://qbox.io/blog/introduction-using-moloch-elasticsearch

http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/