安装一定要注意版本号，不然使用不了

这里Ubuntu使用ubuntu-20.04.6-desktop-amd64.iso

elasticsearch这里使用Elasticsearch 7.17.5 | Elastic

arkime这里使用wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb

大家想用别的版本记得去看看哪个版本能配套，es和arkime对互相的版本有要求不然不能使用

 elasticsearch-8.7.1-x86_64和 arkime-4.3.1-1.x86_64 应该是可以的

Elasticsearch 8.7.1 | Elastic

Release Version 4.3.1 · arkime/arkime · GitHub

Ubuntu新机

sudo apt upgrade

sudo apt install open-vm-tools-desktop -y

sudo reboot

然后换源

cp /etc/apt/source.list /etc/apt/source.list.bak

sudo apt update

nano /etc/apt/source.list

deb https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse

deb https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse

deb https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse

# deb https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
# deb-src https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse

deb https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
 

单体ES安装

1.ES下载
Elasticsearch 7.17.5 | Elastic

tar -zxvf elasticsearch-7.17.5-linux-x86_64.tar.gz 
mv elasticsearch-7.17.5 /usr/local/
cd /usr/local/elasticsearch-7.17.5/
nano config/elasticsearch.yml 

/usr/local/elasticsearch-7.17.5/config# nano jvm.options

useradd es123

chown -R es123:es123 /usr/local/elasticsearch-7.17.5
cd /usr/local/elasticsearch-7.17.5/bin

nano /etc/security/limits.conf

* soft nofile 65536
* hard nofile 131072
* soft nproc 4096
* hard nproc 4096
es123 -  nproc  65535
 

nano /etc/sysctl.conf

vm.max_map_count=262145

./elasticsearch

 

curl http://localhost:9200

安装arkime

如果选择使用 arkime-4.3.1-1.x86_64，去别的博客看看.dep包或者rpm怎么安装

wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb

apt install ./arkime_3.4.2-1_amd64.deb

/opt/arkime/bin/Configure

系统将要求您指定网络接口，如下所示：

Found interfaces: lo;eth0;eth1
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0

自己ifconfig

查看自己的，我这里是eth33

输入您的网络接口名称并按 Enter 键继续。配置完成后，您应该得到以下输出：

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200] 
Password to encrypt S2S and other things, don't use spaces [no-default] password
Arkime - Creating configuration files
Installing systemd start files, use systemctl
Arkime - Installing /etc/logrotate.d/arkime to rotate files after 7 days
Arkime - Installing /etc/security/limits.d/99-arkime.conf to make core and memlock unlimited
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO filesArkime - Configured - Now continue with step 4 in /opt/arkime/README.txt4) The Configure script can install elasticsearch for you or you can install yourselfsystemctl start elasticsearch.service5) Initialize/Upgrade Elasticsearch Arkime configurationa) If this is the first install, or want to delete all data/opt/arkime/db/db.pl http://ESHOST:9200 initb) If this is an update to a moloch/arkime package/opt/arkime/db/db.pl http://ESHOST:9200 upgrade6) Add an admin user if a new install or after an init/opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin7) Start everythingsystemctl start arkimecapture.servicesystemctl start arkimeviewer.service8) Look at log files for errors/opt/arkime/logs/viewer.log/opt/arkime/logs/capture.log9) Visit http://arkimeHOST:8005 with your favorite browser.user: adminpassword: THEPASSWORD from step #6If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program.
See https://arkime.com/faq#maxmindAny configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issuesAdditional information can be found at:* https://arkime.com/faq* https://arkime.com/settings

按上面的文字来

初始化Elasticsearch Arkime配置

下载ipv4-address-space.csv 和oui.txt,并复制到/opt/arkime/etc/下赋权

ipv4-address-space.csv下载地址：https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv

注意：这里大部分的博客原地址都找不到了，这是我后面找出来的，如果地址失效就找 manuf项目

oui.txt下载地址：项目文件预览 - manuf:Parser library for Wireshark's OUI database. - GitCode

把manuf改名oui.txt

然后
mv ipv4-address-space.csv /opt/arkime/etc/

mv oui.txt /opt/arkime/etc/

1. chmod a+r /opt/arkime/etc/oui.txt
2. chmod a+r /opt/arkime/etc/ipv4-address-space.csv

/opt/arkime/db/db.pl http://localhost:9200 init

/opt/arkime/bin/arkime_add_user.sh admin “Admin” 1234 --admin

##用户名admin 密码1234

启动服务
systemctl start arkimecapture.service
systemctl start arkimeviewer.service
systemctl enable arkimecapture.service
systemctl enable arkimeviewer.service

tail -f /opt/arkime/logs/capture.log//查看日志

sudo systemctl status arkimecapture//检查状态

sudo systemctl restart arkimecapture//重启

访问

http://IP:8005
就可以访问啦，然后在弹出的框输入账号密码即可

注意是8005端口

以下是在别的博客看见的先记一下

高性能配置
修改arkime配置文件/opt/arkime/etc/config.ini 启用如下参数

magicMode=basic
pcapReadMethod=tpacketv3
tpacketv3NumThreads=2
pcapWriteMethod=simple
pcapWriteSize=2560000
packetThreads=5
maxPacketsInQueue=200000

注：修改配置文件后，要重启arkime服务
systemctl restart arkimecapture