Foreword

I don't recommend using Elkeid, for these reasons:

  • The open-source version is N major versions behind the commercial one
  • Sales have already said the open-source version will no longer be updated
  • The installation docs are so vague they are effectively nonexistent
  • There are no rule docs either; the idea is to keep you from writing rules so you buy their commercial version
  • In the current version, 1.9.1, a finished rule dropped into the rules directory doesn't even take effect, and the frontend has nowhere to add rules

Bottom line: don't waste your time, the open-source version of this thing is a pile of shit

Image configuration

First you need to download an image. Because of this thing's quirks you can only use CentOS 7.x or Debian 9/10; don't tempt fate, I tried Kali and Ubuntu and both ended in failure.

  • Image: debian 10
  • IP: 192.168.23.137
  • Disk: 80G
  • CPU: 8 cores
  • Account: xiaomi

Environment configuration

First set up SSH. It matters a lot here; if it isn't configured properly the installation later runs into all kinds of pitfalls.

Install SSH first so you can connect remotely, which saves installing vm-tools in the VM.

apt-get install -y ssh
/etc/init.d/ssh start

Then connect remotely

ssh xiaomi@192.168.23.137

Edit the SSH configuration with vim /etc/ssh/sshd_config and change the settings to the following

Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PermitEmptyPasswords yes

Then restart it

/etc/init.d/ssh restart
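The four lines above turn on password root login and empty-password login, which is what the post needed to get elkeidup's SSH-based deploy working. As an added example (not code from the post or from Elkeid), the script below audits an sshd_config for exactly those two directives and writes a copy with the key-only alternative. It assumes the `/root/.ssh/id_rsa` key that the deploy log later names is set up for root's key-based login, so `PermitRootLogin prohibit-password` keeps elkeidup working while refusing password logins for root; all function names are mine, and the sample config is a constructed copy of the post's settings.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Elkeid: audit an sshd_config
# for the two directives the post loosens and write a key-only alternative.
# Assumption: elkeidup reaches the host as root with /root/.ssh/id_rsa (as the
# deploy log shows), so "PermitRootLogin prohibit-password" is enough for it.

# Print the effective value of a directive. sshd uses the FIRST occurrence of a
# keyword, so we stop at the first match; keywords are case-insensitive.
sshd_directive() {
    local cfg=$1 key
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == key { print $2; exit }
    ' "$cfg"
}

# Report risky authentication settings on stderr and print the count on stdout,
# so a caller can both read the findings and branch on the number.
audit_sshd_config() {
    local cfg=$1 findings=0 v
    v=$(sshd_directive "$cfg" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    if [ "$v" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in with a password; prohibit-password allows key-based root login only" >&2
        findings=$((findings + 1))
    fi
    v=$(sshd_directive "$cfg" PermitEmptyPasswords | tr '[:upper:]' '[:lower:]')
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords yes: accounts with an empty password can log in" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Write a copy of "$1" to "$2" with the two directives tightened; every other
# line (Port, ListenAddress, ...) passes through unchanged.
harden_sshd_config() {
    sed -E \
        -e 's/^[[:space:]]*PermitRootLogin[[:space:]]+yes[[:space:]]*$/PermitRootLogin prohibit-password/' \
        -e 's/^[[:space:]]*PermitEmptyPasswords[[:space:]]+yes[[:space:]]*$/PermitEmptyPasswords no/' \
        "$1" > "$2"
}

# Demo on a constructed copy of the post's settings (the live file is /etc/ssh/sshd_config).
demo_sshd_audit() {
    local dir
    dir=$(mktemp -d)
    printf 'Port 22\nListenAddress 0.0.0.0\nPermitRootLogin yes\nPermitEmptyPasswords yes\n' > "$dir/sshd_config"
    echo "findings before: $(audit_sshd_config "$dir/sshd_config")"
    harden_sshd_config "$dir/sshd_config" "$dir/sshd_config.hardened"
    echo "findings after:  $(audit_sshd_config "$dir/sshd_config.hardened")"
    cat "$dir/sshd_config.hardened"
    rm -rf "$dir"
}

demo_sshd_audit
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; `sshd -T` shows the effective values sshd itself resolved if you want to cross-check the first-match rule.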

Then switch to a different apt mirror

vi /etc/apt/sources.list

deb https://mirrors.ustc.edu.cn/debian/ buster main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ buster-updates main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ buster-backports main contrib non-free
deb https://mirrors.ustc.edu.cn/debian-security/ buster/updates main contrib non-free

deb-src https://mirrors.ustc.edu.cn/debian/ buster main contrib non-free
deb-src https://mirrors.ustc.edu.cn/debian/ buster-updates main contrib non-free
deb-src https://mirrors.ustc.edu.cn/debian/ buster-backports main contrib non-free
deb-src https://mirrors.ustc.edu.cn/debian-security/ buster/updates main contrib non-free

Next, install these packages

apt install -y libcurl4
apt install -y vim
apt install -y wget

Installing Elkeid

First run these two commands

rm -rf /elkeid
systemctl stop redis-server

Download the package

wget https://github.com/bytedance/Elkeid/releases/download/v1.9.1.4/elkeidup_package_v1.9.1.tar.gz.00
wget https://github.com/bytedance/Elkeid/releases/download/v1.9.1.4/elkeidup_package_v1.9.1.tar.gz.01
wget https://github.com/bytedance/Elkeid/releases/download/v1.9.1.4/elkeidup_package_v1.9.1.tar.gz.02

If you downloaded it somewhere else, you can copy it to the server with the following command

scp -P 22 "D:\Downloads\elkeidup_package_v1.9.1.tar.gz.02" root@192.168.23.137:/home/xiaomi

Merge the package parts

cat elkeidup_package_v1.9.1.tar.gz.* > elkeidup_package_v1.9.1.tar.gz

Move the package into place

mkdir -p /root/.elkeidup && cd /root/.elkeidup
mv /home/xiaomi/elkeidup_package_v1.9.1.tar.gz elkeidup_package_v1.9.1.tar.gz

Extract it and set the execute bit

tar -xf elkeidup_package_v1.9.1.tar.gz
chmod a+x /root/.elkeidup/elkeidup
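`cat elkeidup_package_v1.9.1.tar.gz.* > ...` relies on the glob sorting the parts correctly and gives no error if one part never finished downloading; tar only fails later, deep into the extraction. The following is an added example (not code from the post or from Elkeid) that does the same reassembly with the checks worth having first: the part sequence is contiguous, the merged stream reads as a complete tar.gz, and its SHA-256 matches a value obtained separately from the parts. The function names are mine, and the sample archive is constructed locally so the script runs offline; for the real release the base name would be `elkeidup_package_v1.9.1.tar.gz`.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Elkeid: reassemble a split
# archive (.00, .01, .02 parts, as in the Elkeid release) with integrity checks.

# List the parts of "$1" (base name without suffix) in numeric order. Fail if the
# run is not contiguous: the shell glob sorts lexically, which is fine for two-digit
# suffixes, but a missing .01 would still make cat produce a truncated archive
# without any error.
list_parts() {
    local base=$1 i=0 part present
    while :; do
        part=$(printf '%s.%02d' "$base" "$i")
        [ -e "$part" ] || break
        echo "$part"
        i=$((i + 1))
    done
    [ "$i" -gt 0 ] || { echo "no parts found for $base" >&2; return 1; }
    present=$(ls "$base".[0-9][0-9] 2>/dev/null | wc -l)
    [ "$present" -eq "$i" ] || { echo "gap in part sequence: $present files, contiguous run of $i" >&2; return 1; }
}

# Concatenate the parts into "$1" and make sure the whole stream reads as a
# gzip'd tar: tar -t has to decompress and walk the entire archive, so a
# truncated or mis-ordered file fails here instead of mid-extraction.
merge_parts() {
    local base=$1 parts
    parts=$(list_parts "$base") || return 1
    # $parts is newline-separated; the paths used here contain no whitespace.
    # shellcheck disable=SC2086
    cat $parts > "$base"
    tar -tzf "$base" > /dev/null 2>&1 || { echo "merged archive is not a valid tar.gz" >&2; return 1; }
}

# Compare the merged file against a SHA-256 published separately from the parts.
verify_sha256() {
    local actual
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed sample: a small tar.gz split into parts with the same .00/.01/...
# suffixes as the Elkeid release; its SHA-256 is recorded beside the parts.
make_sample_parts() {
    local dir=$1 base="$dir/sample_package.tar.gz"
    mkdir -p "$dir/payload"
    seq 1 50 > "$dir/payload/a.txt"
    tar -czf "$base" -C "$dir" payload
    sha256sum "$base" | cut -d' ' -f1 > "$dir/expected.sha256"
    split -b 48 -d -a 2 "$base" "$base."
    rm "$base"
    echo "$base"
}

demo_merge() {
    local dir base
    dir=$(mktemp -d)
    base=$(make_sample_parts "$dir")
    ls "$dir"
    if merge_parts "$base" && verify_sha256 "$base" "$(cat "$dir/expected.sha256")"; then
        echo "merged and verified: $base"
    else
        echo "merge failed"
    fi
    rm -rf "$dir"
}

demo_merge
```

The checksum has to come from somewhere other than the download directory itself, which is why `verify_sha256` takes it as an argument rather than reading a `.sha256` file next to the parts.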

Set the host IP in the config

./elkeidup init --host 192.168.23.137
mv config_example.yaml config.yaml

Finally run the installation

sudo ./elkeidup deploy

If everything is normal you should see this

root@debian:~/.elkeidup# sudo ./elkeidup deploy
[INFO] 2025-05-12T19:55:10+08:00 use elkeidup home dir: /root/.elkeidup
[INFO] 2025-05-12T19:55:10+08:00 Elkeidup Home size:70.4G, avail:50.4G
[INFO] 2025-05-12T19:55:10+08:00 Using config file: /root/.elkeidup/config.yaml
----Elkeid Community Edition Information Collection Statement----


Automatic Download Missed Precompiled Kernel Model Service Enable Prompt:

Service background:
Elkeid Driver works in kernel mode. Since the kernel requires the loaded
kernel module to be strongly bound to the kernel version, we cannot
occupy the resources of the client to compile ko on the client when
installing the agent. Therefore, we provide precompiled ko in the release
package to avoid manual compilation of ko every time. Currently, a total
of 3435 precompiled ko are included. But there are still two problems
that cannot be solved. One is that it cannot be updated in real time.
After the upstream distribution updates the kernel, we cannot and do
not have manpower to update the precompiled ko to the release
synchronously. Second, the coverage is limited, and we may encounter
the kernel used by the distribution we have not used. To this end, we
provide the function of automatically downloading the missing precompiled ko.
This function is mainly to notify our relevant classmates. The version's ko
has customers on trial, update or support the distribution as soon as possible.
If you agree to enable the service, we need to collect some basic operation
information at the same time, so that we can customize the priority schedule
according to users with different needs, and give a reasonable resource
occupation assessment. The email information filled in is only used to
distinguish the identity of the source, either real email or nickname.

The specific information is as follows:
1. Missing the kernel version of the precompiled ko, the server architecture
(only choose one of arm64 or amd64, and do not involve any other cpu machine
information).
2. The number of connections of the agent on the agent center, collected
every 30min.
3. The qps of the agent on the agent center, including send and receive,
are collected every 30min, and the average value of 30min is taken.
4. Hub input qps, collected every 30min, take the average value of 30min.
5. redis qps, collected every 30min, take the average value of 30min.
6. redis memory usage, collected every 30min, real-time value.
7. The qps of kafka production and consumption are collected every 30min

Page Up/Down or j/k to browse full text
Press q/n to quit or y to accept

Thanks to accept the collected list.
[INFO] 2025-05-12T19:55:12+08:00 Please input your email, if you do not wish to be contacted, you can only input your nick name
Email: ascotbe@gmail.com
[INFO] 2025-05-12T19:55:18+08:00 Start to check the Checker configuration
[SUCC] 2025-05-12T19:55:18+08:00 The Checker pass the test.
[INFO] 2025-05-12T19:55:18+08:00 Start to check the NodeExporter configuration
[SUCC] 2025-05-12T19:55:18+08:00 The NodeExporter pass the test.
[INFO] 2025-05-12T19:55:18+08:00 Start to check the Redis configuration
[INFO] 2025-05-12T19:55:18+08:00 Use recovered password Redis: 0t8671mjccf76d172q
[INFO] 2025-05-12T19:55:18+08:00 create random redis password: 0t8671mjccf76d172q
[SUCC] 2025-05-12T19:55:22+08:00 The Redis pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the Kafka configuration
[SUCC] 2025-05-12T19:55:22+08:00 The Kafka pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the MongoDB configuration
[SUCC] 2025-05-12T19:55:22+08:00 The MongoDB pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the MongoDBLeaderData configuration
[SUCC] 2025-05-12T19:55:22+08:00 The MongoDBLeaderData pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the MongoDBManagerData configuration
[SUCC] 2025-05-12T19:55:22+08:00 The MongoDBManagerData pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the ServiceDiscovery configuration
[SUCC] 2025-05-12T19:55:22+08:00 The ServiceDiscovery pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the Manager configuration
[SUCC] 2025-05-12T19:55:22+08:00 The Manager pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the AgentCenter configuration
[SUCC] 2025-05-12T19:55:22+08:00 The AgentCenter pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the HubLeader configuration
[SUCC] 2025-05-12T19:55:22+08:00 The HubLeader pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the Hub configuration
[SUCC] 2025-05-12T19:55:22+08:00 The Hub pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the Nginx configuration
[INFO] 2025-05-12T19:55:22+08:00 Use recovered password nginx_uploader:admin 76p3do1k6mc8thf082
[SUCC] 2025-05-12T19:55:22+08:00 The Nginx pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the RedisExporter configuration
[SUCC] 2025-05-12T19:55:22+08:00 The RedisExporter pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the MongoDB Exporter configuration
[SUCC] 2025-05-12T19:55:22+08:00 The MongoDB Exporter pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the ZookeeperExporter configuration
[SUCC] 2025-05-12T19:55:22+08:00 The ZookeeperExporter pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the KafkaExporter configuration
[SUCC] 2025-05-12T19:55:22+08:00 The KafkaExporter pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the PrometheusAlertManager configuration
[SUCC] 2025-05-12T19:55:22+08:00 The PrometheusAlertManager pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the Prometheus configuration
[INFO] 2025-05-12T19:55:22+08:00 Use recovered password prometheus:admin 93i5fmpm5t11935dg4
[SUCC] 2025-05-12T19:55:22+08:00 The Prometheus pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Start to check the Grafana configuration
[SUCC] 2025-05-12T19:55:22+08:00 The Grafana pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Checker extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The Checker pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the NodeExporter extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The NodeExporter pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Redis extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The Redis pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Kafka extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The Kafka pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the MongoDB extra configuration
[INFO] 2025-05-12T19:55:41+08:00 Use recovered password Mongodb:admin b046rg3n668f572711
[INFO] 2025-05-12T19:55:41+08:00 Create Random 'admin' user Mongodb Password: b046rg3n668f572711
[INFO] 2025-05-12T19:55:41+08:00 Use recovered password Mongodb:elkeid 3dbaem68is442e8k72
[INFO] 2025-05-12T19:55:41+08:00 Create Random 'elkeid' user Mongodb Password: 3dbaem68is442e8k72
[SUCC] 2025-05-12T19:55:41+08:00 The MongoDB pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the MongoDBLeaderData extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The MongoDBLeaderData pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the MongoDBManagerData extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The MongoDBManagerData pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the ServiceDiscovery extra configuration
[INFO] 2025-05-12T19:55:41+08:00 Use recovered AC:AK lpqat4ycbpnlcmjo
[INFO] 2025-05-12T19:55:41+08:00 Use recovered AC:SK lxbbhdp3vmg21i022uvvoe0gyjrp0yk9
[INFO] 2025-05-12T19:55:41+08:00 Use recovered MG:AK emc6s2c2hyzaem4c
[INFO] 2025-05-12T19:55:41+08:00 Use recovered MG:SK bix7pynwkhdxwyuisyx61fvrppry3ktc
[INFO] 2025-05-12T19:55:41+08:00 Use recovered LD:AK xitghns2z5jgob9j
[INFO] 2025-05-12T19:55:41+08:00 Use recovered LD:SK zc0k183rt8blq7m6rd2w4qx8aryz7phx
[INFO] 2025-05-12T19:55:41+08:00 Generate random AcKeys: lpqat4ycbpnlcmjo, lxbbhdp3vmg21i022uvvoe0gyjrp0yk9
[INFO] 2025-05-12T19:55:41+08:00 Generate random MgKeys: emc6s2c2hyzaem4c, bix7pynwkhdxwyuisyx61fvrppry3ktc
[INFO] 2025-05-12T19:55:41+08:00 Generate random LeaderKeys: xitghns2z5jgob9j, zc0k183rt8blq7m6rd2w4qx8aryz7phx
[SUCC] 2025-05-12T19:55:41+08:00 The ServiceDiscovery pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Manager extra configuration
[INFO] 2025-05-12T19:55:41+08:00 Use recovered password elkeid_console:root k4s641f691f84s786mQX
[INFO] 2025-05-12T19:55:41+08:00 Create Random Manger 'root' Password: k4s641f691f84s786mQX
[INFO] 2025-05-12T19:55:41+08:00 Use recovered password elkeid_console:admin 9ac33a16c05o6ck58lDZ
[INFO] 2025-05-12T19:55:41+08:00 Create Random Manger 'admin' Password: 9ac33a16c05o6ck58lDZ
[SUCC] 2025-05-12T19:55:41+08:00 The Manager pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the AgentCenter extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The AgentCenter pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the HubLeader extra configuration
[INFO] 2025-05-12T19:55:41+08:00 Use recovered password elkeid_hub_frontend:elkeid_hub 5817b51m30k2d3r43kFG
[INFO] 2025-05-12T19:55:41+08:00 Create User for HUB, Password: 5817b51m30k2d3r43kFG
[SUCC] 2025-05-12T19:55:41+08:00 The HubLeader pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Hub extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The Hub pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Nginx extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The Nginx pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the RedisExporter extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The RedisExporter pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the MongoDB Exporter extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The MongoDB Exporter pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the ZookeeperExporter extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The ZookeeperExporter pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the KafkaExporter extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The KafkaExporter pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the PrometheusAlertManager extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The PrometheusAlertManager pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Prometheus extra configuration
[SUCC] 2025-05-12T19:55:41+08:00 The Prometheus pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start to prepare the Grafana extra configuration
[INFO] 2025-05-12T19:55:41+08:00 Use recovered password grafana:admin 7r7i2pp27t024fl1pq
[SUCC] 2025-05-12T19:55:41+08:00 The Grafana pass the test.
[INFO] 2025-05-12T19:55:41+08:00 Start PingCheck. This will take several minutes.
[INFO] 2025-05-12T19:55:41+08:00 --- Start to deploy Elkeid Backend ---
[INFO] 2025-05-12T19:55:41+08:00 Start to deploy the Checker
[INFO] 2025-05-12T19:55:48+08:00 pre check success in host: 192.168.23.137
[INFO] 2025-05-12T19:55:48+08:00 2025/05/12 19:55:48 /elkeid current exist, it's a dir
[INFO] 2025-05-12T19:55:48+08:00 2025/05/12 19:55:48 disk check done, mount at /, size is 70.4G, avail is 50.4G
[SUCC] 2025-05-12T19:56:53+08:00 Checker installation is complete.
[INFO] 2025-05-12T19:56:53+08:00 Start to deploy the NodeExporter
[SUCC] 2025-05-12T19:57:17+08:00 192.168.23.137 elkeid_node_exporter active
[SUCC] 2025-05-12T19:57:44+08:00 192.168.23.137 elkeid_process_exporter active
[SUCC] 2025-05-12T19:57:44+08:00 NodeExporter installation is complete.
[INFO] 2025-05-12T19:57:44+08:00 Start to deploy the Redis
[INFO] 2025-05-12T19:57:44+08:00 Redis will be installed at:
[INFO] 2025-05-12T19:57:44+08:00 192.168.23.137
[SUCC] 2025-05-12T19:58:39+08:00 Redis standalone model validate success
[SUCC] 2025-05-12T19:58:39+08:00 Redis installation is complete.
[INFO] 2025-05-12T19:58:39+08:00 Start to deploy the Kafka
[INFO] 2025-05-12T19:58:39+08:00 Kafka will be installed at:
[INFO] 2025-05-12T19:58:39+08:00 192.168.23.137
[INFO] 2025-05-12T19:58:39+08:00 Create 'admin' for Kafka, Password: 'elkeid'
[INFO] 2025-05-12T20:00:19+08:00 Sleep 20 second to wait kafka startup
[INFO] 2025-05-12T20:00:39+08:00 Kafka Dial Leader broker success, offset=0 whence=0
[SUCC] 2025-05-12T20:00:39+08:00 Kafka validate success
[SUCC] 2025-05-12T20:00:39+08:00 Kafka installation is complete.
[INFO] 2025-05-12T20:00:39+08:00 Start to deploy the MongoDB
[INFO] 2025-05-12T20:00:39+08:00 Mongodb will be installed at:
[INFO] 2025-05-12T20:00:39+08:00 192.168.23.137
[SUCC] 2025-05-12T20:03:16+08:00 Mongodb validate success
[INFO] 2025-05-12T20:03:18+08:00 Now start restore DB, this will take several minutes.
[SUCC] 2025-05-12T20:03:21+08:00 MongoDB installation is complete.
[INFO] 2025-05-12T20:03:21+08:00 Start to deploy the MongoDBLeaderData
[INFO] 2025-05-12T20:03:21+08:00 Now start restore Leader DB, this will take several minutes.
[INFO] 2025-05-12T20:03:59+08:00 now update hub config
[INFO] 2025-05-12T20:03:59+08:00 Now add kafka auth for hub
[INFO] 2025-05-12T20:03:59+08:00 Now add kafka auth for hub
[SUCC] 2025-05-12T20:03:59+08:00 MongoDBLeaderData installation is complete.
[INFO] 2025-05-12T20:03:59+08:00 Start to deploy the MongoDBManagerData
[INFO] 2025-05-12T20:03:59+08:00 Now start restore Manager DB, this will take several minutes.
[SUCC] 2025-05-12T20:04:25+08:00 MongoDBManagerData installation is complete.
[INFO] 2025-05-12T20:04:25+08:00 Start to deploy the ServiceDiscovery
[INFO] 2025-05-12T20:04:25+08:00 Service Discovery will be installed at:
[INFO] 2025-05-12T20:04:25+08:00 192.168.23.137
[SUCC] 2025-05-12T20:04:59+08:00 ServiceDiscovery installation is complete.
[INFO] 2025-05-12T20:04:59+08:00 Start to deploy the Manager
[INFO] 2025-05-12T20:04:59+08:00 Manager will be installed at:
[INFO] 2025-05-12T20:04:59+08:00 192.168.23.137
[INFO] 2025-05-12T20:04:59+08:00 Generate new agent cert..
[SUCC] 2025-05-12T20:06:05+08:00 Manager installation is complete.
[INFO] 2025-05-12T20:06:05+08:00 Start to deploy the AgentCenter
[INFO] 2025-05-12T20:06:05+08:00 Agent Center will be installed at:
[INFO] 2025-05-12T20:06:05+08:00 192.168.23.137
[SUCC] 2025-05-12T20:07:18+08:00 AgentCenter installation is complete.
[INFO] 2025-05-12T20:07:18+08:00 Start to deploy the HubLeader
[INFO] 2025-05-12T20:07:18+08:00 HUB Leader will be installed at:
[INFO] 2025-05-12T20:07:18+08:00 192.168.23.137
[SUCC] 2025-05-12T20:08:33+08:00 HubLeader installation is complete.
[INFO] 2025-05-12T20:08:33+08:00 Start to deploy the Hub
[INFO] 2025-05-12T20:08:33+08:00 HUB will be installed at: 192.168.23.137
[INFO] 2025-05-12T20:08:33+08:00 HUB install, install cluster: security.elkeid.hub, install host: 192.168.23.137
[SUCC] 2025-05-12T20:09:59+08:00 Hub installation is complete.
[INFO] 2025-05-12T20:09:59+08:00 Start to deploy the Nginx
[INFO] 2025-05-12T20:09:59+08:00 Nginx will be installed at: {192.168.23.137 192.168.23.137 22 root /root/.ssh/id_rsa}
[INFO] 2025-05-12T20:11:19+08:00 Nginx Uploader will be installed at: {192.168.23.137 192.168.23.137 22 root /root/.ssh/id_rsa}
[SUCC] 2025-05-12T20:11:58+08:00 192.168.23.137 elkeid_nginx_uploader active
[INFO] 2025-05-12T20:12:01+08:00 Nginx connect test successfully.
[INFO] 2025-05-12T20:12:01+08:00 Nginx http get http://192.168.23.137:8089/ping success, resp code is 200
[SUCC] 2025-05-12T20:12:01+08:00 Nginx installation is complete.
[INFO] 2025-05-12T20:12:01+08:00 Start to deploy the RedisExporter
[SUCC] 2025-05-12T20:12:32+08:00 192.168.23.137 elkeid_redis_exporter active
[SUCC] 2025-05-12T20:12:32+08:00 RedisExporter installation is complete.
[INFO] 2025-05-12T20:12:32+08:00 Start to deploy the MongoDB Exporter
[SUCC] 2025-05-12T20:12:58+08:00 192.168.23.137 elkeid_mongodb_exporter active
[SUCC] 2025-05-12T20:12:58+08:00 MongoDB Exporter installation is complete.
[INFO] 2025-05-12T20:12:58+08:00 Start to deploy the ZookeeperExporter
[SUCC] 2025-05-12T20:13:27+08:00 192.168.23.137 elkeid_zookeeper_exporter active
[SUCC] 2025-05-12T20:13:27+08:00 ZookeeperExporter installation is complete.
[INFO] 2025-05-12T20:13:27+08:00 Start to deploy the KafkaExporter
[SUCC] 2025-05-12T20:13:58+08:00 192.168.23.137 elkeid_kafka_exporter active
[SUCC] 2025-05-12T20:13:58+08:00 KafkaExporter installation is complete.
[INFO] 2025-05-12T20:13:58+08:00 Start to deploy the PrometheusAlertManager
[SUCC] 2025-05-12T20:14:32+08:00 192.168.23.137 elkeid_prometheus_alertmanager active
[SUCC] 2025-05-12T20:14:32+08:00 PrometheusAlertManager installation is complete.
[INFO] 2025-05-12T20:14:32+08:00 Start to deploy the Prometheus
[INFO] 2025-05-12T20:14:32+08:00 192.168.23.137
[INFO] 2025-05-12T20:14:32+08:00 Prometheus will be installed at: 192.168.23.137
[INFO] 2025-05-12T20:15:23+08:00 Test prometheus metrics api
[INFO] 2025-05-12T20:15:25+08:00 Test prometheus metrics done
[SUCC] 2025-05-12T20:15:29+08:00 192.168.23.137 elkeid_prometheus active
[SUCC] 2025-05-12T20:15:29+08:00 Prometheus installation is complete.
[INFO] 2025-05-12T20:15:29+08:00 Start to deploy the Grafana
[INFO] 2025-05-12T20:15:29+08:00 Grafana will be installed at: 192.168.23.137
[SUCC] 2025-05-12T20:17:15+08:00 192.168.23.137 elkeid_grafana active
[SUCC] 2025-05-12T20:17:15+08:00 Grafana installation is complete.
[INFO] 2025-05-12T20:17:15+08:00 --- Elkeid Backend installation is complete ---
[WARN] 2025-05-12T20:17:15+08:00 The password file is in /root/.elkeidup/elkeid_passwd, please be sure to transfer, save and delete the file!

Then look at the local credential file and you can log in

root@debian:~/.elkeidup# cat /root/.elkeidup/elkeid_passwd
AC: AK lpqat4ycbpnlcmjo
AC: SK lxbbhdp3vmg21i022uvvoe0gyjrp0yk9
LD: AK xitghns2z5jgob9j
LD: SK zc0k183rt8blq7m6rd2w4qx8aryz7phx
MG: AK emc6s2c2hyzaem4c
MG: SK bix7pynwkhdxwyuisyx61fvrppry3ktc
Mongodb: admin b046rg3n668f572711
Mongodb: elkeid 3dbaem68is442e8k72
Redis: 0t8671mjccf76d172q
elkeid_console: admin 9ac33a16c05o6ck58lDZ
elkeid_console: root k4s641f691f84s786mQX
elkeid_hub_frontend: elkeid_hub 5817b51m30k2d3r43kFG
grafana: admin 7r7i2pp27t024fl1pq
nginx_uploader: admin 76p3do1k6mc8thf082
prometheus: admin 93i5fmpm5t11935dg4
AC: AK lpqat4ycbpnlcmjo
AC: SK lxbbhdp3vmg21i022uvvoe0gyjrp0yk9
MG: AK emc6s2c2hyzaem4c
MG: SK bix7pynwkhdxwyuisyx61fvrppry3ktc
LD: AK xitghns2z5jgob9j
LD: SK zc0k183rt8blq7m6rd2w4qx8aryz7phx
Kafka: admin: elkeid
elkeid_kafka: 192.168.23.137:9092;
grafana: http://192.168.23.137:8083
elkeid_hub_frontend: http://192.168.23.137:8081
elkeid_console: http://192.168.23.137:8082
elkeid_service_discovery: 192.168.23.137:8089

Agent

Next, initialize the agent

./elkeidup agent init

Output

[INFO]  2025-05-13T11:23:21+08:00       use elkeidup home dir: /root/.elkeidup
[INFO] 2025-05-13T11:23:21+08:00 Elkeidup Home size:70.4G, avail:45.6G
[INFO] 2025-05-13T11:23:21+08:00 Elkeid has been deployed, flag file /root/.elkeidup/elkeid_server.yaml exist
[INFO] 2025-05-13T11:23:21+08:00 Using config file: /root/.elkeidup/config.yaml
[INFO] 2025-05-13T11:23:21+08:00 upload agent uninstall script
[INFO] 2025-05-13T11:23:26+08:00 login successfully with token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InJvb3QiLCJleHAiOjE3NDcxNDk4MDZ9.U6WGruqjBHUK4jrJwI2nA4978rp4-B6hZzpjMvYImhg
[SUCC] 2025-05-13T11:23:26+08:00 init driver component successfully
[SUCC] 2025-05-13T11:23:26+08:00 init collector component successfully
[SUCC] 2025-05-13T11:23:26+08:00 init journal_watcher component successfully
[SUCC] 2025-05-13T11:23:26+08:00 init rasp component successfully
[SUCC] 2025-05-13T11:23:26+08:00 init scanner component successfully
[SUCC] 2025-05-13T11:23:26+08:00 init baseline component successfully
[SUCC] 2025-05-13T11:23:26+08:00 init component successfully

Then build it

./elkeidup agent build

Output

[INFO]  2025-05-13T11:24:15+08:00       use elkeidup home dir: /root/.elkeidup
[INFO] 2025-05-13T11:24:15+08:00 Elkeidup Home size:70.4G, avail:45.6G
[INFO] 2025-05-13T11:24:15+08:00 Elkeid has been deployed, flag file /root/.elkeidup/elkeid_server.yaml exist
[INFO] 2025-05-13T11:24:15+08:00 Using config file: /root/.elkeidup/config.yaml
[INFO] 2025-05-13T11:24:15+08:00 current output dir: /tmp/output
[INFO] 2025-05-13T11:24:22+08:00 check agent deps' packages successfully
[INFO] 2025-05-13T11:24:29+08:00 extract agent deps' packages successfully
[SUCC] 2025-05-13T11:25:27+08:00 build agent successfully
[SUCC] 2025-05-13T11:29:08+08:00 build driver successfully
[INFO] 2025-05-13T11:29:08+08:00 login successfully with token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InJvb3QiLCJleHAiOjE3NDcxNTAxNDh9.N-H1IW9ZtU-nTp3_yRMDjZthJyveHwN7ibPBUzQrSn8
[SUCC] 2025-05-13T11:29:10+08:00 get components successfully
[SUCC] 2025-05-13T11:29:10+08:00 publish driver component version successfully
[SUCC] 2025-05-13T11:29:11+08:00 publish collector component version successfully
[SUCC] 2025-05-13T11:29:11+08:00 publish journal_watcher component version successfully
[SUCC] 2025-05-13T11:29:12+08:00 publish rasp component version successfully
[SUCC] 2025-05-13T11:29:13+08:00 publish scanner component version successfully
[SUCC] 2025-05-13T11:29:13+08:00 publish baseline component version successfully
[SUCC] 2025-05-13T11:29:14+08:00 publish elkeid-agent component version successfully
[INFO] 2025-05-13T11:29:14+08:00 generate agent install script
[INFO] 2025-05-13T11:29:14+08:00 upload agent install script

Publish the package

./elkeidup agent policy create

Output

[INFO]  2025-05-13T11:32:04+08:00       use elkeidup home dir: /root/.elkeidup
[INFO] 2025-05-13T11:32:04+08:00 Elkeidup Home size:70.4G, avail:41.7G
[INFO] 2025-05-13T11:32:04+08:00 Elkeid has been deployed, flag file /root/.elkeidup/elkeid_server.yaml exist
[INFO] 2025-05-13T11:32:04+08:00 Using config file: /root/.elkeidup/config.yaml
[INFO] 2025-05-13T11:32:04+08:00 login successfully with token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InJvb3QiLCJleHAiOjE3NDcxNTAzMjR9.ZrnoZva1mCY-JPfLVmxfLuXvaf7IL6mB_UlZbKJNjFk
[SUCC] 2025-05-13T11:32:04+08:00 get component successfully: [{Key:6822bb2e455cfc296f680aab Value:driver} {Key:6822bb2e455cfc296f680aad Value:collector} {Key:6822bb2e455cfc296f680aaf Value:journal_watcher} {Key:6822bb2e455cfc296f680ab1 Value:rasp} {Key:6822bb2e455cfc296f680ab3 Value:scanner} {Key:6822bb2e455cfc296f680ab5 Value:baseline} {Key:6822bb2e455cfc296f680ab7 Value:elkeid-agent}]
[INFO] 2025-05-13T11:32:04+08:00 create policy for component driver
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc86455cfc296f681086 Value:1.0.0.16}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc86455cfc296f681086 1.0.0.16}
[INFO] 2025-05-13T11:32:04+08:00 create policy for component collector
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc87455cfc296f68108a Value:1.0.0.140}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc87455cfc296f68108a 1.0.0.140}
[INFO] 2025-05-13T11:32:04+08:00 create policy for component journal_watcher
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc87455cfc296f68108e Value:1.0.0.23}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc87455cfc296f68108e 1.0.0.23}
[INFO] 2025-05-13T11:32:04+08:00 create policy for component rasp
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc88455cfc296f6810b5 Value:2.1.0.2}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc88455cfc296f6810b5 2.1.0.2}
[INFO] 2025-05-13T11:32:04+08:00 create policy for component scanner
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc89455cfc296f6810b9 Value:3.1.9.6}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc89455cfc296f6810b9 3.1.9.6}
[INFO] 2025-05-13T11:32:04+08:00 create policy for component baseline
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc89455cfc296f6810bd Value:1.0.1.23}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc89455cfc296f6810bd 1.0.1.23}
[INFO] 2025-05-13T11:32:04+08:00 create policy for component elkeid-agent
[SUCC] 2025-05-13T11:32:04+08:00 get component version successfully: [{Key:6822bc8a455cfc296f6810c3 Value:1.7.0.24}]
[SUCC] 2025-05-13T11:32:04+08:00 create policy successfully, version: {6822bc8a455cfc296f6810c3 1.7.0.24}
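The deploy output above prints every generated password and AK/SK pair, `elkeid_passwd` repeats them, and each `agent` subcommand prints a login token; all of that ends up in a log the moment someone pastes it for troubleshooting, as this post does. The filter below is an added example (not code from the post or from Elkeid) that redacts those values before a log is shared. The sed patterns follow the line shapes in the output above, the function names are mine, and the sample log is constructed with placeholder values in place of real secrets.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Elkeid: redact the secrets
# elkeidup prints during deploy, agent init, agent build and agent policy create.

# Filter: reads log text on stdin, writes the redacted copy on stdout.
redact_elkeidup_log() {
    sed -E \
        -e 's/^(.*[Pp]assword[^:]*:[^:]*[[:space:]])[^[:space:]]+$/\1<REDACTED>/' \
        -e 's/((AC|MG|LD):?[[:space:]]?(AK|SK)[[:space:]]+)[^[:space:]]+$/\1<REDACTED>/' \
        -e 's/(Generate random [A-Za-z]+Keys: ).*$/\1<REDACTED>, <REDACTED>/' \
        -e 's/(token: )[A-Za-z0-9_.-]+/\1<REDACTED>/'
    # Rule 1: "password Redis: v", "password nginx_uploader:admin v", "Password: v",
    #         "create random redis password: v": the last token after a colon that
    #         follows the word password. The WARN line about the password *file*
    #         has no such colon and is left intact.
    # Rule 2: "Use recovered AC:AK v" in the log and "AC: AK v" in elkeid_passwd.
    # Rule 3: "Generate random AcKeys: ak, sk" (also MgKeys, LeaderKeys).
    # Rule 4: the JWT in "login successfully with token: ...".
}

# Constructed sample in the shape of elkeidup's output; every value is a placeholder.
sample_log() {
    cat <<'EOF'
[INFO] 2025-05-12T19:55:18+08:00 Use recovered password Redis: REDISPW0001
[INFO] 2025-05-12T19:55:18+08:00 create random redis password: REDISPW0001
[SUCC] 2025-05-12T19:55:22+08:00 The Redis pass the test.
[INFO] 2025-05-12T19:55:22+08:00 Use recovered password nginx_uploader:admin NGINXPW0002
[INFO] 2025-05-12T19:55:41+08:00 Create Random 'admin' user Mongodb Password: MONGOPW0003
[INFO] 2025-05-12T19:55:41+08:00 Use recovered AC:AK ACAK00000004
[INFO] 2025-05-12T19:55:41+08:00 Use recovered AC:SK ACSK00000005
[INFO] 2025-05-12T19:55:41+08:00 Generate random AcKeys: ACAK00000004, ACSK00000005
[INFO] 2025-05-12T19:55:41+08:00 Create User for HUB, Password: HUBPW0006
[INFO] 2025-05-12T20:00:39+08:00 Create 'admin' for Kafka, Password: 'KAFKAPW0007'
[INFO] 2025-05-12T20:12:01+08:00 Nginx http get http://192.168.23.137:8089/ping success, resp code is 200
[WARN] 2025-05-12T20:17:15+08:00 The password file is in /root/.elkeidup/elkeid_passwd, please be sure to transfer, save and delete the file!
[INFO] 2025-05-13T11:23:26+08:00 login successfully with token: eyJhbGciOiJIUzI1NiJ9.FAKEPAYLOAD0008.FAKESIG
EOF
}

# Count how many lines were redacted, for a quick sanity check of the filter.
count_redacted_lines() {
    grep -c '<REDACTED>'
}

sample_log | redact_elkeidup_log
echo "redacted lines: $(sample_log | redact_elkeidup_log | count_redacted_lines)"
```

Usage on a real capture is `./elkeidup deploy 2>&1 | tee deploy.log` followed by `redact_elkeidup_log < deploy.log > deploy.shareable.log`; the unredacted copy still needs the same handling as `elkeid_passwd` itself.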

About deployment

Hosts

Right now the officially supported systems seem to be just these few:

  • CentOS 6 and later
  • Debian 9 and later
  • Ubuntu 12 and later

But if you want to install it on another machine, Kali for example, you can use the following commands

First locate the package

find / -type f -name "elkeid-agent-*" 2>/dev/null

Then download it

curl --connect-timeout 15 --retry 3 --retry-delay 5 -L -# \
-o "elkeid-agent-debian-x86_64-1.7.0.24.deb" \
"http://192.168.23.137:8080/agent/component/elkeid-agent/elkeid-agent-debian-x86_64-1.7.0.24.deb"

Then install it

# apt only treats the argument as a local file when it contains a slash; without ./ it is looked up as a package name
apt install ./elkeid-agent-debian-x86_64-1.7.0.24.deb

Cluster

mkdir /etc/kubernetes/elkeid-audit/
mv audit.kubeconfig /etc/kubernetes/elkeid-audit/audit.kubeconfig
mv audit-policy.yaml /etc/kubernetes/elkeid-audit/audit-policy.yaml
vim /etc/kubernetes/manifests/kube-apiserver.yaml