CentOS 7 Moloch installation and tuning

1. Installation

1.1 Download

wget https://files.molo.ch/builds/centos-7/moloch-1.5.2-1.x86_64.rpm

1.2 Install (follow the prompts)

rpm -ivh moloch-1.5.2-1.x86_64.rpm

Instructions for using the prebuilt Moloch packages.
Please report any bugs or feature requests by opening an issue at https://github.com/aol/moloch/issues

Basic Moloch Installation steps:
 1) Download a Moloch build for 64bit Ubuntu 14.04, Ubuntu 16.04, Centos 6, or Centos 7 from http://molo.ch/index.html#downloads
 2) Install package
 3) Configure basic moloch items by running the Configure script (this needs to be done only once)
     /data/moloch/bin/Configure
 4) The Configure script can install elasticsearch for you or you can install yourself
      /sbin/start elasticsearch # for upstart/Centos 6/Ubuntu 14.04
      systemctl start elasticsearch.service # for systemd/Centos 7/Ubuntu 16.04
 5) Initialize/Upgrade Elasticsearch Moloch configuration
  a) If this is the first install, or want to delete all data
      /data/moloch/db/db.pl http://ESHOST:9200 init
  b) If this is an update to moloch package
      /data/moloch/db/db.pl http://ESHOST:9200 upgrade
 6) Add an admin user if a new install or after an init
      /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
 7) Start everything
   a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):
      /sbin/start molochcapture
      /sbin/start molochviewer
   b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04)
      systemctl start molochcapture.service
      systemctl start molochviewer.service
 8) Look at log files for errors
      /data/moloch/logs/viewer.log
      /data/moloch/logs/capture.log
 9) Visit http://MOLOCHHOST:8005 with your favorite browser.
      user: admin
      password: THEPASSWORD from step #6

Any configuration changes can be made to /data/moloch/etc/config.ini
See https://github.com/aol/moloch/wiki/FAQ#moloch-is-not-working for issues

Additional information can be found at:
  * https://github.com/aol/moloch/wiki/FAQ
  * https://github.com/aol/moloch/wiki/Settings

2. Tuning

# Tune Elasticsearch: set the initial and maximum JVM heap to the same size
[root@moloch elasticsearch]# vim /etc/elasticsearch/jvm.options
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms32g
-Xmx32g

# Packet capture regularly fills the disk, and once usage reaches 80% ES starts raising alerts, so I simply switch the alert off. (Note that this setting disables the disk-watermark allocation checks entirely, not just the log message, so disk usage has to be watched separately.)

[root@moloch elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
cluster.routing.allocation.disk.threshold_enabled: false
network.host: 10.10.7.7

# For the pcap files themselves, I let Moloch control deletion
[root@moloch ~]# vim /data/moloch/etc/config.ini
# Delete pcap files when free space is lower then this in gigabytes OR it can be
# expressed as a percentage (ex: 5%).  This does NOT delete the session records in
# the database. It is recommended this value is between 5% and 10% of the disk.
# Database deletes are done by the db.pl expire script
freeSpaceG = 5%

# For the ES indices, use the script that ships with Moloch to control deletion
[root@moloch db]# vi /data/moloch/db/daily.sh
#!/bin/sh
# This script is only needed for Moloch deployments that monitor live traffic.
# It drops the old index and optimizes yesterday's index.
# It should be run once a day during non peak time.
# CONFIG
ESHOSTPORT=CHANGEMEHOST:CHANGEMEPORT
RETAINNUMDAYS=7

/data/moloch/db/db.pl $ESHOSTPORT expire daily $RETAINNUMDAYS

# Then add a cron job for it
[root@moloch ~]# crontab -e
01 04 * * * /data/moloch/db/daily.sh >> /data/moloch/logs/daily.log 2>&1

High-performance settings (in /data/moloch/etc/config.ini)
# MOST IMPORTANT, use basic magicMode, libfile kills performance
magicMode=basic
# pfring/snf might be better
pcapReadMethod=tpacketv3
# Increase by 1 if still getting Input Drops
tpacketv3NumThreads=2
# Defaults
pcapWriteMethod=simple
pcapWriteSize = 2560000
# Start with 5 packet threads, increase by 1 if getting thread drops
packetThreads=5
# Set to number of packets a second
maxPacketsInQueue = 200000
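A small audit script, added here as an example and not part of the original post or of Moloch itself, that checks a host's jvm.options, config.ini and daily.sh against the settings above (equal Xms/Xmx, freeSpaceG in the recommended 5%-10% range, magicMode=basic, CHANGEME placeholders replaced). The demo directory and the sample file contents at the bottom are constructed; on a real host, point audit at the directories used in the post.

```shell
#!/bin/sh
# Audit a Moloch host against the settings recommended in this post. Each check_*
# function takes a file path and returns 0 (pass) or non-zero (fail).

# get_ini_value FILE KEY: print the value of "KEY = value" (last match wins)
get_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}
# check_heap JVM_OPTIONS: -Xms and -Xmx must both be set and equal
check_heap() {
    xms=$(sed -n 's/^-Xms\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    xmx=$(sed -n 's/^-Xmx\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$xms" ] && [ "$xms" = "$xmx" ]
}
# check_free_space CONFIG_INI: freeSpaceG must be a percentage in the 5%-10%
# range that the config.ini comment recommends
check_free_space() {
    v=$(get_ini_value "$1" freeSpaceG)
    case "$v" in
        [0-9]*%) pct=${v%\%}; [ "$pct" -ge 5 ] && [ "$pct" -le 10 ] ;;
        *) return 1 ;;
    esac
}
# check_magic CONFIG_INI: magicMode must be "basic" (libfile costs throughput)
check_magic() {
    [ "$(get_ini_value "$1" magicMode)" = "basic" ]
}
# check_daily DAILY_SH: file must exist and the CHANGEMEHOST:CHANGEMEPORT placeholder replaced
check_daily() {
    [ -f "$1" ] && ! grep -q 'CHANGEME' "$1"
}
# audit DIR: run every check on DIR/{jvm.options,config.ini,daily.sh}, print one
# PASS/FAIL line per check and return the number of failed checks
audit() {
    fails=0
    for c in "check_heap $1/jvm.options" "check_free_space $1/config.ini" \
             "check_magic $1/config.ini" "check_daily $1/daily.sh"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

# Constructed sample files (not taken from a real host) so the audit runs offline
demo=$(mktemp -d)
printf '%s\n' '-Xms32g' '-Xmx32g' > "$demo/jvm.options"
printf '%s\n' 'magicMode=basic' 'freeSpaceG = 5%' > "$demo/config.ini"
printf '%s\n' 'ESHOSTPORT=CHANGEMEHOST:CHANGEMEPORT' > "$demo/daily.sh"
audit "$demo" || echo "$? check(s) need attention"   # daily.sh still has the placeholder
rm -rf "$demo"
```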
