ineso22
/

Mozdef

Model card Files Files and versions

Mozdef / QUICK_START_GUIDE.md

ineso22's picture

Upload folder using huggingface_hub

7c89ed7 verified 3 months ago

|

history blame contribute delete

2.26 kB

	# MozDef Quick Start Guide

	## What is MozDef?
	MozDef is a SIEM (Security Information and Event Management) platform - an open-source microservices-based security event management system built on Elasticsearch.

	## Quick Installation (Docker)

	```bash
	# 1. Navigate to MozDef directory
	cd /root/MozDef

	# 2. Build Docker images
	make build

	# 3. Start all services
	make run

	# 4. Access services
	# - Web Interface: http://localhost
	# - Kibana: http://localhost:9090/app/kibana
	# - Loginput: http://localhost:8080
	```

	## Quick Commands

	```bash
	# Start MozDef
	make run

	# Stop MozDef
	make stop

	# Rebuild everything
	make rebuild

	# Clean up (remove containers and volumes)
	make clean

	# Run tests
	make tests

	# View logs
	docker-compose -f docker/compose/docker-compose.yml -p mozdef logs [service-name]
	```

	## Send a Test Event

	```bash
	curl -X POST http://localhost:8080/events \
	-H "Content-Type: application/json" \
	-d '{
	"timestamp": "2024-01-15T10:00:00+00:00",
	"utctimestamp": "2024-01-15T10:00:00+00:00",
	"hostname": "test.example.com",
	"processname": "test.py",
	"processid": 1234,
	"severity": "INFO",
	"summary": "Test event",
	"category": "test",
	"source": "test",
	"tags": ["test"],
	"details": {}
	}'
	```

	## Service Ports

	\| Service \| Port \| URL \|
	\|---------\|------\|-----\|
	\| Meteor (Web UI) \| 80 \| http://localhost \|
	\| Kibana \| 9090 \| http://localhost:9090/app/kibana \|
	\| Loginput \| 8080 \| http://localhost:8080 \|
	\| Syslog \| 514 \| UDP/TCP \|

	## Key Directories

	- `/alerts` - Alert definitions and engine
	- `/loginput` - HTTP event ingestion endpoint
	- `/mq` - Message queue workers
	- `/meteor` - Web interface
	- `/rest` - REST API
	- `/config` - Configuration files
	- `/docs` - Documentation

	## Create a New Alert

	```bash
	make new-alert
	# Follow prompts to create alert and test files
	```

	## View Service Status

	```bash
	docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
	```

	## Troubleshooting

	1. Services won't start: Check Docker has 4GB+ RAM
	2. Events not appearing: Check loginput status: `curl http://localhost:8080/status`
	3. View logs: `docker-compose logs [service-name]`

	## Full Documentation

	See `MOZDEF_COMPREHENSIVE_REPORT.md` for complete details.