DMARC Analyzer: Difference between revisions
mNo edit summary |
m (→parsedmarc.ini) |
||
Line 81: | Line 81: | ||
[imap] | [imap] | ||
host = | host = <fqdn of email server> | ||
user = dmarc | user = <dmarc email address> | ||
password = <password> | password = <password> | ||
watch = True | watch = True |
Latest revision as of 14:57, 22 July 2023
Github repo for more info: https://github.com/domainaware/parsedmarc
This is based upon the information from this repo/setup files.
Setup
- Create the following directory structure:
/srv/dmarc-visualizer
/srv/dmarc-visualizer/parsed_dmarc
/srv/dmarc-visualizer/grafana
/srv/dmarc-visualizer/grafana/grafana-provisioning
/srv/dmarc-visualizer/grafana/grafana-provisioning/dashboards
/srv/dmarc-visualizer/grafana/grafana-provisioning/datasources
docker-compose.yml
Copy the following to /srv/dmarc-visualizer/docker-compose.yml
version: '3.5'
services:
parsedmarc:
build: ./parsedmarc/
volumes:
- ./files:/input:ro
- ./output_files:/output
command: parsedmarc -c /parsedmarc.ini /input/*
depends_on:
- elasticsearch
restart: on-failure
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.0
restart: always
volumes:
- /srv/dmarc-visualizer/data/elasticsearch:/var/lib/elasticsearch
- /srv/dmarc-visualizer/logs/elasticsearch:/var/log/elasticsearch
- /srv/dmarc-visualizer/config/elasticsearch:/usr/share/elasticsearch/config
environment:
# - discovery.type=single-node
# - cluster.name=asl-graylog
# - node.name=el1
- "ES_JAVA_OPTS=-Xms2g -Xmx2g"
ports:
- '9200:9200'
- '9300:9300'
grafana:
build: ./grafana/
ports:
- 3000:3000
user: root
restart: always
environment:
GF_INSTALL_PLUGINS: grafana-piechart-panel,grafana-worldmap-panel
GF_AUTH_ANONYMOUS_ENABLED: 'true'
Note: You can change the Grafana port from 3000 to something else.
parsedmarc
Copy the following files to /srv/dmarc-analyzer/parsedmarc/:
Dockerfile
FROM python:alpine
RUN apk add build-base libxml2-dev libxslt-dev \
&& pip install parsedmarc
COPY parsedmarc.ini /
COPY GeoLite2-Country.mmdb /usr/share/GeoIP/GeoLite2-Country.mmdb
parsedmarc.ini
[general]
save_aggregate = True
save_forensic = True
output = /output/
[imap]
host = <fqdn of email server>
user = <dmarc email address>
password = <password>
watch = True
skip_certificate_verification = True
[elasticsearch]
hosts = elasticsearch:9200
ssl = False
GeoLite2-Country.mmdb
You will need to sign up for a free account and download the GeoLite2 databases from MaxMind at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en
Download the correct file and place into this directory
grafana
Copy the following files to /srv/dmarc-analyzer/grafana/:
Dockerfile
FROM grafana/grafana
ADD --chown=grafana:root https://raw.githubusercontent.com/domainaware/parsedmarc/master/grafana/Grafana-DMARC_Reports.json /var/lib/grafana/dashboards/
RUN chmod 644 /etc/grafana/provisioning
COPY grafana-provisioning/ /etc/grafana/provisioning/
grafana files
Copy to /srv/dmarc-visualizer/grafana/grafana-provisioning/dashboards/all.yml:
- name: 'default'
org_id: 1
path: ''
type: 'file'
options:
folder: '/var/lib/grafana/dashboards'
Copy to /srv/dmarc-visualizer/grafana/grafana-provisioning/datasources/all.yml:
apiVersion: 1
datasources:
- name: 'dmarc-ag'
type: 'elasticsearch'
access: 'proxy'
orgId: 1
url: 'http://elasticsearch:9200'
database: '[dmarc_aggregate-]YYYY-MM-DD'
isDefault: true
jsonData:
esVersion: 70
timeField: 'date_range'
interval: 'Daily'
version: 1
editable: false