Skip to content

Latest commit

 

History

History
85 lines (46 loc) · 3.09 KB

README.md

File metadata and controls

85 lines (46 loc) · 3.09 KB

ELK SIEM Installation

Step 0: Acquire or Install ELK

If you have access to an ELK stack (Elasticsearch, Logstash, Kibana), skip this step. Otherwise, there are two options available:

  1. Pay for an ELK installation. See logit.io, logz.io, and, of course, Elastic Cloud.
  2. Set up your own ELK installation. I will go through those steps here:

A) Find or create an Ubuntu server/machine

This tutorial will focus on a fully functioning ubuntu server. ELK can be run in Docker, but ELK’s resource requirements are more than what a minimal docker container would usually have.

Minimum specs:

  • 2GB RAM
  • 5GB storage
  • Almost any processor

Recommended specs:

  • 4GB RAM
  • 50GB storage (at least)
  • Intel i7-9700 or equivalent

There are plenty of other tutorials on the internet that cover how to make/get an ubuntu machine to use.

B) Install the ELK stack

See official documentation here: https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html

Note: Some obscure errors can be caused by a lack of resources.

Step 1: Configure ELK

Once you have verified that all services are up and running (on ubuntu, this can be done by running sudo systemctl status <servicename>), connect to Kibana on port 5601 of the host machine via a browser. Copy the enrollment token generated by elasticsearch into the field.

Log into Kibana with the elastic user. Regenerate the password if you don’t have it.

Note: if you get a “connection reset” error, make sure your kibana config file at /etc/kibana/kibana.yml has the machine’s external IP as the server.host hostname

Note: This section has many helpful commands, including password resets and generating enrollment tokens

Note: Elastic Security has much of the functionality, if not all or more than, what will be set up in the next steps. Go to the official elastic documentation here for more info: https://www.elastic.co/security

Step 2: Install and Configure Beats

A) Auditbeat (Linux)

https://www.elastic.co/beats/auditbeat

First party, highly configurable beat for linux machines.

See script here:

B) Winlogbeat (Windows)

https://www.elastic.co/beats/winlogbeat

First party, highly configurable beat for windows machines.

See script here:

C) MacOSlogbeat (MacOS)

https://github.com/jaakkoo/macoslogbeat

Log beat for macOS machines. Not on the same level as auditbeat for linux, but fills in some of the gaps.

D) Auditbeat (MacOS)

https://www.elastic.co/beats/auditbeat

First party, highly configurable beat for linux machines.

Less capable on Macs, but still very powerful.

See script for C and D here:

Step 3: Configure Kibana

A) Setup index for each log type

B) Make Visualisations