OwlH to ELK

OwlH-net · Oct 28, 2020 · 7e5b19e · 7e5b19e
1 parent f0d6187
commit 7e5b19e
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 2 deletions.
diff --git a/source/main/OwlH-elk.rst b/source/main/OwlH-elk.rst
@@ -1,6 +1,6 @@
 
-Sync with ELK 7.x
-=================
+Sync with ELK 7.x using Wazuh
+=============================
 
 .. warning::
 

diff --git a/source/main/OwlH-node-elk.rst b/source/main/OwlH-node-elk.rst
@@ -0,0 +1,76 @@
+
+Sync with ELK 7.x
+=================
+
+.. warning::
+
+    Be sure you are running ELK (elasticsearch, filebeat and kibana) with version >7.3.2
+
+.. include:: keepincontact.rst
+
+This process will allow you to connect your OwlH environment directly to ELK. 
+
+You will do:
+
+  * install filebeat on OwlH Nodes
+  * install OwlH-Filebeat module 
+  * import OwlH-Kibana objects in Kibana
+  * load OwlH template in Elasticsearch
+  * modify Filebeat main configuration to include OwlH module
+
+
+.. note:: 
+  Please, check URLs and paths to ensure you use the right commands and that you adapt command lines as needed. 
+
+
+Download files and prepare
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+    
+    # cd /tmp
+    # mkdir /tmp/owlhfilebeat
+    # cd /tmp/owlhfilebeat
+    # wget repo.owlh.net/fbit/owlh-module.tar.gz
+    # tar -C /tmp/owlhfilebeat -xf owlh-module.tar.gz
+
+
+Install OwlH module
+-------------------
+
+::
+
+    # tar -C /usr/share/filebeat/module/ -xf /tmp/owlhfilebeat/owlh-filebeat-7.9.x.tar.gz
+
+
+Modify filebeat
+^^^^^^^^^^^^^^^
+
+Modify Filebeat configuration
+-----------------------------
+
+::
+
+    # cp /tmp/owlhfilebeat/filebeat.yml /etc/filebeat/filebeat.yml 
+
+.. attention:: 
+    be sure to update properly your filebeat.yml file to point to your elasticsearch server.
+
+
+
+Restart Filebeat
+----------------
+
+You should be done. check your kibana to see the OwlH dashboards in dashboards section, and indices in discovery section.
+
+::
+
+    Restart Filebeat
+
+    # systemctl restart filebeat 
+
+    Check Filebeat output
+
+    # journalctl -f -u filebeat
+
+    From your web browser, check kibana->discovery for owlh indices.
diff --git a/source/main/OwlHInstall.rst b/source/main/OwlHInstall.rst
@@ -37,6 +37,7 @@ Visualization
 -------------
 
       * :doc:`OwlH dashboards integration Wazuh-ELK</main/OwlH-elk>`
+      * :doc:`OwlH dashboards integration ELK</main/OwlH-node-elk>`
 
 Appendices
 ----------

diff --git a/source/main/install/ins-owlh-node.rst b/source/main/install/ins-owlh-node.rst
@@ -7,6 +7,7 @@ install owlh node
     - install suricata
     - install zeek 
     - install wazuh
+    - connect OwlH to ELK
     - install owlh interface
     - install software tap related packets
     - configure your firewall