ELK
https://www.elastic.co/what-is/elk-stack
So, what is the ELK Stack? “ELK” is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch.
Kibana lets users visualize data with charts and graphs in Elasticsearch.
More complex prebuilt deployments exist in the wild, for example HELK https://github.com/Cyb3rWard0g/HELK or S1EM https://github.com/V1D1AN/S1EM.
Security information and event management (SIEM) provides real-time analysis of security alerts generated by applications and network hardware. Events on a system can include, but are not limited to, credential changes, failed access attempts, role-based or attribute changes to accounts, token-based use, access attempts and failures, etc. While logging every system action is possible, it is often not advised given the volume of logs relative to the amount of actionable security-relevant data. Organizations can use AU-2 a through e as the basis to build from, while adhering to other controls that may call out specific security auditing requirements in more granular detail. NIST SP 800-53 SI-4 System Monitoring is the security control that specifies monitoring of the system. Its focus is on the systems that perform that monitoring: hardware and software working in unison to detect events and anomalies, malware, connections, and any other pertinent mechanism used to detect attacks or indicators of potential attacks.
VPSFree
ELK is being deployed to a virtual machine hosted at
Installation
# Installation of docker
sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install -y docker-ce
sudo systemctl start docker
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
# Installation of docker compose
sudo dnf install -y curl
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
# Installation of gitlab runner, which is not necessary for your build
# I'm using GitLab CI/CD to deploy ELK in docker
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
sudo dnf install -y gitlab-runner
sudo systemctl enable --now gitlab-runner
# Interactive registration (or use the non-interactive form below)
sudo gitlab-runner register
# Behind a proxy, export the proxy variables and keep them across sudo with -E
export HTTP_PROXY=http://yourproxyurl:3128
export HTTPS_PROXY=http://yourproxyurl:3128
sudo -E gitlab-runner register
# List all registration options
gitlab-runner register -h
sudo gitlab-runner register \
--non-interactive \
--name "docker-shared-runner-bilek" \
--url "https://gitlab.url.com/" \
--registration-token "token" \
--executor "docker" \
--docker-image docker:20.10.17-dind \
--maintenance-note "Sorry that your general pipeline isn't running." \
--tag-list "docker,shared" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"
# Install ELK in docker
git clone https://github.com/sherifabdlnaby/elastdocker.git
make setup
# For Linux docker hosts only: the default virtual memory limit is too low for
# Elasticsearch, so raise it as root before starting the stack
sudo sysctl -w vm.max_map_count=262144
make elk
# <OR>
docker-compose up -d
# Visit Kibana at https://localhost:5601 or https://<your_public_ip>:5601
# Default username: elastic, password: changeme (change it before exposing the stack)
# Set up nginx reverse proxy
cat > /etc/nginx/sites-available/siem.lichnak.cz.conf <<"EOF"
upstream siem {
    server 127.0.0.1:5601 fail_timeout=0;
}

server {
    server_name siem.lichnak.cz;
    access_log /var/log/nginx/vhost/siem.lichnak.cz-access.log;
    error_log /var/log/nginx/vhost/siem.lichnak.cz-error.log;

    location / {
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://siem;
        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/lichnak.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/lichnak.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = siem.lichnak.cz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name siem.lichnak.cz;
    listen 80;
    return 404; # managed by Certbot
}
EOF
ln -s /etc/nginx/sites-available/siem.lichnak.cz.conf /etc/nginx/sites-enabled/siem.lichnak.cz.conf
nginx -t
systemctl restart nginx
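Once nginx terminates TLS on 443, Kibana (5601) and Elasticsearch (9200) no longer need to be reachable from outside, and ports that docker publishes on 0.0.0.0 bypass the host firewall's INPUT rules. The following check is an added example, not part of elastdocker or these notes: it reads `ss -Hltn` output and lists every wildcard-bound listener that is not on an allowlist; the allowlist of 22/80/443 and the sample `ss` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of elastdocker or the original notes.
# Lists TCP listeners bound to a wildcard address that are not on the
# allowlist. Behind the nginx proxy only SSH, 80 and 443 should be reachable
# from outside; Kibana 5601 / Elasticsearch 9200 belong on 127.0.0.1
# (ports published by docker on 0.0.0.0 bypass the host firewall INPUT rules).

# Assumption: nothing else on the host needs to be world-reachable.
ALLOWED_PUBLIC_PORTS="22 80 443"

# exposed_ports: reads `ss -Hltn` lines on stdin (State Recv-Q Send-Q Local Peer),
# prints each offending port once, numerically sorted.
exposed_ports() {
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            0.0.0.0|'*'|'[::]'|'::') ;;   # wildcard bind: reachable from outside
            *) continue ;;                # loopback or a specific address: fine
        esac
        skip=0
        for p in $ALLOWED_PUBLIC_PORTS; do
            [ "$p" = "$port" ] && skip=1
        done
        [ "$skip" -eq 0 ] && echo "$port"
    done | sort -un
}

# Constructed sample of `ss -Hltn` output from a host where compose published
# Kibana with "5601:5601" (all interfaces) but Elasticsearch with "127.0.0.1:9200:9200".
SAMPLE='LISTEN 0 4096 0.0.0.0:5601 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::]:5601 [::]:*'

# audit_sample: runs the check over the constructed sample; on the real host use
#   ss -Hltn | exposed_ports
audit_sample() {
    printf '%s\n' "$SAMPLE" | exposed_ports
}

audit_sample   # prints 5601
```

To pin Kibana to loopback, publish it in docker-compose as `127.0.0.1:5601:5601` instead of `5601:5601` and rerun the check until it prints nothing.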
Configuration
# Configuration
Backup and restore
# Backups
# Restore