
elasticsiem's Introduction

ELK SIEM Installation

Step 0: Acquire or Install ELK

If you have access to an ELK stack (Elasticsearch, Logstash, Kibana), skip this step. Otherwise, there are two options available:

  1. Pay for an ELK installation. See logit.io, logz.io, and, of course, Elastic Cloud.
  2. Set up your own ELK installation. I will go through those steps here:

A) Find or create an Ubuntu server/machine

This tutorial will focus on a fully functioning Ubuntu server. ELK can be run in Docker, but ELK's resource requirements are more than what a minimal Docker container would usually have.

Minimum specs:

  • 2GB RAM
  • 5GB storage
  • Almost any processor

Recommended specs:

  • 4GB RAM
  • 50GB storage (at least)
  • Intel i7-9700 or equivalent

There are plenty of other tutorials on the internet that cover how to make or get an Ubuntu machine to use.

B) Install the ELK stack

See official documentation here: https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html

Note: Some obscure errors can be caused by a lack of resources.

Step 1: Configure ELK

Once you have verified that all services are up and running (on Ubuntu, run sudo systemctl status <servicename>), connect to Kibana on port 5601 of the host machine in a browser and paste the enrollment token generated by Elasticsearch into the field.

Log into Kibana with the elastic user. Regenerate the password if you don’t have it.

Note: if you get a "connection reset" error, make sure your Kibana config file at /etc/kibana/kibana.yml sets server.host to the machine's external IP.

Note: This section has many helpful commands, including password resets and generating enrollment tokens

Note: Elastic Security already provides much, if not all, of the functionality set up in the next steps, and more. See the official Elastic documentation for details: https://www.elastic.co/security
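The "connection reset" note above comes down to one line in kibana.yml. The script below is an added example, not part of the elasticsiem README: it shows the current server.host value, replaces it with the external IP you pass in, restarts Kibana and confirms the unit is active and bound to port 5601. It assumes Kibana was installed from the Elastic .deb package (config at /etc/kibana/kibana.yml, systemd unit "kibana"); KIBANA_YML can be overridden to try it on a copy first, and the IP 192.0.2.10 in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the elasticsiem project): set server.host in kibana.yml to the
# machine's external IP, restart Kibana and verify it listens on 5601.
# Assumes the Elastic .deb layout; override KIBANA_YML to work on a copy.

KIBANA_YML="${KIBANA_YML:-/etc/kibana/kibana.yml}"

# Print the active (uncommented) server.host value from a kibana.yml; empty if unset.
kibana_server_host() {
  grep -E '^[[:space:]]*server\.host:' "$1" | tail -n 1 \
    | sed -E 's/^[[:space:]]*server\.host:[[:space:]]*//' \
    | tr -d "\"'[:space:]"
}

# Accept only a plain IPv4 address or hostname: anything else would break the YAML
# (or smuggle extra keys in) once it is written into the config.
valid_host() {
  printf '%s' "$1" | grep -qE '^[A-Za-z0-9.-]+$'
}

# Replace (or add) the server.host line in $1 with host $2, keeping a .bak copy.
# Writing through "cat >" keeps the file's owner and mode, which matters under /etc.
set_kibana_server_host() {
  file="$1"; host="$2"
  valid_host "$host" || { echo "refusing invalid host: $host" >&2; return 1; }
  [ -f "$file" ] || { echo "no such config: $file" >&2; return 1; }
  cp -p "$file" "$file.bak"
  tmp=$(mktemp) || return 1
  grep -vE '^[[:space:]]*server\.host:' "$file" > "$tmp"
  printf 'server.host: "%s"\n' "$host" >> "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Restart Kibana and check both the unit state and that something listens on 5601.
restart_and_check_kibana() {
  sudo systemctl restart kibana
  sudo systemctl is-active --quiet kibana || { echo "kibana is not active" >&2; return 1; }
  # Kibana takes a while to bind its port; poll for up to about 60 seconds.
  i=0
  while [ "$i" -lt 30 ]; do
    ss -ltn 2>/dev/null | grep -qE ':5601[[:space:]]' && return 0
    sleep 2; i=$((i + 1))
  done
  echo "nothing listening on 5601 after restart" >&2
  return 1
}

# Usage: sudo sh kibana_host.sh 192.0.2.10   (no argument: only show the current value)
main() {
  if [ -z "${1:-}" ]; then
    echo "current server.host: $(kibana_server_host "$KIBANA_YML" 2>/dev/null)"
    return 0
  fi
  set_kibana_server_host "$KIBANA_YML" "$1" && restart_and_check_kibana
}
main "$@"
```

Binding to the external IP makes Kibana reachable from the network, so the same change is the point at which a host firewall rule limited to your admin range (and TLS on the Kibana listener) belongs; 0.0.0.0 would bind every interface and is rarely what a SIEM host wants.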

Step 2: Install and Configure Beats

A) Auditbeat (Linux)

https://www.elastic.co/beats/auditbeat

First-party, highly configurable beat for Linux machines.

See script here:
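As an added example for section A (it is not the elasticsiem project's script, whose link is missing above), the following installs Auditbeat on an Ubuntu host from the Elastic apt repository, writes a SIEM-oriented auditbeat.yml (auditd rules for identity files, execs and setuid calls; file integrity on system binaries and /etc; the system module's host, login, package, process, socket and user datasets), keeps the Elasticsearch password in the Beats keystore rather than in the config, validates the config and output, loads the index template and dashboards, and enables the service. It assumes Elastic 8.x, Elasticsearch on HTTPS at ES_HOST with its CA file at ES_CA, Kibana at KIBANA_HOST, and a dedicated writer account ES_USER (the name auditbeat_writer is hypothetical; create it in Kibana with the beats-writer privileges instead of shipping with the elastic superuser). The 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not the elasticsiem project's script: install and configure Auditbeat on
# Ubuntu. Assumptions: Elastic 8.x apt packages; HTTPS Elasticsearch at ES_HOST with CA at
# ES_CA; Kibana at KIBANA_HOST; writer user ES_USER (hypothetical) with password in ES_PASS.
# The 192.0.2.x defaults are placeholders from the documentation range.

ES_HOST="${ES_HOST:-https://192.0.2.10:9200}"
KIBANA_HOST="${KIBANA_HOST:-http://192.0.2.10:5601}"
ES_CA="${ES_CA:-/etc/auditbeat/elasticsearch-ca.pem}"
ES_USER="${ES_USER:-auditbeat_writer}"
AUDITBEAT_YML="${AUDITBEAT_YML:-/etc/auditbeat/auditbeat.yml}"

install_auditbeat() {
  sudo apt-get install -y apt-transport-https curl gnupg
  curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch \
    | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
  echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" \
    | sudo tee /etc/apt/sources.list.d/elastic-8.x.list >/dev/null
  sudo apt-get update
  sudo apt-get install -y auditbeat
}

# Render auditbeat.yml to stdout so it can be reviewed before it touches /etc.
render_auditbeat_config() {
  cat <<EOF
auditbeat.modules:
- module: auditd
  # Kernel audit rules: identity-file changes, every exec, setuid/setgid by real users.
  audit_rules: |
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/sudoers -p wa -k identity
    -a always,exit -F arch=b64 -S execve -k exec
    -a always,exit -F arch=b64 -S setuid,setgid -F auid>=1000 -F auid!=4294967295 -k privesc

- module: file_integrity
  # Hash and watch the places where tampered binaries or config would show up.
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
  - host
  - login
  - package
  - process
  - socket
  - user
  state.period: 12h

output.elasticsearch:
  hosts: ["${ES_HOST}"]
  username: "${ES_USER}"
  password: "\${ES_PASS}"
  ssl.certificate_authorities: ["${ES_CA}"]

setup.kibana:
  host: "${KIBANA_HOST}"
EOF
}

configure_auditbeat() {
  [ -n "${ES_PASS:-}" ] || { echo "set ES_PASS to the $ES_USER password" >&2; return 1; }
  # Auditbeat and the auditd daemon compete for the kernel audit socket.
  if systemctl is-active --quiet auditd 2>/dev/null; then
    echo "stop and disable auditd before running Auditbeat's auditd module" >&2; return 1
  fi
  render_auditbeat_config | sudo tee "$AUDITBEAT_YML" >/dev/null
  sudo chmod 600 "$AUDITBEAT_YML"
  # The literal ${ES_PASS} in the config resolves from the keystore, not the file.
  sudo auditbeat keystore create 2>/dev/null || true
  printf '%s' "$ES_PASS" | sudo auditbeat keystore add ES_PASS --stdin --force
  sudo auditbeat test config -c "$AUDITBEAT_YML"
  sudo auditbeat test output -c "$AUDITBEAT_YML"
  # Load the index template and the Auditbeat dashboards into Elasticsearch and Kibana.
  sudo auditbeat setup -c "$AUDITBEAT_YML"
  sudo systemctl enable --now auditbeat
}

main() {
  case "${1:-}" in
    install)   install_auditbeat ;;
    configure) configure_auditbeat ;;
    render)    render_auditbeat_config ;;
    all)       install_auditbeat && configure_auditbeat ;;
    *)         echo "usage: $0 install|configure|render|all" ;;
  esac
}
main "$@"
```

Run `sh auditbeat_setup.sh render` first and read the YAML, then `ES_PASS=... sudo -E sh auditbeat_setup.sh all`. The `test output` step is the one that catches the usual first-run failures (wrong CA file, a user without write privileges on the auditbeat-* indices) before the service is enabled.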

B) Winlogbeat (Windows)

https://www.elastic.co/beats/winlogbeat

First-party, highly configurable beat for Windows machines.

See script here:

C) MacOSlogbeat (macOS)

https://github.com/jaakkoo/macoslogbeat

Log beat for macOS machines. Not on the same level as auditbeat for linux, but fills in some of the gaps.

D) Auditbeat (macOS)

https://www.elastic.co/beats/auditbeat

First-party, highly configurable beat, built primarily for Linux machines.

Less capable on Macs, but still very powerful.

See script for C and D here:

Step 3: Configure Kibana

A) Set up an index for each log type

B) Make Visualisations
