Threat Hunting: Log Monitoring Lab Setup with ELK

Elastic Stack is formerly known as the ELK Stack.

The ELK Stack is a collection of free, open-source software from Elastic that is designed for centralized logging. It allows searching, analyzing, and visualizing logs from many different sources. In this guide, we will install the Elastic Stack on Ubuntu.

To configure the ELK Stack on your Ubuntu platform, a few prerequisites are required for the installation.

  • Ubuntu 20.04
  • Root Privileges

Table of Contents

  • ELK Stack components
  • Install Java and All Dependencies
  • Install and configure Elasticsearch
  • Install and configure Logstash
  • Install and configure Kibana
  • Install and configure NGINX
  • Install and configure Filebeat
  • Routing Linux Logs to Elasticsearch
  • Create a Log Dashboard in Kibana
  • Monitoring SSH entries

ELK Stack components

  1. Elasticsearch: A RESTful search and analytics engine that stores all of the collected data.
  2. Logstash: The data-processing component; it ingests, parses and enriches incoming data and sends it on to Elasticsearch.
  3. Kibana: A web interface for searching and visualizing the logs held in Elasticsearch.
  4. Filebeat: A lightweight, single-purpose data shipper that can send log data from thousands of machines to either Logstash or Elasticsearch.

Install Java and All Dependencies

Elasticsearch requires OpenJDK to be available on the machine. Install Java using the command below, along with HTTPS transport support and the wget package for APT.

Now import the Elasticsearch public signing key into APT. To import the GPG key, enter the following command:

Add the Elastic repository to the sources.list.d directory with the following command:

Install and configure Elasticsearch

Update the system repository:

Install Elasticsearch by using the following command:

Next, we configure Elasticsearch.

Elasticsearch listens on port 9200. We are going to restrict outside access to our Elasticsearch instance so that outside parties cannot read its data or shut down the cluster through the REST API. Since this guide does not enable Elasticsearch's own authentication, binding to localhost is the only access control on the instance, so never set the bind address to 0.0.0.0 or a public interface. To make the change, edit the Elasticsearch configuration file, elasticsearch.yml.

Enter the following command:

Find the line that specifies the network.host attribute, uncomment it and set its value to localhost; also uncomment the http.port attribute.

Now, start and enable Elasticsearch services.

Let's verify the status of Elasticsearch.

By default Elasticsearch listens on port 9200; you can also verify this in your web browser by visiting http://localhost:9200 (plain HTTP, since no TLS has been configured for the REST API).

Now Elasticsearch is up and running.
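As an added example (not the article's own commands), the following script applies the network.host/http.port change to an elasticsearch.yml and then checks that the file really binds only to loopback. It runs against a constructed copy of the file, so it is safe to execute anywhere; the path /etc/elasticsearch/elasticsearch.yml and the ss/curl verification lines in the comments are assumptions about the standard Debian package layout.

```shell
#!/bin/sh
# Added example (not from the original article): enforce the localhost
# binding for Elasticsearch in an elasticsearch.yml and verify it. The run
# below works on a constructed copy of the file so it is safe to execute
# anywhere; for the real thing call
#   restrict_es_bind /etc/elasticsearch/elasticsearch.yml   (as root)
# and restart the service. Without X-Pack security enabled, this binding is
# the only thing keeping the REST API off the network.
set -eu

# restrict_es_bind FILE: set network.host/http.port, replacing the first
# (commented or live) occurrence, dropping duplicates, appending if absent.
restrict_es_bind() {
  f=$1
  tmp=$(mktemp)
  awk '
    /^[[:space:]]*#?[[:space:]]*network\.host:/ {
      if (!seen_host) print "network.host: localhost"; seen_host = 1; next
    }
    /^[[:space:]]*#?[[:space:]]*http\.port:/ {
      if (!seen_port) print "http.port: 9200"; seen_port = 1; next
    }
    { print }
    END {
      if (!seen_host) print "network.host: localhost"
      if (!seen_port) print "http.port: 9200"
    }' "$f" > "$tmp"
  cat "$tmp" > "$f"      # overwrite in place so owner and mode are preserved
  rm -f "$tmp"
}

# es_bind_value FILE: the live (uncommented) network.host value, or "unset"
# when Elasticsearch will fall back to its loopback default.
es_bind_value() {
  awk -F': *' '/^[[:space:]]*network\.host:/ { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# es_bind_ok FILE: 0 if only loopback is bound. 0.0.0.0, _site_, _global_ or
# an interface address would expose the unauthenticated API to the network.
es_bind_ok() {
  case "$(es_bind_value "$1")" in
    unset|localhost|127.0.0.1|_local_|\"localhost\"|\"127.0.0.1\") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: stock commented defaults plus a dangerous live override.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
cluster.name: elk-lab
#network.host: 192.168.0.1
network.host: 0.0.0.0
#http.port: 9200
EOF

if es_bind_ok "$SAMPLE"; then echo "before: ok"; else echo "before: exposed on $(es_bind_value "$SAMPLE")"; fi
restrict_es_bind "$SAMPLE"
if es_bind_ok "$SAMPLE"; then echo "after: bound to $(es_bind_value "$SAMPLE")"; fi
# After restarting the real service, confirm only loopback addresses listen on 9200:
#   ss -ltnp | grep 9200
#   curl -s http://localhost:9200
```

The check function deliberately treats an absent network.host as safe, because the Elasticsearch default is loopback; the failure mode worth catching is a stray live override lower in the file, which a quick visual scan of the commented block at the top easily misses.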

Install and configure Logstash

Logstash is used to collect and centralize logs from different servers, which ship them via Filebeat.

First, let's confirm OpenSSL is installed, then install Logstash by running the following command:

Edit the /etc/hosts file and add the following line

Where 18.224.44.11 is the IP address of the server elk-master.

Let's generate an SSL certificate to secure the log-data transfer from the clients (rsyslog and Filebeat) to the Logstash server.

To do this, create a new ssl directory under the Logstash configuration directory, change into it, and generate an SSL certificate by running the following command:

Now, we are going to create three new configuration files for Logstash: 'filebeat-input.conf' as the input from Filebeat, 'syslog-filter.conf' for system log processing, and 'output-elasticsearch.conf' to define the Elasticsearch output.

Change into the Logstash directory and create the file 'filebeat-input.conf' in the conf.d directory by running

and paste the following configuration

For system log processing we use the filter plugin 'grok', which parses the free-text syslog line into fields (timestamp, host, program, pid, message). Create a new configuration file 'syslog-filter.conf' in the same directory

and paste the following configuration lines

Finally, create the configuration file 'output-elasticsearch.conf' for the Elasticsearch output.

nano conf.d/output-elasticsearch.conf

and paste the following configuration

Save and exit.

Now start, enable and verify the status of the Logstash service.
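The article's own three pipeline files are not reproduced on this page, so the following is an added example, my reconstruction of a beats-over-TLS input, a grok syslog filter and a localhost Elasticsearch output, together with the certificate step, written out from the shell. Assumptions (not from the article): the beats listener is on port 5443, the certificate CN is elk-master, the files live under /etc/logstash, and Elasticsearch is on localhost:9200. By default everything is written to a temporary directory so you can inspect it first.

```shell
#!/bin/sh
# Added example, not the article's own configuration: a reconstruction of the
# three Logstash pipeline files the text names (filebeat-input.conf,
# syslog-filter.conf, output-elasticsearch.conf) plus the self-signed
# certificate step. Assumptions: Logstash config lives in /etc/logstash, the
# beats listener is on port 5443, the cert CN is elk-master, Elasticsearch is
# on localhost:9200. Set LS_DIR=/etc/logstash (as root) to write the real thing.
set -eu

# gen_logstash_cert DIR CN: self-signed cert/key pair for the beats listener.
# Filebeat clients get the .crt only; the key never leaves this host.
gen_logstash_cert() {
  mkdir -p "$1/ssl"
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -batch \
    -subj "/CN=$2/" -keyout "$1/ssl/logstash-forwarder.key" \
    -out "$1/ssl/logstash-forwarder.crt"
  chmod 600 "$1/ssl/logstash-forwarder.key"
}

write_logstash_pipeline() {
  d=$1
  mkdir -p "$d/conf.d"
  cat > "$d/conf.d/filebeat-input.conf" <<'EOF'
input {
  beats {
    port => 5443
    type => syslog
    ssl => true
    ssl_certificate => "/etc/logstash/ssl/logstash-forwarder.crt"
    ssl_key => "/etc/logstash/ssl/logstash-forwarder.key"
  }
}
EOF
  cat > "$d/conf.d/syslog-filter.conf" <<'EOF'
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => { "received_at" => "%{@timestamp}" }
      add_field => { "received_from" => "%{[host][name]}" }
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
EOF
  cat > "$d/conf.d/output-elasticsearch.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
EOF
}

# check_pipeline DIR: fail unless the beats input is TLS-protected and the
# output targets only localhost. A plaintext beats listener on a public port
# or a remote Elasticsearch host is the mistake worth catching before
# `systemctl start logstash`.
check_pipeline() {
  grep -q 'ssl => true' "$1/conf.d/filebeat-input.conf" || return 1
  grep -q 'hosts => \["localhost:9200"\]' "$1/conf.d/output-elasticsearch.conf" || return 1
  return 0
}

LS_DIR=${LS_DIR:-$(mktemp -d)}
write_logstash_pipeline "$LS_DIR"
if check_pipeline "$LS_DIR"; then echo "pipeline written to $LS_DIR/conf.d and checks pass"; fi
# Real deployment (as root):
#   gen_logstash_cert /etc/logstash elk-master
#   sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t   # config test
#   sudo systemctl enable --now logstash
```

The `-t` config test is worth running every time a file under conf.d changes: Logstash loads all of conf.d as one pipeline, so a syntax error in any one file stops the whole service, and the failure only shows up in journalctl otherwise.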

Install and configure Kibana

Install Kibana by using the following command

We are going to make some modifications to the Kibana configuration file.

Locate and uncomment the following attributes

Now start and enable the Kibana service:

Install and configure NGINX

Install Nginx and 'apache2-utils' (which provides the htpasswd tool)

Now, create a new virtual host file named Kibana.

and paste the following configuration into the file.

Let's create the basic-auth credentials for the Kibana dashboard, activate the Kibana virtual-host configuration, test the Nginx configuration, and then enable and restart the Nginx service with the following commands. Kibana itself has no login in this setup, so this Nginx password prompt is the only gate on the dashboard; make sure port 5601 is not reachable from outside the host.
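The virtual host itself is not reproduced on this page, so here is an added example (not the article's own file) of an Nginx server block that proxies to Kibana behind basic auth, with a small check that the proxy is actually gated. Assumptions: Kibana listens on 127.0.0.1:5601, the credential file is /etc/nginx/htpasswd.kibana, and the server name is elk-master; the file is written to a temporary path unless NGINX_SITE is set.

```shell
#!/bin/sh
# Added example, not the article's own vhost: an Nginx server block that puts
# HTTP basic auth in front of Kibana, plus a check that the proxy is gated.
# Assumptions: Kibana on 127.0.0.1:5601, credentials in
# /etc/nginx/htpasswd.kibana, server_name elk-master. Written to a temp file
# by default; set NGINX_SITE=/etc/nginx/sites-available/kibana (as root).
set -eu

write_kibana_vhost() {
  cat > "$1" <<'EOF'
server {
    listen 80;
    server_name elk-master;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.kibana;

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
EOF
}

# vhost_gated FILE: 0 only if basic auth is switched on with a user file and
# no block turns it back off. An "auth_basic off;" inside a location (for
# example to let a script reach /api/) silently exposes that path.
vhost_gated() {
  grep -q '^[[:space:]]*auth_basic[[:space:]]*"' "$1" || return 1
  grep -q '^[[:space:]]*auth_basic_user_file' "$1" || return 1
  if grep -q 'auth_basic[[:space:]]*off' "$1"; then return 1; fi
  return 0
}

NGINX_SITE=${NGINX_SITE:-$(mktemp)}
write_kibana_vhost "$NGINX_SITE"
if vhost_gated "$NGINX_SITE"; then echo "kibana vhost written to $NGINX_SITE, basic auth enforced"; fi
# Real deployment (as root):
#   htpasswd -c /etc/nginx/htpasswd.kibana admin
#   ln -s /etc/nginx/sites-available/kibana /etc/nginx/sites-enabled/
#   nginx -t && systemctl enable --now nginx
```

Because the listener is plain HTTP on port 80, the basic-auth credentials cross the network in cleartext; this is acceptable for a lab on a private network, but in any other deployment terminate TLS in this server block before exposing it.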

Install and configure Filebeat

We're going to configure the Filebeat data shipper on our elk-master server. It collects data from various sources and ships it to Logstash or Elasticsearch.

Download and install Filebeat by running the following command.

Let's install the downloaded package by using the following command:

Next, open the filebeat configuration file named ‘filebeat.yml’

Edit the configuration file:

We're going to use Elasticsearch to perform additional processing on the data collected by Filebeat. Enable the Filebeat inputs (called prospectors in older Filebeat releases) by changing the 'enabled' line value to 'true'.

Next, head to the Elasticsearch output section and add the following lines

output.elasticsearch:

Enable and configure the Elasticsearch module by running following command

sudo filebeat modules enable elasticsearch

Let's start Filebeat

Finally, copy the Logstash certificate file, logstash-forwarder.crt, to the /etc/filebeat directory by running the following command, so that Filebeat can trust the Logstash listener:

To test the ELK stack, open your browser and go to your server's IP address followed by port 5601

Routing Linux Logs to Elasticsearch

We're routing logs from rsyslog to Logstash, and Logstash forwards them to Elasticsearch automatically.

Routing From Logstash To Elasticsearch

Before routing logs from rsyslog to Logstash, we first need to set up log forwarding between Logstash and Elasticsearch.

To do this we create a configuration file for Logstash. Head over to the directory /etc/logstash/conf.d and create a logstash.conf file

Paste the following configuration into the logstash.conf file

Restart the Logstash service.

Let's check that everything is running correctly by issuing the following command:

Routing from rsyslog to Logstash

Rsyslog can transform logs using templates. To forward logs from rsyslog, head over to the directory /etc/rsyslog.d and create a new file named 70-output.conf

And paste the following configuration into the 70-output.conf file

Now that we have log forwarding, create a 01-json-template.conf file in the same folder

And paste the following configuration into the 01-json-template.conf file

Restart the rsyslog service and verify that logs are correctly forwarded into Elasticsearch.

Note: the logs will be indexed into indices named logstash-*.
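As an added example (not the article's own files, which are not reproduced on this page), the following writes the two rsyslog files named above, a JSON template and an omfwd forwarding action, together with the matching logstash.conf TCP/JSON input, and checks that the three agree with each other. Assumptions: Logstash listens on 127.0.0.1:10514 with the json codec, and the template's field names (programname, sysloghost, severity, facility, procid) are my choice; programname is the field the Kibana queries later in the article rely on.

```shell
#!/bin/sh
# Added example (not the article's own files): the rsyslog side of the routing
# described above (70-output.conf and 01-json-template.conf) plus the matching
# logstash.conf TCP/JSON input. Assumptions: Logstash listens on
# 127.0.0.1:10514 with the json codec; field names are my choice. Files go to
# temp dirs unless RSYSLOG_D (/etc/rsyslog.d) and LOGSTASH_D
# (/etc/logstash/conf.d) are set.
set -eu

write_rsyslog_forwarding() {
  d=$1
  mkdir -p "$d"
  # "list" template emitting one JSON object per line. format="json" escapes
  # quotes and newlines in msg, so a hostile log line cannot inject fields.
  cat > "$d/01-json-template.conf" <<'EOF'
template(name="json-template" type="list") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"@version\":\"1")
  constant(value="\",\"message\":\"")     property(name="msg" format="json")
  constant(value="\",\"sysloghost\":\"")  property(name="hostname")
  constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
  constant(value="\",\"programname\":\"") property(name="programname")
  constant(value="\",\"procid\":\"")      property(name="procid")
  constant(value="\"}\n")
}
EOF
  # Forward every facility/severity to Logstash on loopback over TCP.
  cat > "$d/70-output.conf" <<'EOF'
*.* action(type="omfwd" target="127.0.0.1" port="10514" protocol="tcp" template="json-template")
EOF
}

write_logstash_tcp_input() {
  mkdir -p "$1"
  cat > "$1/logstash.conf" <<'EOF'
input {
  tcp {
    host => "127.0.0.1"
    port => 10514
    codec => "json"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
EOF
}

# check_routing RSYSLOG_D LOGSTASH_D: the omfwd target:port must equal the tcp
# input's host:port, the Logstash listener must stay on loopback (an
# unauthenticated json tcp input on 0.0.0.0 accepts forged events from anyone),
# and the template must be declared in a file that sorts before the action
# that uses it, because rsyslog loads /etc/rsyslog.d/*.conf in glob order.
check_routing() {
  tgt=$(sed -n 's/.*target="\([^"]*\)".*port="\([^"]*\)".*/\1:\2/p' "$1/70-output.conf")
  ls_host=$(sed -n 's/.*host => "\([^"]*\)".*/\1/p' "$2/logstash.conf")
  ls_port=$(sed -n 's/.*port => \([0-9]*\).*/\1/p' "$2/logstash.conf")
  [ "$tgt" = "$ls_host:$ls_port" ] || return 1
  [ "$ls_host" = "127.0.0.1" ] || return 1
  tmpl=$(sed -n 's/.*template="\([^"]*\)".*/\1/p' "$1/70-output.conf")
  for f in "$1"/*.conf; do
    if grep -q "template(name=\"$tmpl\"" "$f"; then return 0; fi
    if grep -q "template=\"$tmpl\"" "$f"; then return 1; fi
  done
  return 1
}

RSYSLOG_D=${RSYSLOG_D:-$(mktemp -d)}
LOGSTASH_D=${LOGSTASH_D:-$(mktemp -d)}
write_rsyslog_forwarding "$RSYSLOG_D"
write_logstash_tcp_input "$LOGSTASH_D"
if check_routing "$RSYSLOG_D" "$LOGSTASH_D"; then echo "rsyslog -> logstash routing consistent"; fi
# Then: systemctl restart rsyslog logstash; logger -t probe hello;
# curl -s 'http://localhost:9200/logstash-*/_search?q=programname:probe' | grep -c hello
```

The `logger -t probe hello` line in the comment is the quickest end-to-end check: if the search returns the event under programname "probe", rsyslog, the template, the TCP input and the Elasticsearch output are all in place; if the index exists but the field is missing, the template file is being loaded after the action that references it.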

Create a Log Dashboard in Kibana

Open your browser and head over to http://localhost:5601 and you should see the following screen.

Go to the Management section, create an index pattern called logstash-* and proceed to the next step.

We've defined logstash-* as our index pattern. Now we can specify some settings before we create it. In the Time Filter field name choose @timestamp and create the index pattern.

Monitoring SSH entries

This one is a little bit special, as we can go into the "Discover" tab to build our panel.

When entering the Discover tab, select logstash-*

From there, in the filter bar, enter the query filter "programname:ssh*".

Now we can see every log related to the sshd service on our machine.

As we can see, we now have direct access to every log line produced by sshd; we can, for example, track illegal access attempts or failed logins by narrowing the query further, such as programname:ssh* and message:"Failed password".

Similarly, we can monitor illegal access attempts or failed logins for other services such as FTP, Telnet, etc.
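The Kibana query above is a wildcard match on the programname field. As an added example (not from the article), the following applies the same filter offline to constructed log lines in the JSON shape the rsyslog template produces, then reduces the sshd events to the question a hunter actually asks: which source IPs are failing to log in, and how often. The sample lines, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the article: the Kibana query programname:ssh*
# applied offline to rsyslog-style JSON lines, then reduced to failed
# logins per source IP. Sample lines are constructed.
set -eu

# field LINE KEY: value of a top-level string field in a flat JSON object.
field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# ssh_events FILE: lines whose programname starts with "ssh", i.e. the Kibana
# wildcard query programname:ssh*, printed unchanged.
ssh_events() {
  while IFS= read -r line; do
    case "$(field "$line" programname)" in
      ssh*) printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

# failed_logins_by_ip FILE: "count ip" for sshd failures, most frequent first.
# Matches the two messages OpenSSH logs for bad credentials and unknown users;
# successful logins and other daemons are ignored.
failed_logins_by_ip() {
  ssh_events "$1" | while IFS= read -r line; do
    msg=$(field "$line" message)
    case "$msg" in
      "Failed password for "*|"Invalid user "*)
        printf '%s\n' "$msg" | sed -n 's/.* from \([0-9.]*\).*/\1/p' ;;
    esac
  done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample: what rsyslog would emit for a mix of sshd, cron and telnet.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
{"@timestamp":"2021-03-10T10:00:01+00:00","@version":"1","message":"Failed password for root from 203.0.113.5 port 51022 ssh2","sysloghost":"elk-master","severity":"info","facility":"auth","programname":"sshd","procid":"2101"}
{"@timestamp":"2021-03-10T10:00:03+00:00","@version":"1","message":"Failed password for root from 203.0.113.5 port 51023 ssh2","sysloghost":"elk-master","severity":"info","facility":"auth","programname":"sshd","procid":"2101"}
{"@timestamp":"2021-03-10T10:00:05+00:00","@version":"1","message":"Invalid user admin from 198.51.100.7 port 40100","sysloghost":"elk-master","severity":"info","facility":"auth","programname":"sshd","procid":"2104"}
{"@timestamp":"2021-03-10T10:00:07+00:00","@version":"1","message":"Accepted publickey for vijay from 192.0.2.10 port 50011 ssh2","sysloghost":"elk-master","severity":"info","facility":"auth","programname":"sshd","procid":"2110"}
{"@timestamp":"2021-03-10T10:00:09+00:00","@version":"1","message":"(root) CMD (run-parts /etc/cron.hourly)","sysloghost":"elk-master","severity":"info","facility":"cron","programname":"CRON","procid":"2111"}
{"@timestamp":"2021-03-10T10:00:11+00:00","@version":"1","message":"connect from 198.51.100.7 (198.51.100.7)","sysloghost":"elk-master","severity":"info","facility":"daemon","programname":"in.telnetd","procid":"2112"}
EOF

echo "sshd events: $(ssh_events "$LOG" | wc -l | tr -d ' ')"
failed_logins_by_ip "$LOG"
```

The same reduction in Kibana is a Visualize bar chart of programname:ssh* and message:"Failed password" split by a terms aggregation on the extracted source address; doing it once in the shell first makes it clear which message variants the visualization must cover (note that "Invalid user" lines carry no "Failed password" text, so a query on that phrase alone undercounts).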

For example, I logged in to my server over Telnet from a different machine.

Let’s check what happens on the Kibana dashboard.

Hold tight!

Nice! Now your panel is included in your dashboard.

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

7 Comments

    1. Vijay

Go for the article… at the end of this article you are able to monitor threat logs. The first time you use a new instance of Kibana, there are a couple of setup steps you'll need to do. Since Elasticsearch can store multiple different kinds of data at once, Kibana wants you to narrow it down to a particular set of data using a search pattern. For log monitoring go to the management console, create an index and configure the index with a timestamp. Once you have this set up you should be able to go to "Discover" and see a bit of data on display.

  1. Jm

    Hi RAJ CHANDEL,

have you any idea how much memory and disk space are necessary to install and keep running the monitoring activity with all these applications?

    Thanks for your content!

  2. Vikas

This is by far the best article around Elasticsearch I've ever seen, and I have researched for months. This shit should be paid and I want to thank you for putting this out here for everyone's benefit. You've put so many man hours into this!
