Install and Configuration of ELK

This section covers how to configure your ELK server so that it is compatible with the Ergo Witness front end. All of the commands below are for RPM-based systems; DEB equivalents can be found with a quick Google search if needed. I have a sh script that will do a basic installation of the ELK stack for you here. Note that you still need to understand how ELK works in order to troubleshoot problems.

Get this script on GitHub

Install ELK

Follow the steps below to install Logstash!

Install Java

yum install wget -y
cd /opt
wget --no-cookies --no-check-certificate --header "Cookie:; oraclelicense=accept-securebackup-cookie" ""
rpm -Uvh jre-8u102-linux-x64.rpm
rm -rf jre-8u102-linux-x64.rpm
yum install java-devel -y

Install Elasticsearch

sudo rpm --import
echo '[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=
gpgcheck=1
gpgkey=
enabled=1
autorefresh=1
type=rpm-md
' | sudo tee /etc/yum.repos.d/elasticsearch.repo
sudo yum -y install elasticsearch

Change the network host to localhost

sed -i 's/ localhost/g' /etc/elasticsearch/elasticsearch.yml
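The one-line sed above only works if you know the exact text of the shipped line. The following is an added example (not the page's script and not part of the Ergo Witness project) that sets the bind address idempotently whether the `network.host` line is present, commented out, or absent, and reads the effective value back so the change can be verified. It assumes the stock Elasticsearch 5.x config key name `network.host`; the sample config it edits is constructed for the demo.

```shell
#!/bin/sh
# Added example: set and verify network.host in an elasticsearch.yml.
# Assumes the stock 5.x key name "network.host" (shipped commented out).

# Print the effective network.host value from FILE (empty if unset/commented).
get_es_network_host() {
    sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$1" | tail -n 1
}

# Set network.host in FILE to VALUE: rewrite an existing (possibly commented)
# line if there is one, otherwise append one. Keeps a .bak copy of the original.
set_es_network_host() {
    file=$1
    value=$2
    cp "$file" "$file.bak"
    if grep -q '^[[:space:]]*#*[[:space:]]*network\.host:' "$file"; then
        # Portable in-place edit (no reliance on sed -i flavour).
        sed "s/^[[:space:]]*#*[[:space:]]*network\.host:.*/network.host: $value/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'network.host: %s\n' "$value" >> "$file"
    fi
}

# Demo on a constructed copy of the config, never on the live file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/elasticsearch.yml" <<'EOF'
cluster.name: ergo-witness
#network.host: 192.168.0.1
http.port: 9200
EOF
set_es_network_host "$demo_dir/elasticsearch.yml" localhost
echo "network.host is now: $(get_es_network_host "$demo_dir/elasticsearch.yml")"
rm -rf "$demo_dir"
```

Binding to localhost means the REST API on 9200 is only reachable from the box itself (and therefore only through the NGINX proxy set up later), which is the whole point of the change; run `get_es_network_host /etc/elasticsearch/elasticsearch.yml` after editing to confirm it took.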

Enable Elasticsearch to start when the machine boots, and then start Elasticsearch

systemctl enable elasticsearch
systemctl start elasticsearch

Install Kibana

Now we will install Kibana, so that we can see our data.

echo '[kibana-4.4]
name=Kibana repository for 4.4.x packages
baseurl=
gpgcheck=1
gpgkey=
enabled=1
' | sudo tee /etc/yum.repos.d/kibana.repo
sudo yum -y install kibana
sudo vi /opt/kibana/config/kibana.yml

In the Kibana config file (/etc/kibana/kibana.yml), find the line that specifies and replace the IP with "localhost", so that it looks like this:

## "localhost"

Now start Kibana:

sudo systemctl start kibana
sudo chkconfig kibana on

Install NGINX

Putting NGINX in front of Kibana adds basic authentication to access to the ELK stack. It is simple to do and highly recommended.

yum -y install epel-release
yum -y install nginx httpd-tools
sudo htpasswd -c /etc/nginx/htpasswd.users kibanaadmin
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
# Delete server block in default config
sed -i -e '38,87d' /etc/nginx/nginx.conf
mkdir /etc/nginx/conf.d
# Quote the heredoc delimiter so the shell does not expand $http_upgrade/$host
# to empty strings before NGINX ever sees them
cat > /etc/nginx/conf.d/kibana.conf << 'EOF'
server {
    listen 80;
    server_name;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
EOF
sudo systemctl start nginx
sudo systemctl enable nginx
sudo setsebool -P httpd_can_network_connect 1
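Because the proxy is the only thing standing between the network and Kibana, it is worth checking the site file after editing. This is an added example (not from the page or the Ergo Witness project) that audits a kibana.conf of the shape above for the two basic-auth directives and a localhost-only upstream, and checks that the htpasswd file is not world-readable. The weak and hardened sample configs and all file paths below are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the NGINX site file that fronts Kibana.
# Directive names follow the kibana.conf shown above; paths are constructed.

# Return 0 when FILE has every directive we expect, 1 otherwise; print reasons.
check_kibana_proxy_conf() {
    file=$1
    ok=0
    grep -Eq '^[[:space:]]*auth_basic[[:space:]]+"' "$file" \
        || { echo "missing auth_basic"; ok=1; }
    grep -Eq '^[[:space:]]*auth_basic_user_file[[:space:]]+' "$file" \
        || { echo "missing auth_basic_user_file"; ok=1; }
    grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://(localhost|127\.0\.0\.1):5601;' "$file" \
        || { echo "proxy_pass does not point at localhost:5601"; ok=1; }
    return $ok
}

# Return 0 when the htpasswd file exists and "other" cannot read it.
# htpasswd -c creates the file with the default umask, usually mode 644.
check_htpasswd_perms() {
    [ -f "$1" ] || { echo "htpasswd file missing: $1"; return 1; }
    if find "$1" -perm -004 | grep -q .; then
        echo "htpasswd file is world-readable: $1"
        return 1
    fi
    return 0
}

# Demo: a weak config (proxy with no credentials) next to the hardened one.
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
server {
    listen 80;
    location / {
        proxy_pass http://localhost:5601;
    }
}
EOF
cat > "$demo/kibana.conf" <<'EOF'
server {
    listen 80;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;
    location / {
        proxy_pass http://localhost:5601;
    }
}
EOF
check_kibana_proxy_conf "$demo/weak.conf"   && echo "weak.conf: ok"   || echo "weak.conf: FAIL"
check_kibana_proxy_conf "$demo/kibana.conf" && echo "kibana.conf: ok" || echo "kibana.conf: FAIL"
printf 'kibanaadmin:PLACEHOLDER_HASH\n' > "$demo/htpasswd.users"   # constructed, not a real hash
chmod 640 "$demo/htpasswd.users"
check_htpasswd_perms "$demo/htpasswd.users" && echo "htpasswd perms: ok"
rm -rf "$demo"
```

On a real host run `check_kibana_proxy_conf /etc/nginx/conf.d/kibana.conf` and `check_htpasswd_perms /etc/nginx/htpasswd.users` after the steps above; `chmod 640` on the htpasswd file (owned by root with the nginx group) keeps other local users from reading the password hashes.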

If you cannot access your ELK stack after you install NGINX, you may need to set your firewall rules to allow TCP access on ports 9200 and 5400.

Install Logstash

echo '[logstash-5.x]
name=Elastic repository for 5.x packages
baseurl=
gpgcheck=1
gpgkey=
enabled=1
autorefresh=1
type=rpm-md
' | sudo tee /etc/yum.repos.d/logstash.repo
sudo yum -y install logstash
systemctl restart logstash
systemctl enable logstash

Configure Logstash

In order for Packetbeat and Filebeat to actually send information to Logstash, Logstash needs some configuration files. Make a configuration directory for Logstash if you do not already have one:

mkdir /etc/logstash/conf.d

Copy my configuration folder from my GitHub into that new directory. Get those files here.

Restart Logstash:

systemctl restart logstash