How To Install ELK SIEM For Beginners – Complete Guide

In 2019, Elastic, the company behind the ELK stack (Elasticsearch, Logstash and Kibana), released a SIEM (Security Information and Event Management) application built on that stack. A SIEM is central to the operation of a Security Operations Center. I made a video on my YouTube channel that shows some of the information you can get out of the Elastic SIEM. Please watch it to get an idea of what to expect after completing the installation guide below.

https://www.youtube.com/watch?v=NbXBOaIfGfU

How does ELK SIEM Work?

Here is a diagram from elastic.co that shows all the components needed for the SIEM to work. You can find a detailed explanation here: https://www.elastic.co/guide/en/siem/guide/current/siem-overview.html

[Diagram from elastic.co: the Elastic SIEM app sits on top of Kibana, which visualizes data held in Elasticsearch (a distributed, RESTful search and analytics engine). Network and host data arrives through integrations shipped by Beats, Elastic Endpoint and Logstash, normalized to the Elastic Common Schema (ECS), with security content provided by Elastic and the community.]

Installation Process

  1. Install Ubuntu 18.04
  2. Install ELK SIEM
  3. Ship Data to the SIEM using endpoint agents

Installing Ubuntu 18.04

Installing Ubuntu should be clear and straightforward. In my lab, running on VMware ESXi, the VM was created with the settings shown in the screenshots below. In the future I would like to try this in Docker and Kubernetes.

[Screenshot: vSphere "New Virtual Machine" wizard, step 2 "Select a name and folder": virtual machine name "ELK SIEM", placed in the lab datacenter.]

[Screenshot: wizard step 6 "Select a guest OS": Guest OS Family "Linux", Guest OS Version "Ubuntu Linux (64-bit)", compatibility "ESXi 6.5 and later (VM version 13)".]

[Screenshot: wizard step 7 "Customize hardware": memory, a new hard disk sized 500 (the unit is not legible in the screenshot), an LSI Logic Parallel SCSI controller, a network adapter on "VM Network", and a CD/DVD drive pointed at a datastore ISO file (the Ubuntu installer).]

Boot the machine and install Ubuntu

[Screenshot: Ubuntu 18.04 server installer welcome screen ("Welcome to Ubuntu! The world's favourite platform for clouds, clusters, and amazing internet things. This is the installer for Ubuntu on servers and internet devices."), showing the "Install MAAS bare-metal cloud (region)" and "(rack)" options, which are not needed here, and a "Back" option. Use the up and down arrow keys and ENTER to navigate.]

Set a static IP address

[Screenshot: installer "Network connections" screen, editing the IPv4 configuration of interface ens160: IPv4 Method "Manual", with the lab subnet, the VM's address, the gateway, name servers (comma separated) and a search domain filled in. Save, then select Done to continue.]

Once the installation is done, refresh the package index (and apply pending updates with sudo apt upgrade if you want a fully patched base before going further):

sudo apt update

Install Java (OpenJDK 8). Note that the Elasticsearch 7.x Debian package ships its own bundled JDK and uses it unless JAVA_HOME is set, so this step is optional for Elasticsearch itself; it does no harm in a lab.

sudo apt install -y openjdk-8-jdk

[Screenshot: apt output for the OpenJDK 8 install, listing the additional packages to be installed; about 79.0 MB of archives to download and 453 MB of additional disk space used.]

Check the Java version to make sure it is installed properly:

java -version

[Screenshot: the output reports openjdk version "1.8.0_232", OpenJDK Runtime Environment and OpenJDK 64-Bit Server VM (mixed mode).]

We are ready to install Elasticsearch. We will be using the commands from:

https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html

Import the Elastic package signing key (the dashes were mangled into en dashes in the original; the command is):

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Since this key decides which packages apt will trust from now on, check it before going further. The Elastic docs publish the fingerprint of the Elasticsearch Signing Key as 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4; compare it with what was imported:

sudo apt-key fingerprint D88E42B4

Install apt-transport-https package if needed:

sudo apt-get install apt-transport-https

Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list:

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Now install Elasticsearch:

sudo apt-get update && sudo apt-get install elasticsearch

Edit /etc/elasticsearch/elasticsearch.yml: uncomment network.host and set it to 0.0.0.0, and uncomment http.port so it is explicitly 9200:

sudo vi /etc/elasticsearch/elasticsearch.yml

[Screenshot: elasticsearch.yml with network.host: 0.0.0.0]

Please note: do not use 0.0.0.0 for network.host in production. It binds Elasticsearch to every interface, and because the X-Pack security features are disabled by default in 7.x, anyone who can reach TCP port 9200 can read, modify and delete all indexed data with no authentication. That is acceptable only for an isolated lab like this one; otherwise bind to a specific interface, set xpack.security.enabled: true, and restrict 9200 with a host firewall.

Enable Elasticsearch to start on boot. Ubuntu 18.04 uses systemd, so enable the unit the package installed (the update-rc.d line in the Elastic docs is for SysV-init hosts and does not enable the systemd unit):

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service

Start Elasticsearch:

sudo -i service elasticsearch start

(sudo systemctl start elasticsearch.service does the same thing.)

Note: Elasticsearch fails to start here, and we need to make one more change.

[Screenshot: "Job for elasticsearch.service failed because the control process exited with error code. See "systemctl status elasticsearch.service" and "journalctl -xe" for details."]

The cause is a bootstrap check. Once network.host is set to a non-loopback address, Elasticsearch 7.x treats the node as a production node and refuses to start unless discovery is configured: at least one of discovery.seed_hosts, discovery.seed_providers or cluster.initial_master_nodes must be set (sudo journalctl -u elasticsearch shows the exact message). For a single-node lab, set cluster.initial_master_nodes to a list containing this node's node.name (by default the hostname; if you use a name like node-1, uncomment node.name and set it to the same value), or, simpler still, set discovery.type: single-node instead:

sudo vi /etc/elasticsearch/elasticsearch.yml

[Screenshot: elasticsearch.yml with cluster.initial_master_nodes set to a list containing a single node name.]

Now start Elasticsearch again and, in a web browser, visit http://192.168.5.53:9200/ (replace with your IP address), or run curl http://192.168.5.53:9200/ from the shell. You should see the JSON banner below. Elasticsearch is now installed.

[Screenshot: browser at 192.168.5.53:9200 (flagged "Not secure", plain HTTP) showing the Elasticsearch banner; cluster_uuid and build_date are not legible in the screenshot:]

{
  "name" : "siem2",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "7.5.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "3ae9ac9a93c95bd0cdca54951cf95d88e1e18d96",
    "build_snapshot" : false,
    "lucene_version" : "8.3.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
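As an added example (my own helper, not code from the original post or from Elastic), here is a small POSIX shell script that applies the elasticsearch.yml edits from the steps above idempotently and then checks the result for the exposure described in the network.host note. It replaces a commented-out default such as #network.host: 192.168.0.1 instead of appending a second line, adds the single-node discovery setting, and flags a configuration that binds to a non-loopback address while xpack.security.enabled is not true. The elasticsearch.yml excerpt inside is constructed to look like the shipped file's commented defaults, and the function names are mine.

```sh
#!/bin/sh
# Added example: idempotent edits to an Elastic-style YAML config plus an
# exposure check for the lab setting network.host: 0.0.0.0.

# set_yaml_key FILE KEY VALUE
#   Sets a top-level "KEY: VALUE" line. If the key already exists, either
#   uncommented ("key: x") or commented out ("#key: x", as in the shipped
#   elasticsearch.yml), the first such line is replaced; otherwise the line
#   is appended. Running it twice leaves exactly one line for the key.
set_yaml_key() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        !done {
            line = $0
            sub(/^[#[:space:]]+/, "", line)      # drop leading "#" and blanks
            if (index(line, k ":") == 1) { print k ": " v; done = 1; next }
        }
        { print }
        END { if (!done) print k ": " v }    # key was absent: append it
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_yaml_key FILE KEY
#   Prints the value of the first uncommented "KEY: VALUE" line, or nothing.
get_yaml_key() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }               # commented lines do not count
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# audit_es_config FILE
#   Prints EXPOSED (exit 1) when the node would listen on a non-loopback
#   address with X-Pack security left off (the 7.x default); OK (exit 0)
#   otherwise. Suitable for a provisioning script's pre-start check.
audit_es_config() {
    host=$(get_yaml_key "$1" network.host)
    sec=$(get_yaml_key "$1" xpack.security.enabled)
    case "$host" in
        ""|127.0.0.1|::1|localhost|_local_) echo OK; return 0 ;;
    esac
    [ "$sec" = "true" ] && { echo OK; return 0; }
    echo EXPOSED
    return 1
}

# Constructed excerpt modelled on the commented defaults of the shipped
# elasticsearch.yml (not a copy of the real file).
demo() {
    dir=$(mktemp -d)
    f="$dir/elasticsearch.yml"
    cat > "$f" <<'EOF'
# ---------------------------------- Node ------------------------------------
#node.name: node-1
# ---------------------------------- Network ---------------------------------
#network.host: 192.168.0.1
#http.port: 9200
# --------------------------------- Discovery --------------------------------
#cluster.initial_master_nodes: ["node-1", "node-2"]
EOF
    # The lab settings from the walkthrough, plus the single-node discovery fix.
    set_yaml_key "$f" network.host 0.0.0.0
    set_yaml_key "$f" http.port 9200
    set_yaml_key "$f" discovery.type single-node
    printf 'lab config:    %s\n' "$(audit_es_config "$f" || true)"   # EXPOSED
    # What it takes to make that bind address acceptable outside a lab.
    set_yaml_key "$f" xpack.security.enabled true
    printf 'with security: %s\n' "$(audit_es_config "$f" || true)"   # OK
    cat "$f"
    rm -rf "$dir"
}
demo
```

The same set_yaml_key works on /etc/kibana/kibana.yml for server.host and elasticsearch.hosts. Run audit_es_config against the real /etc/elasticsearch/elasticsearch.yml before starting the service; the non-zero exit status is what makes it usable as a gate in a provisioning script.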

Installing Kibana

Next, we will install Kibana. I am using these instructions:

https://www.elastic.co/guide/en/kibana/current/deb.html

We already have the Elastic repository and signing key configured, so we can just run:

sudo apt-get install kibana

Once done, let's configure Kibana:

sudo vi /etc/kibana/kibana.yml

[Screenshot: kibana.yml with server.host set so Kibana listens on the VM's network interface (it is reached at 192.168.5.53:5601 below) and elasticsearch.hosts pointing at the local Elasticsearch on port 9200.]

The same caveat as for Elasticsearch applies: with security disabled, Kibana on a non-loopback server.host has no login at all, so keep it on the lab network only.

Save, and enable Kibana to start on reboot (systemd on Ubuntu 18.04):

sudo systemctl enable kibana.service

And start Kibana:

sudo service kibana start

DONE! Now go to http://YOUR-IP-HERE:5601 (plain HTTP; Kibana does not serve TLS until you configure server.ssl.enabled, server.ssl.certificate and server.ssl.key in kibana.yml).

You might see this:

[Screenshot: browser at 192.168.5.53:5601 (flagged "Not secure") showing "Kibana server is not ready yet".]

Wait for Kibana to initialize; it can take a few minutes depending on how many resources your machine has. If the message does not go away, confirm that Elasticsearch is answering on port 9200 and watch sudo journalctl -u kibana -f for errors.