Detailed Guide: How to deploy your Elastic Stack (ELK) SIEM
Security information and event management systems (SIEM) are very important tools in incident response missions. Every security operation centre is equipped with a SIEM. In this article, we are going to learn how to deploy a fully working SIEM using the amazing suite the Elastic stack (ELK).
Image source: dashboard
In this article we are going to explore the following points:
- What is Elastic stack?
- How to install Elastic stack?
- How to install Elasticsearch?
- How to install kibana?
- How to install logstach?
- How to deploy ELK beats: Metricbeat
- How to deply Auditbeat
- How to deploy an ELK SIEM
Before diving deep into the required steps to build a SIEM, it is essential to acquire a fair understanding of the different ELK components.
What is the ELK Stack?
Image source: ELK
ELK Stack is the abbreviated form of "Elasticsearch Logstash Kibana" Stack. They are three open source projects. This stack is one of the world's most popular log management platforms by 500,000 downloads every month. The ELK stack is widely used in information technology businesses because it provides business intelligence, security and compliance, and web analytics.
Let's get started;
To build the SIEM, you need to install the required libraries and programs:
For the demonstration, I used a Ubuntu 18.04 server hosted on Microsoft Azure
Update the sources.list file:
sudo apt update
Install Java JDK 8 (and apt-transport-https if you are using Debian)
sudo apt install -y openjdk-8-jdk
Check the Java version with:
Now let's install Elasticsearch:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch
After installing elasticsearch you need to configure it by modifying /etc/elasticsearch/elasticsearch.yml file
sudo vi /etc/elasticsearch/elasticsearch.yml
Un-comment network.host and http.port and assign values to them. Don't use "0.0.0.0" in your production servers. I am using it just for a demonstration.
save the file.
To start Elasticsearch on boot up type:
sudo update-rc.d elasticsearch defaults 95 10
Start elasticsearch service:
sudo service elasticsearch start
Check the installation:
curl -X GET "YOU_IP:9200"
Now let's install Kibana:
sudo apt install -y kibana
And like what we did with elasticsearch we need to configure it too:
sudo vi /etc/kibana/kibana.yml
Un-comment and modify the following values:
server.port: 5601 server.host: "YOUR-IP-HERE" elasticsearch.url: "http://YOUR-IP-HERE:9200"
Save the file, and perform what we did previously
sudo update-rc.d kibana defaults 95 10
and run it:
sudo service kibana start
Now go to https://YOUR-IP-HERE:5601
Voila, you can start exploring the dashboard of some pre-installed Sample Log data:
Install logstash to collect, parse and transform logs if needed:
sudo apt install -y logstash
But wait how can we use our own data?
It is a good question, we can receive data from a host using what we call "Beats". You can find the full list here:
As a demonstration i am going to use "Metricbeat
sudo apt-get install metricbeat
Configure the beat by typing
sudo vi /etc/metricbeat/metricbeat.yml
To start metricbeat on boot up type as usual
sudo update-rc.d metricbeat defaults 95 10
Start the beat:
sudo service metricbeat start
Now go to the main dashboard and create a new index:
If everything went well you will see your beat:
Select the time filter by selecting @timestamp:
Then, you can visualize any data you want from that beat.
By now we deployed the most important parts. Let's learn how to deploy the ELK SIEM:
Go to the sidebar and you will find SIEM option:
It will take you to the main SIEM page:
But now we need data to run the SIEM. In order to do that we need to install other beats from sources like the following:
For the demonstration i am going to use the " Auditbeat":
sudo apt-get install auditbeat
Configure it by:
sudo vi /etc/auditbeat/auditbeat.yml
Check the setup:
sudo auditbeat setup
Run the beat:
sudo service auditbeat start
If you did everything correctly you will see this on the SIEM Dashboard:
Congratulations! Now you can see the dashboard of your SIEM.
Check the hosts:
Check the Network Dashboard:
A system Overviews:
Voila, you learned how to build an ELK SIEM.