Cyb3rSn0rlax
a. Installing and configuring Elasticsearch

Guide to install Elastic Stack


Last updated 4 years ago

For simplicity, I will install the Elastic Stack as an all-in-one server, with Elasticsearch, Kibana, and Logstash on a single Ubuntu 18.04 LTS host with 8 GB of RAM.

Sizing and configuring a multi-node Elastic Stack cluster for logging use cases can be challenging and might be the subject of a separate post.

Modify Hosts File

First, I add the hostname of my single node to /etc/hosts (192.168.20.222 is the server's own address) so the same name can be used as node.name in the Elasticsearch configuration file later.

192.168.20.222  elk_allinone
127.0.0.1 localhost

Disabling SWAP

Swap hurts both the performance and the stability of Elasticsearch nodes (a swapped-out heap can stall garbage collection long enough for the node to drop out of the cluster), so it is recommended to disable it permanently. Turn it off on the running system first, then remove it from /etc/fstab:

$ sudo swapon --show
$ sudo swapoff -v /swapfile
$ sudo vi /etc/fstab

Comment out every line in /etc/fstab that refers to swap, then delete the swap file:

$ sudo rm /swapfile

Download and install Debian packages manually

I am going to work with version 7.8.0 of the Elastic Stack because the OpenDistro plugins I install later were, at the time of writing, not compatible with the latest release. The .sha512 file verifies that the download is intact, but since it comes from the same server it does not prove authenticity; for that, verify the detached PGP signature Elastic publishes for each artifact against Elastic's signing key, or install from Elastic's signed APT repository.

$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-amd64.deb
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-amd64.deb.sha512
$ shasum -a 512 -c elasticsearch-7.8.0-amd64.deb.sha512 
$ sudo dpkg -i elasticsearch-7.8.0-amd64.deb

Modify Heap Size

As a rule of thumb, dedicate no more than half of the available RAM to the Elasticsearch heap (the rest goes to the OS page cache that Lucene relies on), and never more than about 31 GB so the JVM keeps using compressed object pointers. With 8 GB we set both -Xms and -Xmx to 4 GB in jvm.options; they must be equal so the heap is not resized at runtime.

$ sudo vi /etc/elasticsearch/jvm.options
-Xms4g
-Xmx4g

Modify Configuration File

The next step is editing the elasticsearch.yml configuration file to fit my single-node cluster. Back it up first:

$ sudo cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.backup
$ sudo vi /etc/elasticsearch/elasticsearch.yml
# ======================== Elasticsearch Configuration ===================#
cluster.name: cyb3rsn0rlax
node.name: elk_allinone
node.master: true
node.ingest: true
node.data: true
node.ml: false
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: [_local_, _site_]
http.port: 9200
cluster.initial_master_nodes: ["elk_allinone"]

I have a single-node cluster, so this node is necessarily the master node, the data node and, if I want to use Elasticsearch ingest pipelines, the ingest node too. cluster.initial_master_nodes must list its node.name exactly or the cluster will never bootstrap (for a node that will never join others, discovery.type: single-node is the simpler alternative). Note that _site_ binds the HTTP API to the server's LAN address and Elasticsearch 7.8 ships with security disabled, so until an authentication layer is in place (the OpenDistro security plugin installed in part 2 of this series provides one) port 9200 is reachable by anyone on that network; restrict it with a host firewall in the meantime.

Modifying System Configuration

Elasticsearch needs higher resource limits than the defaults grant the elasticsearch user. How to raise them depends on the OS and on how Elasticsearch was installed; with the Debian package on Ubuntu the service is managed by systemd, so the limits belong in a systemd override rather than in /etc/security/limits.conf. The package unit already raises the open-file and process limits; the override below lifts the memory lock limit, which only matters if bootstrap.memory_lock: true is also set in elasticsearch.yml. Memory locking is the alternative to disabling swap, so with swap already removed above it is optional, but requesting it without this override fails the memory lock bootstrap check and the node will not start.

$ sudo systemctl edit elasticsearch

This opens /etc/systemd/system/elasticsearch.service.d/override.conf in an editor. Add the following lines, save, then reload systemd and start Elasticsearch:

[Service]
LimitMEMLOCK=infinity
$ sudo systemctl daemon-reload
$ sudo systemctl start elasticsearch

Let's begin!

Enable the elasticsearch service so it starts automatically at boot:

$ sudo /bin/systemctl daemon-reload
$ sudo /bin/systemctl enable elasticsearch.service

Check its status and query the REST API on the local interface:

$ sudo systemctl status elasticsearch
$ curl localhost:9200
{
  "name" : "elk_allinone",
  "cluster_name" : "cyb3rsn0rlax",
  "cluster_uuid" : "-wuP6BX2QCiB5CSHKSw2GQ",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
    "build_date" : "2020-11-26T06:34:37.794943Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

See the Elastic documentation on product compatibility for more information about which versions of the stack components work together.
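Several of the settings above only bite at start-up or under load: a heap larger than half of RAM, a swap entry left in /etc/fstab, a node.name that does not match cluster.initial_master_nodes, or bootstrap.memory_lock enabled without the systemd override. The following script is an added example (my own, not code from the original post or from Elastic) that runs pre-flight checks for exactly those points on a single-node configuration. It runs offline against constructed samples that mirror the values used in this post; the sample values and the helper names (heap_size_gb, check_*) are my own. To check a live host, feed it the real files, for example check_jvm_options "$(cat /etc/elasticsearch/jvm.options)" "$(awk '/MemTotal/{print $2}' /proc/meminfo)".

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight checks for the
# single-node Elasticsearch configuration built above. Each check takes the
# relevant file contents or command output as text, so it can be run against
# the constructed samples at the bottom or against real files on a host.
set -u

# Recommended heap in GB for a total RAM given in kB: half of RAM, capped at
# 31 GB so the JVM keeps compressed object pointers (and at least 1 GB).
heap_size_gb() {
  local ram_kb=$1 half
  half=$(( ram_kb / 1024 / 1024 / 2 ))
  if [ "$half" -lt 1 ]; then half=1; fi
  if [ "$half" -gt 31 ]; then half=31; fi
  echo "$half"
}

# jvm.options text + total RAM in kB -> 0 when -Xms equals -Xmx and neither
# exceeds the recommended size; 1 otherwise.
check_jvm_options() {
  local text=$1 ram_kb=$2 xms xmx max
  xms=$(printf '%s\n' "$text" | sed -n 's/^-Xms\([0-9][0-9]*\)g$/\1/p' | tail -n 1)
  xmx=$(printf '%s\n' "$text" | sed -n 's/^-Xmx\([0-9][0-9]*\)g$/\1/p' | tail -n 1)
  if [ -z "$xms" ] || [ -z "$xmx" ]; then return 1; fi
  if [ "$xms" -ne "$xmx" ]; then return 1; fi
  max=$(heap_size_gb "$ram_kb")
  [ "$xmx" -le "$max" ]
}

# Output of `swapon --show` -> 0 when it is empty, i.e. no swap is active.
check_swap_off() {
  [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# /etc/fstab text -> 0 when no uncommented line still mentions swap.
check_fstab_no_swap() {
  if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'swap'; then
    return 1
  fi
  return 0
}

# elasticsearch.yml text -> 0 when node.name is listed in
# cluster.initial_master_nodes; a mismatch leaves the node unable to elect a master.
check_bootstrap_names() {
  local text=$1 node masters
  node=$(printf '%s\n' "$text" | sed -n 's/^node\.name:[[:space:]]*//p' | tail -n 1)
  masters=$(printf '%s\n' "$text" | sed -n 's/^cluster\.initial_master_nodes:[[:space:]]*//p' | tail -n 1)
  [ -n "$node" ] && printf '%s' "$masters" | grep -q "\"$node\""
}

# elasticsearch.yml text + systemd override text -> 0 unless memory locking is
# requested without LimitMEMLOCK=infinity, which fails the memory lock
# bootstrap check once network.host is bound to a non-loopback address.
check_memlock() {
  if printf '%s\n' "$1" | grep -q '^bootstrap\.memory_lock:[[:space:]]*true'; then
    printf '%s\n' "$2" | grep -q '^LimitMEMLOCK=infinity'
  else
    return 0
  fi
}

# Constructed samples mirroring the post's values (not captured from a live host).
SAMPLE_RAM_KB=8388608   # 8 GB as /proc/meminfo MemTotal reports it
SAMPLE_JVM='-Xms4g
-Xmx4g'
SAMPLE_YML='cluster.name: cyb3rsn0rlax
node.name: elk_allinone
network.host: [_local_, _site_]
cluster.initial_master_nodes: ["elk_allinone"]'
SAMPLE_OVERRIDE='[Service]
LimitMEMLOCK=infinity'
SAMPLE_FSTAB='UUID=0000-0000 / ext4 errors=remount-ro 0 1
#/swapfile none swap sw 0 0'

# Run every check against the samples; prints one line per check and
# returns the number of failed checks.
run_all() {
  local failed=0
  report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; failed=$((failed + 1)); fi; }
  report check_jvm_options "$SAMPLE_JVM" "$SAMPLE_RAM_KB"
  report check_swap_off ""
  report check_fstab_no_swap "$SAMPLE_FSTAB"
  report check_bootstrap_names "$SAMPLE_YML"
  report check_memlock "$SAMPLE_YML" "$SAMPLE_OVERRIDE"
  return "$failed"
}

run_all
```

The memlock check encodes the pitfall the systemd override alone does not protect against: setting bootstrap.memory_lock: true without LimitMEMLOCK=infinity fails a bootstrap check, and bootstrap checks are enforced as soon as network.host binds to a non-loopback address, as _site_ does here. Once the service is up, curl localhost:9200/_cluster/health?pretty should report one node and a green or yellow status; yellow on a single node only means replica shards of indices created with replicas cannot be allocated anywhere.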