Log centralization and security alert with ELK (part 1)

morten12

Hored Otniel

Posted on August 20, 2022


As a SysAdmin, DevOps, or cybersecurity analyst, the moment will inevitably come in your work when you will need to consult the logs to investigate an incident or a bug.

Imagine a scenario where one of your colleagues regularly connects over ssh as 'root' on the servers, or one in which your main database replication server is down. Wouldn't it be useful to have a single place holding all this information, without having to log in to each server?

Log aggregation

In the previous scenarios, the fastest way to get all this information in one place is log aggregation. So what is log aggregation?

Log aggregation is the process of collecting and standardizing log events from various sources across your IT infrastructure for faster log analysis. Log aggregation is one of the early stages in the log management process. With log aggregation, you have the assurance of having centralized the logs and of having a tool for analyzing the logs.
Using log aggregation gives you a lot of advantages. Indeed, you can:

  • Perform real-time monitoring
  • Troubleshoot production incidents
  • Centralize logs in the same location
  • Collaborate with others on log analysis
  • Enhance security in your infrastructure

Elasticsearch-Logstash-Kibana

ELK is a log analysis suite composed of 3 open source tools, developed by the company Elastic: Elasticsearch, Logstash and Kibana.

ElasticSearch is a search and analysis engine that uses the JSON format. Its goal is to efficiently extract data from structured or unstructured data sources in real-time. Elasticsearch uses Lucene to provide the most powerful full-text search capabilities available in any open-source product.

Logstash is a tool for ingesting, processing, and outputting log data. Its function is to parse, filter, and split the logs to transform them into formatted documents for Elasticsearch.

Kibana is an interactive and configurable dashboard that allows you to visualize the data stored in ElasticSearch. Kibana provides insight into trends and patterns in all forms of diagrams and curves. This dashboard can be shared and combined with data visualizations for quick and smart communication.

For data collection, Elastic provides the Beats, lightweight agents that you install on the machines you want to monitor.

With this stack you can therefore build a centralized system (SIEM) that gives full visibility into the activity of your infrastructure and lets you react to threats in real time.


In the rest of this article, we will walk through a demo in which we set up the ELK suite to collect logs from a machine and visualize the dashboards in Kibana.

Demo

Disclaimer: In this article, we will not cover logstash. Logstash is not essential for what we want to do in this series.

For this work we will use one server to install ELK. The data-collection agents (Filebeat, Metricbeat...) will be installed on a separate host.

The server used to install elk is a GCP server with the following specifications:

  • 25GB of disk space
  • 4GB of memory

Although these are fairly minimal specifications, they should suffice for this article.

Prerequisites

Make sure you have java installed and that ports 9200(elasticsearch) and 5601(kibana) are open on your server.

Elasticsearch

We will start by importing the Elasticsearch public GPG key.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

The command should print OK.

Next, we add the Elastic source list to the sources.list.d directory:

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Install and configure elasticsearch

After that, you have to update your system and install elasticsearch

sudo apt-get update

sudo apt-get install elasticsearch

To configure elasticsearch, we will modify the file /etc/elasticsearch/elasticsearch.yml

sudo nano /etc/elasticsearch/elasticsearch.yml

The most important things to change:

network.host
http.port
discovery.type

Config elasticsearch

After that, we start the service:

sudo systemctl start elasticsearch

You also need to allow Elasticsearch to start every time the server starts.

sudo systemctl enable elasticsearch

After that, we check if everything works well with an HTTP request. In my case, since I used my IP address, I use it for the request:

curl -X GET "your_ip:9200"

If you used localhost, use:

curl -X GET "localhost:9200"
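To make the three elasticsearch.yml edits above repeatable and to turn the curl check into something a script can act on, here is an added shell example; it is not code from the original post. It assumes the Debian package path /etc/elasticsearch/elasticsearch.yml and GNU sed. The bind address and the single-node discovery value are assumptions for a one-server demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the three elasticsearch.yml
# settings named above without duplicating keys, then parse the JSON banner
# that the curl check returns. Assumes a Debian package layout and GNU sed.
set -eu

ES_CONFIG="${ES_CONFIG:-/etc/elasticsearch/elasticsearch.yml}"
# Bind address: the server's own IP if Beats on other hosts must reach it,
# 127.0.0.1 if everything runs locally. 0.0.0.0 on an internet-facing host
# exposes port 9200 to the world, so it is deliberately not the default.
ES_BIND_IP="${ES_BIND_IP:-127.0.0.1}"

# set_yaml_option FILE KEY VALUE
# Rewrites an existing "key:" line (commented out or not) or appends one,
# so re-running the script never leaves two conflicting definitions.
set_yaml_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}:" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# get_yaml_option FILE KEY -> prints the value of the active "key: value" line
get_yaml_option() {
  sed -nE "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1
}

# es_field JSON FIELD -> prints the first string value of FIELD in the banner
# (works for cluster_name at top level and for number inside "version")
es_field() {
  printf '%s' "$1" \
    | grep -oE "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n1 \
    | sed -E 's/.*:[[:space:]]*"([^"]*)"$/\1/'
}

# configure_elasticsearch [FILE] [BIND_IP]: the three edits the post describes
configure_elasticsearch() {
  local file="${1:-$ES_CONFIG}" ip="${2:-$ES_BIND_IP}"
  set_yaml_option "$file" network.host "$ip"
  set_yaml_option "$file" http.port 9200
  # single-node skips cluster discovery; assumed value for a one-server demo
  set_yaml_option "$file" discovery.type single-node
}

# check_elasticsearch HOST:PORT -> prints "cluster=<name> version=<n>" or fails
check_elasticsearch() {
  local banner
  banner="$(curl -sf "http://$1")" || { echo "no answer from $1" >&2; return 1; }
  printf 'cluster=%s version=%s\n' \
    "$(es_field "$banner" cluster_name)" "$(es_field "$banner" number)"
}

# Offline demonstration on a constructed copy of a stock elasticsearch.yml.
demo_offline() {
  local tmp; tmp="$(mktemp)"
  printf '#network.host: 192.168.0.1\n#http.port: 9200\n' > "$tmp"
  configure_elasticsearch "$tmp" 10.0.0.5
  cat "$tmp"
  rm -f "$tmp"
}
demo_offline
```

Run it as root (or with sudo) against the real file by calling configure_elasticsearch with no arguments after exporting ES_BIND_IP, then check_elasticsearch your_ip:9200 once the service is up. Binding to the server's own address rather than 0.0.0.0 keeps port 9200 off interfaces that do not need it.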


Kibana

Install and configure kibana

To install kibana :

sudo apt install kibana

sudo systemctl enable kibana

sudo systemctl start kibana

After that, we configure kibana by modifying the file /etc/kibana/kibana.yml. The most important elements to modify here:

server.port: 5601

server.host: "0.0.0.0"

elasticsearch.hosts: ["http://localhost:9200"]

For elasticsearch.hosts replace localhost if you have configured elasticsearch on another IP address.

Let's restart the service

systemctl restart kibana

You should now be able to reach the kibana dashboard at http://localhost:5601 or http://your-ip:5601:

Kibana dashboard

As you may have noticed when logging into kibana, no authentication is required. While this doesn't particularly bother our work here, in a real environment, we can't let the dashboard be accessible so easily. So we will add authentication to our dashboard. To do this, elastic has prepared some tools that we can use.

First, we need to stop the two services

systemctl stop elasticsearch kibana

In the file /etc/elasticsearch/elasticsearch.yml, let's add :

xpack.security.enabled: true

To communicate with our cluster, we need to set passwords for the built-in users. For this there is an elasticsearch program in the folder /usr/share/elasticsearch/. With the elasticsearch service stopped, run the following command from that folder:

./bin/elasticsearch

Then in another terminal :

./bin/elasticsearch-setup-passwords auto

You must answer "y" to confirm this step.

After that, you will get the passwords for the different users as shown here :


Then we have to go back to the kibana configuration file to authenticate the user kibana_system. Otherwise, kibana and elasticsearch will not be able to communicate.

The following information must be added to the configuration, filling in the credentials obtained earlier. The user to indicate here is kibana_system:

elasticsearch.username: "kibana_system"
elasticsearch.password: "your_password_for_kibana_system"

You have to restart elasticsearch and kibana and voila! 😎


As you can see, kibana now requires authentication. You log in with the credentials of the user elastic.
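Since a password now sits in kibana.yml and the earlier unauthenticated curl check no longer applies, here is an added shell example (not from the original post) that audits the two config files for the security toggle and for clear-text credentials, and verifies that Elasticsearch actually rejects anonymous requests. It assumes the Debian config paths and GNU grep/sed; the kibana-keystore and _security/_authenticate calls are the stock Elastic CLI and API.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit the security changes made
# above and verify that Elasticsearch now rejects unauthenticated requests.
# Assumes Debian paths for the config files and GNU grep/sed.
set -eu

ES_CONFIG="${ES_CONFIG:-/etc/elasticsearch/elasticsearch.yml}"
KIBANA_CONFIG="${KIBANA_CONFIG:-/etc/kibana/kibana.yml}"

# active_value FILE KEY -> value of the first uncommented "key: value" line
active_value() {
  sed -nE "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1 | tr -d '"'
}

# security_enabled FILE -> succeeds only if xpack.security.enabled is true
security_enabled() {
  [ "$(active_value "$1" xpack.security.enabled)" = "true" ]
}

# plaintext_password FILE -> succeeds if elasticsearch.password holds a literal
# secret. A ${NAME} reference (keystore or environment) is not plaintext.
plaintext_password() {
  local v; v="$(active_value "$1" elasticsearch.password)"
  [ -n "$v" ] && ! printf '%s' "$v" | grep -Eq '^\$\{[A-Za-z_][A-Za-z0-9_]*\}$'
}

# audit_configs -> prints findings, returns 1 if anything needs attention
audit_configs() {
  local rc=0
  if security_enabled "$ES_CONFIG"; then
    echo "OK   xpack.security.enabled is true in $ES_CONFIG"
  else
    echo "FAIL xpack.security.enabled is not true in $ES_CONFIG"; rc=1
  fi
  if plaintext_password "$KIBANA_CONFIG"; then
    echo "WARN $KIBANA_CONFIG stores elasticsearch.password in clear text;"
    echo "     move it into the Kibana keystore instead:"
    echo "       sudo /usr/share/kibana/bin/kibana-keystore create"
    echo "       sudo /usr/share/kibana/bin/kibana-keystore add elasticsearch.password"
    rc=1
  else
    echo "OK   no clear-text elasticsearch.password in $KIBANA_CONFIG"
  fi
  return $rc
}

# http_status URL [USER:PASS] -> HTTP status code only
http_status() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

# auth_enforced HOST:PORT USER:PASS -> succeeds when anonymous access gets 401
# and the given credentials get 200 from the _security/_authenticate API.
# After enabling security, the plain `curl your_ip:9200` check from earlier
# returns 401; that is the expected result, not a broken install.
auth_enforced() {
  [ "$(http_status "http://$1/_security/_authenticate")" = "401" ] \
    && [ "$(http_status "http://$1/_security/_authenticate" "$2")" = "200" ]
}

# usage: sudo bash es-audit.sh audit
if [ "${1:-}" = "audit" ]; then
  audit_configs
fi
```

After the audit passes, auth_enforced your_ip:9200 elastic:your_password gives a yes/no answer on whether authentication is really being enforced on the HTTP port, which is the check worth scripting into your post-install routine.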

Beats

If you browse a bit on kibana you will notice that we don't have any dashboard currently.


This is quite normal since we have not created any dashboard and especially we have no data in elasticsearch for that.

To solve this problem, we will use metricbeat.

Metricbeat

Elastic defines Metricbeat as a lightweight shipper that you can install on your servers to periodically collect metrics from the operating system and from services running on the server. Metricbeat takes the metrics and statistics that it collects and ships them to the output that you specify, such as Elasticsearch or Logstash.

The installation of Metricbeat is quite simple. You have to install it on the host you want to monitor and then configure it to send information to elasticsearch. We use version 7.17.5 of elasticsearch in this tutorial. So we have to install the same version of metricbeat.

So we start by downloading the deb package here

Then we proceed to the installation with :

sudo dpkg -i metricbeat-7.17.5-amd64.deb

After that, you have to configure the file /etc/metricbeat/metricbeat.yml

In the basic configuration that we use here, we change the following elements:

setup.kibana:
  # Kibana Host
  host: "your_ip:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  #username: "elastic"
  #password: "changeme"

Take care to change the information according to your infrastructure. For the username and password, these are the credentials of the user elastic.

What is interesting with beats is that there are dashboards that are pre-loaded, which allows us to have a basic global view of the data transferred by the agent. You will be able to create your dashboards if you wish later on.

To initialize metricbeat and load the dashboards, use the following command:

sudo metricbeat setup -e


This command normally takes some time to finish loading the index templates and dashboards.

After that, you have to start the service.

sudo service metricbeat start

Then go to kibana to see the change


You can see that we now have a list of dashboards proposed by metricbeat. We are going to browse some dashboards concerning us to see the feedback. (It should be noted that some dashboards may be empty if your server to monitor does not have the metrics that concern this dashboard)

Let's take a look at [Metricbeat System] Host overview ECS dashboard

[Metricbeat System] Host overview ECS

As the name of the dashboard indicates, we have an overview of the host. There is more information :

Host overview ECS

Let's take a look at another dashboard : [Metricbeat System] Containers overview ECS

Containers overview ECS

As you can see, there is much less information than in the previous dashboard. This is due to the very few containers running on the host. The list of dashboards offered by metricbeat is quite large. You can also create your own dashboard.

Filebeat

The installation of filebeat is done following the same process as for metricbeat. Download the deb package here

You can also reuse the same basic configuration, applying the same changes you made for metricbeat.

Here we also indicate the paths from which filebeat reads the logs.

- type: filestream
  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id
  # Change to true to enable this input configuration.
  enabled: true
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*


After that, we perform the setup and start the service.

sudo filebeat setup -e
sudo service filebeat start
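The metricbeat output block earlier and the filebeat input above both end up with the elastic user's password in a file on the monitored host. Here is an added shell example, not from the original post, that renders a filebeat.yml with a filestream input for the system log files, references the password through the Beats keystore instead of writing it in clear text, and runs filebeat's own config and output checks before the service is started. The log paths are Debian assumptions (/var/log/auth.log is where the ssh logins from the opening scenario land); the ES and Kibana addresses are parameters. The same keystore reference works for the username/password lines in metricbeat.yml.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render a filebeat.yml that ships
# the auth and syslog files through a filestream input, keeps the elastic
# password out of the config via the Beats keystore, and checks the result
# before starting the service. Log paths are Debian assumptions.
set -eu

# render_filebeat_config ES_HOST:PORT KIBANA_HOST:PORT [LOG_PATH...] -> YAML on stdout
render_filebeat_config() {
  local es="$1" kib="$2"; shift 2
  # default to the files where Debian writes logins and general syslog
  [ $# -gt 0 ] || set -- /var/log/auth.log /var/log/syslog
  cat <<EOF
filebeat.inputs:
  - type: filestream
    id: system-logs
    enabled: true
    paths:
EOF
  for p in "$@"; do printf '      - %s\n' "$p"; done
  cat <<EOF

setup.kibana:
  host: "${kib}"

output.elasticsearch:
  hosts: ["${es}"]
  username: "elastic"
  # resolved from the Beats keystore at run time, never stored in clear text
  password: "\${ES_PWD}"
EOF
}

# config_has_plaintext_secret FILE -> succeeds if a password: line holds a
# literal value rather than a ${NAME} keystore/environment reference
config_has_plaintext_secret() {
  grep -E '^[[:space:]]*password:' "$1" | grep -Evq '\$\{[A-Za-z_][A-Za-z0-9_]*\}'
}

# install_filebeat_config DEST ES_HOST:PORT KIBANA_HOST:PORT [LOG_PATH...]
# Writes the config, stores the password in the keystore (prompted, not
# passed on the command line), then validates syntax and connectivity.
install_filebeat_config() {
  local dest="$1"; shift
  render_filebeat_config "$@" > "$dest"
  sudo filebeat keystore create --force
  sudo filebeat keystore add ES_PWD
  sudo filebeat test config -c "$dest"
  sudo filebeat test output -c "$dest"
}

# Offline demonstration with constructed addresses.
demo_offline() {
  local tmp; tmp="$(mktemp)"
  render_filebeat_config 10.0.0.5:9200 10.0.0.5:5601 > "$tmp"
  cat "$tmp"
  if config_has_plaintext_secret "$tmp"; then
    echo "clear-text secret found"
  else
    echo "no clear-text secret in config"
  fi
  rm -f "$tmp"
}
demo_offline
```

Run install_filebeat_config /etc/filebeat/filebeat.yml your_es_ip:9200 your_es_ip:5601 on the monitored host, then the setup and start commands from above. Because the beats run on a different machine than Elasticsearch, the hosts entry must be the ELK server's address, not localhost.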

Note that Metricbeat and Filebeat have modules that can be enabled to collect more information. If you run tools such as Apache, Nginx or Docker, you can enable the modules for those tools to get data on the corresponding dashboards. You can see the list of available modules in the folder /etc/filebeat/modules.d.

To enable MySQL module for example :

sudo metricbeat modules enable mysql
sudo metricbeat modules enable apache

You will need to re-setup and restart filebeat

You now have dashboards for filebeat as well.

Filebeat dashboard list

Take the time to explore the dashboards. The basic dashboard that will contain enough information to be useful is the Syslog one.

You have to enable the service first with

sudo metricbeat modules enable system

Summary

In this tutorial we have covered the following points:

  • Installation and configuration of elasticsearch
  • Installation and configuration of kibana
  • Activation of authentication on kibana
  • Installation and configuration of metricbeat and filebeat
  • Exploration of some dashboards

What next?

So in this first tutorial, we have covered the interesting points concerning the implementation of the ELK stack but there is still a lot to discover. In the next part of the series, we are going to focus on setting up security alerts with a very great tool (Elastalert). It will also be an opportunity to come back to the possibilities that ELK offers us.
