
Set up a SIEM at the lowest cost with this guide

In the following guide we discuss how to configure a SIEM using the ELK Stack (Elasticsearch, Logstash, Kibana).

How do you configure a SIEM free of cost, or at the least expense, without the shackles of licence fees?

How do you configure Elasticsearch, Kibana and Logstash to work as a SIEM?

1. Ubuntu Host Setup

The following section guides you through preparing an Ubuntu server for the ELK setup:

Essential package installation:

Hardening of the host:

  • Disable root SSH login (PermitRootLogin no in /etc/ssh/sshd_config)
  • Enable SSH login with SSH keys only (PubkeyAuthentication yes, PasswordAuthentication no); install your public key in ~/.ssh/authorized_keys before disabling passwords, or you lock yourself out
  • Enable the ufw firewall and allow only the required ports (allow 22/tcp before enabling it)

Mount the additional SSD for storage:

  • Find the device name: $ lsblk
  • Find the UUID of the partition: $ sudo blkid /dev/sdXN
  • Partition and format the disk first if blkid reports no UUID (i.e. there is no filesystem yet):
       $ sudo fdisk /dev/sdX
       $ sudo mkfs.ext4 /dev/sdXN
  • Add the entry to fstab so the disk is mounted persistently across reboots:
       $ sudo mkdir -p /disk1
       $ sudo nano /etc/fstab
     UUID=<uuid from blkid> /disk1 ext4 defaults 1 2
    Referencing the partition by UUID rather than by /dev/sdb1 (which can change between boots) is why the UUID was looked up above. Run $ sudo mount -a to check the entry before rebooting. Whatever mount point you choose must match path.data in elasticsearch.yml, and the directory must be owned by the elasticsearch user.
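The host-hardening steps above, as an added example (this is not part of the original guide): an idempotent sshd_config rewrite for the three bullets, the ufw rule set for the ports used later in this guide (443 for Kibana, 5055/5056 for the Logstash beats inputs, 9520/udp for Check Point syslog, 9200 for Elasticsearch), and a lock-out check before anything is applied. The ES_CLIENT_CIDR subnet is an assumed placeholder you must change.

```shell
#!/bin/sh
# Added example, not the guide's own commands. Run as: sudo sh harden.sh apply
# Assumption: ES_CLIENT_CIDR is the only network allowed to reach port 9200 directly.
set -eu

ES_CLIENT_CIDR="${ES_CLIENT_CIDR:-10.8.9.0/24}"   # assumed placeholder

# set_sshd_option FILE KEY VALUE
# Rewrites an existing (possibly commented-out) KEY line in place, or appends one,
# so running it twice leaves exactly one authoritative line.
set_sshd_option() {
  _f=$1; _k=$2; _v=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${_k}([[:space:]]|$)" "$_f"; then
    sed -E "s|^[[:space:]]*#?[[:space:]]*${_k}([[:space:]].*)?$|${_k} ${_v}|" "$_f" > "$_f.tmp"
    mv "$_f.tmp" "$_f"
  else
    printf '%s %s\n' "$_k" "$_v" >> "$_f"
  fi
}

# harden_sshd_config FILE: root login off, key-only authentication.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# sshd_option FILE KEY: prints the effective value (first match wins, as sshd does).
sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# ufw_rules: prints the firewall commands. Default-deny inbound, then only the
# ports this guide needs. 9200 is restricted because network.host: 0.0.0.0
# later binds Elasticsearch on every interface.
ufw_rules() {
cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 443/tcp
ufw allow 5055/tcp
ufw allow 5056/tcp
ufw allow 9520/udp
ufw allow from $ES_CLIENT_CIDR to any port 9200 proto tcp
ufw --force enable
EOF
}

# apply_hardening: run as root on the real host. Refuses to disable password
# login if the invoking user has no authorized key installed.
apply_hardening() {
  _user=${SUDO_USER:-$(id -un)}
  _home=$(getent passwd "$_user" | cut -d: -f6)
  if [ ! -s "$_home/.ssh/authorized_keys" ]; then
    echo "refusing: no authorized_keys for $_user; install your key first" >&2
    return 1
  fi
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd_config /etc/ssh/sshd_config
  sshd -t                      # syntax check before reloading
  systemctl reload ssh
  ufw_rules | sh -e            # 22/tcp is allowed before ufw is enabled
}

if [ "${1:-}" = "apply" ]; then apply_hardening; fi
```

The functions operate on whatever file they are given, so you can run harden_sshd_config against a copy first and diff it before touching /etc/ssh/sshd_config.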

2. Installation of ELK (elasticsearch, logstash, kibana)

In the following section we discuss the configuration of Elasticsearch, Logstash and Kibana and lay out the various changes to be made in the config files. The version we are working with is 7.12.

elasticsearch.yml configuration ($ sudo nano /etc/elasticsearch/elasticsearch.yml):

cluster.name: nullcluster
network.host: 0.0.0.0
http.port: 9200
node.name: elasticsrv01
path:
  data: /mnt/hdd1/elasticsearch

path.data must be the data disk mounted in section 1 and must be owned by the elasticsearch user. network.host: 0.0.0.0 binds on every interface (and switches Elasticsearch into production mode, so the bootstrap checks must pass), which is why the ufw rules have to limit who can reach port 9200.
iptables nat rules that redirect inbound port 443 to Kibana, which listens on 5601, so Kibana is reachable on the standard HTTPS port without running as root (load with iptables-restore, or keep the file as /etc/iptables/rules.v4 with the iptables-persistent package so it survives reboots):

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5601
COMMIT

The ufw rule must allow 443/tcp, not 5601. PREROUTING only sees traffic arriving from other hosts, so a local test against 127.0.0.1:443 is not redirected.

  • Configuration of metricbeat through logstash (the file must end in .conf; by default pipelines.yml only loads /etc/logstash/conf.d/*.conf):

    $ sudo nano /etc/logstash/conf.d/20_metricbeat.conf

input {
  beats {
    port => 5056
    ssl => true
    ssl_key => '/etc/logstash/config/certs/logstash.pkcs8.key'
    ssl_certificate => '/etc/logstash/config/certs/logstash01.crt'
  }
}
output {
  elasticsearch {
    hosts => ["https://<domain name>:9200"]
    cacert => '/etc/logstash/config/certs/ca.crt'
    user => 'logstash_internal'
    password => '***'
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}
  • Configuration of heartbeat through logstash:

    $ sudo nano /etc/logstash/conf.d/01_heartbeat.conf

input {
  beats {
    port => 5055
    ssl => true
    ssl_key => '/etc/logstash/config/certs/logstash.pkcs8.key'
    ssl_certificate => '/etc/logstash/config/certs/azlogstash01.crt'
  }
}
output {
  elasticsearch {
    hosts => ["https://<domain name>:9200"]
    cacert => '/etc/logstash/config/certs/ca.crt'
    user => 'logstash_internal'
    password => '***'
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}

Logstash concatenates every *.conf in conf.d into a single pipeline unless pipelines.yml says otherwise, so with both files loaded every event from either beats input passes through both elasticsearch outputs and is indexed twice. Keep one output block (the index pattern already separates heartbeat from metricbeat data), or register the two files as separate pipelines in /etc/logstash/pipelines.yml.

3. Enabling security

In the following section we discuss how to secure access to Kibana and Elasticsearch and how to ensure encrypted transmission of logs from the beats agents to the log parsers.


$ sudo nano /etc/elasticsearch/elasticsearch.yml

```
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/elasticsrv01.key
xpack.security.transport.ssl.certificate: certs/elasticsrv01.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/elasticsrv01.key
xpack.security.http.ssl.certificate: certs/elasticsrv01.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
```

The relative certs/ paths resolve under /etc/elasticsearch, and the key must be readable by the elasticsearch user. verification_mode: certificate checks that the peer certificate chains to ca.crt but not that its hostname matches; full adds the hostname check. Once security is enabled, set the built-in user passwords ($ sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive) and point Kibana at https://<domain name>:9200 with the same ca.crt.
  • Monitoring of the stack:
  • Logstash security:
      – Create the logstash_writer role and the logstash_internal user it is granted to, as described in https://www.elastic.co/guide/en/logstash/current/ls-security.html (this is the user the pipeline outputs above authenticate with)
      – Logstash needs its private key in PKCS#8 format, so convert the key issued for the Logstash host:
        $ openssl pkcs8 -in azlogstash04.key -topk8 -nocrypt -out azlogstash04.pkcs8.key
      – Update permissions so that only root and the logstash service user can read the key:
         $ sudo chown root:logstash /etc/logstash/config/certs/azlogstash04.pkcs8.key
         $ sudo chmod 640 /etc/logstash/config/certs/azlogstash04.pkcs8.key
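A private CA that produces the files referenced in this section (ca.crt, elasticsrv01.key/.crt for the Elasticsearch node, and the PKCS#8 key for Logstash), as an added example with plain openssl; it is not the guide's own procedure, and Elastic's elasticsearch-certutil can generate the same artefacts. The host names elasticsrv01 and logstash01, the CA name, the validity periods and the output directory are assumptions; the logstash user only exists on the Logstash host, so the chown is skipped elsewhere.

```shell
#!/bin/sh
# Added example, not from the original guide. Writes a CA plus two server
# certificates into CERT_DIR (a temporary directory unless you set it).
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
DAYS_CA=3650     # assumed
DAYS_LEAF=825    # assumed

# make_ca DIR: self-signed root with an explicit CA:TRUE constraint, so that
# verification_mode: certificate accepts leaves chained to it.
make_ca() {
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  openssl req -new -sha256 -key "$1/ca.key" -subj "/CN=nullcluster-ca" -out "$1/ca.csr"
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" > "$1/ca.ext"
  openssl x509 -req -sha256 -days "$DAYS_CA" -in "$1/ca.csr" -signkey "$1/ca.key" \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
  rm -f "$1/ca.csr" "$1/ca.ext"
  chmod 600 "$1/ca.key"
}

# make_leaf DIR NAME [EXTRA_SAN]: server certificate for NAME signed by the CA.
# The SAN only matters once verification_mode is raised to full (hostname check).
make_leaf() {
  _d=$1; _n=$2; _san="DNS:$2${3:+,$3}"
  openssl genrsa -out "$_d/$_n.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$_d/$_n.key" -subj "/CN=$_n" -out "$_d/$_n.csr"
  printf '%s\n' "basicConstraints=CA:FALSE" \
    "keyUsage=digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth,clientAuth" \
    "subjectAltName=$_san" > "$_d/$_n.ext"
  openssl x509 -req -sha256 -days "$DAYS_LEAF" -in "$_d/$_n.csr" \
    -CA "$_d/ca.crt" -CAkey "$_d/ca.key" -CAcreateserial \
    -extfile "$_d/$_n.ext" -out "$_d/$_n.crt" 2>/dev/null
  rm -f "$_d/$_n.csr" "$_d/$_n.ext"
  chmod 600 "$_d/$_n.key"
}

# logstash_pkcs8 DIR NAME: the beats input wants its key in PKCS#8; apply the
# ownership and mode from the bullets above when the logstash user exists.
logstash_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1/$2.key" -out "$1/logstash.pkcs8.key"
  chmod 640 "$1/logstash.pkcs8.key"
  if [ "$(id -u)" -eq 0 ] && id logstash >/dev/null 2>&1; then
    chown root:logstash "$1/logstash.pkcs8.key"
  fi
}

# verify_chain DIR NAME: the same check the servers perform against ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null
}

make_ca "$CERT_DIR"
make_leaf "$CERT_DIR" elasticsrv01 "IP:127.0.0.1"
make_leaf "$CERT_DIR" logstash01
logstash_pkcs8 "$CERT_DIR" logstash01
verify_chain "$CERT_DIR" elasticsrv01
verify_chain "$CERT_DIR" logstash01
echo "certificates written to $CERT_DIR"
```

Copy ca.crt to every host, keep ca.key off the cluster entirely, and distribute each .key only to the host it was issued for; the CA private key is the one file whose loss lets an attacker mint trusted certificates for the whole stack.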

4. Configuration of observability module of elastic

5. Alerting of elastic incidents using free module

6. Forwarding checkpoint firewall logs to elasticsearch

Filebeat output configuration ($ sudo nano /etc/filebeat/filebeat.yml):

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://<domain name>:9200"]
  username: "elastic"
  password: "***"
  ssl:
    certificate_authorities: ["/etc/filebeat/config/certs/ca.crt"]
    verification_mode: "certificate"
  indices:
    - index: "filebeat-%{[agent.version]}-%{[event.module]:other}"

setup.template.enabled: true
setup.template.name: "filebeat-%{[agent.version]}"
setup.template.pattern: "filebeat-%{[agent.version]}-*"
setup.template.fields: "fields.yml"
setup.template.overwrite: false
setup.ilm.enabled: false # we handle ILM in the cluster, so not defined here

Events from the checkpoint module carry event.module: checkpoint, so they land in filebeat-7.12.0-checkpoint, which is the rollover alias created below. Do not ship with the elastic superuser: create a user that holds only the publishing and setup privileges Filebeat needs, and keep its password in the Filebeat keystore ($ filebeat keystore add ES_PWD, then password: "${ES_PWD}") rather than in the plain-text config.
  • Define the ILM policy `filebeat-checkpoint-policy` (PUT _ilm/policy/filebeat-checkpoint-policy) first, since the template below refers to it.
  • Create a high-order template that binds the index pattern to the ILM policy and its rollover alias:
PUT _template/filebeat-7.12.0-checkpoint-ilm
{
  "order": 50,
  "index_patterns": ["filebeat-7.12.0-checkpoint-*"],
  "settings": {
    "index": {
      "lifecycle": {
        "name": "filebeat-checkpoint-policy",
        "rollover_alias": "filebeat-7.12.0-checkpoint"
      }
    }
  }
}
  • Create the first index with the rollover alias as its write index. This must happen after the template exists (templates only apply when an index is created) and before Filebeat sends its first event; otherwise Filebeat creates a plain index named filebeat-7.12.0-checkpoint, and an alias can never be created with the name of an existing index:
PUT filebeat-7.12.0-checkpoint-000001
{
  "aliases": {
    "filebeat-7.12.0-checkpoint": {
      "is_write_index": true
    }
  }
}
On the Check Point management or log server, export the logs to the Filebeat host over syslog (the Filebeat checkpoint module's var.syslog_host and var.syslog_port must match the target address and port, 9520 here):

cp_log_export add name elasticlive_filebeat_exporter \
  target-server 10.8.9.153 \
  target-port 9520 \
  protocol udp \
  format syslog \
  --apply-now

Syslog over UDP is neither encrypted nor authenticated, so the ufw rule for 9520/udp should admit only the Check Point log server's address, and datagrams dropped under load are silently lost.
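The ILM bootstrap from this section carried out in the correct order and made safe to re-run, as an added example (not the guide's own commands): policy, then template, then the first index with the write alias, with a HEAD check on the alias first so an existing chain is never overwritten (an alias that does not point at its write index is the usual cause of ILM's "rollover_alias does not point to index" error). The connection settings are assumed environment variables; the policy body is a constructed hot/warm/delete example because the guide leaves the policy undefined, and its warm phase assumes the node.attr.box_type: warm attribute used for the warm host in section 7.

```shell
#!/bin/sh
# Added example, not from the original guide. Run as: ES_URL=... ES_PASS=... sh ilm.sh run
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"                       # assumed
ES_USER="${ES_USER:-elastic}"                                    # assumed
ES_PASS="${ES_PASS:-changeme}"                                   # assumed
CA_CERT="${CA_CERT:-/etc/filebeat/config/certs/ca.crt}"          # assumed
ALIAS="filebeat-7.12.0-checkpoint"
POLICY="filebeat-checkpoint-policy"

# Constructed policy: roll over daily or at 20 GB, move to the warm node after 3
# days (matches the rule of thumb in section 7), delete after 90 days.
POLICY_BODY='{"policy":{"phases":{
 "hot":{"actions":{"rollover":{"max_size":"20gb","max_age":"1d"}}},
 "warm":{"min_age":"3d","actions":{"allocate":{"require":{"box_type":"warm"}},"forcemerge":{"max_num_segments":1}}},
 "delete":{"min_age":"90d","actions":{"delete":{}}}}}}'

# Same template and first index as in the guide, built from the variables above.
TEMPLATE_BODY='{"order":50,"index_patterns":["'"$ALIAS"'-*"],
 "settings":{"index":{"lifecycle":{"name":"'"$POLICY"'","rollover_alias":"'"$ALIAS"'"}}}}'
INDEX_BODY='{"aliases":{"'"$ALIAS"'":{"is_write_index":true}}}'

# es_api METHOD PATH [JSON]: prints only the HTTP status code (drop -o /dev/null to see bodies).
es_api() {
  if [ "$1" = HEAD ]; then
    curl -sS -o /dev/null -w '%{http_code}' -I --cacert "$CA_CERT" -u "$ES_USER:$ES_PASS" "$ES_URL/$2"
  else
    curl -sS -o /dev/null -w '%{http_code}' -X "$1" --cacert "$CA_CERT" -u "$ES_USER:$ES_PASS" \
      -H 'Content-Type: application/json' -d "${3:-}" "$ES_URL/$2"
  fi
}

# must_ok STATUS WHAT: stop on the first non-2xx so a half-built chain is obvious.
must_ok() {
  case $1 in
    2??) echo "ok: $2 (HTTP $1)" ;;
    *)   echo "failed: $2 (HTTP $1)" >&2; return 1 ;;
  esac
}

alias_exists() { [ "$(es_api HEAD "_alias/$ALIAS")" = 200 ]; }

bootstrap_checkpoint_ilm() {
  if alias_exists; then
    echo "alias $ALIAS already exists; not touching it" >&2
    return 0
  fi
  must_ok "$(es_api PUT "_ilm/policy/$POLICY" "$POLICY_BODY")" "ILM policy $POLICY"
  must_ok "$(es_api PUT "_template/$ALIAS-ilm" "$TEMPLATE_BODY")" "template $ALIAS-ilm"
  must_ok "$(es_api PUT "$ALIAS-000001" "$INDEX_BODY")" "write index $ALIAS-000001"
}

if [ "${1:-}" = run ]; then bootstrap_checkpoint_ilm; fi
```

Run it before the first Filebeat start; if the alias already exists the script reports that and changes nothing, so it is safe to include in a provisioning playbook.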

7. WARM HOST Configuration:

The WARM host holds data that has to be retained but is rarely queried. A general rule of thumb is to move indices older than about 3 days to a WARM host with a lower specification than the hot node.

  • Configuration changes (elasticsearch.yml on the warm node):
node.name: extranode01
discovery.seed_hosts: ["<domain name 1>"]
cluster.initial_master_nodes: ["elasticsrv01"]
node.attr.box_type: warm

cluster.initial_master_nodes is only for bootstrapping a brand-new cluster; once the cluster has formed, remove it from every node. The warm node also needs the xpack.security transport/http TLS settings from section 3 with its own certificate signed by the same CA, or it cannot join.
  • Renaming/re-indexing pre-existing indexes onto the warm node. The allocation attribute name must match the node attribute, i.e. box_type (a requirement on a non-existent attribute such as temp would leave the shards unassigned):
PUT filebeat-7.12.0-checkpoint-backup
{
  "settings": {
    "index": {
      "number_of_shards": 1,
      "number_of_replicas": 0
    }
  }
}

PUT filebeat-7.12.0-checkpoint-backup/_settings
{
  "index.routing.allocation.require.box_type": "warm"
}

POST /_reindex
{
  "source": { "index": "filebeat-7.12.0-checkpoint" },
  "dest": { "index": "filebeat-7.12.0-checkpoint-backup" }
}

If the shard count does not need to change, the reindex is unnecessary: applying index.routing.allocation.require.box_type to the existing index relocates its shards to the warm node in place. With number_of_replicas: 0 the backup is the only copy, so compare GET <index>/_count on source and destination before deleting the source.



8. Disk allocation changes:

  1. Configuration:
    Explanation: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/disk-allocator.html (the 6.8 page; the same settings exist in 7.12)

    To obtain the current configuration details, defaults included:
    GET _cluster/settings?include_defaults&flat_settings

To change the disk watermark, for example raising the high watermark (the point at which shards are moved off the node) to 95%:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.disk.watermark.high": "95%"
  }
}

Use persistent rather than transient: transient settings are forgotten on a full cluster restart. Keep cluster.routing.allocation.disk.watermark.flood_stage (default 95%) above the high watermark, otherwise indices are marked read-only as soon as the high watermark is reached.

ANNEXURE A: COMMON COMMANDS FOR TROUBLESHOOTING

  • Linux
    – to monitor last logs:
    $ tail -f /var/log/elasticsearch/nullcluster.log    (the log file is named after cluster.name)

  • Metricbeat windows
    > .\metricbeat.exe setup -e -d “*”
    > .\metricbeat.exe modules list

  • Elastiflow
    $ netstat -su
    $ tcpdump port 2055

  • Heartbeat
    $ heartbeat -c heartbeat.yml -e -v
    $ heartbeat -e                                   // -e sends the log output to stderr instead of the log files
     
