ELK Setup, Log Ingestion & Attack Detection
WE Innovate X Zero$ploit
Supervised by: Ahmed Halwagy – Zeyad Mazen – Adel Ahmed
Prepared by: Omar Hassan
Required Tasks
Installing & configuring Elasticsearch
Installing & configuring Kibana
Connecting Elasticsearch with Kibana
Installing & configuring Fluent Bit
Installing & Configuring Winlogbeat
Writing detection rules & simulating a suspicious activity
Requirements
VMware / Virtual Box
Windows 10/11 ISO – Ubuntu (20.0/22.0/24.0) ISO
16 GB RAM – 60 GB Disk Space
4 CPU Cores
Ubuntu Machine
Setting   Recommended
RAM       5-6 GB
Disk      20-30 GB
CPU       2-3 Cores
Network   NAT

Windows Machine
Setting   Recommended
RAM       2-3 GB
Disk      30-40 GB
CPU       1-2 Cores
Network   NAT
PHASE 1 : Installing & configuring Elasticsearch
Updating Ubuntu packages
$ sudo apt update
$ sudo apt upgrade -y
Installing required packages & dependencies
$ wget -qO - [Link] | sudo gpg --dearmor -o /usr/share/keyrings/[Link]
$ sudo apt-get install apt-transport-https
$ echo "deb [signed-by=/usr/share/keyrings/elasticsearch-[Link]] [Link] stable main" | sudo tee /etc/apt/[Link].d/[Link]
$ sudo apt-get update && sudo apt-get install elasticsearch
Configuring [Link]
$ sudo nano /etc/elasticsearch/[Link]
Lines to be uncommented: [Link] & [Link]
Line to be added:
[Link]: single-node
Enabling & starting the Elasticsearch service
$ sudo systemctl enable elasticsearch
$ sudo systemctl start elasticsearch
$ sudo systemctl status elasticsearch
If the status shows active (running), everything is working.
Restarting the Elasticsearch service
$ sudo systemctl restart elasticsearch
Check connectivity by going to [Link] on your web browser on Ubuntu.
On the first visit it will ask for a username & password. The default username is
elastic; the password must be reset using the following command.
$ sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
Save the password in a text file for later use. You can now log in to
Elasticsearch with the username elastic & the password displayed in the terminal when you
reset it.
After logging in
PHASE 2 : Installing & configuring Kibana
$ sudo apt-get update && sudo apt-get install kibana
$ sudo nano /etc/kibana/[Link]
Only uncomment [Link] & [Link]
Enabling & starting [Link]
$ sudo systemctl enable [Link]
$ sudo systemctl start [Link]
To check connectivity go to [Link], and you will then be asked for an
enrollment token.
PHASE 3 : Connecting Elasticsearch with Kibana
$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
After getting your token and inserting it into Kibana, a verification code will be requested.
Getting the verification code (cd is a shell builtin, so it cannot be run through sudo; the tool lives under bin/)
$ cd /usr/share/kibana
$ sudo ./bin/kibana-verification-code
PHASE 4 : Installing & Configuring Fluent Bit & sending logs
$ sudo apt-get update
$ sudo apt-get install fluent-bit
$ sudo systemctl enable fluent-bit
$ sudo systemctl start fluent-bit
For a simple simulation of logs:
Create a .log file, for example [Link], add a few log lines to that file and save it.
Configuring the [Link] file
$ sudo nano /etc/fluent-bit/[Link]
Use these configurations, changing only three values: the path to the location where you stored the logs,
the http_passwd value to your current elastic password, and the index name as you
wish.
MAKE SURE THE KEYS AND VALUES ARE ALIGNED (CONSISTENT INDENTATION) TO AVOID SYNTAX ERRORS, AS THIS FILE IS WHITESPACE-SENSITIVE
Configuring the [Link] file
$ sudo nano /etc/fluent-bit/[Link]
Now we have to create a parser for our log using the following syntax.
The parser differs from one log format to another, so find the format that matches your own logs.
To create & test your own regex against your logs, click here.
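As an added illustration (not code from the original guide), the following Python emulates what a Fluent Bit regex [PARSER] stanza does, so a regex and Time_Format can be tested offline against sample lines before they go into the parsers file. The log format, the parser name and the field names are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the format this example assumes (not from the guide).
SAMPLE_LOG = """\
2024-05-10 14:22:31 INFO  sshd[1203]: Accepted publickey for omar from 192.0.2.10
2024-05-10 14:23:05 WARN  sshd[1207]: Failed password for root from 203.0.113.5
garbage line that should not match
"""

# Regex in Fluent Bit's (Onigmo) named-group syntax, exactly as it would be
# written in the Regex field of the [PARSER] stanza.
FB_REGEX = (r'^(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
            r'(?<level>[A-Z]+)\s+(?<process>[a-z]+)\[(?<pid>\d+)\]: (?<message>.*)$')
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parser_stanza(name="my_app"):
    """Render the [PARSER] block; keys and values must stay aligned in the file."""
    return (f"[PARSER]\n    Name        {name}\n    Format      regex\n"
            f"    Regex       {FB_REGEX}\n    Time_Key    time\n"
            f"    Time_Format {TIME_FORMAT}\n")


def parse_line(line):
    """Apply the parser the way Fluent Bit would: a record dict, or None on no match."""
    # Onigmo writes named groups as (?<name>...), Python's re as (?P<name>...).
    # Safe here because the regex contains no lookbehind (?<= / (?<! ).
    py_regex = FB_REGEX.replace("(?<", "(?P<")
    m = re.match(py_regex, line)
    if not m:
        return None
    record = m.groupdict()
    # Time_Key / Time_Format: the captured time becomes the record timestamp.
    ts = datetime.strptime(record.pop("time"), TIME_FORMAT).replace(tzinfo=timezone.utc)
    record["@timestamp"] = ts.isoformat()
    record["pid"] = int(record["pid"])
    return record


def parse_log(text):
    """Parse every line; unmatched lines are dropped, as an unparsed tail line would be."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```

Lines that do not match the regex produce no record, which is the usual reason logs are missing from Kibana after a parser change.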
Check your configuration
$ /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/[Link]
If everything works but you can't view the logs in Kibana, try adding more log lines, or copy & paste the same
ones, to simulate a real log update (the tail input only picks up lines appended after it started).
PHASE 5 : Installing & Configuring Winlogbeat & sending logs
Download the Winlogbeat zip file from here & then extract it to "C:\Program Files"
Preferably rename the folder to winlogbeat instead of [Link]
Run PowerShell as Administrator and grant permissions to edit the [Link] file
Takeown /F "C:\Program Files\Winlogbeat\[Link]" /A
Icacls "C:\Program Files\Winlogbeat\[Link]" /Grant "Administrators:F" /T
Now edit the [Link] file inside the winlogbeat folder (using Notepad):
Uncomment the host field under kibana and set your IP address.
Uncomment the host field under Elasticsearch Output and set your IP address, uncomment the
protocol (only if you used https in Elasticsearch), uncomment the username & password and adjust them,
and finally add this part:
  ssl:
    enabled: true
    certificate_authorities: ["C:/Program Files/Winlogbeat/http_ca.crt"]
If you don't have SSL enabled in Elasticsearch, change "enabled: true" to "enabled: false".
Adding the http_ca.crt to allow connection with Elasticsearch (SKIP THIS PART IF SSL IS DISABLED)
To get the certificate go to Ubuntu, open /etc/elasticsearch/certs and there you will find http_ca.crt.
You can copy the content of that file, paste it into a txt file on your Windows machine and change the
extension to .crt to transfer it using a USB. After that, place it in C:/Program Files/Winlogbeat
MAKE SURE ELASTICSEARCH & KIBANA ARE RUNNING
.\[Link] test config -c .\[Link] -e
.\[Link] setup -e
winlogbeat test output
Start-Service winlogbeat
Then you can check whether it's running using [Link] or Get-Service winlogbeat
Viewing the logs using the Kibana dashboard
Test first using Dev Tools: GET winlogbeat-*/_search?size=5
Stack Management > Data View
Index Pattern : winlogbeat-*
Select @timestamp as the time filter
Confirm logs and select the winlogbeat-* index
PHASE 6 : Threat detection rules & simulating suspicious activity
To demonstrate how security monitoring works, we'll simulate a basic but suspicious activity:
an attacker disabling the Linux firewall (UFW).
In real-world scenarios, detection rules are far more sophisticated, incorporating behavioral
analysis, anomaly detection, and threat intelligence. But this simplified example helps
illustrate the core principles.
Security>rules>detection rules (SIEM) > create new rule
Choose the wanted index pattern and write a custom query (KQL) to detect the disabling of the ufw
firewall; make sure to test your query in Discover first.
Specify a name and description, then select the severity and risk score.
Leave on Default
Test using the command: sudo ufw disable
View alerts through Security > Alerts
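An added example, not part of the original guide: the detection logic behind the rule above, run over constructed auth.log lines in the format Ubuntu's sudo writes. The KQL string assumes Fluent Bit's tail input kept the raw line in its default "log" field; the field name, the sample lines and the rule name are assumptions.

```python
import re

# Constructed auth.log lines (not from the guide); sudo logs the exact command run.
SAMPLE_AUTH_LOG = """\
May 10 14:30:01 ubuntu sudo:  omar : TTY=pts/0 ; PWD=/home/omar ; USER=root ; COMMAND=/usr/sbin/ufw status
May 10 14:30:09 ubuntu sudo:  omar : TTY=pts/0 ; PWD=/home/omar ; USER=root ; COMMAND=/usr/sbin/ufw disable
May 10 14:31:15 ubuntu sudo:  omar : TTY=pts/0 ; PWD=/home/omar ; USER=root ; COMMAND=/usr/bin/apt update
May 10 14:32:40 ubuntu sudo:  intern : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/ufw --force disable
May 10 14:33:02 ubuntu sudo:  omar : TTY=pts/0 ; PWD=/home/omar ; USER=root ; COMMAND=/usr/sbin/ufw enable
"""

# KQL equivalent for the Kibana rule (assumes the raw line sits in the "log" field).
KQL_QUERY = 'log: *sudo* and log: *"COMMAND=" and log: *ufw* and log: *disable*'

# Pull timestamp, host, invoking user and the full command out of a sudo line.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?COMMAND=(?P<command>.*)$")
# "ufw" under any path, optional flags such as --force, then the disable verb.
# "ufw status" and "ufw enable" must not match.
UFW_DISABLE_RE = re.compile(r"(^|/)ufw(\s+-\S+)*\s+disable\b")


def detect_ufw_disable(text):
    """Return one alert dict per line in which sudo executed `ufw disable`."""
    alerts = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m or not UFW_DISABLE_RE.search(m["command"]):
            continue
        alerts.append({
            "timestamp": m["ts"],
            "host": m["host"],
            "user": m["user"],
            "command": m["command"],
            "rule": "UFW firewall disabled via sudo",
            "severity": "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ufw_disable(SAMPLE_AUTH_LOG):
        print(alert)
```

The second matching line shows why the rule should key on the verb rather than the literal string "ufw disable": a flag between the two words would otherwise slip past.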