Install (Linux)

$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
$ sudo apt-get install apt-transport-https
$ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

$ sudo apt-get install apm-server elasticsearch logstash kibana metricbeat filebeat packetbeat

Setup

# ELASTICSEARCH

$ sudo gedit /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.1.64 # VM IP
discovery.seed_hosts: ["192.168.1.64"]
$ sudo systemctl start elasticsearch.service
$ curl 192.168.1.64:9200 # test on Linux
> curl 192.168.1.65:9200 # test on Windows

# KIBANA

$ sudo gedit /etc/kibana/kibana.yml
elasticsearch.hosts: ["http://192.168.1.64:9200"]
server.host: "192.168.1.64"
$ sudo systemctl start kibana.service

Run

$ sudo systemctl stop elasticsearch.service && sudo systemctl stop kibana.service && sudo systemctl stop auditbeat && sudo systemctl stop metricbeat && sudo systemctl stop filebeat && sudo systemctl start elasticsearch.service && sudo systemctl start kibana.service && sudo systemctl start auditbeat && sudo systemctl start metricbeat && sudo systemctl start filebeat && curl 192.168.1.64:9200

192.168.1.64:5601

Beats

Filebeat

$ sudo gedit /etc/filebeat/filebeat.yml
setup.kibana:
  host: "192.168.1.64:5601"
output.elasticsearch:
  hosts: ["192.168.1.64:9200"]
$ sudo filebeat modules list
$ sudo filebeat modules enable system [...microsoft...]
$ sudo filebeat -e setup

Winlogbeat

# INSTALL

Move the unzipped folder to C:\Program Files\Winlogbeat\

PS> .\install-service-winlogbeat.ps1

# CONFIG

C:\Program Files\Winlogbeat\winlogbeat.yml

setup.kibana:
  host: "192.168.1.64:5601"

output.elasticsearch:
  hosts: ["192.168.1.64:9200"]

PS> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

# SETUP

PS> .\\winlogbeat.exe setup -e

# START

PS> Start-Service winlogbeat

Metricbeat

$ sudo gedit /etc/metricbeat/metricbeat.yml
setup.kibana:
  host: "192.168.1.64:5601"
output.elasticsearch:
  hosts: ["192.168.1.64:9200"]
$ sudo metricbeat modules list
$ sudo metricbeat modules enable system [...windows linux elasticsearch kibana logstash http...]
$ sudo metricbeat -e setup

Auditbeat

$ sudo gedit /etc/auditbeat/auditbeat.yml
output.elasticsearch:
  hosts: ["192.168.1.64:9200"]
$ sudo auditbeat -e setup
$ sudo systemctl start auditbeat

Packetbeat

$ sudo gedit /etc/packetbeat/packetbeat.yml
setup.kibana:
  host: "192.168.1.64:5601"
output.elasticsearch:
  hosts: ["192.168.1.64:9200"]
$ sudo packetbeat -e setup