General ELK Stack guide - ryanm292002/SEC480 GitHub Wiki

Installation

Deliverables: (in document or linked from tech journal)

List what SIEM you will use, what server OS and which agent on the BLUE network you will use: I'll be using ELK Stack, as I've heard it's widely customizable, so it should work well with Ansible. I'll be using the Ubuntu VMs to set up the SIEM.

List/link the install guide(s) that you will use:

  • https://phoenixnap.com/kb/how-to-install-elk-stack-on-ubuntu
  • https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html
  • https://blog.devops.dev/how-to-install-elastic-stack-on-ubuntu-22-04-lts-18c3d9120494

Outline the server and agent install steps as it will be valuable for building your Ansible playbooks:

  • It seems like there are a few components of ELK that need to be configured for the full SIEM experience: Elasticsearch (where the data is stored), Logstash (processes the data and sends it to Elasticsearch) and Kibana, the web interface where you can actually look at the logs. Also, Beats seems like a feature that could help in gathering extra data that could be important.
  1. Install Java: sudo apt-get install openjdk-8-jdk

  2. Install nginx: sudo apt-get install nginx

  3. Add the Elastic repository signing key with wget: wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

  4. Install apt-transport-https: sudo apt-get install apt-transport-https

  5. Append the Elastic repository to the system's apt sources: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

  6. Refresh the package index: sudo apt-get update

  7. Install Elasticsearch: sudo apt-get install elasticsearch
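The seven steps above collected into one script, as an added example that is not from this wiki or from Elastic; it assumes an apt-based Ubuntu host, root via sudo and outbound HTTPS to artifacts.elastic.co. Two things are my own choices rather than the wiki's: the deprecated apt-key step is replaced by a dedicated keyring referenced with signed-by= (so the Elastic key can only vouch for the Elastic repository, not every repository on the host), and the script turns on xpack.security.enabled, which Elasticsearch 7.x leaves off by default; the ELASTIC_MAJOR variable, keyring path and --install flag are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): automates steps 1-7 above on Ubuntu.
# Assumes apt, root (run via sudo) and outbound HTTPS to artifacts.elastic.co.
set -eu

ELASTIC_MAJOR="${ELASTIC_MAJOR:-7.x}"   # hypothetical knob; 7.x matches the wiki
KEYRING="/usr/share/keyrings/elasticsearch-keyring.gpg"   # assumed path
KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"

# Accept only "<digits>.x" so the value cannot smuggle anything into the URL or path.
valid_major() {
  case "$1" in
    [0-9].x|[0-9][0-9].x) return 0 ;;
    *) return 1 ;;
  esac
}

# apt source line for a major version, bound to the Elastic keyring via signed-by=
# (instead of apt-key, which would let that key sign every repository on the host).
elastic_repo_line() {
  printf 'deb [signed-by=%s] https://artifacts.elastic.co/packages/%s/apt stable main\n' \
    "$KEYRING" "$1"
}

# Path of the sources.list.d file that step 5 writes.
elastic_sources_file() {
  printf '/etc/apt/sources.list.d/elastic-%s.list\n' "$1"
}

install_elk() {
  major="$1"
  valid_major "$major" || { echo "refusing bad version: $major" >&2; return 1; }
  apt-get install -y openjdk-8-jdk nginx apt-transport-https        # steps 1, 2, 4
  wget -qO - "$KEY_URL" | gpg --dearmor --yes -o "$KEYRING"          # step 3
  elastic_repo_line "$major" > "$(elastic_sources_file "$major")"    # step 5
  apt-get update                                                     # step 6
  apt-get install -y elasticsearch                                   # step 7
  # 7.x installs with security off; enable it before the first start
  # (passwords are then set with the elasticsearch-setup-passwords tool).
  grep -q '^xpack.security.enabled' /etc/elasticsearch/elasticsearch.yml ||
    echo 'xpack.security.enabled: true' >> /etc/elasticsearch/elasticsearch.yml
}

# Only install when asked explicitly, so the file can be sourced or tested safely.
if [ "${1:-}" = "--install" ]; then
  install_elk "$ELASTIC_MAJOR"
fi
```

Run it as sudo ./install-elk.sh --install; without the flag it only defines the functions, which is also how it drops into an Ansible shell task or a playbook's script module.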