Installation Note For Elastic Stack 7.x SIEM

1)

https://www.elastic.co/blog/introducing-elastic-siem

SIEM ===> Security information and event management

===> Production: at least 3 master-eligible nodes, listed in cluster.initial_master_nodes so the cluster can bootstrap the first time.

cluster.initial_master_nodes:
  - node01
  - node02
  - node03

===> Single node (demo and development only). Do not combine this with cluster.initial_master_nodes; Elasticsearch 7.x refuses to start when both are set.

discovery.type: single-node

The default installation has no TLS between the nodes of a cluster and no authentication.
Security must be configured: turn on xpack.security.enabled and, on a multi-node cluster, transport TLS (the xpack.security.transport.ssl settings); 7.x will not start a multi-node cluster with security on and transport TLS off.

Easier way ==> generate one PKCS#12 file (the elastic-certificates.p12 produced by elasticsearch-certutil) and copy that same file to all nodes, referencing it as both keystore and truststore.

Remember to set passwords for the built-in users (elastic, kibana, logstash_system, beats_system and the rest) with elasticsearch-setup-passwords, and choose your own strong password: more than 8 characters, mixing letters, digits and special characters.
And change the password every 30 days.

*** Monitoring Setting For Elastic Stack 7.x ***

2)

===> elasticsearch.yml

xpack.monitoring.enabled: true
xpack.monitoring.collection.enabled: true

===> kibana.yml

xpack.monitoring.enabled: true
xpack.monitoring.kibana.collection.enabled: true
xpack.monitoring.ui.enabled: true

===> logstash.yml

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: ["http://localhost:9200"]
xpack.monitoring.elasticsearch.sniffing: true
xpack.monitoring.collection.pipeline.details.enabled: true
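The Logstash monitoring block above points at http://localhost:9200; once security is on, that should be https with a monitoring user and password in logstash.yml, otherwise the credentials and the monitoring data go in clear text. The script below is an added example for this note (not Elastic's code) that audits elasticsearch.yml for the cluster-size and security points in 1) and the monitoring hosts in 2). It parses only the flat `key: value` / `- item` subset of YAML these files use for the settings in question, so it needs no PyYAML; the sample configs embedded in it are constructed for illustration and the setting names are the real 7.x ones.

```python
"""Audit Elastic Stack 7.x node configs for the settings this note covers.

Added example for this note, not code from Elastic. It handles only the
flat `key: value` / `- item` subset of YAML that elasticsearch.yml,
kibana.yml and logstash.yml use for these settings, so it needs no
PyYAML. All sample configs below are constructed for illustration.
"""
import re


def parse_flat_yaml(text):
    """Parse `key: value`, `key: [a, b]` and `key:` + indented `- item` lines.
    Comments and blank lines are skipped; nested mappings are not supported."""
    settings = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        item = re.match(r"^\s+-\s*(.+)$", line)
        if item and current_list is not None:
            settings[current_list].append(item.group(1).strip().strip('"'))
            continue
        kv = re.match(r"^([\w.]+):\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "":
            settings[key] = []          # list items follow on the next lines
            current_list = key
            continue
        current_list = None
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [v.strip().strip('"') for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key] = value.strip('"')
    return settings


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _enabled(cfg, key):
    return str(cfg.get(key, "false")).lower() == "true"


def audit_elasticsearch(cfg):
    """Findings for the cluster-size and security settings from section 1."""
    findings = []
    single = cfg.get("discovery.type") == "single-node"
    masters = _as_list(cfg.get("cluster.initial_master_nodes"))
    if single and masters:
        findings.append("discovery.type single-node and cluster.initial_master_nodes "
                        "are both set; Elasticsearch 7.x refuses to start with both")
    if not single and len(masters) < 3:
        findings.append("fewer than 3 master-eligible nodes in cluster.initial_master_nodes")
    if not _enabled(cfg, "xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication, no TLS between nodes")
        return findings
    if not single and not _enabled(cfg, "xpack.security.transport.ssl.enabled"):
        findings.append("transport TLS is off; 7.x multi-node clusters require it once security is on")
    if not _enabled(cfg, "xpack.security.http.ssl.enabled"):
        findings.append("HTTP TLS is off: passwords for port 9200 travel in clear text")
    return findings


def audit_monitoring_hosts(cfg, key="xpack.monitoring.elasticsearch.hosts"):
    """Findings for the monitoring endpoint from section 2 (kibana.yml uses
    `elasticsearch.hosts`; pass that key for it)."""
    return [f"{key}: {h} uses plain http; with security on, use https and a monitoring user"
            for h in _as_list(cfg.get(key)) if h.startswith("http://")]


# Constructed samples (not from the note): a demo node, a production node
# with only the bootstrap list done, and the same node hardened.
ES_DEMO = """\
discovery.type: single-node
"""
ES_PROD_WEAK = """\
cluster.initial_master_nodes:
  - node01
  - node02
  - node03
"""
ES_PROD_HARDENED = ES_PROD_WEAK + """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   # same file on every node
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
"""
LOGSTASH_MONITORING = """\
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: ["http://localhost:9200"]
xpack.monitoring.elasticsearch.sniffing: true
"""


def run_audit():
    """Audit every sample; returns {name: findings} so results can be checked."""
    return {
        "es_demo": audit_elasticsearch(parse_flat_yaml(ES_DEMO)),
        "es_prod_weak": audit_elasticsearch(parse_flat_yaml(ES_PROD_WEAK)),
        "es_prod_hardened": audit_elasticsearch(parse_flat_yaml(ES_PROD_HARDENED)),
        "logstash": audit_monitoring_hosts(parse_flat_yaml(LOGSTASH_MONITORING)),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Point it at a real /etc/elasticsearch/elasticsearch.yml by reading the file into `parse_flat_yaml`; the hardened sample passes with no findings, the other three each produce exactly the finding the note warns about.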

=== *** ===

*** Beats Installation Simple Note ***

3)

apt install filebeat
apt install metricbeat
apt install auditbeat
apt install packetbeat
apt install heartbeat-elastic

===> don't install the plain "heartbeat" package: that is the Linux-HA cluster heartbeat, not Elastic's. The Elastic package is heartbeat-elastic.

# ==> The Beats configuration files are YAML (filebeat.yml, metricbeat.yml and so on), not XML. Load the Kibana dashboards once,
#     on the first install and again after every upgrade, either with the setting below or with the `setup` command of each beat:
# ===>
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

==> Do the above before running the beats. It is needed only once per cluster, from any one node, and must be repeated after every upgrade.

filebeat modules enable system iptables elasticsearch auditd kibana logstash

metricbeat modules enable system elasticsearch kibana logstash docker kubernetes logstash-xpack kibana-xpack elasticsearch-xpack

===> for the other beats, edit each beat's own YAML config (auditbeat.yml, packetbeat.yml). Heartbeat monitors are defined in YAML files under monitors.d.

systemctl enable filebeat
systemctl enable metricbeat
systemctl enable auditbeat
systemctl enable packetbeat
systemctl enable heartbeat-elastic

systemctl restart filebeat
systemctl restart metricbeat
systemctl restart auditbeat
systemctl restart packetbeat
systemctl restart heartbeat-elastic

### Harisfazillah Jamel 09092019 : linuxmalaysia @ gmail dot com ### Blue Team
