

Installing Elastic is fairly straightforward. First, add the PGP key used to sign the Elastic packages. If you need to, add the apt-transport-https package. Then add the Elastic repository to your sources list:

echo "deb stable main" | sudo tee -a /etc/apt//elastic-7.x.list

Finally, install the ElasticSearch package:

sudo apt-get update && sudo apt-get install elasticsearch

Once installed, we need to make one small change to the ElasticSearch config file, /etc/elasticsearch/elasticsearch.yml. We're going to set the bind address to 0.0.0.0, which will allow us to connect to ElasticSearch from any host on our network. It's worth noting that binding to 0.0.0.0 isn't best practice and you wouldn't do this in a production environment, but as we are just running this on our home network it's fine.

Once that's done, let's start the ElasticSearch service and check that it has started up properly. Next, we want to make sure that we can access Elastic from another host on our network. I'm going to use my other Linux host running Zeek to test this. Run the curl command below from another host, making sure to include the IP of your Elastic host:

curl -X GET "IP OF YOUR ELASTIC HOST:9200/?pretty"

If all has gone right, you should get a response similar to the one below.

Now it's time to install and configure Kibana; the process is very similar to installing ElasticSearch. We've already added the Elastic APT repository, so it should just be a case of installing the Kibana package:

sudo apt-get update && sudo apt-get install kibana

Once it's installed we want to make a change to the config file, similar to what we did with ElasticSearch: change the server host to 0.0.0.0 in the /etc/kibana/kibana.yml file. Then start the service and check its status to make sure everything is working properly. You should get a green light and an active running status if all has gone well.

Now let's check that everything is working and we can access Kibana on our network. Browse to the IP address hosting Kibana, making sure to specify port 5601 or whichever port you defined in the config file. You should see a page similar to the one below.

Now that we've got ElasticSearch and Kibana set up, the next step is to get our Zeek data ingested into ElasticSearch. First, go to the SIEM app in Kibana by clicking on the SIEM symbol on the Kibana toolbar, then click the "add data" button. Kibana has a Filebeat module specifically for Zeek, so we're going to utilise this module. As shown in the image below, the Kibana SIEM supports a range of log sources; click on the "Zeek logs" button.

You have to install Filebeat on the host you are shipping the logs from, so in our case we're going to install Filebeat onto our Zeek server. Follow the instructions specified on the page to install Filebeat. Once installed, edit the filebeat.yml configuration file and change the appropriate fields. The username and password for Elastic should be kept as the default unless you've changed them.

Once that is done, we need to configure Zeek to convert the Zeek logs into JSON format. Make sure to change the Kibana output fields as well.
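The config changes described in the walkthrough (ElasticSearch bind address, Kibana server host, the Filebeat output and Kibana fields, the Zeek module, and Zeek's JSON logging), collected into one script. This is an added example, not code from the original post or from Elastic or Zeek. It binds ElasticSearch and Kibana to a single LAN address rather than 0.0.0.0, which is the tighter setting the post's own caveat points at, and it includes a check that flags a wide-open bind so you can test the real files afterwards. The staging directory, the LAN IP, the password, and the Zeek log and site paths (/opt/zeek/...) are assumptions; the `discovery.type: single-node` line is needed because ElasticSearch 7.x runs its bootstrap checks once `network.host` leaves loopback.

```shell
#!/bin/sh
# Added example: stage the ELK/Zeek config edits into STAGE_DIR. On a real
# host the files live in /etc/elasticsearch, /etc/kibana, /etc/filebeat and
# the Zeek site directory (assumed /opt/zeek/share/zeek/site).

# set_yaml_key FILE KEY VALUE
# Rewrite a top-level "KEY: ..." line (live or commented out) or append one,
# so running it twice leaves a single copy of the key.
set_yaml_key() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  if grep -Eq "^#? *$key:" "$file"; then
    sed -E "s|^#? *$key:.*|$key: $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# get_yaml_key FILE KEY: print the live (uncommented) value, empty if unset.
get_yaml_key() {
  sed -n -E "s/^$2: *//p" "$1" | head -n 1
}

# bind_is_wide_open FILE KEY: succeed when KEY listens on every interface
# (0.0.0.0 or ::), the setting the post says you would not use in production.
bind_is_wide_open() {
  case "$(get_yaml_key "$1" "$2" | tr -d "\"'")" in
    0.0.0.0|::) return 0 ;;
    *) return 1 ;;
  esac
}

# stage_configs STAGE_DIR LAN_IP ES_PASSWORD
stage_configs() {
  dir=$1 ip=$2 pw=$3
  mkdir -p "$dir/elasticsearch" "$dir/kibana" "$dir/filebeat/modules.d" "$dir/zeek/site"

  # ElasticSearch: one LAN address instead of 0.0.0.0. Leaving loopback turns
  # on the 7.x bootstrap checks; single-node discovery satisfies them for a lab.
  set_yaml_key "$dir/elasticsearch/elasticsearch.yml" network.host "$ip"
  set_yaml_key "$dir/elasticsearch/elasticsearch.yml" discovery.type single-node

  # Kibana: same address, and where to find ElasticSearch.
  set_yaml_key "$dir/kibana/kibana.yml" server.host "\"$ip\""
  set_yaml_key "$dir/kibana/kibana.yml" elasticsearch.hosts "[\"http://$ip:9200\"]"

  # Filebeat (on the Zeek host): the Kibana and output fields the post says to
  # change, plus the Zeek module pointed at the logs it should ship (paths assumed).
  cat > "$dir/filebeat/filebeat.yml" <<EOF
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false
setup.kibana:
  host: "http://$ip:5601"
output.elasticsearch:
  hosts: ["http://$ip:9200"]
  username: "elastic"
  password: "$pw"
EOF
  cat > "$dir/filebeat/modules.d/zeek.yml" <<'EOF'
- module: zeek
  connection:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/conn.log"]
  dns:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/dns.log"]
EOF

  # Zeek: the Filebeat module expects JSON logs; this shipped policy script
  # switches every log writer to JSON. Appended only once.
  grep -qxF '@load policy/tuning/json-logs.zeek' "$dir/zeek/site/local.zeek" 2>/dev/null ||
    printf '%s\n' '@load policy/tuning/json-logs.zeek' >> "$dir/zeek/site/local.zeek"
}

# Usage: stage_configs /tmp/elk-stage 192.168.1.10 changeme
# then: bind_is_wide_open /etc/elasticsearch/elasticsearch.yml network.host && echo "open to all interfaces"
```

After staging, diff the generated files against the live ones before copying them over, and remember that the password ends up in filebeat.yml in clear text, so keep that file root-readable only. `bind_is_wide_open` also works on the existing /etc files, which is a quick way to find out whether a box still has the 0.0.0.0 setting from the walkthrough.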
