Detailed Guide: How to deploy your Elastic Stack (ELK) SIEM

Security information and event management (SIEM) systems are very important tools in incident response missions. Every security operations centre is equipped with a SIEM. In this article, we are going to learn how to deploy a fully working SIEM using the amazing Elastic stack (ELK) suite.

Image source: dashboard

In this article we are going to explore the following points:

  • What is the Elastic stack?
  • How to install the Elastic stack?
  • How to install Elasticsearch?
  • How to install Kibana?
  • How to install Logstash?
  • How to deploy ELK beats: Metricbeat
  • How to deploy Auditbeat
  • How to deploy an ELK SIEM

Before diving deep into the required steps to build a SIEM, it is essential to acquire a fair understanding of the different ELK components.

What is the ELK Stack?

Image source: ELK

ELK Stack is the abbreviated form of the "Elasticsearch Logstash Kibana" Stack. It combines three open source projects. This stack is one of the world's most popular log management platforms, with 500,000 downloads every month. The ELK stack is widely used in information technology businesses because it provides business intelligence, security and compliance, and web analytics.

Let's get started:

To build the SIEM, you need to install the required libraries and programs:

For the demonstration, I used an Ubuntu 18.04 server hosted on Microsoft Azure.

Refresh the package index from the sources.list entries:

sudo apt update

Install Java JDK 8 (and apt-transport-https if you are using Debian):

sudo apt install -y openjdk-8-jdk

Check the Java version with:

java -version

Now let's install Elasticsearch:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

sudo apt update

sudo apt install elasticsearch

After installing Elasticsearch, configure it by editing the /etc/elasticsearch/elasticsearch.yml file:

sudo vi /etc/elasticsearch/elasticsearch.yml

Un-comment network.host and http.port and assign values to them. Don't use "0.0.0.0" in your production servers, since it binds the Elasticsearch API on every interface. I am using it just for a demonstration.

Save the file.

To start Elasticsearch on boot, type:

sudo update-rc.d elasticsearch defaults 95 10

Start the Elasticsearch service:

sudo service elasticsearch start

Check the installation:

curl -X GET "YOUR_IP:9200"

Now let's install Kibana:

sudo apt install -y kibana

As with Elasticsearch, we need to configure it too:

sudo vi /etc/kibana/kibana.yml

Un-comment and modify the following values (note that the 7.x packages we added use the key elasticsearch.hosts; the older elasticsearch.url key is not accepted by Kibana 7):

server.port: 5601
server.host: "YOUR-IP-HERE"
elasticsearch.hosts: ["http://YOUR-IP-HERE:9200"]

Save the file, then enable the service on boot as we did previously:

sudo update-rc.d kibana defaults 95 10

and run it:

sudo service kibana start

Now go to http://YOUR-IP-HERE:5601 (plain HTTP, since we have not configured TLS for Kibana).

Voila! You can start exploring the dashboards built on the pre-installed sample log data:
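Before moving on, it is worth verifying the two files we just edited. The script below is an added check and not part of the original post: it reads an elasticsearch.yml and a kibana.yml, flags a wildcard network.host (the "0.0.0.0" the post warns against for production) and flags a kibana.yml that still uses the removed elasticsearch.url key instead of elasticsearch.hosts. It assumes each key is a single-line top-level scalar, which is the shape of the lines this post edits, and runs against constructed sample files rather than the live /etc paths.

```shell
#!/bin/sh
# Added sanity check for the Elasticsearch and Kibana config steps above
# (not part of the original post). Assumes single-line top-level keys.

# Print the effective value of a top-level key, ignoring commented-out
# lines, trailing comments and surrounding quotes; empty if unset.
yaml_get() {
  grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | tail -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^["'"'"']//; s/["'"'"']$//'
}

# 0 = bound to a specific address, 1 = wildcard bind on all interfaces,
# 2 = unset (Elasticsearch then listens on loopback only).
check_es_bind() {
  case "$(yaml_get "$1" network.host)" in
    "") return 2 ;;
    0.0.0.0|::) return 1 ;;
    *) return 0 ;;
  esac
}

# 0 if kibana.yml uses the 7.x key elasticsearch.hosts and no longer
# carries the removed elasticsearch.url key; 1 otherwise.
check_kibana_es_key() {
  [ -n "$(yaml_get "$1" elasticsearch.hosts)" ] && [ -z "$(yaml_get "$1" elasticsearch.url)" ]
}

# Constructed sample files standing in for /etc/elasticsearch/elasticsearch.yml
# and /etc/kibana/kibana.yml; the addresses are made up.
write_samples() {
  cat > "$1/es-demo.yml" <<'EOF'
#network.host: 192.168.0.1
network.host: 0.0.0.0   # demo only, as in the post
http.port: 9200
EOF
  cat > "$1/es-prod.yml" <<'EOF'
network.host: "10.0.0.5"
http.port: 9200
EOF
  cat > "$1/kibana-old.yml" <<'EOF'
server.port: 5601
elasticsearch.url: "http://10.0.0.5:9200"
EOF
  cat > "$1/kibana-7x.yml" <<'EOF'
server.port: 5601
elasticsearch.hosts: ["http://10.0.0.5:9200"]
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in es-demo es-prod; do
  rc=0; check_es_bind "$dir/$f.yml" || rc=$?; echo "$f: network.host status $rc (1 = wildcard)"
done
check_kibana_es_key "$dir/kibana-old.yml" || echo "kibana-old: still uses elasticsearch.url"
```

To check a real host, call check_es_bind /etc/elasticsearch/elasticsearch.yml and check_kibana_es_key /etc/kibana/kibana.yml after sourcing the functions.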

Install Logstash to collect, parse and transform logs if needed:

sudo apt install -y logstash

But wait, how can we use our own data?

It is a good question. We can receive data from a host using what we call "Beats". You can find the full list here:

As a demonstration I am going to use "Metricbeat":

sudo apt-get install metricbeat

Configure the beat by typing:

sudo vi /etc/metricbeat/metricbeat.yml

To start Metricbeat on boot, type as usual:

sudo update-rc.d metricbeat defaults 95 10

Start the beat:

sudo service metricbeat start

Now go to the main dashboard and create a new index pattern:

If everything went well you will see your beat:

Select the time filter by selecting @timestamp:

Then, you can visualize any data you want from that beat.

By now we have deployed the most important parts. Let's learn how to deploy the ELK SIEM:

Go to the sidebar and you will find the SIEM option:

It will take you to the main SIEM page:

But now we need data to run the SIEM. In order to do that, we need to install other beats from sources like the following:

For the demonstration I am going to use "Auditbeat":

sudo apt-get install auditbeat

Configure it by editing its configuration file:

sudo vi /etc/auditbeat/auditbeat.yml

Load the index template and dashboards with the setup command:

sudo auditbeat setup

Run the beat:

sudo service auditbeat start

If you did everything correctly you will see this on the SIEM Dashboard:

Congratulations! Now you can see the dashboard of your SIEM.

Check the hosts:

Check the Network Dashboard:

And the system overview:

Voila, you learned how to build an ELK SIEM.