IT environments are becoming increasingly large, distributed and difficult to manage. Every system component must be protected and monitored against cyber threats, which calls for a scalable platform that can store and analyze logs, metrics and events. Commercial SIEM solutions can cost a lot of money. In this story we will take a look at the free option included in the Elastic Stack: Elastic SIEM.

What will we use?

Elastic Stack is a set of components: Elasticsearch, Kibana, Logstash and Beats. A brief description of the components used in this story:

  • Elasticsearch — document database/search engine
  • Kibana — data visualization dashboard for Elasticsearch
  • Filebeat — lightweight log collector (ships with modules for common log sources)
  • Packetbeat — lightweight network protocol collector (and more)
  • Auditbeat — lightweight security event collector that does not depend on auditd
  • Winlogbeat — lightweight Windows event log collector

Environment

I’ve created 3 virtual machines in the Azure cloud:

  • ELK — Ubuntu 20.04 — Elasticsearch + Kibana
  • Ubuntu1 — Ubuntu 20.04 — Filebeat, Packetbeat, Auditbeat
  • Win10 — Windows 10 — Auditbeat, Packetbeat, Winlogbeat

Elasticsearch + Kibana installation

We’ll set up a simple single-node cluster. Download the Elasticsearch and Kibana .deb packages from Elastic’s download page.

The installation (run once for each downloaded package):

sudo dpkg -i file_name.deb
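The whole single-node setup as one script, added here as an example (it is not part of the original post): install both packages, enable the services, and poll the cluster health endpoint until Elasticsearch answers. The package paths are placeholders, and the script assumes a 7.x release where security is off by default, so the health endpoint on localhost needs no credentials.

```shell
#!/bin/sh
# Added example (not from the original post): install the Elasticsearch and
# Kibana .deb packages on the single ELK node, start both services and verify
# that the cluster answers. Assumes a 7.x release with security disabled, so
# the health endpoint on localhost needs no credentials (an assumption).
set -eu

ES_DEB="${ES_DEB:-elasticsearch.deb}"   # downloaded package path (placeholder)
KIBANA_DEB="${KIBANA_DEB:-kibana.deb}"  # downloaded package path (placeholder)

# Extract the "status" field from a _cluster/health JSON response.
# Pure string parsing, so it can be checked without a running cluster.
es_health_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'
}

# A single-node cluster reports "yellow" once an index has replica shards
# that can never be allocated, so both green and yellow count as healthy.
health_ok() {
  case "$1" in
    green|yellow) return 0 ;;
    *) return 1 ;;
  esac
}

install_stack() {
  sudo dpkg -i "$ES_DEB"
  sudo dpkg -i "$KIBANA_DEB"
  # Both packages bind to localhost by default; leave that as it is, since
  # Kibana runs on the same VM and nothing else needs ports 9200 or 5601.
  sudo systemctl enable --now elasticsearch kibana
}

verify_stack() {
  # Elasticsearch takes a while to start, so poll the health endpoint.
  i=0
  while [ "$i" -lt 30 ]; do
    if resp=$(curl -sf http://127.0.0.1:9200/_cluster/health); then
      status=$(es_health_status "$resp")
      if health_ok "$status"; then echo "Elasticsearch is $status"; return 0; fi
    fi
    i=$((i + 1)); sleep 5
  done
  echo "Elasticsearch did not become healthy" >&2
  return 1
}

if [ "${RUN_INSTALL:-0}" = 1 ]; then
  install_stack && verify_stack
fi
```

Run it as `RUN_INSTALL=1 ES_DEB=/path/to/elasticsearch.deb KIBANA_DEB=/path/to/kibana.deb sh setup.sh`; without `RUN_INSTALL=1` it only defines the functions.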


How to Elastic SIEM