SIEM implementation with ELK stack for windows and Linux

What is SIEM

Security, information, and event management (SIEM) is a term used to describe the management of security, information, and events. SIEM technology combines log data, security warnings, and events into a centralized platform that allows for real-time security monitoring analysis.

SIEM software is used by security operation centers (SOCs) to improve visibility across their organization’s environments, examine log data for incident response to cyberattacks and data breaches, and comply with local and federal compliance regulations.

How dose it work

SIEM software collects log and event data from applications, devices, networks, infrastructure, and systems in order to do analysis and offer a comprehensive picture of an organization’s information technology (IT).

SIEM systems can be installed on-premises or in the cloud. SIEM systems employ rules and statistical correlations to provide actionable information during forensic investigations by analyzing all data in real time. SIEM technology analyses all data, categorizing threat behavior by risk level to assist security teams in swiftly identifying malicious actors and mitigating assaults.

Architecture of the ELK stack

what is ELK

ELK stack is collection of three product those are Elasticsearch, Logstash and kibana To discover problems with servers or apps, ELK stack provides centralized logging. You may search in only one spot for all logs. It also helps to discover problems on several servers by linking logs over a certain period of time.

  • Elasticsearch is used for storing logs
  • Logstash is used to send and receive storing and processing logs
  • kibana is used as a dashboard for the logs that we can see in the interface

Architecture

This is the basic architecture for the ELK stack

First collect the log file from all the service. Then collect all the logs using beats files after collecting all the logs from the beats using Logstach its process the data in a format that can be store in Elasticsearch. In the last step it send data to the Kibana to represent in a visually appealing way.

How to install ELK in Linux

For this example i am going to use centos as my main machine

Elasticsearch Installation

First we need import the elasticsearch GPG keys
run rpm — — import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Here i am going to install this using Repo so i am going to create yum repository for Elasticsearch

Now create repo file call elasticsearch.repo in /etc/yum.repos.d/ directory

[elasticsearch]

name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md

Then run sudo yum install — enablerepo=elasticsearch elasticsearch

After installing we need to run the Elasticsearch with system for that run the following commands

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service

To check weather this work run the following command
curl http://<IP>:9200 when you go to this link you might get a result like shown in here.

next step is to install the kibana dashboard

Kibana Installation

In previous step we imported the PGP key so we do not need to import that key here again

then create repo file call kibana.repo in /etc/yum.repos.d/ directory

[kibana-7.x]

name=Kibana repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

After creating the repo we can run sudo yum install kibana

then run kibana with system
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
sudo systemctl start kibana.service
sudo systemctl stop kibana.service
Then we need configure the following items

after configuring them we can go the http://<kibana_IP>:5601 to see the dashboard. which is look like the image shown below

In here if we went to discovery tab we wont be able to any log because we did not install any beat files to collect logs form the machine. for this i am going to use a beatfile call Auditbeat which will help to audit the system for us.

Audibat installation

To add the Beats repository for YUM:

  1. Download and install the public signing key:

2.Create a file with a .repo extension (for example, elastic.repo) in your /etc/yum.repos.d/ directory and add the following lines:
[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

3. the run the following commands

  • sudo yum install auditbeat
    sudo auditbeat setup
  • sudo service auditbeat start

after installing go to /etc/audibeat DIR and open auditbeat.yml file

Go to the following settings and configure them as you needed.

Then go to the Kibana interface and go to discovery tab to see the auditing logs is may look like this

If you enable the dashboard function in auditbeat file you a see couple of auditbeat dashboards

Some of the example dashboards

Winlogbeat installation

Before we install winlogbeat we need to install Sysmon form given link ( https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon )

Then run following command

sysmon -accepteula -i c:\windows\config.xml to install the Sysmon

then go to service and start the service

then we need to download winlogbeat setup form the given link ( https://www.elastic.co/downloads/beats/winlogbeat )

Extract the contents into C:\Program Files.

Rename the winlogbeat-<version> directory to Winlogbeat.

Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator).

From the PowerShell prompt, run the following commands to install the service.

Cmd-  PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.

like before we need to configure them to pass the data to the Kibana and Elasticsearch

Then run the following command

  1. PS > .\winlogbeat.exe setup -e

Then start the winlogbeat service and login to the kibana interface and we can see the audit

Go to discovery to find all the logs

There are some of the dashboard in winlogbeat

That all for the This blog see you soon…

--

--

--

Associate security Engineer At Hsenid mobile

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Laravel Educational — ACL (Person Roles) — #2 Database Setup & Migrations

Programming Obstacle Avoidance for the Robot

How TextMaster reduced deployment time by using multi-stages dockerfile in its CI pipeline

Python Hidden Features That You Probably Never Heard Of

hidden features of python

5 Vital and Short Advices to Developers

Smart Contract Verification

Scala Vs Python in In-Depth

Why your ASP.NET Core 6.x web app is NOT working on the non-shared App Service Plan

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
mohomed arfath

mohomed arfath

Associate security Engineer At Hsenid mobile

More from Medium

SOC implementation with TheHive, Cortex & Elasticsearch

PingCastle vs Purple Knight — Active Directory Security

Shield with a blue window emblem

Extracting Hancitor’s Configuration with Ghidra part 1

Windows Memory Forensics using Open Source Tools