SIEM implementation with ELK stack for windows and Linux
What is SIEM
Security, information, and event management (SIEM) is a term used to describe the management of security, information, and events. SIEM technology combines log data, security warnings, and events into a centralized platform that allows for real-time security monitoring analysis.
SIEM software is used by security operation centers (SOCs) to improve visibility across their organization’s environments, examine log data for incident response to cyberattacks and data breaches, and comply with local and federal compliance regulations.
How dose it work
SIEM software collects log and event data from applications, devices, networks, infrastructure, and systems in order to do analysis and offer a comprehensive picture of an organization’s information technology (IT).
SIEM systems can be installed on-premises or in the cloud. SIEM systems employ rules and statistical correlations to provide actionable information during forensic investigations by analyzing all data in real time. SIEM technology analyses all data, categorizing threat behavior by risk level to assist security teams in swiftly identifying malicious actors and mitigating assaults.
Architecture of the ELK stack
what is ELK
ELK stack is collection of three product those are Elasticsearch, Logstash and kibana To discover problems with servers or apps, ELK stack provides centralized logging. You may search in only one spot for all logs. It also helps to discover problems on several servers by linking logs over a certain period of time.
- Elasticsearch is used for storing logs
- Logstash is used to send and receive storing and processing logs
- kibana is used as a dashboard for the logs that we can see in the interface
This is the basic architecture for the ELK stack
First collect the log file from all the service. Then collect all the logs using beats files after collecting all the logs from the beats using Logstach its process the data in a format that can be store in Elasticsearch. In the last step it send data to the Kibana to represent in a visually appealing way.
How to install ELK in Linux
For this example i am going to use centos as my main machine
First we need import the elasticsearch GPG keys
run rpm — — import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Here i am going to install this using Repo so i am going to create yum repository for Elasticsearch
Now create repo file call elasticsearch.repo in /etc/yum.repos.d/ directory
name=Elasticsearch repository for 7.x packages
Then run sudo yum install — enablerepo=elasticsearch elasticsearch
After installing we need to run the Elasticsearch with system for that run the following commands
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service
To check weather this work run the following command
curl http://<IP>:9200 when you go to this link you might get a result like shown in here.
next step is to install the kibana dashboard
In previous step we imported the PGP key so we do not need to import that key here again
then create repo file call kibana.repo in /etc/yum.repos.d/ directory
name=Kibana repository for 7.x packages
After creating the repo we can run sudo yum install kibana
then run kibana with system
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
sudo systemctl start kibana.service
sudo systemctl stop kibana.service
Then we need configure the following items
after configuring them we can go the http://<kibana_IP>:5601 to see the dashboard. which is look like the image shown below
In here if we went to discovery tab we wont be able to any log because we did not install any beat files to collect logs form the machine. for this i am going to use a beatfile call Auditbeat which will help to audit the system for us.
To add the Beats repository for YUM:
- Download and install the public signing key:
- sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
2.Create a file with a
.repoextension (for example,
elastic.repo) in your
/etc/yum.repos.d/directory and add the following lines:
name=Elastic repository for 7.x packages
3. the run the following commands
- sudo yum install auditbeat
sudo auditbeat setup
- sudo service auditbeat start
after installing go to /etc/audibeat DIR and open auditbeat.yml file
Go to the following settings and configure them as you needed.
Then go to the Kibana interface and go to discovery tab to see the auditing logs is may look like this
If you enable the dashboard function in auditbeat file you a see couple of auditbeat dashboards
Some of the example dashboards
Before we install winlogbeat we need to install Sysmon form given link ( https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon )
Then run following command
sysmon -accepteula -i c:\windows\config.xml to install the Sysmon
then go to service and start the service
then we need to download winlogbeat setup form the given link ( https://www.elastic.co/downloads/beats/winlogbeat )
Extract the contents into C:\Program Files.
Rename the winlogbeat-<version> directory to Winlogbeat.
Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, run the following commands to install the service.
Cmd- PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.
like before we need to configure them to pass the data to the Kibana and Elasticsearch
Then run the following command
- PS > .\winlogbeat.exe setup -e
Then start the winlogbeat service and login to the kibana interface and we can see the audit
Go to discovery to find all the logs
There are some of the dashboard in winlogbeat
That all for the This blog see you soon…