Beginning Elastic - Installing, Configuring and Providing Basic Security to Packetbeat - Elastic Stack 7.9 on Ubuntu 20.04
By Securitynik on 2020-10-05 12:59:47
We have made significant progress so far; let's continue building on it. In the first post, we installed Elasticsearch. In the second post, we installed Kibana. This was followed by the third post, where we provided basic security to Elastic and Kibana. In the fourth post, we installed, configured and secured Metricbeat, and in the fifth post we installed, configured and secured Auditbeat. In the sixth post, we installed, configured and provided basic security to Filebeat. Once again, we keep things simple and use the package manager.
root@securitynik-monitoring:~#  apt-get install packetbeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  packetbeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.2 MB of archives.
After this operation, 90.9 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 packetbeat amd64 7.9.2 [26.2 MB]
Fetched 26.2 MB in 1s (22.1 MB/s)
Selecting previously unselected package packetbeat.
(Reading database ... 176062 files and directories currently installed.)
Preparing to unpack .../packetbeat_7.9.2_amd64.deb ...
Unpacking packetbeat (7.9.2) ...
Setting up packetbeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...
Next up, we configure "packetbeat.yml".
root@securitynik-monitoring:~# cd /etc/packetbeat/
root@securitynik-monitoring:/etc/packetbeat# cp packetbeat.yml packetbeat.yml.ORIGINAL
Here are the changes I made to the "packetbeat.yml" file.
root@securitynik-monitoring:~# cat /etc/packetbeat/packetbeat.yml | grep --perl-regexp "ssh|\[22\]|^\s+host|^\s+protocol|^\s+username|^\s+password"
- type: ssh
  ports: [22]
        host: "https://10.0.0.1:5601"
  hosts: ["10.0.0.1:9200"]
  protocol: "https"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"
As we did in the previous post, we take the last 8 lines of "metricbeat.yml" and append them to "packetbeat.yml".
root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/packetbeat/packetbeat.yml
root@securitynik-monitoring:~# tail --lines 8 /etc/auditbeat/auditbeat.yml
# SSL Configuration enabled by Nik
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
Testing the Packetbeat configuration.
root@securitynik-monitoring:~# packetbeat test config

Config OK
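As an added example (not from the post, and not Elastic's own tooling), a small Python check over the settings shown above. It confirms what `packetbeat test config` does not: that the Elasticsearch output and the Kibana setup connection both use TLS with the CA pinned, and it flags the password that is still stored in clear text. The YAML handling is a deliberately small subset, and the sample config is constructed from the post's own lines.

```python
import re
# Constructed sample: the settings the post's grep surfaced plus the flat keys it appends.
SAMPLE = """\
setup.kibana:
  host: "https://10.0.0.1:5601"
output.elasticsearch:
  hosts: ["10.0.0.1:9200"]
  protocol: "https"
  password: "WelcomeToSecurityNikElastic"
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
setup.kibana.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
"""
KEY_RE = re.compile(r'^(\s*)([A-Za-z0-9_.]+):\s*(.*)$')  # "key: value"; comments and "- item" lines do not match

def flatten(text):
    """Reduce the YAML subset Beats configs use (indented maps mixed with
    dotted keys, as the post does) to {dotted.path: [every value seen]}."""
    found, stack = {}, []  # stack of (indent, key) giving the current nesting
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = '.'.join([k for _, k in stack] + [key])
        if value:
            found.setdefault(path, []).append(value.strip('"\''))
        else:
            stack.append((indent, key))
    return found

def check(text):
    """Return findings; an empty list means TLS, CA pinning and secret handling are in place."""
    cfg, findings = flatten(text), []
    proto = cfg.get('output.elasticsearch.protocol', [''])[-1]
    for host in [h.strip(' "\'[]') for v in cfg.get('output.elasticsearch.hosts', []) for h in v.split(',')]:
        if not (host.startswith('https://') or ('://' not in host and proto == 'https')):
            findings.append(f'Elasticsearch output not over TLS: {host}')  # a bare host:port needs protocol https
    for host in cfg.get('setup.kibana.host', []):
        if not host.startswith('https://'):
            findings.append(f'Kibana setup not over TLS: {host}')
    for section in ('output.elasticsearch', 'setup.kibana'):
        if not cfg.get(section + '.ssl.certificate_authorities'):
            findings.append(f'no CA pinned for {section}')
    for pw in cfg.get('output.elasticsearch.password', []):
        if not pw.startswith('${'):  # ${VAR} would be resolved from the Beats keystore instead
            findings.append('output.elasticsearch.password is stored in clear text')
    return findings
```

Running `check(open('/etc/packetbeat/packetbeat.yml').read())` against the real file reports only the clear-text password; storing it in the Beats keystore (`packetbeat keystore add ES_PWD`) and referencing it as `password: "${ES_PWD}"` clears that finding.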
Looking at the interfaces which I can capture on.
root@securitynik-monitoring:~#  packetbeat devices
0: enp0s25 (No description available) (10.0.0.1 fe80::224:e8ff:fef0:f679)
1: any (Pseudo-device that captures on all interfaces) (Not assigned ip address)
2: lo (No description available) (127.0.0.1 ::1)
3: nflog (Linux netfilter log (NFLOG) interface) (Not assigned ip address)
4: nfqueue (Linux netfilter queue (NFQUEUE) interface) (Not assigned ip address)
I also changed the interface on which Filebeat was listening, to reflect what we are doing in this series. This relates more to the previous post on Filebeat.
root@securitynik-monitoring:~# cat /etc/filebeat/modules.d/netflow.yml
# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.8/filebeat-module-netflow.html

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 10.0.0.1
      netflow_port: 2055
Load the Packetbeat dashboards into Kibana and set up the appropriate indexes.
root@securitynik-monitoring:~#  packetbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Enabling and starting the Packetbeat service.
root@securitynik-monitoring:~# systemctl enable --now packetbeat.service
Synchronizing state of packetbeat.service with SysV service script with /lib/systemd/systemd-sysv-install.

Executing: /lib/systemd/systemd-sysv-install enable packetbeat
Created symlink /etc/systemd/system/multi-user.target.wants/packetbeat.service → /lib/systemd/system/packetbeat.service.

root@securitynik-monitoring:~# systemctl status packetbeat.service
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/packetbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-08-14 12:56:30 EDT; 9s ago
       Docs: https://www.elastic.co/products/beats/packetbeat
   Main PID: 34364 (packetbeat)
      Tasks: 10 (limit: 4563)
     Memory: 45.4M
     CGroup: /system.slice/packetbeat.service
             └─34364 /usr/share/packetbeat/bin/packetbeat -environment systemd -c /etc/packetbeat/packetbeat.yml -path.home /usr/share/packetbeat -path.config /etc/packet>
Looking at the Packetbeat data.
Looks like we have some data from Packetbeat. Well, that is it for this post. See you in the next one, where we look at Winlogbeat and also wrap up this series. Posts in this series:

References: https://www.elastic.co/beats/ https://www.elastic.co/downloads/beats/packetbeat