Securitynik on 2020-10-05 12:59:47
We have made significant progress so far, so let's continue building on it. In the first post, we installed Elasticsearch. In the second post, we installed Kibana. This was followed by the third post, where we provided basic security to Elastic and Kibana. In the fourth post, we installed, configured and secured Metricbeat, and in the fifth post we installed, configured and secured Auditbeat. In the sixth post, we installed, configured and provided basic security to Filebeat. This post does the same for Packetbeat.
Once again, keeping things simple, we install Packetbeat using the package manager.
root@securitynik-monitoring:~# apt-get install packetbeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.2 MB of archives.
After this operation, 90.9 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 packetbeat amd64 7.9.2 [26.2 MB]
Fetched 26.2 MB in 1s (22.1 MB/s)
Selecting previously unselected package packetbeat.
(Reading database ... 176062 files and directories currently installed.)
Preparing to unpack .../packetbeat_7.9.2_amd64.deb ...
Unpacking packetbeat (7.9.2) ...
Setting up packetbeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...
Next up, we configure "packetbeat.yml". First, keep a copy of the original so the changes can be compared later.
root@securitynik-monitoring:~# cd /etc/packetbeat/
root@securitynik-monitoring:/etc/packetbeat# cp packetbeat.yml packetbeat.yml.ORIGINAL
Here are the changes I made to "packetbeat.yml", pulled out with grep so only the relevant keys (the SSH protocol on port 22, the Elasticsearch hosts, protocol, username and password) are shown.
root@securitynik-monitoring:~# cat /etc/packetbeat/packetbeat.yml | grep --perl-regexp "ssh|\[22\]|^\s+host|^\s+protocol|^\s+username|^\s+password"
- type: ssh
Like we did in the previous post, we take the last 8 lines from "metricbeat.yml" (the SSL configuration block) and append them to "packetbeat.yml".
root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/packetbeat/packetbeat.yml
root@securitynik-monitoring:~# tail --lines 8 /etc/auditbeat/auditbeat.yml
# SSL Configuration enabled by Nik
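To show how the pieces above fit together, here is an added example of what the edited "packetbeat.yml" could look like end to end. This is illustrative configuration written for this page, not the original post's file: the interface name matches the "packetbeat devices" output below, but the Elasticsearch address, the CA certificate path, the username and the keystore key name are all assumptions, and the "SSL Configuration enabled by Nik" block copied from "metricbeat.yml" is represented here by the "ssl.*" keys rather than reproduced.

```yaml
# Added example configuration (not from the original post).
# Capture on the wired interface listed by "packetbeat devices".
packetbeat.interfaces.device: enp0s25

# Summarise all traffic as bidirectional flows, in addition to protocol parsing.
packetbeat.flows:
  timeout: 30s
  period: 10s

# Protocol parsers. The "ssh" entry on port 22 is the one the grep above matched.
packetbeat.protocols:
- type: icmp
  enabled: true
- type: dns
  ports: [53]
- type: http
  ports: [80, 8080, 8000]
- type: tls
  ports: [443, 8443]
- type: ssh
  ports: [22]

# Kibana endpoint used by "packetbeat setup" to load the dashboards.
# Host, credentials and CA path are assumptions for this example.
setup.kibana:
  host: "https://10.0.0.1:5601"
  username: "packetbeat_writer"
  password: "${PACKETBEAT_PW}"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]

# Elasticsearch output over HTTPS with certificate verification.
# The ssl.* keys stand in for the "SSL Configuration" block appended from metricbeat.yml.
output.elasticsearch:
  hosts: ["https://10.0.0.1:9200"]
  protocol: "https"
  username: "packetbeat_writer"
  password: "${PACKETBEAT_PW}"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
  ssl.verification_mode: full
```

Two points worth checking on a real deployment: "${PACKETBEAT_PW}" is resolved from the Beats keystore ("packetbeat keystore create", then "packetbeat keystore add PACKETBEAT_PW"), which keeps the password out of a world-readable config file, and "ssl.verification_mode: full" makes Packetbeat refuse to ship to an Elasticsearch node whose certificate does not chain to the listed CA or does not match the hostname, which is the setting that actually gives the TLS block its value. "packetbeat test config" and "packetbeat test output" will confirm both the syntax and the connection before the service is enabled.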
Testing the Packetbeat configuration.
root@securitynik-monitoring:~# packetbeat test config
Looking at the interfaces I can capture on.
root@securitynik-monitoring:~# packetbeat devices
0: enp0s25 (No description available) (10.0.0.1 fe80::224:e8ff:fef0:f679)
1: any (Pseudo-device that captures on all interfaces) (Not assigned ip address)
2: lo (No description available) (127.0.0.1 ::1)
3: nflog (Linux netfilter log (NFLOG) interface) (Not assigned ip address)
4: nfqueue (Linux netfilter queue (NFQUEUE) interface) (Not assigned ip address)
I also changed the interface that Filebeat's netflow module listens on, to match what we are doing in this series. This relates more to the previous post on Filebeat.
root@securitynik-monitoring:~# cat /etc/filebeat/modules.d/netflow.yml
# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.8/filebeat-module-netflow.html
- module: netflow
Loading the Packetbeat dashboards into Kibana and setting up the index template and ILM policy.
root@securitynik-monitoring:~# packetbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Enabling and starting the Packetbeat service.
root@securitynik-monitoring:~# systemctl enable --now packetbeat.service
Synchronizing state of packetbeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable packetbeat
Created symlink /etc/systemd/system/multi-user.target.wants/packetbeat.service → /lib/systemd/system/packetbeat.service.
root@securitynik-monitoring:~# systemctl status packetbeat.service
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
Loaded: loaded (/lib/systemd/system/packetbeat.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-08-14 12:56:30 EDT; 9s ago
Main PID: 34364 (packetbeat)
Tasks: 10 (limit: 4563)
└─34364 /usr/share/packetbeat/bin/packetbeat -environment systemd -c /etc/packetbeat/packetbeat.yml -path.home /usr/share/packetbeat -path.config /etc/packet>
Looking at the Packetbeat data in Kibana, it looks like we have some data coming in from Packetbeat.
Well, that is it for this post. See you in the next one, where we look at Winlogbeat and also wrap up this series.
Posts in this series: