By Securitynik on 2020-10-05 12:59:47
We have made significant progress so far, so let's continue building on it.
In the first post we installed Elasticsearch. In the second post we installed Kibana. This was followed by the third post, where we provided basic security to Elasticsearch and Kibana. In the fourth post we installed, configured and secured Metricbeat, and in the fifth post we installed, configured and secured Auditbeat. In the sixth post we installed, configured and provided basic security to Filebeat.
Once again, we keep things simple and use the package manager.
root@securitynik-monitoring:~# apt-get install packetbeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  packetbeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.2 MB of archives.
After this operation, 90.9 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 packetbeat amd64 7.9.2 [26.2 MB]
Fetched 26.2 MB in 1s (22.1 MB/s)
Selecting previously unselected package packetbeat.
(Reading database ... 176062 files and directories currently installed.)
Preparing to unpack .../packetbeat_7.9.2_amd64.deb ...
Unpacking packetbeat (7.9.2) ...
Setting up packetbeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...

root@securitynik-monitoring:~# cd /etc/packetbeat/
root@securitynik-monitoring:/etc/packetbeat# cp packetbeat.yml packetbeat.yml.ORIGINAL

root@securitynik-monitoring:~# cat /etc/packetbeat/packetbeat.yml | grep --perl-regexp "ssh|\[22\]|^\s+host|^\s+protocol|^\s+username|^\s+password"
- type: ssh
  ports: [22]
  host: "https://10.0.0.1:5601"
  hosts: ["10.0.0.1:9200"]
  protocol: "https"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"
root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/packetbeat/packetbeat.yml
root@securitynik-monitoring:~# tail --lines 8 /etc/auditbeat/auditbeat.yml

# SSL Configuration enabled by Nik
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
root@securitynik-monitoring:~# packetbeat test config
Config OK

root@securitynik-monitoring:~# packetbeat devices
0: enp0s25 (No description available) (10.0.0.1 fe80::224:e8ff:fef0:f679)
1: any (Pseudo-device that captures on all interfaces) (Not assigned ip address)
2: lo (No description available) (127.0.0.1 ::1)
3: nflog (Linux netfilter log (NFLOG) interface) (Not assigned ip address)
4: nfqueue (Linux netfilter queue (NFQUEUE) interface) (Not assigned ip address)
root@securitynik-monitoring:~# cat /etc/filebeat/modules.d/netflow.yml
# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.8/filebeat-module-netflow.html

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 10.0.0.1
      netflow_port: 2055

root@securitynik-monitoring:~# packetbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
root@securitynik-monitoring:~# systemctl enable --now packetbeat.service
Synchronizing state of packetbeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable packetbeat
Created symlink /etc/systemd/system/multi-user.target.wants/packetbeat.service → /lib/systemd/system/packetbeat.service.

root@securitynik-monitoring:~# systemctl status packetbeat.service
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/packetbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-08-14 12:56:30 EDT; 9s ago
       Docs: https://www.elastic.co/products/beats/packetbeat
   Main PID: 34364 (packetbeat)
      Tasks: 10 (limit: 4563)
     Memory: 45.4M
     CGroup: /system.slice/packetbeat.service
             └─34364 /usr/share/packetbeat/bin/packetbeat -environment systemd -c /etc/packetbeat/packetbeat.yml -path.home /usr/share/packetbeat -path.config /etc/packet>
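As an added example (not code from the original post), the grep above can be turned into a small Python audit that resolves the config the way the appended SSL lines combine with the defaults and flags what a reviewer cares about: an HTTP host, a missing CA, disabled verification, or the clear-text password shown above. The sample config and the `${VAR}` name are constructed; the keystore reference is the standard Beats keystore feature, not something this post sets up.

```python
"""Audit a Beats YAML config (Packetbeat here): HTTPS, trusted CA, no clear-text password."""
import re

# Constructed sample mirroring packetbeat.yml after the post's edits; not the post's file.
SAMPLE_CONFIG = """output.elasticsearch:
  hosts: ["10.0.0.1:9200"]
  protocol: "https"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"
# SSL Configuration enabled by Nik
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
setup.kibana.ssl.enabled: true
"""

def flatten(text):
    """Dotted-key map; a later duplicate wins, as the post's `tail >>` append intends."""
    flat, stack = {}, []  # stack of (indent, key) for open nested blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (values here have no '#')
        if not line.strip() or line.lstrip().startswith("- "):
            continue  # skip blanks and `- type:` protocol list items
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:  # a dedent closes open blocks
            stack.pop()
        key, _, value = line.strip().partition(":")
        full = ".".join([k for _, k in stack] + [key])
        if value.strip():
            flat[full] = value.strip().strip('"')
        else:
            stack.append((indent, key))  # a bare `key:` opens a nested block
    return flat

def audit(flat):
    """Return findings for the Elasticsearch output; empty means it passes."""
    findings = []
    hosts = re.findall(r'"([^"]+)"', flat.get("output.elasticsearch.hosts", ""))
    proto = flat.get("output.elasticsearch.protocol", "http")
    for host in hosts:  # a scheme inside the URL wins over the `protocol` setting
        if (host.split("://", 1)[0] if "://" in host else proto) != "https":
            findings.append(f"plaintext transport to {host}")
    if "output.elasticsearch.ssl.certificate_authorities" not in flat:
        findings.append("no certificate_authorities: server cert cannot be validated")
    if flat.get("output.elasticsearch.ssl.verification_mode", "full") == "none":
        findings.append("verification_mode none disables certificate validation")
    password = flat.get("output.elasticsearch.password", "")
    if password and not password.startswith("${"):  # ${VAR} = Beats keystore reference
        findings.append("clear-text password; use `packetbeat keystore add` and ${VAR}")
    return findings
```

Run it against the real file with `audit(flatten(open("/etc/packetbeat/packetbeat.yml").read()))`; on the config above the only finding is the clear-text password.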