Elastic Stack comprises Elasticsearch, Kibana, Beats, and Logstash. It lets you take data from any source, in any format, and then search, analyze, and visualize it at scale, reliably and securely. Built on a free and open foundation, Elasticsearch and Kibana support use cases that start with logging and extend as far as your imagination takes you; Elastic features such as machine learning, security, and reporting compound that value. For the purpose of auditing and compliance governance, I am leveraging ELK as a SIEM.
Anyway, I am going to show you the steps I went through to install ELK 8.3.2 on Ubuntu 20.04.4 for my Proof-of-Concept (PoC) lab environment.
Preparations
Operating System | Ubuntu 20.04 LTS Server Image
Dependency Packages | nginx, openjdk-11-jdk, wget, apt-transport-https, curl, gpgv, gpgsm, gnupg-l10n, gnupg, dirmngr, unzip
Assuming a clean Ubuntu OS installation is ready on either a physical or a logical build (i.e. a VM or a cloud provision), I usually perform the following steps to update and upgrade the distro.
Step 1: switch to the root user
sudo -i
Step 2: update distro
apt-get update && apt-get upgrade -y
Step 3: install all dependencies (package names are space-separated on the command line; the commas in the table above are not part of the command)
apt-get install -y nginx openjdk-11-jdk wget apt-transport-https curl gpgv gpgsm gnupg-l10n gnupg dirmngr unzip
Note that Elasticsearch and Logstash 8.x ship with a bundled JDK and Kibana bundles its own Node.js runtime, so openjdk-11-jdk is not required by the stack itself; it is only useful if you want a system JDK for other tooling.
Step 4: export JAVA_HOME regardless (this only lasts for the current shell session; Elasticsearch 8.x ignores JAVA_HOME and uses its bundled JDK unless ES_JAVA_HOME is set, and Logstash 8.x likewise honours LS_JAVA_HOME)
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
At this point the base OS and dependencies are ready. I usually take a snapshot here (i.e. a "Base Ubuntu Image") so I can roll back to a clean state.
Install Elastic Stack
Step 1: Add elastic repository
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
Step 2: update APT repo
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
Step 3: refresh APT repo
apt-get update
Step 4: install elasticsearch
apt-get install elasticsearch
At the end of the installation, the package's post-install output prints the generated password for the built-in elastic superuser. Record it now; it is not shown again. If you lose it, reset it with /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic. The same security auto-configuration also generates the HTTP CA certificate at /etc/elasticsearch/certs/http_ca.crt that the health check below uses.
Step 5: Register Elasticsearch as daemon, and fire up
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Step 6: Health check – service level
systemctl status elasticsearch
or
service elasticsearch status
Step 7: Health check – web output (enter the elastic password when prompted; the --cacert flag makes curl trust the auto-generated CA instead of the -k shortcut that would skip certificate validation)
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Note: by default Elasticsearch 8.x listens only on loopback (localhost:9200). If other hosts such as Beats or Logstash shippers need to reach it, set network.host in /etc/elasticsearch/elasticsearch.yml to the node's address, restart the service, and restrict port 9200 with a firewall; binding to a non-loopback address also turns on the production bootstrap checks, so the node will refuse to start if, for example, vm.max_map_count is too low.
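As an added example (not code from the original post or from Elastic), the script below wraps the health check in functions that can be exercised offline against constructed sample output, and adds the configuration review I would do before letting a PoC SIEM node ingest real log data. It assumes the paths this post uses (/etc/elasticsearch/certs/http_ca.crt and /etc/elasticsearch/elasticsearch.yml) and an ELASTIC_PASSWORD environment variable holding the generated elastic password; the sample JSON and YAML at the bottom are constructed, not captured from a real node.

```shell
#!/usr/bin/env bash
# Post-install checks for the Elasticsearch node set up above. Added example,
# not code from the original post. Each check reads its input from stdin so it
# can be exercised against the constructed samples at the bottom without a live
# cluster; run with --live on the box to feed it real output instead.

# Print the "status" field ("green", "yellow" or "red") from the JSON body that
# GET /_cluster/health returns, or "unknown" if the field is absent.
es_cluster_status() {
  local status
  status=$(sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1)
  printf '%s\n' "${status:-unknown}"
}

# Exit 0 when the cluster is usable. "yellow" is accepted because a single-node
# PoC can never allocate replica shards and therefore never reaches "green".
es_cluster_ok() {
  case "$(es_cluster_status)" in
    green|yellow) return 0 ;;
    *)            return 1 ;;
  esac
}

# Audit the text of /etc/elasticsearch/elasticsearch.yml for settings that
# weaken the out-of-the-box security of an 8.x node. Only the dotted
# single-line form of each setting is recognised. Prints one finding per line
# and nothing when the file is clean.
es_config_findings() {
  local cfg
  cfg=$(cat)
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*xpack\.security\.enabled:[[:space:]]*false'; then
    echo "security-disabled: xpack.security.enabled is false, so authentication and TLS are off"
  fi
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*network\.host:[[:space:]]*(0\.0\.0\.0|_site_|_global_)'; then
    echo "wide-bind: network.host exposes port 9200 beyond loopback; restrict it or firewall it"
  fi
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*xpack\.security\.http\.ssl\.enabled:[[:space:]]*false'; then
    echo "http-plaintext: xpack.security.http.ssl.enabled is false, so the elastic password travels in clear"
  fi
}

# Exit 0 only when es_config_findings reports nothing.
es_config_ok() {
  [ -z "$(es_config_findings)" ]
}

# Run the checks against the live node. ELASTIC_PASSWORD must hold the password
# printed at install time (or the one set via elasticsearch-reset-password).
run_live_checks() {
  : "${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD to the elastic superuser password first}"
  if curl -s --cacert /etc/elasticsearch/certs/http_ca.crt \
          -u "elastic:${ELASTIC_PASSWORD}" https://localhost:9200/_cluster/health \
       | es_cluster_ok; then
    echo "cluster: ok"
  else
    echo "cluster: NOT ok"
  fi
  es_config_findings < /etc/elasticsearch/elasticsearch.yml
}

# Constructed samples (not captured from a real node) used for the offline demo.
SAMPLE_HEALTH='{"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1}'
SAMPLE_BAD_CONFIG='cluster.name: poc-siem
network.host: 0.0.0.0
xpack.security.enabled: false'

if [ "${1:-}" = "--live" ]; then
  run_live_checks
else
  printf '%s' "$SAMPLE_HEALTH" | es_cluster_status        # yellow
  printf '%s\n' "$SAMPLE_BAD_CONFIG" | es_config_findings  # two findings
fi
```

Run it as `ELASTIC_PASSWORD='...' bash es-check.sh --live` on the node; without `--live` it only demonstrates the functions on the constructed samples. Treating yellow as healthy is deliberate for a one-node lab; on a multi-node deployment you would tighten es_cluster_ok to accept green only.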
Install Logstash
Step 1: install logstash
apt-get install logstash -y
Step 2: Register Logstash as daemon, and fire up
systemctl daemon-reload
systemctl enable logstash
systemctl start logstash
Install Kibana
Step 1: install Kibana
apt-get install kibana -y
Step 2: Register Kibana as daemon, and fire up
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
Install nginx as proxy (optional)
Step 1: install nginx
apt-get install nginx -y
Step 2: config nginx
Pick your favourite editor and update /etc/nginx/sites-enabled/default:
vi /etc/nginx/sites-enabled/default
or
nano /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
This listens on plain HTTP, so the elastic password and Kibana session cookie cross the network in clear. That is acceptable on an isolated PoC lab network only; anywhere else, terminate TLS in nginx (a listen 443 ssl block with your certificate) and redirect port 80 to it.
Step 3: restart nginx
systemctl restart nginx
Access Kibana
Without the nginx proxy:
http://ip-address:5601
Kibana 8.x binds to localhost by default, so this URL only works from another host if you set server.host in /etc/kibana/kibana.yml to the node's address and restart kibana.
With nginx:
http://ip-address
On first access, Kibana 8.x asks for an enrollment token rather than a username and password. Generate one on the Elasticsearch node with /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana, paste it in, then enter the six-digit code printed by /usr/share/kibana/bin/kibana-verification-code. After that, log in as elastic with the password saved at install time.