
Hey there red team….I mean BLUE TEAM cadet 😅 I don’t just focus on red team stuff you know…and it’s been long overdue that I do a writeup on not just red team tools, but more emphasis on blue team defensive measures/tools. Today, we learn how to install Elastic ELK stack from start to finish. Well, let’s get to it!

First off, I’m using Debian. You’ll likely want to use either Debian or Ubuntu for your experience to most closely mimic mine. We will need the following in order to successfully install Elastic Stack 8 (ELK 8) on Debian:

Version of Debian I’m using:

root@debian:/usr/bin# lsb_release -a

No LSB modules are available.

Distributor ID: Debian

Description: Debian GNU/Linux 12 (bookworm)

Release: 12

Codename: bookworm

Resource Requirements:

I use VirtualBox. You can use whatever flavor of VM environment you like.

3 CPUs, 6.5 GB RAM (8 GB is ideal)

50-75GB harddrive storage

OpenJDK/Oracle Java

root privileges

also worth mentioning is enabling your shared clipboard. For VirtualBox, that’s under the VM’s Settings > General > Advanced tab.

Get all your packages up-to-date!!!

sudo apt update && sudo apt upgrade -y

Install Java

Java must be installed before ELK can be used. I’m using the following version:

root@debian:/usr/bin# java -version

openjdk 17.0.8 2023-07-18

OpenJDK Runtime Environment (build 17.0.8+7-Debian-1deb12u1)

OpenJDK 64-Bit Server VM (build 17.0.8+7-Debian-1deb12u1, mixed mode, sharing)

sudo apt install openjdk-17-jdk -y

Add Elastic Stack 8 Repositories

(you’ll want to switch to root user for this and all remaining steps)

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/elastic.gpg

apt install apt-transport-https

echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list

now let’s update our package index:

apt update

apt install vim elasticsearch -y

edit the config once it is finished installing:

nano /etc/elasticsearch/elasticsearch.yml

uncomment (remove the hash/pound sign #) and set the following lines in your config file. Note that network.host: 0.0.0.0 binds Elasticsearch on every interface, so make sure port 9200 is firewalled off from anything that should not reach it:

cluster.name: elkcluster-1

network.host: 0.0.0.0

http.port: 9200

save + quit

now, create and edit this file (Elasticsearch only reads files in jvm.options.d/ whose name ends in .options, so the extension matters): nano /etc/elasticsearch/jvm.options.d/jvmconf.options

add the following inside the file:

-Xms1g

-Xmx1g

save + quit

restart elasticsearch and enable the service at startup

sudo systemctl restart elasticsearch

sudo systemctl enable elasticsearch

Reset the password of the elastic superuser:

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i

check to make sure it’s responding to our queries:

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200


[Install Logstash]

apt install logstash

Set up Logstash to listen for Filebeat input. One caveat on the output block: ssl_certificate_verification => false makes Logstash accept any certificate Elasticsearch presents. For anything beyond a lab box, keep verification on and point the output’s cacert option at a copy of /etc/elasticsearch/certs/http_ca.crt that the logstash user can read:

nano /etc/logstash/conf.d/beats.conf

input {
  beats {
    port => 5044
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["https://127.0.0.1:9200"]
    user => "elastic"
    password => "[your elastic password here!!!]"
    ssl => true
    ssl_certificate_verification => false
    index => "logstash-%{+YYYY.MM.dd}"
    # alternative: one index per month instead of per day
    #index => "beats-%{+YYYY.MM}"
  }
}

start and enable logstash!

sudo systemctl start logstash

sudo systemctl enable logstash

[Install Kibana]

apt install kibana

nano /etc/kibana/kibana.yml

uncomment/edit the following:

server.port: 5601

server.host: "0.0.0.0"

comment out the following:

# =================== System: Elasticsearch ===================

# The URLs of the Elasticsearch instances to use for all your queries.

#elasticsearch.hosts: ["https://localhost:9200"]

add/uncomment this line:

elasticsearch.ssl.verificationMode: certificate

this part is added for you automatically once Kibana is enrolled (see Finalize Kibana below). Adjust accordingly:

elasticsearch.hosts: ['https://192.168.1.50:9200'] <-- I added in my server’s IP

elasticsearch.serviceAccountToken: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX <-- your token should be here

restart and enable kibana

systemctl restart kibana

systemctl enable kibana

[Install Filebeat]

apt install filebeat

nano /etc/filebeat/filebeat.yml

make sure these lines look as follows:

[screenshot of the filebeat.yml lines referred to above]

comment out the following (the hosts line sits indented under output.elasticsearch):

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

enable the Logstash output, pointing it at the beats input on port 5044 that Logstash is listening on:

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

Now, enable and restart filebeat!

systemctl enable filebeat

systemctl restart filebeat

Finalize Kibana

generate your Kibana enrollment token:

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Now open your browser and point it to http://localhost:5601 or http://your-server-ip:5601 if you set it to that, and enter your token:

[screenshot: Kibana enrollment token prompt]

now generate and paste in your verification code:

/usr/share/kibana/bin/kibana-verification-code

[screenshot: Kibana verification code prompt]

now let it finish finalizing everything:

[screenshot: Kibana “Completing Setup” screen]

(this sometimes hangs at the “Completing Setup” part. I’d just open another tab and browse to http://localhost:5601 to see if it finished)

Now browse to your Discover tab and you should see logs coming in!

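If Discover stays empty, the script below (an added example, not part of the original post) checks the same stack from the bottom up: the four systemd units, the three listening ports used above, the Elasticsearch health endpoint verified against the installer’s CA rather than with verification switched off, and the document count in the logstash-* indices. It assumes the paths and ports from this writeup, that the elastic password is exported as ELASTIC_PASSWORD, and that the file is saved as elk-check.sh.

```shell
#!/bin/sh
# elk-check.sh: bottom-up sanity check for the stack built above (added example,
# not part of the original post). Assumes the ports/paths used in this writeup
# and the elastic password exported as ELASTIC_PASSWORD.
set -u

ES_URL=https://localhost:9200
ES_CA=/etc/elasticsearch/certs/http_ca.crt  # CA generated by the ES installer
SERVICES="elasticsearch logstash kibana filebeat"
EXPECTED_PORTS="9200 5044 5601"             # ES http, Beats input, Kibana

# Print the expected ports that do not appear in the given `ss -ltn` output.
missing_ports() {
  ss_out=$1; missing=""
  for p in $EXPECTED_PORTS; do
    printf '%s\n' "$ss_out" | grep -Eq ":$p[[:space:]]" || missing="$missing $p"
  done
  printf '%s' "${missing# }"
}

# Pull "status" (green/yellow/red) out of a _cluster/health JSON body.
cluster_status() {
  printf '%s' "$1" | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# Sum the docs.count column of `_cat/indices/logstash-*?h=index,docs.count`.
logstash_doc_count() {
  printf '%s\n' "$1" | awk 'NF == 2 { n += $2 } END { print n + 0 }'
}

main() {
  rc=0; pw=${ELASTIC_PASSWORD:?export ELASTIC_PASSWORD first}
  for s in $SERVICES; do
    systemctl is-active --quiet "$s" || { echo "FAIL: $s is not active"; rc=1; }
  done
  m=$(missing_ports "$(ss -ltn)")
  [ -z "$m" ] || { echo "FAIL: nothing listening on port(s): $m"; rc=1; }
  # Verify the TLS chain against the installer's CA rather than turning checks off.
  health=$(curl -sS --max-time 5 --cacert "$ES_CA" -u "elastic:$pw" \
           "$ES_URL/_cluster/health") || { echo "FAIL: ES unreachable or cert check failed"; rc=1; }
  echo "cluster status: $(cluster_status "${health:-}")"
  cat_out=$(curl -sS --max-time 5 --cacert "$ES_CA" -u "elastic:$pw" \
            "$ES_URL/_cat/indices/logstash-*?h=index,docs.count") || cat_out=""
  echo "documents in logstash-* indices: $(logstash_doc_count "$cat_out")"
  return $rc
}

# Run the checks only when executed as elk-check.sh; sourcing just defines the functions.
case "$(basename -- "$0")" in elk-check.sh) main "$@" ;; esac
```

Run it as root after the Filebeat step; a non-zero exit with a FAIL line tells you which layer to look at first, and a document count of 0 with a healthy cluster points at the Filebeat-to-Logstash leg.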

Stay tuned for part 2 where we set up Sysmon and Fleet integrations, and thanks as always for reading!
