This document outlines the steps to deploy the ELK Stack using Docker for real-time security monitoring. It includes tasks for ingesting security logs, creating dashboards for visualizing security events, and setting alerts for suspicious activities. The document provides detailed commands and configurations necessary for installation and setup.

Uploaded to Scribd by sodayac916.

This document is the property of Al Nafi. Any unauthorized redistribution or reproduction, including in printed form, is strictly prohibited. This document can only be read electronically.

Lab 2: Security Monitoring with ELK Stack

OBJECTIVE:
Monitor security-related events in real-time and visualize patterns.
TASKS:
1. Deploy the ELK Stack using Docker.
2. Ingest and index security logs from various sources.
3. Create dashboards to monitor login attempts, privilege escalations, and other security events.
4. Set alerts for suspicious activities.

Task 1: Deploy the ELK Stack Using Docker

Install Docker:
If Docker is not already installed, follow the steps for your operating system:

For Ubuntu/Debian
sudo apt update
sudo apt install docker.io docker-compose   # docker.io alone does not provide the docker-compose command used below
sudo systemctl start docker
sudo systemctl enable docker

For Windows/Mac: Download and install Docker Desktop, which bundles Docker Compose.

Create a Docker Compose file for ELK:

Create a directory for the ELK Stack and navigate to it:

mkdir elk-stack && cd elk-stack

Save the following as docker-compose.yml in that directory:

version: '3'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
    ports:
      - "9200:9200"
    networks:
      - elk
  logstash:
    image: docker.elastic.co/logstash/logstash:7.17.0
    container_name: logstash
    networks:
      - elk
    volumes:
      - ./logstash:/usr/share/logstash/pipeline/
    ports:
      - "5000:5000"
      - "5044:5044"
      - "9600:9600"
  kibana:
    image: docker.elastic.co/kibana/kibana:7.17.0
    container_name: kibana
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    ports:
      - "5601:5601"
    networks:
      - elk

networks:
  elk:
    driver: bridge

Note: xpack.security.enabled=false turns off authentication and TLS, so anyone who can reach port 9200 or 5601 can read, modify or delete every index. That is acceptable only on an isolated lab machine. If the host has other network interfaces, bind the published ports to the loopback interface (for example "127.0.0.1:9200:9200") so they are not reachable from the network.
IE

Start the ELK Stack:

Run the following command to start the services:

docker-compose up -d

Check that all three containers are running:

docker ps

Access Kibana:

Open a web browser and go to: http://localhost:5601.

Kibana should be up and running, connected to Elasticsearch. Elasticsearch takes a minute or so to start, so if Kibana reports that it is not ready yet, wait and reload the page.

Task 2: Ingest and Index Security Logs from Various Sources

Install Filebeat (Log Shipper):

Filebeat is a lightweight shipper that sends logs to Logstash or Elasticsearch.

Pull the Filebeat Docker image:

docker pull docker.elastic.co/beats/filebeat:7.17.0

Configure Filebeat:
Create a filebeat.yml file in the elk-stack directory:

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log   # Example log path for authentication logs (adjust as needed)

output.logstash:
  hosts: ["logstash:5044"]

/var/log/auth.log is where Debian and Ubuntu write sshd and sudo events; on RHEL-family systems the equivalent file is /var/log/secure.

Mount the configuration file into the Filebeat container. Docker Compose prefixes the network name with the project (directory) name, so the network to join is elk-stack_elk rather than elk (confirm with docker network ls):

docker run -d --name=filebeat --user=root \
  --volume="$(pwd)/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/log:/var/log:ro" \
  --network=elk-stack_elk \
  docker.elastic.co/beats/filebeat:7.17.0 filebeat -e --strict.perms=false

Filebeat refuses a configuration file that is not owned by the user it runs as, which is the usual case for a bind-mounted file written by your own account; --strict.perms=false relaxes that check. Use docker logs filebeat to confirm it has connected to logstash:5044.
IE

Set Up Logstash Pipeline:

Create a logstash.conf file in the elk-stack/logstash/ directory (create the directory first with mkdir -p logstash if it does not exist yet):

input {
  beats {
    port => "5044"
  }
}

filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:logsource} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:log_message}" }
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "security-logs-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}

Two things to watch: %{WORD} matches only letters, digits and underscores, so a hostname containing a hyphen will not parse and the event is indexed with the tag _grokparsefailure and no program or log_message fields; use %{HOSTNAME:logsource} in that case. The stdout output echoes every event into the container log, which is useful for debugging with docker logs -f logstash but should be removed once ingestion works.

Restart the Logstash container to apply the changes:

docker-compose restart logstash

Ingest Logs:

Filebeat will now start shipping security logs (such as login attempts) from /var/log/auth.log to Logstash, which processes the logs and stores them in Elasticsearch. Verify that a daily index has appeared and is receiving documents:

curl 'http://localhost:9200/_cat/indices/security-logs-*?v'
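To make concrete what the grok filter above produces, and what a second parsing stage for sshd and sudo events would add, here is an added Python example (not part of the lab and not Logstash's own code). It re-implements the lab's grok pattern as a regular expression and then classifies each event the way a practitioner would with a second grok or a Logstash conditional. The auth.log lines are constructed samples, and the event_type, user, source_ip and privilege_escalation field names are this example's choice, not fields the lab's pipeline creates.

```python
import re
from typing import Optional

# Regex equivalent of the lab's grok pattern:
#   %{SYSLOGTIMESTAMP:timestamp} %{WORD:logsource} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:log_message}
# One deliberate difference: logsource also accepts '.' and '-' (like grok's HOSTNAME),
# because %{WORD} is \b\w+\b and silently fails on hostnames such as "lab-host".
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>[\w.-]+) "
    r"(?P<program>.*?)(?:\[(?P<pid>[1-9]\d*)\])?: "
    r"(?P<log_message>.*)$"
)

# Second-stage patterns for the events this lab's dashboards and alerts care about.
SSH_FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<source_ip>\S+) port \d+")
SSH_INVALID = re.compile(r"Invalid user (?P<user>\S+) from (?P<source_ip>\S+)")
SSH_ACCEPTED = re.compile(r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<source_ip>\S+) port \d+")
SUDO_COMMAND = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$")

# Constructed sample lines in Debian/Ubuntu auth.log format (not captured from a real host).
SAMPLE_AUTH_LOG = [
    "Feb 10 12:00:01 lab-host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Feb 10 12:00:03 lab-host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Feb 10 12:01:10 lab-host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2",
    "Feb 10 12:02:30 lab-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Feb 10 12:02:30 lab-host sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)",
    "Feb 10 12:03:00 lab-host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_line(line: str) -> Optional[dict]:
    """Stage 1, the grok step: split a syslog-style line into its fields, or return None
    when it does not match (Logstash would keep the raw event and tag it _grokparsefailure)."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    doc = m.groupdict()
    doc["pid"] = int(doc["pid"]) if doc["pid"] else None
    return doc


def classify(doc: dict) -> dict:
    """Stage 2: derive event_type plus user/source_ip from program and log_message."""
    msg = doc["log_message"].strip()
    doc["event_type"] = "other"
    if doc["program"] == "sshd":
        for event_type, pattern in (("ssh_login_failed", SSH_FAILED),
                                    ("ssh_invalid_user", SSH_INVALID),
                                    ("ssh_login_success", SSH_ACCEPTED)):
            m = pattern.search(msg)
            if m:
                doc["event_type"] = event_type
                doc.update(m.groupdict())
                break
    elif doc["program"] == "sudo":
        m = SUDO_COMMAND.match(msg)
        if m:
            doc["event_type"] = "sudo_command"
            doc.update(m.groupdict())
            # A command run through sudo as root is the privilege-escalation event the lab dashboards.
            doc["privilege_escalation"] = m.group("target_user") == "root"
    return doc


def ingest(lines) -> list:
    """Run both stages over raw lines, dropping lines the grok stage cannot parse."""
    docs = (parse_line(line) for line in lines)
    return [classify(doc) for doc in docs if doc is not None]


def count_by(docs, field: str) -> dict:
    """Equivalent of a Kibana terms aggregation on one field (key None = field absent)."""
    counts = {}
    for doc in docs:
        key = doc.get(field)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = ingest(SAMPLE_AUTH_LOG)
    for event in events:
        print(event["timestamp"], event["program"], event["event_type"], event.get("user"), event.get("source_ip"))
    print("by event_type:", count_by(events, "event_type"))
```

The second pam_unix line under sudo and the CRON line both end up as "other" even though they mention root, which is why the dashboards are easier to build on an explicit event_type field than on keyword searches over log_message.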

Task 3: Create Dashboards to Monitor Security Events

Access Kibana Dashboard:

Open Kibana in your browser: http://localhost:5601.

Create Index Pattern:

Go to Stack Management -> Index Patterns -> Create Index Pattern.

Use security-logs-* as the index pattern to match the logs.

Choose the @timestamp field as the time filter. Note that @timestamp is the time Filebeat read the line; the timestamp field extracted by grok holds the time sshd or sudo wrote it, and the two differ if Filebeat catches up on an existing file.

Create Visualizations:

Navigate to Dashboard -> Create new dashboard.

Add visualizations to monitor:

Login Attempts: Use the log_message field and count successful versus failed logins, for example with the KQL filters log_message : "Accepted password" or log_message : "Accepted publickey" against log_message : "Failed password".

Privilege Escalation Attempts: Filter by keywords in log_message related to privilege escalations (e.g., "sudo", "root"). A filter on program : "sudo" and log_message : "COMMAND=" is more precise, since "root" also appears in routine session lines.

Failed SSH Login Attempts: Count failed login attempts from /var/log/auth.log by analyzing SSH failures (program : "sshd" and log_message : "Failed password"), ideally split by the source address so a single brute-forcing host stands out.

Save Dashboards:

Save the visualizations and arrange them on your Kibana dashboard for real-time monitoring.

Task 4: Set Alerts for Suspicious Activities

Configure Kibana Alerts:

In Kibana, go to Alerts and Actions under Stack Management (in 7.17 the page is named Rules and Connectors).

Create a New Alert:

Click Create rule (Create Alert in older releases) and choose the Index threshold rule type.

Set the conditions for triggering an alert, e.g.:

Failed Login Attempts: Set a threshold to trigger an alert if the count of failed login attempts exceeds a certain number in a short time (e.g., more than 5 failed logins in 10 minutes). An Index threshold rule counts every document in the index it is pointed at, so either use the Elasticsearch query rule type with a query that matches "Failed password" in log_message, or have Logstash write failed logins to their own index.

Privilege Escalation Alerts: Configure an alert if the log contains specific keywords (e.g., sudo, root access). Matching on "root" alone also fires on routine events such as cron sessions opened for root and failed logins for root, so prefer a condition on program : "sudo".

Set Up Email Notifications:

Add an Email action (connector) to send notifications to your email, or set up integrations with Slack or a webhook. The Email connector needs SMTP settings. Email, Slack and webhook connectors are subscription features not enabled on the default Basic license, so either start a trial license under License Management or use the free Server log connector to confirm that a rule fires.

Monitor Alerts:

Alerts will now trigger based on suspicious activity like brute-force login attempts or privilege escalations.
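The two rule conditions above can be expressed in a few lines, which is an easy way to check a threshold before committing to it. The following is an added Python example (not from the lab and not Kibana's code): against constructed documents shaped like the ones the pipeline indexes, it performs one evaluation of a count-over-window rule grouped by source address, which is what an Index threshold rule does each time it runs, and compares the keyword form of the privilege-escalation rule with a version that uses structured fields. The event_type, source_ip and target_user fields are assumed to have been added by a Logstash filter; the lab's grok pattern alone does not produce them.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_doc(hhmmss: str, event_type: str, source_ip, message: str, **extra) -> dict:
    """Build a document in the shape the lab's pipeline indexes; @timestamp is the field
    the index pattern uses as its time filter. All samples fall on one constructed day."""
    hour, minute, second = (int(part) for part in hhmmss.split(":"))
    return {"@timestamp": datetime(2024, 2, 10, hour, minute, second), "event_type": event_type,
            "source_ip": source_ip, "log_message": message, **extra}


# Constructed sample documents (not real traffic): one address hammering sshd, one legitimate
# user, one sudo command, and a routine cron session for root that a naive keyword rule flags.
SAMPLE_DOCS = [
    make_doc("12:00:01", "ssh_login_failed", "203.0.113.5", "Failed password for root from 203.0.113.5 port 51234 ssh2"),
    make_doc("12:00:03", "ssh_login_failed", "203.0.113.5", "Failed password for admin from 203.0.113.5 port 51236 ssh2"),
    make_doc("12:00:05", "ssh_login_failed", "203.0.113.5", "Failed password for invalid user test from 203.0.113.5 port 51238 ssh2"),
    make_doc("12:01:00", "ssh_login_failed", "203.0.113.5", "Failed password for root from 203.0.113.5 port 51240 ssh2"),
    make_doc("12:02:00", "ssh_login_failed", "203.0.113.5", "Failed password for root from 203.0.113.5 port 51242 ssh2"),
    make_doc("12:03:00", "ssh_login_failed", "203.0.113.5", "Failed password for root from 203.0.113.5 port 51244 ssh2"),
    make_doc("12:01:30", "ssh_login_failed", "198.51.100.7", "Failed password for alice from 198.51.100.7 port 40020 ssh2"),
    make_doc("12:01:40", "ssh_login_success", "198.51.100.7", "Accepted password for alice from 198.51.100.7 port 40022 ssh2"),
    make_doc("12:05:00", "sudo_command", None, "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
             user="alice", target_user="root"),
    make_doc("12:06:00", "other", None, "pam_unix(cron:session): session opened for user root by (uid=0)"),
]


def index_threshold_rule(docs, now: datetime, *, event_type: str, group_by: str,
                         threshold: int, window: timedelta) -> dict:
    """One evaluation of a Kibana-style Index threshold rule: count documents of one event_type
    with a timestamp in (now - window, now], grouped by a field, and return every group whose
    count is above the threshold (group -> count)."""
    start = now - window
    counts = defaultdict(int)
    for doc in docs:
        if doc["event_type"] == event_type and start < doc["@timestamp"] <= now:
            counts[doc[group_by]] += 1
    return {group: n for group, n in counts.items() if n > threshold}


ESCALATION_KEYWORDS = ("sudo", "root")


def keyword_rule(docs, keywords=ESCALATION_KEYWORDS) -> list:
    """The lab's keyword condition: any message containing 'sudo' or 'root'. Noisy, because
    'root' also appears in failed logins *for* root and in pam/cron session lines."""
    return [doc for doc in docs if any(word in doc["log_message"] for word in keywords)]


def structured_rule(docs) -> list:
    """Tighter condition: a sudo command whose target user is root."""
    return [doc for doc in docs
            if doc["event_type"] == "sudo_command" and doc.get("target_user") == "root"]


if __name__ == "__main__":
    now = datetime(2024, 2, 10, 12, 10, 0)
    fired = index_threshold_rule(SAMPLE_DOCS, now, event_type="ssh_login_failed",
                                 group_by="source_ip", threshold=5, window=timedelta(minutes=10))
    print("brute-force alert at", now.time(), "->", fired)
    print("keyword rule matched", len(keyword_rule(SAMPLE_DOCS)), "docs;",
          "structured rule matched", len(structured_rule(SAMPLE_DOCS)))
```

Evaluated at 12:10 the threshold rule fires only for 203.0.113.5 (six failures inside the window), while 198.51.100.7 with a single failure stays quiet; evaluated at 12:20 it fires for nothing, because the window has slid past the burst. That is why a rule's check interval must be shorter than its window, otherwise a burst can fall between two evaluations. The keyword rule matches six of the ten documents, four of them ordinary failed logins for root; the structured rule matches only the sudo command.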

Conclusion

By following these steps, you will have successfully deployed the ELK Stack, ingested security logs, created dashboards for monitoring security events, and set up alerts for suspicious activities.
