Elasticstack (ELK), Suricata and pfSense Firewall – Part 2: Elasticstack Installation and Config

Introduction

This is the second article in a series documenting the use of the Elastic Stack to report on log data from the Suricata IDPS running on the open source pfSense firewall.

This part 2 article covers the installation of the Elastic Stack onto an Ubuntu Server and the configuration of Logstash and Kibana to consume and display the logs.

Part 1 covered the installation and configuration of Elastic Filebeat on pfSense to ship logs to this server. Presenting the Suricata information in visualisations and dashboards will be covered in a later part.

This series of articles presumes you have a working pfSense system with the Suricata pfSense package installed, configured and working.

Installation of Elasticstack onto Ubuntu Server

Prerequisites

A server (virtual or physical) running Ubuntu Server is required. The version used for these articles was 16.04.2 LTS. It is probably a good idea to install the SSH server package and your editor of choice to make things easy.
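
If the SSH server is not already present it can be added from the standard Ubuntu repositories; the package name below (openssh-server) is the usual Ubuntu package:

sudo apt-get install openssh-server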

Install Java (JVM)

As detailed in the Elasticsearch installation pages, Elasticstack requires at least Java 8 to run. Only Oracle’s Java and the OpenJDK are supported. Perform the following steps from a command prompt to install Oracle Java:

Add Oracle Java Repository:

sudo add-apt-repository ppa:webupd8team/java

Update the package lists from the repositories:

sudo apt-get update

Install Java 8:

sudo apt-get install oracle-java8-installer
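
Once the installer has finished, it is worth confirming that Java 8 is now the active runtime before continuing (the exact version string will vary with the update level installed):

java -version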

Install Elasticstack – Elasticsearch, Logstash and Kibana (V5.x)

Prepare

Download and install the apt-transport-https package (Debian). This allows apt to access packages from sources served over HTTPS:

sudo apt-get install apt-transport-https

Download and install the public GPG signing key for Elasticstack:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Add the Elasticsearch 5.x Repository:

echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

Update the package lists from the repositories:

sudo apt-get update

Install

Install each package:

sudo apt-get install elasticsearch
sudo apt-get install logstash
sudo apt-get install kibana
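
Optionally, confirm which versions were installed from the 5.x repository (the exact versions reported will depend on the current 5.x release):

dpkg -l elasticsearch logstash kibana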

Configure Elasticstack

Configure Kibana

Open the Kibana config file in your preferred editor (nano is used here):

sudo nano /etc/kibana/kibana.yml

Amend the file to include the following settings, which set the port the Kibana server listens on and which interfaces to bind to (0.0.0.0 indicates all interfaces):

server.port: 5601
server.host: "0.0.0.0"

Configure Logstash Pipeline

To configure Logstash, you create one or more config files that specify which plugins to use and the settings for each plugin. Logstash reads all of the files in /etc/logstash/conf.d, in order, to build the pipeline configuration. A single file can be used, but this article uses multiple files to separate the logical parts of the Logstash ‘pipeline’ and make them slightly easier to edit. Beware, however, that when Logstash reports configuration errors it counts lines as if the files were concatenated, which can confuse matters: a file with only 20 lines may contain an error that is reported as being on line 87, for instance. Numeric prefixes are used on the file names here to keep the ordering deterministic, as the order of configuration is important in the Logstash pipeline.

Change to Logstash configuration directory

cd /etc/logstash/conf.d

Create the following configuration file, which is used to hold the ‘inputs’ section of the Logstash pipeline config:

sudo nano 01-inputs.conf

Paste the following config into the file and save it. It sets Logstash to accept syslog inputs on port 5140 (TCP and UDP) and also allows Elastic Beats log shippers to input data via port 5044/tcp.

# tcp syslog stream via 5140
input {
  tcp {
    type => "syslog"
    port => 5140
  }
}

# udp syslog stream via 5140
input {
  udp {
    type => "syslog"
    port => 5140
  }
}

# Elastic Beats input
input {
  beats {
    port => 5044
  }
}
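
As an aside, once Logstash is running (covered later in this article) the syslog input can be exercised with the standard logger utility. The flags below are those provided by the util-linux logger on Ubuntu 16.04 and send a single UDP test message to port 5140; check your logger man page if the options differ:

logger -n 127.0.0.1 -P 5140 -d -t test "Logstash syslog input test"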

Create the following configuration file which is used to hold the ‘outputs’ section of the Logstash pipeline config:

sudo nano 30-outputs.conf

Paste the following config into the file and save it. This sends the output of the pipeline to Elasticsearch on localhost. The output will be sent to a daily index based upon the timestamp of each event passing through the Logstash pipeline.

output {
  elasticsearch {
    hosts => ["localhost"]
    index => "logstash-%{+YYYY.MM.dd}"
  }
  # stdout { codec => rubydebug }
}

Basic pipeline configuration is now complete.
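
Before starting the Logstash service it is worth validating the files just created. The following invocation is a sketch assuming the default 5.x package layout (settings in /etc/logstash, pipeline files in /etc/logstash/conf.d); it parses the pipeline configuration and exits without processing any events, and running it as the logstash user avoids leaving root-owned files in the Logstash log directory:

sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit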

With the above input and output statements, Logstash will accept input from syslog and from the Filebeat log forwarder configured in Part 1. It will not perform any processing, and will output the entries into Elasticsearch indexes as received. If the input were plain syslog messages, each entry would arrive as a single string field and various processing filters would be needed to extract the data into relevant fields. As we are using Filebeat and a JSON log format from Suricata, the fields are described along with the data and each record is inserted into Elasticsearch with those fields already defined. If you recall, I mentioned in Part 1 that using JSON would require far less processing. In the next article we will configure some processing in the Logstash pipeline to enrich the data and provide more fields to enhance the visualisations.

Configure Services for automatic start at boot-time

The following commands will set the services to start at boot time:

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo /bin/systemctl enable kibana.service
sudo /bin/systemctl enable logstash.service
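
You can verify that all three units are now enabled for boot-time start (each should report ‘enabled’):

systemctl is-enabled elasticsearch.service kibana.service logstash.service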

 

Manual Start

If you don’t wish to reboot your server at this time you can start the services manually with the commands below. start can be replaced with restart or stop to control the services manually later on:

sudo -i service elasticsearch start
sudo -i service kibana start
sudo -i service logstash start
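
Once started, a quick check that everything is listening on the expected ports can be made with ss; the port numbers here assume the Kibana and Logstash configuration used earlier in this article (9200 Elasticsearch, 5601 Kibana, 5044 Beats, 5140 syslog):

sudo ss -tulpn | grep -E '9200|5601|5044|5140'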

Configure an index pattern and discover data

As long as the services are started and active, your server should start to receive data and place it into the indexes. In order to see the data in the indexes, Kibana needs to have an index pattern configured:

Access Kibana by pointing your browser to http://ip-or-host-name:5601 and go to the Management > Index Patterns page:

Enter logstash-* as the index pattern (matching the daily indexes created by the output configuration above), pick @timestamp as the time filter field name and click ‘Create’. You may have to wait for indexes to be populated before this will work, so make sure Filebeat is started on the pfSense box.
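
If Kibana reports that no matching indexes exist yet, you can check directly whether any daily logstash-* indexes have been created on the local Elasticsearch instance:

curl -X GET 'http://localhost:9200/_cat/indices?v'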

 

Troubleshooting

This section details some commands to check that the services are running and to check their status.

Elasticsearch

Command to check service is active and communicating:

curl -X GET http://localhost:9200

Expected output, similar to the following:

{
 "name" : "BybYZVF",
 "cluster_name" : "elasticsearch",
 "cluster_uuid" : "-AAlgSUUTz6RGMmuNgFglw",
 "version" : {
 "number" : "5.5.0",
 "build_hash" : "260387d",
 "build_date" : "2017-06-30T23:16:05.735Z",
 "build_snapshot" : false,
 "lucene_version" : "6.6.0"
 },
 "tagline" : "You Know, for Search"
}

Command to check service status:

systemctl status elasticsearch.service

Expected Output

 elasticsearch.service - Elasticsearch
 Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
 Active: active (running) since Wed 2017-07-12 07:37:27 BST; 1 day 13h ago
 Docs: http://www.elastic.co
 Process: 1252 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 1270 (java)
 Tasks: 72
 Memory: 2.4G
 CPU: 31min 35.976s
 CGroup: /system.slice/elasticsearch.service
 └─1270 /usr/bin/java -Xms2g -Xmx2g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -server

Jul 12 07:37:27 UbuntuELK systemd[1]: Starting Elasticsearch...
Jul 12 07:37:27 UbuntuELK systemd[1]: Started Elasticsearch.

Kibana

Command to check service status:

systemctl status kibana.service

Expected output, similar to this:

 kibana.service - Kibana
 Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
 Active: active (running) since Wed 2017-07-12 07:37:25 BST; 1 day 13h ago
 Main PID: 997 (node)
 Tasks: 10
 Memory: 80.9M
 CPU: 13min 57.212s
 CGroup: /system.slice/kibana.service
 └─997 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml

Jul 13 20:55:30 UbuntuELK kibana[997]: {"type":"response","@timestamp":"2017-07-13T19:55:30Z","tags":[],"pid":997,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-16x16.png","m

Logstash

Command to check service status:

systemctl status logstash.service

Expected Output:

 logstash.service - logstash
 Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
 Active: active (running) since Wed 2017-07-12 07:37:25 BST; 1 day 13h ago
 Main PID: 980 (java)
 Tasks: 59
 Memory: 636.5M
 CPU: 3h 21min 19.456s
 CGroup: /system.slice/logstash.service
 └─980 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=true -

Jul 12 07:37:25 UbuntuELK systemd[1]: Started logstash.

Logstash logs can be found in the following location; use cat, tail or your editor of choice to view them:

/var/log/logstash

A manual run of Logstash against a specific config file can be carried out using:

/usr/share/logstash/bin/logstash -f ./logstash-filter.conf
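
To follow the Logstash log in real time while testing, tail can be used; the plain-text log file name shown here is the default for a 5.x package installation:

tail -f /var/log/logstash/logstash-plain.log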

Conclusion

Part 1 provided the detail to ship logs, using Elastic Filebeat, from Suricata on pfSense to a Logstash process on a remote server. This article has covered setting up an Elasticstack instance on an Ubuntu server, with Logstash configured to consume those logs and populate an Elasticsearch index. The next part in the series (Part 3) will cover more advanced configuration of Logstash to add further information to each record as it is processed. This will then feed into providing advanced visualisations in further parts.