-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathKali Purple ELK SIEM Installation Guide.txt
91 lines (56 loc) · 3.48 KB
/
Kali Purple ELK SIEM Installation Guide.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Caution:
Before begining the installation make sure you have configured manual IP address and Internet accessability
# Elastic stack installation
# 1. Install dependencies:
# ------------------------
sudo apt-get install curl
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/elastic-archive-keyring.gpg
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo bash -c "export HOSTNAME=kali-purple.kali.purple; apt-get install elasticsearch -y"
# take note of "elastic" user password
# 2. Convert to single-node setup (or replace fqdn name in initial_master_nodes list with IP address):
# -----------------------------------------------------------------------------------------------------
sudo sed -e '/cluster.initial_master_nodes/ s/^#*/#/' -i /etc/elasticsearch/elasticsearch.yml
echo "discovery.type: single-node" | sudo tee -a /etc/elasticsearch/elasticsearch.yml
# 3. Install Kibana:
# ------------------
sudo apt install kibana
sudo /usr/share/kibana/bin/kibana-encryption-keys generate -q
# Add keys to /etc/kibana/kibana.yml
echo "server.host: \"kali-purple.kali.purple\"" | sudo tee -a /etc/kibana/kibana.yml
# Ensure kali-purple.kali.purple is only mapped to 192.168.253.5 in /etc/hosts in order to bind Kibana to that interface
sudo systemctl enable elasticsearch kibana --now
# 4. Enroll Kibana:
# -----------------
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
# open browser and navigate to http://192.168.253.5:5601
# enter username=elastic and password as displayed after installation
# paste token from above
sudo /usr/share/kibana/bin/kibana-verification-code
# enter verification code into Kibana when prompted
# 4.Enable HTTPS for Kibana:
# --------------------------
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns kali-purple.kali.purple,elastic.kali.purple,kali-purple --out kibana-server.p12
sudo openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.crt -clcerts -nokeys
sudo openssl pkcs12 -in /usr/share/elasticsearch/kibana-server.p12 -out /etc/kibana/kibana-server.key -nocerts -nodes
sudo chown root:kibana /etc/kibana/kibana-server.key
sudo chown root:kibana /etc/kibana/kibana-server.crt
sudo chmod 660 /etc/kibana/kibana-server.key
sudo chmod 660 /etc/kibana/kibana-server.crt
echo "server.ssl.enabled: true" | sudo tee -a /etc/kibana/kibana.yml
echo "server.ssl.certificate: /etc/kibana/kibana-server.crt" | sudo tee -a /etc/kibana/kibana.yml
echo "server.ssl.key: /etc/kibana/kibana-server.key" | sudo tee -a /etc/kibana/kibana.yml
echo "server.publicBaseUrl: \"https://kali-purple.kali.purple:5601\"" | sudo tee -a /etc/kibana/kibana.yml
sudo systemctl restart kibana
# After completing the installation install Elastic Agent, Fleet Server and Elastic Endpoint to complete the stack
# Install OpenVas with
sudo systemctl enable postgresql
sudo systemctl start postgresql
sudo apt -y install gvm*
sudo gvm-setup
# Copy the user password for admin and complete installation
sudo gvm-check-setup
sudo gvm-start
# Browse the https://IP:9392 to access OpenVAS application
# Integrate OpenVAS with Elastic Stack XDR platform to share vulnerability assessment reports for Elastic security TI information