SlideShare a Scribd company logo

Practical Security Monitoring with ELKStack

Eguardian Global Services, profile picture
Eguardian Global Services

The document outlines the implementation of continuous security monitoring using the ELK stack, which includes Elasticsearch, Kibana, and Logstash, along with setup instructions and configuration files. It discusses the functions and benefits of Security Information and Event Management (SIEM) systems, emphasizing cost-effective deployment options. Additionally, it provides minimum hardware requirements for installation and details on using the tools for real-time data analysis and log management.

Technology
1 of 30
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Practical Security Monitoring with ELKStack
Practical Security Monitoring with ELKStack
Contents  Why continuous security monitoring  Intro to ELK Stack  Install Elasticsearch and Cerebro  Install Kibana and create dashboards  Install Logstash and create config files  Install filebeat agent and forward logs
CONTINUOUS SECURITY MONITORING INTRODUCTION TO
Security Systems In Use  Firewall  Antivirus software  Web application firewall (waf)
SIEM
"In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM).They provide real-time analysis of security alerts generated by applications and network hardware." Wikipedia SIEM
The general perception is that setting up SIEM is a very expensive exercise, however with the right knowledge and skill it can be done at a fraction of the cost.
Functions of a SIEM Logs Log Aggregator Log Broker Correlation rules Logs Logs Logs Storage Visualization
Continuous Security Monitoring  End point security monitoring  Network security monitoring
ELK STACK PRACTICAL SECURITY MONITORING WITH
Practical Security Monitoring with ELKStack
Functions of a SIEM Logs Log Aggregator Log Broker Correlation rules Logs Logs Logs Storage Visualization
Elastic Stack vs Commercial SIEM  Elastic Stack  Free, Paid support features  Outstanding visualizations  Advanced log enrichments  Capable handling high volume • Commercial SIEM • Licensed on volume, log sources, events per second • Limited log enrichment • High volume = High cost
Minimum Hardware Requirements  Ram: 8GB  Storage: 40GB  2 Network interfaces  CPU: 64-bit 2.0+ GHz processor or higher
ELASTICSEARC H
Install Elasticsearch #sudo dpkg -i elasticsearch-6.0.0.deb Config files locations:- Elasticsearch has three configuration files:  elasticsearch.yml for configuring Elasticsearch  jvm.options for configuring Elasticsearch JVM settings  log4j2.properties for configuring Elasticsearch logging
Elasticsearch  Distributed, real-time data store, real-time analysis full text search engine  Opensource  Highly scalable
Indices, Shards and Replicas  An index is stored on a node, which is a part of a cluster  Indices are broken into shards  Each shard is either a primary or replica  Each log item is a document that contains fields and values
CEREBRO
Cerebro  Cerebro is an opensource Elasticsearh web admin tool  Displays cluster health  Makes index managements easy
Install Cerebro #sudo unzip cerebro-0.7.1.zip -d /opt #sudo mv /opt/cerebro-0.7.1/ /opt/cerebro/ Create a user for cerebro #sudo useradd cerebro Give permissions for the user #sudo chown -R cerebro: /opt/cerebro/ Create a service for cerebro #sudo cp cerebro.service /etc/systemd/system #sudo systemctl daemon-reload #sudo systemctl enable cerebro.service #sudo service cerebro start
KIBANA
Install Kibana #sudo dpkg -i kibana-6.0.0-amd64.deb Enable kibana service #sudo systemctl enable kibana.service Start kibana service #sudo service kibana start
LOGSTASH
Install Logstash #sudo dpkg -I logstash-6.2.1.deb Config file jvm.options
Logstash Config File Format input{ } filter{ } output{ }
Logstash Config File Format input { stdin { codec => "json" } } filter { if [event_id] == 123 { drop { } } } output { stdout { codec => rubydebug } }
THANK YOU
FOLLOW US ON /econIntconference @econ_int @int.econ

More Related Content

PDF
Router Defense - BRUcon 2010
fropert
 
PPT
OpenStack - Security Professionals Information Exchange
Cybera Inc.
 
PPTX
Best Practices to Secure Your Kubernetes Cluster
Stefano Tempesta
 
PDF
Oscar Cabanillas - Elastic - OSL19
marketingsyone
 
PDF
Microservices: Notes From The Field
Apcera
 
PDF
Apcera: Agility and Security in Docker Delivery
Apcera
 
PPTX
Remediate and secure your organization with azure sentinel
Samik Roy
 
PDF
Docker + App Container = ocp
Apcera
 
Router Defense - BRUcon 2010
fropert
 
OpenStack - Security Professionals Information Exchange
Cybera Inc.
 
Best Practices to Secure Your Kubernetes Cluster
Stefano Tempesta
 
Oscar Cabanillas - Elastic - OSL19
marketingsyone
 
Microservices: Notes From The Field
Apcera
 
Apcera: Agility and Security in Docker Delivery
Apcera
 
Remediate and secure your organization with azure sentinel
Samik Roy
 
Docker + App Container = ocp
Apcera
 

Similar to Practical Security Monitoring with ELKStack (20)

PDF
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Janith Malinga
 
PPTX
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PPTX
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
PDF
2015 03-16-elk at-bsides
Jeremy Cohoe
 
PPTX
Installation of Elastic search Blue Teams.pptx
PhongTrn639136
 
PDF
Log analysis with the elk stack
Vikrant Chauhan
 
PPTX
The Elastic Stack as a SIEM
John Hubbard
 
PDF
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
PPTX
It Shore Beats Working: Configuring Elasticsearch to get the Most out of Clo...
Ipro Tech
 
PPTX
ELK Ruminating on Logs (Zendcon 2016)
Mathew Beane
 
PPTX
MySQL Audit using Percona audit plugin and ELK
YoungHeon (Roy) Kim
 
PDF
Null Bachaav - May 07 Attack Monitoring workshop.
Prajal Kulkarni
 
PDF
ELK stack introduction
abenyeung1
 
PDF
Log analysis with elastic stack
Bangladesh Network Operators Group
 
PDF
Logs aggregation and analysis
Divante
 
PPTX
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
PPTX
Elk ruminating on logs
Mathew Beane
 
PDF
Elasticsearch
Shagun Rathore
 
PDF
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
 
PDF
The elastic stack on docker
SmartWave
 
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Janith Malinga
 
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Introduction to Monitoring Tools for DevOps
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
2015 03-16-elk at-bsides
Jeremy Cohoe
 
Installation of Elastic search Blue Teams.pptx
PhongTrn639136
 
Log analysis with the elk stack
Vikrant Chauhan
 
The Elastic Stack as a SIEM
John Hubbard
 
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
It Shore Beats Working: Configuring Elasticsearch to get the Most out of Clo...
Ipro Tech
 
ELK Ruminating on Logs (Zendcon 2016)
Mathew Beane
 
MySQL Audit using Percona audit plugin and ELK
YoungHeon (Roy) Kim
 
Null Bachaav - May 07 Attack Monitoring workshop.
Prajal Kulkarni
 
ELK stack introduction
abenyeung1
 
Log analysis with elastic stack
Bangladesh Network Operators Group
 
Logs aggregation and analysis
Divante
 
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
Elk ruminating on logs
Mathew Beane
 
Elasticsearch
Shagun Rathore
 
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
 
The elastic stack on docker
SmartWave
 
Ad

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Encapsulation theory and applications.pdf
gurumoop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Ad

Practical Security Monitoring with ELKStack

  • 3. Contents  Why continuous security monitoring  Intro to ELK Stack  Install Elasticsearch and Cerebro  Install Kibana and create dashboards  Install Logstash and create config files  Install filebeat agent and forward logs
  • 5. Security Systems In Use  Firewall  Antivirus software  Web application firewall (waf)
  • 7. "In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM).They provide real-time analysis of security alerts generated by applications and network hardware." Wikipedia SIEM
  • 8. The general perception is that setting up SIEM is a very expensive exercise, however with the right knowledge and skill it can be done at a fraction of the cost.
  • 9. Functions of a SIEM Logs Log Aggregator Log Broker Correlation rules Logs Logs Logs Storage Visualization
  • 10. Continuous Security Monitoring  End point security monitoring  Network security monitoring
  • 13. Functions of a SIEM Logs Log Aggregator Log Broker Correlation rules Logs Logs Logs Storage Visualization
  • 14. Elastic Stack vs Commercial SIEM  Elastic Stack  Free, Paid support features  Outstanding visualizations  Advanced log enrichments  Capable handling high volume • Commercial SIEM • Licensed on volume, log sources, events per second • Limited log enrichment • High volume = High cost
  • 15. Minimum Hardware Requirements  Ram: 8GB  Storage: 40GB  2 Network interfaces  CPU: 64-bit 2.0+ GHz processor or higher
  • 17. Install Elasticsearch #sudo dpkg -i elasticsearch-6.0.0.deb Config files locations:- Elasticsearch has three configuration files:  elasticsearch.yml for configuring Elasticsearch  jvm.options for configuring Elasticsearch JVM settings  log4j2.properties for configuring Elasticsearch logging
  • 18. Elasticsearch  Distributed, real-time data store, real-time analysis full text search engine  Opensource  Highly scalable
  • 19. Indices, Shards and Replicas  An index is stored on a node, which is a part of a cluster  Indices are broken into shards  Each shard is either a primary or replica  Each log item is a document that contains fields and values
  • 21. Cerebro  Cerebro is an opensource Elasticsearh web admin tool  Displays cluster health  Makes index managements easy
  • 22. Install Cerebro #sudo unzip cerebro-0.7.1.zip -d /opt #sudo mv /opt/cerebro-0.7.1/ /opt/cerebro/ Create a user for cerebro #sudo useradd cerebro Give permissions for the user #sudo chown -R cerebro: /opt/cerebro/ Create a service for cerebro #sudo cp cerebro.service /etc/systemd/system #sudo systemctl daemon-reload #sudo systemctl enable cerebro.service #sudo service cerebro start
  • 24. Install Kibana #sudo dpkg -i kibana-6.0.0-amd64.deb Enable kibana service #sudo systemctl enable kibana.service Start kibana service #sudo service kibana start
  • 26. Install Logstash #sudo dpkg -I logstash-6.2.1.deb Config file jvm.options
  • 27. Logstash Config File Format input{ } filter{ } output{ }
  • 28. Logstash Config File Format input { stdin { codec => "json" } } filter { if [event_id] == 123 { drop { } } } output { stdout { codec => rubydebug } }
  • 30. FOLLOW US ON /econIntconference @econ_int @int.econ