CentOS 7, ELK Stack

ELK Stack with CentOS7

Supporting Tools

sudo yum install java-1.8.0-openjdk nano wget net-tools telnet htop

Nginx & Configuration

sudo yum install epel-release
sudo yum install nginx
sudo systemctl start nginx

sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload

sudo systemctl enable nginx

Elasticsearch & Configuration

sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

sudo vi /etc/yum.repos.d/elasticsearch.repo
[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

sudo yum install elasticsearch

Change and add the config below in /etc/elasticsearch/elasticsearch.yml
network.host: hostip
http.port: 9200
discovery.zen.ping.unicast.hosts: ["hostip", "hostip:9200"]
cluster.initial_master_nodes: hostip
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

Note: on 7.x discovery.zen.ping.unicast.hosts is deprecated (discovery.seed_hosts is the replacement, the old key still works with a warning), and xpack.security.transport.ssl.enabled: true also needs a transport key and certificate configured (not shown in these notes), otherwise Elasticsearch refuses to start.

Change password for default elastic account (Elasticsearch must already be running)
sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Enter password for [elastic]
Enter password for [kibana]
Enter password for [logstash_system]
Enter password for [apm_system]
Enter password for [beats_system]
Enter password for [remote_monitoring_user]

sudo firewall-cmd --permanent --zone=public --add-port=9200/tcp
sudo firewall-cmd --reload

Configure Data Directory
sudo mv /var/lib/elasticsearch /folder/destination
Change elasticsearch.yml
path.data: /folder/destination
sudo chown -R elasticsearch:elasticsearch /folder/destination

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

curl -X GET "hostip:9200" -u username:password
(localhost:9200 only answers if network.host includes the loopback address)

Kibana & Configuration

sudo yum install kibana

sudo systemctl enable kibana
sudo systemctl start kibana

Configure /etc/kibana/kibana.yml
server.port: 5601
server.host: "hostip"
elasticsearch.hosts: ["http://hostip:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "whateverpasswordyouset"

Cert & Key for the NGINX Reverse Proxy (extracted from a PFX)
openssl pkcs12 -in domain.pfx -nocerts -out domain.key
openssl rsa -in domain.key -out domain_nopem.key
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
domain.key still carries the PEM passphrase set during export; domain_nopem.key is the passphrase-free key nginx needs.

Copy the cert & key files to a separate location, example below
sudo cp -r /cert/folder/ /etc/nginx/certfolder
sudo chown nginx:nginx /etc/nginx/certfolder/domain_nopem.key
sudo chown nginx:nginx /etc/nginx/certfolder/domain.crt
sudo chmod 600 /etc/nginx/certfolder/domain_nopem.key

Only open 5601 if Kibana must be reachable directly; otherwise leave it closed so every request goes through the NGINX TLS proxy on 443
sudo firewall-cmd --permanent --zone=public --add-port=5601/tcp
sudo firewall-cmd --reload

Nginx Conf

sudo vi /etc/nginx/conf.d/domain.conf

server {
    listen 443 ssl;
    ssl_certificate /folder/location/certfilename.crt;
    ssl_certificate_key /folder/location/certfilename.key;   # the passphrase-free key (domain_nopem.key above)
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;

    server_name hostname privateip;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;   # placeholder path; create it with: sudo htpasswd -c /etc/nginx/htpasswd.users username (htpasswd is in httpd-tools)

    location / {
        proxy_pass http://hostip:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

SELinux
sudo setsebool -P httpd_can_network_connect 1

sudo nginx -t
sudo systemctl restart nginx
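As an added example (not part of these notes, and not Elastic's or nginx's own tooling): a small Python audit that reads the elasticsearch.yml keys and the nginx server block used above and flags the weak or broken settings discussed here (plaintext listen or deprecated "ssl on", TLSv1/1.1, auth_basic with no user file, whitespace in proxy_pass, missing server_tokens off, security disabled, the deprecated zen discovery key). The embedded server block is constructed from the conf as first written above, before the fixes.

```python
import re

def parse_yml(text):
    """Flat 'key: value' reader, enough for the elasticsearch.yml keys used in these notes."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def audit_elasticsearch(es_yml):
    cfg, findings = parse_yml(es_yml), []
    if cfg.get("xpack.security.enabled") != "true":
        findings.append("es: xpack.security.enabled is not true, port 9200 has no authentication")
    if cfg.get("network.host") in ("0.0.0.0", "_global_"):
        findings.append("es: network.host binds every interface")
    if "discovery.zen.ping.unicast.hosts" in cfg and "discovery.seed_hosts" not in cfg:
        findings.append("es: discovery.zen.ping.unicast.hosts is deprecated in 7.x, use discovery.seed_hosts")
    return findings

def audit_nginx(conf):
    d, findings = {}, []  # d: directive name -> list of argument strings, e.g. listen -> ['443 ssl']
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}\n]*);", conf, re.M):
        d.setdefault(m.group(1), []).append(m.group(2).strip())
    if d.get("ssl") == ["on"]:
        findings.append("nginx: 'ssl on' is deprecated, use 'listen 443 ssl'")
    elif not any("ssl" in v.split() for v in d.get("listen", [])):
        findings.append("nginx: listen has no ssl flag, the proxy serves plaintext")
    if any(p in ("TLSv1", "TLSv1.1") for v in d.get("ssl_protocols", []) for p in v.split()):
        findings.append("nginx: ssl_protocols still allows TLSv1/TLSv1.1")
    if "auth_basic" in d and "auth_basic_user_file" not in d:
        findings.append("nginx: auth_basic without auth_basic_user_file, nginx cannot authenticate anyone")
    if d.get("server_tokens") != ["off"]:
        findings.append("nginx: server_tokens is not off, the nginx version is disclosed in headers")
    if any(re.search(r"\s", v) for v in d.get("proxy_pass", [])):
        findings.append("nginx: proxy_pass URL contains whitespace and will not resolve")
    return findings

# Constructed sample: the server block as first written in these notes, before the fixes.
WEAK_NGINX = """server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1.1 TLSv1.2;
    auth_basic "Restricted Access";
    location / {
        proxy_pass http:// hostip:5601;
    }
}"""
```

Run audit_nginx(WEAK_NGINX) to see the five findings; feed it the corrected server block and the list is empty.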

Logstash & Configuration

sudo yum install logstash

sudo systemctl start logstash
sudo systemctl enable logstash

sudo firewall-cmd --permanent --zone=public --add-port=5044/tcp
sudo firewall-cmd --reload

Multiple Config Setup

sudo nano /etc/logstash/pipelines.yml

Disable default config
#- pipeline.id: main
#  path.config: "/etc/logstash/conf.d/*.conf"

Add new config based on requirement, sample below
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"
- pipeline.id: sophos
  path.config: "/etc/logstash/conf.d/sophos/*.conf"
- pipeline.id: CISCO
  path.config: "/etc/logstash/conf.d/CISCO/*.conf"

Account & Roles Creation

Create Users
In Kibana: Management – Security – Users, then click “Create user”.

Create Roles
In Kibana: Management – Security – Roles, then click “Create role”.
