As per my promise or I can say mention of pfSense installation I am presenting the installation guide. By the way, I just copied every step from the GitHub repository document if anyone is wondering. Steps given in the official documentation are perfect and straight forward. I honestly rewrote it because I was running out of ideas and I promised it in the previous post. <\/p>\n\n\n\n
But one thing I would say that if you are a beginner like me don’t use scripted install, do it manually. It is good to know what components are being installed to get it done. <\/p>\n\n\n\n
The one important thing I would say about ELK (btw, I have told this many times before but I need content, JK ;)) is that it is a base for so many SIEM and cannot be neglected from learning it from the base. You can customize it so much to basically make it look like you :). Now enough of these fillers let’s get straight into the content.<\/p>\n\n\n\n
Note: This is tested in ubuntu<\/p>\n\n\n\n
sudo add-apt-repository ppa:linuxuprising\/java<\/code><\/pre>\n\n\n\n- Adding Maxmind repository <\/li><\/ul>\n\n\n\n
sudo add-apt-repository ppa:maxmind\/ppa<\/code><\/pre>\n\n\n\n- Download and install the public GPG signing key <\/li><\/ul>\n\n\n\n
wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | sudo apt-key add -<\/code><\/pre>\n\n\n\n- Install apt-transport-https package <\/li><\/ul>\n\n\n\n
sudo apt-get install apt-transport-https<\/code><\/pre>\n\n\n\n- Add ELK repository<\/li><\/ul>\n\n\n\n
echo \"deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main\" | sudo tee -a \/etc\/apt\/sources.list.d\/elastic-7.x.list<\/code><\/pre>\n\n\n\n- Update the repository <\/li><\/ul>\n\n\n\n
sudo apt-get update<\/code><\/pre>\n\n\n\n- Install Java 13 <\/li><\/ul>\n\n\n\n
sudo apt-get install oracle-java13-installer<\/code><\/pre>\n\n\n\n- Install Maxmind GeoIP database provider package <\/li><\/ul>\n\n\n\n
sudo apt install geoipupdate<\/code><\/pre>\n\n\n\n- Configuring Maxmind
- Create Maxmind account by going to following link https:\/\/www.maxmind.com\/en\/geolite2\/signup<\/li>
- Login to your Max Mind Account; navigate to “My License Key” under “Services” and Generate new license key
- If asked create a config file. Select one that will create one. <\/li><\/ul><\/li><\/ul><\/li>
- Now edit the config file for max mind <\/li><\/ul>\n\n\n\n
sudo nano \/etc\/GeoIP.conf<\/code><\/pre>\n\n\n\n- Modify lines 7 & 8 as follows (Replace 000 with your number) <\/li><\/ul>\n\n\n\n
AccountID 0000\nLicenseKey 0000<\/code><\/pre>\n\n\n\n- Modify line 13 as follows <\/li><\/ul>\n\n\n\n
EditionIDs GeoLite2-City GeoLite2-Country GeoLite2-ASN<\/code><\/pre>\n\n\n\n- Download the GeoIP database <\/li><\/ul>\n\n\n\n
sudo geoipupdate -d \/usr\/share\/GeoIP\/<\/code><\/pre>\n\n\n\n- Add cron job to update GeoIP database
- Create a new cron job file <\/li><\/ul><\/li><\/ul>\n\n\n\n
sudo nano \/etc\/cron.weekly\/geoipupdate<\/code><\/pre>\n\n\n\n- Add following line into the file <\/li><\/ul>\n\n\n\n
0 1 * * * geoipupdate -d \/usr\/share\/GeoIP<\/code><\/pre>\n\n\n\n- Let’s get to the installation of ElasticStack <\/li><\/ul>\n\n\n\n
sudo apt-get install elasticsearch && sudo apt-get install kibana && sudo apt-get install logstash<\/code><\/pre>\n\n\n\n- Edit Kibana Configuration <\/li><\/ul>\n\n\n\n
sudo nano \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n- Modify the following items <\/li><\/ul>\n\n\n\n
server.port: 5601\nserver.host: \"0.0.0.0\"<\/code><\/pre>\n\n\n\n- Change the directory add logstash configuration <\/li><\/ul>\n\n\n\n
cd \/etc\/logstash\/conf.d<\/code><\/pre>\n\n\n\n- Download configuration files for logstash parsing and filtering <\/li><\/ul>\n\n\n\n
sudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/01-inputs.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/05-firewall.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/30-geoip.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/50-outputs.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/10-others.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/20-suricata.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/25-snort.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/35-rules-desc.conf\nsudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/45-cleanup.conf<\/code><\/pre>\n\n\n\n- Make new patterns folder and navigate<\/li><\/ul>\n\n\n\n
sudo mkdir \/etc\/logstash\/conf.d\/patterns\ncd \/etc\/logstash\/conf.d\/patterns\/<\/code><\/pre>\n\n\n\n- Download pattern config file <\/li><\/ul>\n\n\n\n
sudo wget https:\/\/raw.githubusercontent.com\/3ilson\/pfelk\/master\/etc\/logstash\/conf.d\/patterns\/pfelk.grok<\/code><\/pre>\n\n\n\n- Get back to the previous folder and open 01-inputs.conf file in a text editor <\/li><\/ul>\n\n\n\n
cd ..\nnano 01-inputs.conf<\/code><\/pre>\n\n\n\n- Edit the following things in the file<\/li><\/ul>\n\n\n\n
Change line 9; the \"if [host] =~ ...\" should point to your pfSense\/OPNsense IP address\nChange line 12-16; (OPTIONAL) to point to your second PF IP address or ignore\n\nIf you are using pfSense uncommit line 28 and commit out line 25\nor if using OPNsense uncommit line 25 and commit out line 28<\/code><\/pre>\n\n\n\n- Disable Swap to increase performance<\/li><\/ul>\n\n\n\n
sudo swapoff -a<\/code><\/pre>\n\n\n\n- Set current time zone <\/li><\/ul>\n\n\n\n
sudo timedatectl set-timezone EST<\/code><\/pre>\n\n\n\n- Configure service to start on boot and restart the services<\/li><\/ul>\n\n\n\n
sudo \/bin\/systemctl daemon-reload\nsudo \/bin\/systemctl enable elasticsearch.service\nsudo \/bin\/systemctl enable kibana.service\nsudo \/bin\/systemctl enable logstash.service\n\nsystemctl start elasticsearch \nsystemctl start kibana \nsystemctl start logstash<\/code><\/pre>\n\n\n\nThis was all server-side configuration. Let’s configure the pfSense firewall<\/p>\n\n\n\n
- In pfSense navigate to Status->System Logs, then click on Settings. <\/li>
- In OPNsense navigate to System->Settings->Logging<\/li>
- At the bottom check “Enable Remote Logging”<\/li>
- (Optional) Select a specific interface to use for forwarding<\/li>
- Enter the ELK local IP into the field “Remote log servers” with port 5140 (eg 192.168.100.50:5140)<\/li>
- Under “Remote Syslog Contents” check “Everything”<\/li>
- Click Save<\/li><\/ul>\n\n\n\n
Now we need to define index pattern to get the data to in the kibana. It is generally used for the segregation of logs. <\/p>\n\n\n\n
- In\u00a0your\u00a0web\u00a0browser\u00a0go\u00a0to\u00a0the\u00a0ELK\u00a0local\u00a0IP\u00a0using\u00a0port\u00a05601\u00a0(ex:\u00a0192.168.0.1:5601)\u00a0<\/span><\/li>
- Click\u00a0the\u00a0gear\u00a0icon\u00a0(management)\u00a0in\u00a0the\u00a0lower\u00a0left<\/li>
- Click\u00a0Kibana\u00a0->\u00a0Index\u00a0Patters<\/li>
- Click\u00a0Create\u00a0New\u00a0Index\u00a0Pattern<\/li>
- Type\u00a0“pf-*”\u00a0into\u00a0the\u00a0input\u00a0box,\u00a0then\u00a0click\u00a0Next\u00a0Step <\/li>
- Now select Timestamp<\/li><\/ul>\n\n\n\n
Help on index pattern defining. https:\/\/www.elastic.co\/guide\/en\/kibana\/current\/index-patterns.html<\/a> <\/p>\n\n\n\n You can make your own dashboard as per your needs but you use the following link to get json files to import the dashboard. https:\/\/github.com\/3ilson\/pfelk\/tree\/master\/Dashboard\/v5.5<\/a><\/p>\n\n\n\n- In your web browser go to the ELK local IP using port 5601 (ex: 192.168.0.1:5601)<\/li>
- Click Management -> Saved Objects<\/li>
- You can import the dashboards found in the Dashboard folder via the Import bottom in the top-right corner. <\/li><\/ul>\n\n\n\n
That it, for now, you are ready to use the Elastic stack for pfSense firewall. <\/p>\n\n\n\n
All credit: https:\/\/github.com\/a3ilson\/pfelk<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"