Cloud-Hosted ELK Stack Deployment

A SIEM, or Security Information and Events Manager, is a security analysts primary tool used for monitoring security events and logs across a network. I wanted to get some hands-on experience with this type of software before I land my first cyber security role. Today I am going to be configuring and deploying ELK Stack in the cloud and then deploying the ELK stack agent on my Linux and Windows computers and servers.

ELK Stack works by combining four separate applications to achieve a fully functional SIEM solution. ELK stack is composed of Elasticsearch, Kibana, Beats, and Logstash.

A SIEM solution will provide me with a central hub to manage the security of my network as a whole. It enables me to parse through logs on my devices and most importantly detect any potential attacks. A SIEM will greatly increase my security posture once fully integrated.

For this project I am using Elastic’s free cloud trial. This will give me access to a fully functional ELK Stack hosted in the AWS cloud for 150 days. I plan on having a self-hosted instance of ELK stack on my HomeLab by then, so the cloud instance will be a temporary solution.

I followed the instructions to sign up for my free trial and deployed my cloud instance. After waiting for the setup to finish, I was then in my home dashboard. From here I could access all the separate ELK applications. I started by making an agent policy, this is used as a policy for the agents, or computers I want to collect security information and logs from.

At this point it provided me with commands to install and deploy the ELK agent on my Linux and Windows computers. I created documentation, noting these commands down for future reference.

Firstly, I wanted to install the agents on my Windows computers. I installed an agent on my Windows 10 PC as well as my Windows 10 laptop. To do this I launched the terminal and created a new directory to install the agent on. I named this directory elk to keep things simple. Next, I simply ran the PowerShell command I was provided. This script downloaded the proper zip file with all of the downloads necessary and unpacked it into my new elk directory. After the command finished, I checked my ELK dashboard and could see my new Windows agent was connected.

Now I wanted to focus on adding all of my Linux servers. In order to do that I needed to SSH into each of my Linux servers, and then run the Bash command provided on the Add Agent section in the dashboard to install the agent software. I then proceeded to install the software on all 3 servers I wanted to monitor. After installation I confirmed my success in the dashboard, and they were all connected and functioning properly.

This image has an empty alt attribute; its file name is Screenshot-22-1024x535.png

I then checked the logs, and all my clients were successfully sending logs.

Here you can see logs from one of my Linux servers about a root user logon.

The only problem is my clients are sending me all of their logs, this means I am receiving thousands of logs from all my different machines, and most of the logs are information logs. I want to use the SIEM for important security events and other important logs. To parse through all this data, I can use filters to only show me only certain log types. And by setting my filters to only show certain logs, I can get to the important security events much more easily.

I started with filters to show me the agent name, event action, network protocol, network direction, and the network bytes. This gave me some readable information about the logs and simplified the interpretation. In an enterprise environment, I would filter by more important events, but my HomeLab network doesn’t have any security events to alert on.

Well now I knew how to apply a stack of filters to parse through data, now I decided to create a dashboard to have a central management screen for log monitoring and security events. I started by creating a simple chart to visualize the number of logs being received. I then made a chart to visualize traffic flows from each client. I also added a log stream tab that displayed all the latest logs. This simple dashboard will work for now.

Next, I wanted to enable security alerts for critical and high-risk vulnerabilities. I navigated to the SIEM detection rules page and created a rule that will automatically send an email to me if any of the specified vulnerabilities are detected.

With that I had all the basics set up. This is only the free trial version of elastic, so it will run out eventually. I plan on migrating my ELK stack to a self-hosted instance on my HomeLab, but until then this will do. I plan to refine my dashboard and use this as a way to practice my SIEM skills.