Elastic Lab (part 4) - Kibana

Part 3 of this fun exercise finished with installing Elasticsearch. However, Elasticsearch is only one piece of the puzzle that becomes our SIEM: it is just the database holding the data. We need a way to access that data, to query, correlate, analyze, and visualize it. That tool is called Kibana.

Getting Kibana to fully integrate with Elasticsearch can be a tricky process. By now you may have listened to the entire concert I linked in Part 1, so here's a newer set from the Mexican trio (and don't worry, their version of "You Oughta Know" is family friendly!)

We're going to be following this Kibana install Guide. (You took a snapshot of your VM already, right?) I recommend reading through all the steps as well as this page before starting.

1- We can skip the PGP key and APT Repository steps because we already completed all of them in part 3.

2- Now it's time to actually download and install Kibana. Remember you can copy from the Guide by clicking the little clipboard icon at the right side of the black boxes:


If this works SKIP the 'manual Download' method.

Take note of any messages at the end of the install! If you get any tokens or passwords, COPY THEM! I missed them and this caused me lots and lots of work in the following steps. The rest of the Install Guide was missing critical pieces:

3- We need the password for the "kibana_system" account. Copy it or change it:

type "cd /usr/share/elasticsearch/bin" to move to the directory with the Elastic utilities.

type "sudo ./elasticsearch-reset-password -u kibana_system". Confirm you want to do this and COPY the password which is displayed to a clipboard (on your Debian VM or your Windows Host). You'll need this password for multiple steps!

4- We need to configure the Kibana settings. Don't forget to remove the leading "#" (uncomment) on each of these lines:

type "sudo nano /etc/kibana/kibana.yml" to edit the config file. (Again, you can use other text editors.)

Change "server.host" to the IP address you're running on the machine.

Change "elasticsearch.hosts:" to read "https://[IP address]:9200" (unless you're using some other port!). There should not be any quotes or brackets on this line. ENSURE you changed the default http to https!!!

Uncomment "elasticsearch.username: "kibana_system"" (and leave ONE set of quotes around the username).

Uncomment "elasticsearch.password" and paste in the password from step #3 (with quotes around the password).

SAVE the changes to this config file.

5- The next section is setting up the Kibana keystore. Many of these instructions come from this page. The Kibana files are installed in /usr/share/kibana; change directories to that location.

Create the keystore by typing "sudo ./kibana-keystore create" and overwrite if prompted.

Type "sudo ./kibana-keystore add elasticsearch.password" and enter the password (paste) when prompted. If you don't remember it, you'll need to look for the "reset password" method in step #3 above and reset it. Store it somewhere safe for future use!

6- Now we can generate an enrollment token. This is used to validate that Kibana is allowed to talk with Elasticsearch. These tokens expire after 30 minutes!!!

Change to the /usr/share/elasticsearch/bin directory.

Run this command: "sudo ./elasticsearch-create-enrollment-token -s kibana" and copy the results.

Type "cd /usr/share/kibana/bin"

Then "sudo ./kibana-setup" and paste the token when the prompt asks for it.

7- NOW we can start up Kibana: "sudo systemctl start kibana". Wait 30-60 seconds for the service to boot up. You can check its status by typing "sudo systemctl status kibana".

To make Kibana start up when the VM boots, type "sudo systemctl daemon-reload" and "sudo systemctl enable kibana".
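If the service does not come up cleanly, the step 4 edits are the first thing to re-check. As an added example (not part of the original post or the Elastic guide), here is a small POSIX shell check that reads a kibana.yml and confirms each step 4 setting is uncommented and has the expected shape; the sample config and the 192.0.2.10 address at the bottom are constructed.

```shell
#!/bin/sh
# Sanity-check the kibana.yml edits from step 4. Returns 0 when every setting
# looks right, 1 otherwise.  Usage: check_kibana_yml /etc/kibana/kibana.yml

# Print the value of an UNcommented top-level key. Quotes, brackets and blanks
# are stripped so `hosts: ["https://x:9200"]` and `hosts: https://x:9200` agree.
yml_get() {
  grep -E "^[[:space:]]*$1:" "$2" | head -n 1 | cut -d: -f2- | tr -d "\"'[] "
}

check_kibana_yml() {
  f="$1"; rc=0

  host=$(yml_get server.host "$f")
  case "$host" in
    ""|localhost|127.0.0.1)
      echo "FAIL server.host='$host': set the VM's IP so the host browser can reach :5601"; rc=1 ;;
    *) echo "ok   server.host=$host" ;;
  esac

  es=$(yml_get elasticsearch.hosts "$f")
  case "$es" in
    https://*:[0-9]*) echo "ok   elasticsearch.hosts=$es" ;;
    http://*) echo "FAIL elasticsearch.hosts still uses http; step 4 requires https"; rc=1 ;;
    *) echo "FAIL elasticsearch.hosts='$es': expected https://<IP>:9200"; rc=1 ;;
  esac

  user=$(yml_get elasticsearch.username "$f")
  [ "$user" = kibana_system ] && echo "ok   elasticsearch.username=kibana_system" \
    || { echo "FAIL elasticsearch.username='$user': expected kibana_system"; rc=1; }

  pw=$(yml_get elasticsearch.password "$f")
  [ -n "$pw" ] && echo "ok   elasticsearch.password is set (value not shown)" \
    || { echo "FAIL elasticsearch.password is commented out or empty"; rc=1; }

  return $rc
}

# Constructed sample with the mistake step 4 warns about: http instead of https.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server.host: "192.0.2.10"
#elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.hosts: http://192.0.2.10:9200
elasticsearch.username: "kibana_system"
elasticsearch.password: "CONSTRUCTED-PLACEHOLDER"
EOF
check_kibana_yml "$sample"   # prints one FAIL line, for the http URL
rm -f "$sample"
```

Run it against the real file with `sh check.sh` after replacing the sample block with `check_kibana_yml /etc/kibana/kibana.yml`; it never prints the password value.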

8- And finally we get to the moment when all that hard work pays off: open up Firefox (click "Activities" on the top left and look for the Firefox icon):


Click through the startup stuff if this is the first time Firefox is running. Then enter [IP Address]:5601 in the address bar. You should get an Elastic login screen. Use the username and password you created in Part 3.


And if everything works correctly, make sure you Take a Snapshot of your VM!!!

NEXT comes the "L" in ELK stack!!!