How To: Elasticsearch/Kibana Installation and Setup
Kelvin Johnson
Cyber Security Analyst | IAM | SIEM | EDR | Linux | Windows | Cloud Security
As part of the ongoing MYDFIR 30 days SOC Analyst challenge, I had the opportunity to set up the ELK Stack and ingest data from various endpoints using Elastic Agents managed by a Fleet server. In this guide, I will walk through how to install and set up Elasticsearch and Kibana on an Ubuntu server.
Requirements:
Ubuntu Server - I am using Ubuntu server 24.04 for my setup
A brief introduction to the ELK Stack tool:
The ELK Stack is a powerful open-source toolset for searching, analyzing, and visualizing large volumes of log data in real time. ELK stands for Elasticsearch, Logstash, and Kibana.
The ELK Stack uses Beats or Elastic Agents to collect and forward various types of operational data to Logstash or Elasticsearch, and these agents can be managed centrally using a Fleet server.
Installation Steps:
Elasticsearch Installs:
Use the cd command to navigate to the directory on your Ubuntu server where the .deb packages are located, then install them with the dpkg package utility using the command below.
$ sudo dpkg -i <PackageName>
Example: sudo dpkg -i elasticsearchFileName.deb
Once the installation completes successfully, you will see output similar to the image above; the only difference will be the generated password. Yours will be different from mine, so take note of it, as you will need it later.
Next, edit the Elasticsearch configuration file located in /etc/elasticsearch to change the network and port settings; this can be done with any text editor. You will need root privileges to make the changes. First switch to the root user using sudo su, then at the root prompt type the following.
# vim /etc/elasticsearch/elasticsearch.yml
Note the IP address of your Ubuntu server, then uncomment the network.host and http.port lines by removing the # sign, and replace the IP address shown there with your machine's IP.
Note: Only change the IP address and not the port, as Elasticsearch listens on port 9200 by default.
Kibana Installs:
Just as with the Elasticsearch installation, install the Kibana package using dpkg. After the installation is complete, edit the configuration file located in /etc/kibana with any text editor.
# vim /etc/kibana/kibana.yml
As with the Elasticsearch configuration file, uncomment server.port and server.host by removing the # sign, then replace “localhost” with your server's IP address, so that it reads server.host: <your IP address, with no quotes>.
Next, enable the Elasticsearch and Kibana services using the commands below:
systemctl daemon-reload
systemctl enable --now kibana
systemctl enable --now elasticsearch
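As an added example that is not part of the original guide, the two configuration edits described above as a small POSIX shell script, plus a check that both files ended up in the state the guide expects before the services are enabled. File paths are passed as arguments so it can be tried on copies; the sample config contents are constructed stand-ins for the commented-out defaults shipped in the .deb packages.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the network.host/http.port and
# server.host/server.port edits as a script instead of by hand, then verify them.
# File paths are arguments so it can be dry-run on copies; for the real files
# (/etc/elasticsearch/elasticsearch.yml, /etc/kibana/kibana.yml) run it as root.

# set_yaml_key FILE KEY VALUE: turn an existing (possibly commented-out) "KEY:" line
# into "KEY: VALUE", or append it if absent. A backup copy is kept beside the file.
set_yaml_key() {
  file="$1"; key="$2"; value="$3"
  cp "$file" "$file.bak.$(date +%s)"
  if grep -Eq "^#?[[:space:]]*${key}:" "$file"; then
    sed -E "s|^#?[[:space:]]*${key}:.*|${key}: ${value}|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# get_yaml_key FILE KEY: print the active (uncommented) value of KEY, if any
get_yaml_key() {
  sed -nE "s|^[[:space:]]*$2:[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# configure_elastic_and_kibana ES_YML KIBANA_YML IP: exactly the edits the guide
# describes: the server IP for both services, ports left at 9200 and 5601
configure_elastic_and_kibana() {
  set_yaml_key "$1" network.host "$3"
  set_yaml_key "$1" http.port 9200
  set_yaml_key "$2" server.host "$3"
  set_yaml_key "$2" server.port 5601
}

# check_config ES_YML KIBANA_YML IP: 0 if both files are in the guide's end state,
# 1 otherwise (handy after editing with vim, before systemctl enable --now)
check_config() {
  [ "$(get_yaml_key "$1" network.host)" = "$3" ] || return 1
  [ "$(get_yaml_key "$1" http.port)" = 9200 ] || return 1
  [ "$(get_yaml_key "$2" server.host)" = "$3" ] || return 1
  [ "$(get_yaml_key "$2" server.port)" = 5601 ] || return 1
}

# write_sample_configs DIR: constructed stand-ins for the commented-out defaults
# shipped in the .deb packages, so the script can be exercised without root
write_sample_configs() {
  printf '%s\n' '#network.host: 192.168.0.1' '#http.port: 9200' > "$1/elasticsearch.yml"
  printf '%s\n' '#server.port: 5601' '#server.host: "localhost"' > "$1/kibana.yml"
}
```

Setting network.host to the server's address moves Elasticsearch off the loopback interface, so port 9200 becomes reachable from the whole network; a host firewall rule that limits 9200 to Kibana and the agent hosts is the usual companion to this edit.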
You can now access the Kibana web UI at <your IP address>:5601, for example 10.0.2.15:5601. It will prompt you for an enrollment token; see the screenshot:
Enrollment tokens can be generated with the Elasticsearch binaries located in /usr/share/elasticsearch/bin. The command to generate the token is:
./elasticsearch-create-enrollment-token -s kibana
Once the enrollment token is generated, copy it, paste it into the enrollment token window in the Kibana web UI and click Configure Elastic; this will prompt you for a verification code.
The verification code can be generated with the kibana-verification-code binary located in the /usr/share/kibana/bin/ directory.
The command for this is:
./kibana-verification-code generate
Once generated, copy the code, paste it into the Kibana web UI and click Verify (see the Ref A image). If everything succeeds, you will be taken to the login page, where you can log in as the user “elastic” with the password that was generated when Elasticsearch was installed.
With all said and done, we have Kibana and Elasticsearch set up and ready for data ingestion, analysis, and visualization. VOILA!!
Conclusion
The ELK Stack is a powerful tool that can be leveraged across different enterprise environments for data ingestion, analysis, and visualization, giving better insight into enterprise infrastructure and helping make informed decisions.
Next, I will provide a guide on how to use Elastic Agent to ingest data into Elasticsearch and how to use a Fleet server to manage the agents. I hope the information provided here is enough for you to set up the ELK Stack.
Until next time, do take care of yourself and stay well.