Awesome Kali Purple Docs

Elastic Stack

Dec 09, 20243 min read

This guide no longer works, a rewrite is planned

Installation

The Elastic stack has several components that each have their own installation guides.

Install Elasticsearch

This guide is adapted from the official guide and the guide written by Frankline Bett.

Install from APT repository

The elastic APT repository is installed by default on Kali Purple, run the following command to install elasticsearch

sudo apt install elasticsearch

Configure Elasticsearch

Open the configuration file…

sudo nano /etc/elasticsearch/elasticsearch.yml

And set the following options:

cluster.name: kali-puprle
network.host: 0.0.0.0
http.port: 9200

Set the default user’s password:

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i

Start Elasticsearch

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch

Test that Elasticsearch is running

sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200

This result means that Elasticsearch is fully functional

Install Logstash

Install from APT repository

sudo apt install logstash

Configure Logstash

Create the config file /etc/logstash/conf.d/beats.conf with the following content.

input {
  beats {
    port => 5044
  }
}
filter {
  if [type] == "syslog" {
     grok {
        match => { "message" => "%{SYSLOGLINE}" }
  }
     date {
        match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
     }
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}

Start Logstash service

sudo systemctl enable logstash.service
sudo systemctl start logstash

Install Beats

To gather data, we will set up Filebeat, Metricbeat, and Packetbeat.

Filebeat

Install from APT repository
sudo apt install filebeat
Configure Filebeat

Open /etc/filebeat/filebeat.yml and make the following changes:

  1. Comment out all lines in the “Elasticsearch output” section
  2. Uncomment the lines for “Logstash output”
  3. Set the “Filebeat inputs” section ‘enabled’ flag to true
  4. Save and close the file
Start Filebeat service
sudo systemctl enable filebeat
sudo systemctl start filebeat

Metricbeat

Install from APT repository
sudo apt install metricbeat
Configure Metricbeat

Open /etc/metricbeat/metricbeat.yml and make the following changes:

  1. Comment out all lines in the “Elasticsearch output” section
  2. Uncomment the lines for “Logstash output”
Start Metricbeat service
sudo systemctl enable metricbeat
sudo systemctl start metricbeat

Packetbeat (TODO: Reassess)

Install from APT repository
sudo apt install packetbeat
Configure Packetbeat

Open /etc/packetbeat/packetbeat.yml and make the following changes:

  1. Comment out all lines in the “Elasticsearch output” section
  2. Uncomment the lines for “Logstash output”
Start Packetbeat Service
sudo systemctl enable packetbeat
sudo systemctl start packetbeat

Install Kibana

Install from APT repository

sudo apt install kibana

Configure Kibana

Open the configuration file /etc/kibana/kibana.yml and ensure the following configuration values are set:

server.port: 5601
server.host: "0.0.0.0"

Start Kibana Service

sudo systemctl enable kibana.service
sudo systemctl start kibana

Access Kibana Web Interface

  1. Get the Kibana enrollment token:
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
  1. Copy the output of the command
  2. Open the Kibana web interface at http://localhost:5601
  3. Paste the enrollment token and click “Configure Elastic”
  4. To get the code from the verification code run:
sudo /usr/share/kibana/bin/kibana-verification-code

6. Wait for the configurations to complete 7. Select “Explore on my own” 8. Enable beats modules

sudo filebeat modules enable system
sudo metricbeat modules enable logstash

Awesome Kali Purple Docs by David Jones is licensed under CC BY-SA 4.0

Graph View

Backlinks