Basics and concepts of information security monitoring

Adding a log source to the ELK Stack

Easy
20 min

In this module we practice the basics of a SIEM system, using the open-source ELK stack. Setting up the ELK environment is not covered in this course; we focus on using it. The principles are the same for any SIEM product, so what you learn here transfers to other systems.

This exercise environment consists of three components: a SIEM system, where logs are stored and security monitoring is done; a monitored machine, whose logs we want to ship to the SIEM; and an administration machine, from which we log into the monitored machine.

ELK

Elasticsearch, Logstash and Kibana

Adding Logging to SIEM System

Start by launching the exercise above and follow the steps below at your own pace. When the exercise has started, open the Kibana service. Navigate to Add integrations and search for "system logs"; the module we want is listed there.

Open the module to see the instructions for installing it on the target machine. Next, open an SSH connection to the target machine on the internal network. The SSH username is ubuntu and the password is hakatemia.

Installation and configuration of the Filebeat program

We need to transfer the important log sources from the monitored machine to the SIEM system, and the transfer has to happen effortlessly and, above all, automatically. The program for this is Filebeat.

Filebeat is a lightweight open-source log shipper that is part of the Elastic Stack (ELK Stack). Its purpose is to collect log files from various sources and forward them, in our case to Elasticsearch. Execute the commands in the first step of the guide to install Filebeat.

After you have installed Filebeat, make the following configuration changes.

First edit the file /etc/filebeat/filebeat.yml so that Filebeat knows where the logs need to be sent:

  • In the setup.kibana section, uncomment the host line (remove the leading #) so it reads host: "localhost:5601".
  • In the output.elasticsearch section, set the username and password fields to "hakatemia" and make sure both lines are uncommented.

The values use localhost because in this lab Elasticsearch, Kibana, Logstash and the Linux machine whose logs we are now directing to ELK all happen to run on the same server. In the real world they are usually on different hosts, the host values point to those addresses, and the traffic to Elasticsearch is sent over TLS; but that doesn't matter now.

Then run the following command to enable the system module in Filebeat:

sudo filebeat modules enable system

Finally, edit the module's configuration file /etc/filebeat/modules.d/system.yml as the instructions say: change both enabled: false values (one for the syslog fileset, one for the auth fileset) to true.
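As an added example (not the course's own material, and not a substitute for reading the module's instructions), the script below produces the same result as the three edits above, writing a minimal filebeat.yml and modules.d/system.yml into a directory you pass to it (the real path is /etc/filebeat, so run it there with sudo). The localhost values, the "hakatemia" credentials and the system module come from the lab; the file layout and the function names are my assumptions. It deviates from the lab in one respect: instead of writing the password in plaintext it stores it in the Filebeat keystore and references it as ${ES_PWD}, which keeps the secret out of the configuration file. When the filebeat binary is not on the machine it falls back to the plaintext value the lab uses.

```shell
#!/bin/sh
# Added example, not the course's own material: the three Filebeat edits above
# as a script. The localhost values, the "hakatemia" credentials and the system
# module come from the lab; the file layout and function names are mine.
# Usage: sudo sh configure-filebeat.sh /etc/filebeat   (no argument: demo in a temp dir)
set -eu

# Write a minimal filebeat.yml into $1: load modules.d/*.yml, point setup.kibana
# and output.elasticsearch at localhost (everything runs on one host in the lab)
# and authenticate as $2 with $3. $3 is either a literal password or a keystore
# reference such as ${ES_PWD}, which Filebeat expands when it loads the config.
write_filebeat_yml() {
  dir="$1"; user="$2"; pass="$3"
  cat > "$dir/filebeat.yml" <<EOF
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "$user"
  password: "$pass"
EOF
}

# The result of "filebeat modules enable system" plus the two false -> true
# edits: both filesets of the system module, syslog and auth, switched on.
write_system_module_yml() {
  mkdir -p "$1/modules.d"
  cat > "$1/modules.d/system.yml" <<'EOF'
- module: system
  syslog:
    enabled: true
  auth:
    enabled: true
EOF
}

# Number of enabled filesets in modules.d/system.yml (2 when both are on).
enabled_filesets() {
  grep -c 'enabled: true' "$1/modules.d/system.yml"
}

# Deviation from the lab, which writes the password in plaintext: keep it in the
# Filebeat keystore instead and reference it as ${ES_PWD}. Needs the filebeat
# binary, so it returns 1 (and the caller falls back to plaintext) when absent.
# /var/lib/filebeat is the deb package's path.data; adjust for other installs.
store_es_password() {
  command -v filebeat >/dev/null 2>&1 || return 1
  [ -f /var/lib/filebeat/filebeat.keystore ] || filebeat keystore create
  printf '%s' "$1" | filebeat keystore add ES_PWD --stdin --force
}

# Apply everything to the directory given as $1.
configure_filebeat() {
  target="$1"
  if store_es_password hakatemia; then
    pass_ref='${ES_PWD}'
  else
    echo "filebeat binary not found: writing the password literally, as the lab does" >&2
    pass_ref=hakatemia
  fi
  write_filebeat_yml "$target" hakatemia "$pass_ref"
  write_system_module_yml "$target"
  echo "configured $target; next: sudo filebeat setup && sudo service filebeat start"
}

if [ $# -ge 1 ]; then
  configure_filebeat "$1"
else
  demo_dir="$(mktemp -d)"
  configure_filebeat "$demo_dir"
  cat "$demo_dir/filebeat.yml" "$demo_dir/modules.d/system.yml"
fi
```

Run without arguments it only writes the files into a temporary directory and prints them, so you can compare them with your hand-edited /etc/filebeat/filebeat.yml before starting Filebeat.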

Starting Filebeat software

On the target machine we also need to start the system's own logging daemon, which is unrelated to the SIEM and to the Filebeat configuration; this is only needed because of how the lab environment is built. Run the following command before proceeding to the next steps.

sudo service syslog-ng start

Now we can start Filebeat, after which it should automatically deliver the target system's logs, such as SSH logins. The setup command loads the index template and the module's Kibana dashboards into the stack and may take a few minutes.

sudo filebeat setup
sudo service filebeat start

We can check that everything is working as intended by pressing the Check Data button on the Kibana side. It may take a minute before data starts to appear.

You can view the logs by navigating to the Syslog dashboard of the system module.

SSH logins in SIEM system

Let's see what SSH logins look like in the SIEM. Log out and log in again over SSH to generate log entries; try a wrong password first and then the correct one, so that both a failed and a successful attempt are recorded.

Above, we see that the first login attempt with the wrong password was rejected and the next attempt succeeded.
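The two entries above, a failed password followed by a successful login for the same user from the same address, are exactly the pattern an analyst wants to be able to pick out of the auth logs. The script below is an added example, not part of the course: a shell function that reads sshd lines in the /var/log/auth.log format (the format the system module's auth fileset ships) and reports every accepted login whose source address had at least a given number of failed passwords before it. The sample lines are constructed for this example; the hostname, users and addresses are invented.

```shell
#!/bin/sh
# Added example, not part of the course: flag sshd "Accepted" logins that were
# preceded by failed password attempts from the same source address, i.e. the
# pattern the lab's two log entries show. It works on raw /var/log/auth.log
# lines, the format the Filebeat system auth fileset ships. All sample data
# below is constructed: the hostname, users and addresses are invented.
set -eu

# Read auth.log lines on stdin and print "<ip> <user> <failures>" for every
# accepted login whose source address had at least $1 failed passwords since
# its last accepted login (default 1: any failure before a success is reported).
flag_failed_then_accepted() {
  awk -v threshold="${1:-1}" '
    # Split "... for [invalid user ]<user> from <ip> port <n> ssh2" into the
    # globals user and ip; "invalid user" marks names that do not exist on the host.
    function parse(line,   rest) {
      rest = line
      sub(/.* for (invalid user )?/, "", rest)
      user = rest; sub(/ from .*/, "", user)
      ip = rest;   sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
    }
    / sshd\[[0-9]+\]: Failed password for / { parse($0); fails[ip]++; next }
    / sshd\[[0-9]+\]: Accepted (password|publickey) for / {
      parse($0)
      if (fails[ip] >= threshold) print ip, user, fails[ip]
      fails[ip] = 0
    }'
}

# Constructed sample: one mistyped password followed by a login from the admin
# host, a password-guessing run from an external address that ends in an
# accepted key login, and an unrelated clean login.
sample_auth_log() {
  cat <<'EOF'
Mar  3 09:12:01 target sshd[1201]: Failed password for ubuntu from 10.10.0.9 port 50122 ssh2
Mar  3 09:12:04 target sshd[1201]: Accepted password for ubuntu from 10.10.0.9 port 50122 ssh2
Mar  3 09:12:04 target sshd[1201]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Mar  3 09:20:17 target sshd[1340]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Mar  3 09:20:19 target sshd[1340]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Mar  3 09:20:22 target sshd[1342]: Failed password for root from 203.0.113.7 port 41002 ssh2
Mar  3 09:20:30 target sshd[1344]: Accepted publickey for ubuntu from 203.0.113.7 port 41004 ssh2
Mar  3 09:25:00 target sshd[1400]: Accepted password for ubuntu from 10.10.0.9 port 50200 ssh2
EOF
}

# Run the detector over the sample with the given threshold.
demo() {
  sample_auth_log | flag_failed_then_accepted "${1:-1}"
}

# With a threshold of 3 only the guessing run from 203.0.113.7 is reported;
# with the default of 1 the single mistyped password from 10.10.0.9 shows too.
demo 3
```

On the monitored machine the same function can be fed with `sudo cat /var/log/auth.log | flag_failed_then_accepted 3`. Once Filebeat's auth fileset has parsed these lines, the same information is available as structured fields such as source.ip and user.name, so the equivalent check can be built as a Kibana query on event.dataset : "system.auth" instead of on raw text; the threshold and the "reset on success" rule are the parts you have to decide on in either case.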

If you wanted to add the Azure Logs integration, which module would you enable with Filebeat? Type the entire command.
