ELK_Setup_Guide

This setup guide provides instructions for creating a Log File Analyzer for Intrusion Detection using the ELK stack. It includes steps to create a project folder, configure a docker-compose.yml file for Elasticsearch, Kibana, and Logstash, and set up a logstash.conf file to process log data. Finally, it instructs users to start the ELK stack and access Kibana to explore the data.

Log File Analyzer for Intrusion Detection - Setup Guide

1. Create Project Folder

Run the following command:

mkdir elk-ids && cd elk-ids

2. Create docker-compose.yml

Run: nano docker-compose.yml

Paste the following:

version: "3.8"

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.13.2
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      # Security is switched off so the lab runs without TLS or credentials;
      # Kibana and Logstash therefore talk to it over plain http.
      - xpack.security.enabled=false
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
    ports:
      - "9200:9200"
    networks:
      - elk

  kibana:
    image: docker.elastic.co/kibana/kibana:8.13.2
    container_name: kibana
    ports:
      - "5601:5601"
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    depends_on:
      - elasticsearch
    networks:
      - elk

  logstash:
    image: docker.elastic.co/logstash/logstash:8.13.2
    container_name: logstash
    ports:
      - "5044:5044"
    volumes:
      # Pipeline definition and the sample log created in steps 3 and 4
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
      - ./sample_auth.log:/var/log/auth.log
    depends_on:
      - elasticsearch
    networks:
      - elk

networks:
  elk:
    driver: bridge

3. Create logstash.conf

Run: nano logstash.conf

Paste:

input {
  file {
    path => "/var/log/auth.log"
    # Read the whole file every start; /dev/null sincedb means no read position is remembered
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # Extract the syslog timestamp and the source IP of each failed SSH login.
  # The timestamp field must be captured here, otherwise the date filter below has nothing to parse.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sshd\[%{POSINT:pid}\]: Failed password for .* from %{IP:ip}" }
  }
  # Syslog timestamps carry no year; Logstash assumes the current one.
  # The second pattern covers single-digit days, which syslog pads with two spaces.
  date {
    match => ["timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "ssh-logs"
  }
}

4. Create Sample Log File

Run: nano sample_auth.log

Paste:

Apr 30 14:00:01 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:05 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:09 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:15 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:21 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2

5. Start the ELK Stack

Run the command:


docker-compose up

Then open http://localhost:5601 in your browser to access Kibana.

Create an index pattern 'ssh-logs' to explore the data.
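The pipeline above only stores the failed logins; the detection itself is the threshold you would later build in Kibana. The following is an added example, not part of this guide: it applies the same "Failed password" parsing the grok filter performs to a constructed copy of sample_auth.log and flags any source IP with repeated failures inside a short window. The threshold (5 failures within 60 seconds) and the year supplied to the year-less syslog timestamp are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same fields the logstash.conf grok pattern extracts (timestamp, host, pid, ip),
# written as a Python regex over a syslog-style sshd line.
FAILED_LOGIN = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample: the guide's five lines plus one unrelated failure and one success.
SAMPLE_LOG = """\
Apr 30 14:00:01 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:05 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:09 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:15 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:00:21 server sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 22 ssh2
Apr 30 14:30:00 server sshd[1002]: Failed password for bob from 10.0.0.5 port 50222 ssh2
Apr 30 14:31:00 server sshd[1003]: Accepted password for bob from 10.0.0.5 port 50223 ssh2
"""

def parse_failed_logins(text, year=2024):
    """Return [(datetime, ip, user)] for every 'Failed password' line.
    Syslog timestamps carry no year, so one is supplied (assumed), as the Logstash date filter does."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # non-matching lines (e.g. 'Accepted password') are skipped, like a grok miss
        ts = datetime.strptime(f"{year} {m['timestamp']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for IPs that reach `threshold` failures
    within any `window_seconds` span (sliding window over time-sorted events)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

The same rule expressed in Kibana is a count of documents per `ip` over the `ssh-logs` index with a date histogram of one minute and an alert when a bucket reaches the threshold.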