initial commit

ELK.txt

@@ -0,0 +1,80 @@
+sudo apt-get install apache2-utils
+
+#install java8
+sudo add-apt-repository -y ppa:webupd8team/java
+sudo apt-get update
+sudo apt-get -y install oracle-java8-installer
+
+#install logstash
+echo 'deb http://packages.elastic.co/logstash/2.2/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash-2.2.x.list
+sudo apt-get update
+sudo apt-get install logstash
+
+#install elasticsearch
+wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
+echo "deb http://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list
+sudo apt-get update
+sudo apt-get -y install elasticsearch
+
+#install kibana
+echo "deb http://packages.elastic.co/kibana/4.4/debian stable main" | sudo tee -a /etc/apt/sources.list.d/kibana-4.4.x.list
+sudo apt-get update
+sudo apt-get -y install kibana
+
+
+# create the user jeank
+# specify the password mdp
+sudo htpasswd -c /etc/nginx/htpasswd.users jeank
+
+
+#find and replace
+#server.host: "localhost"
+sudo nano /opt/kibana/config/kibana.yml
+
+#find and replace 
+#network.host: localhost
+sudo nano /etc/elasticsearch/elasticsearch.yml
+
+#add the exe to the booting sequence
+sudo update-rc.d kibana defaults 96 9
+sudo update-rc.d elasticsearch defaults 95 10
+
+sudo service kibana start
+sudo service elasticsearch restart
+sudo mkdir -p /etc/pki/tls/certs
+sudo mkdir /etc/pki/tls/private
+
+#Find the [ v3_ca ]
+# add the following under the section title
+#subjectAltName = IP: ELK_server_private_IP
+sudo nano /etc/ssl/openssl.cnf
+cd /etc/pki/tls
+sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
+
+#replace /etc/nginx/sites-available/default by the following
+#server {
+#    listen 80;
+#
+#    server_name example.com;
+
+#    auth_basic "Restricted Access";
+#    auth_basic_user_file /etc/nginx/htpasswd.users;
+
+#    location / {
+#        proxy_pass http://localhost:5601;
+#        proxy_http_version 1.1;
+#        proxy_set_header Upgrade $http_upgrade;
+#        proxy_set_header Connection 'upgrade';
+#        proxy_set_header Host $host;
+#        proxy_cache_bypass $http_upgrade;        
+#    }
+#}
+#
+
+sudo nano /etc/nginx/sites-available/default
+
+#restart the services
+
+sudo service nginx restart
+sudo service kibana start
+sudo service elasticsearch restart

configs/02-beats-input.conf

@@ -0,0 +1,8 @@
+input {
+  beats {
+    port => 5044
+    ssl => true
+    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
+    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
+  }
+}

configs/10-syslog-filter.conf

@@ -0,0 +1,13 @@
+filter {
+  if [type] == "syslog" {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{host}" ]
+    }
+    syslog_pri { }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+    }
+  }
+}

configs/30-elasticsearch-output.conf

@@ -0,0 +1,9 @@
+output {
+  elasticsearch {
+    hosts => ["localhost:9200"]
+    sniffing => true
+    manage_template => false
+    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
+    document_type => "%{[@metadata][type]}"
+  }
+}

configs/put_files.txt

@@ -0,0 +1,4 @@
+mkdir /etc/logstash/conf.d/
+cp -i /media/thth/PORO/configs/02-beats-input.conf /etc/logstash/conf.d
+cp -i /media/thth/PORO/configs/10-syslog-filter.conf /etc/logstash/conf.d
+cp -i /media/thth/PORO/configs/30-elasticsearch-output.conf /etc/logstash/conf.d

init.txt

@@ -0,0 +1,7 @@
+sudo apt-get update 
+sudo apt-get upgrade 
+sudo apt-get install gnome-core -y
+sudo apt install startx -y
+sudo apt install xinit -y
+sudo apt-get install plank nginx selinux-basics selinux-policy-default auditd gedit dkms build-essential linux-headers-generic -y
+sudo reboot