ELK Setup, Log Ingestion & Attack Detection

Required Tasks
Installing & configuring Elasticsearch
Installing & configuring Kibana
Connecting Elasticsearch with Kibana
Installing & configuring Fluent Bit
Installing & Configuring Winlogbeat
Writing detection rules & simulating a suspicious activity
Requirements
VMware / Virtual Box
Windows 10/11 ISO – Ubuntu (20.04/22.04/24.04) ISO
16 GB RAM – 60 GB Disk Space
4 CPU Cores
PHASE 1 : Installing & configuring Elasticsearch
Updating Ubuntu packages
sudo apt update
sudo apt upgrade -y
Installing required packages & adding the Elastic apt repository
sudo apt install -y apt-transport-https gnupg wget curl
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | \
sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
Note: apt-key is deprecated on current Ubuntu releases, and a key added with it is trusted for every repository on the system. The signed-by form above scopes the Elastic signing key to the Elastic repository only, which is what the Elastic documentation uses. Run apt update again after adding the repository, otherwise the elasticsearch package will not be found.
Installing Elastic
sudo apt install -y elasticsearch
Configuring elasticsearch.yml
sudo nano /etc/elasticsearch/elasticsearch.yml
Lines to be uncommented : network.host & http.port (YAML keys are case-sensitive, so keep them lowercase)
Line to be added : discovery.type: single-node (once network.host is set to a non-loopback address, Elasticsearch 8 treats the node as a production node and will not auto-bootstrap a cluster, so this line is required on a single VM)
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
Note: 0.0.0.0 binds every interface. Security (TLS and authentication) is enabled by default in 8.x, but port 9200 should still be restricted to the lab network with a host firewall rather than being reachable from everywhere.
Enabling & starting the Elasticsearch service
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
sudo systemctl status elasticsearch
Setting the elastic user password
The installer prints an auto-generated password for the built-in elastic superuser once, at install time. If you did not capture it, reset it:
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
Keep the password somewhere you control (a password manager, or in this lab a root-only file); you need it for Kibana and for every agent that writes to Elasticsearch. Treat it as a superuser credential, not a lab throwaway.
PHASE 2 : Installing & configuring Kibana
Installing Kibana
sudo apt install kibana -y
Configuring Kibana
sudo nano /etc/kibana/kibana.yml
Only uncomment server.port & server.host
server.port: 5601
server.host: "0.0.0.0"
Note: Kibana serves plain HTTP on its own listener by default, so with "0.0.0.0" the login page is reachable on every interface; restrict port 5601 to the lab network as well.
Enabling & starting the kibana.service
sudo systemctl enable kibana
sudo systemctl start kibana
sudo systemctl status kibana
To check connectivity, open http://<your ip>:5601 in a browser; Kibana will ask for an enrollment token.

PHASE 3 : Connecting elasticsearch with kibana
Generate Token (on the Elasticsearch host; the tool is named elasticsearch-create-enrollment-token)
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
The token is valid for 30 minutes. Paste it into the Kibana enrollment page; Kibana then asks for a six-digit verification code to prove that you also have access to the Kibana host.

Getting verification code
sudo /usr/share/kibana/bin/kibana-verification-code
(sudo cd does not work because cd is a shell builtin, so run the tool by its full path instead of changing directory first.)



PHASE 4 : Installing & Configuring Fluent Bit & sending logs
Fluent Bit is not in the stock Ubuntu repositories, so add the Fluent Bit apt repository first (replace jammy with the codename of your Ubuntu release):
curl -fsSL https://packages.fluentbit.io/fluentbit.key | sudo gpg --dearmor -o /usr/share/keyrings/fluentbit-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.gpg] https://packages.fluentbit.io/ubuntu/jammy jammy main" | sudo tee /etc/apt/sources.list.d/fluent-bit.list
sudo apt-get update
sudo apt-get install -y fluent-bit
sudo systemctl enable fluent-bit
sudo systemctl start fluent-bit
For a simple simulation of logs
Create a log file, for example /var/log/firewall.log, add a few lines like the ones below, and save it. Each line carries a timestamp, the attempted username, the source IP and the failure reason, which is what the detection rules later key on.
2025-09-15 21:19:10 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.2.20'. Reason: Incorrect password.
2025-09-15 21:19:11 - AUTH: Failed login attempt for user 'root' from IP '172.16.2.20'. Reason: User does not exist.
2025-09-15 21:19:12 - AUTH: Failed login attempt for user 'backup_user' from IP '172.16.2.20'. Reason: Incorrect password.
2025-09-15 21:19:10 - AUTH: Failed login attempt for user 'backup_user' from IP '172.16.5.25'. Reason: Too many attempts.
2025-09-15 21:19:11 - AUTH: Failed login attempt for user 'sysadmin' from IP '172.16.43.36'. Reason: User does not exist.
2025-09-15 21:19:12 - AUTH: Failed login attempt for user 'service_account_2' from IP '172.16.209.170'. Reason: User does not exist.
2025-09-15 21:19:13 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.39.72'. Reason: User does not exist.
2025-09-15 21:19:14 - AUTH: Failed login attempt for user 'guest' from IP '172.16.210.88'. Reason: Incorrect password.
2025-09-15 21:19:15 - AUTH: Failed login attempt for user 'guest' from IP '172.16.77.96'. Reason: Incorrect password.
2025-09-15 21:19:16 - AUTH: Failed login attempt for user 'db_admin' from IP '172.16.24.146'. Reason: User does not exist.
2025-09-15 21:19:17 - AUTH: Failed login attempt for user 'web_user' from IP '172.16.136.135'. Reason: Account locked.
2025-09-15 21:19:18 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.24.89'. Reason: Too many attempts.
2025-09-15 21:19:19 - AUTH: Failed login attempt for user 'db_admin' from IP '172.16.181.30'. Reason: Too many attempts.
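The heading promises sending the logs, but the page stops at creating the file. The configuration below is an added example (not from the original page) showing how Fluent Bit tails that file, parses each line into fields with a regex parser, and ships the events to Elasticsearch over TLS with authentication. Everything in it that the page does not state is my assumption: the log path /var/log/firewall.log, Fluent Bit running on the same VM as Elasticsearch (hence 127.0.0.1), the CA file that the Elasticsearch installer generates at /etc/elasticsearch/certs/http_ca.crt, the index name firewall-logs and the parser name auth_fail. The first part replaces /etc/fluent-bit/fluent-bit.conf; the [PARSER] block is appended to /etc/fluent-bit/parsers.conf, which the [SERVICE] section loads. Fluent Bit's classic configuration format is INI-like, hence the fence tag.

```ini
# /etc/fluent-bit/fluent-bit.conf  (added example; paths and names are assumptions)
[SERVICE]
    Flush         5
    Log_Level     info
    Parsers_File  /etc/fluent-bit/parsers.conf

# Tail the simulated auth log and apply the regex parser to every line.
# Read_from_Head makes the existing sample lines ship on first start.
[INPUT]
    Name            tail
    Path            /var/log/firewall.log
    Tag             firewall
    Parser          auth_fail
    Read_from_Head  true

# Ship to Elasticsearch 8: HTTPS, CA-verified, basic auth.
# Suppress_Type_Name is required for 8.x, which has no mapping types.
[OUTPUT]
    Name                es
    Match               firewall
    Host                127.0.0.1
    Port                9200
    Index               firewall-logs
    Suppress_Type_Name  On
    tls                 On
    tls.verify          On
    tls.ca_file         /etc/elasticsearch/certs/http_ca.crt
    HTTP_User           elastic
    HTTP_Passwd         <password from elasticsearch-reset-password>
    Retry_Limit         5

# Appended to /etc/fluent-bit/parsers.conf: one regex matching the page's log format.
# Named groups become fields (user, src_ip, reason); time becomes the event @timestamp.
[PARSER]
    Name         auth_fail
    Format       regex
    Regex        ^(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - AUTH: Failed login attempt for user '(?<user>[^']+)' from IP '(?<src_ip>[^']+)'\. Reason: (?<reason>[^.]+)\.$
    Time_Key     time
    Time_Format  %Y-%m-%d %H:%M:%S
```

Apply with sudo systemctl restart fluent-bit, watch sudo journalctl -u fluent-bit -f for parser or TLS errors, and confirm delivery with curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/firewall-logs/_count. Two cautions for anything beyond a throwaway lab: the configuration holds the password in clear text, so keep the file root-owned and not world-readable; and the es output writes with whatever privileges the user has, so a compromised agent holding the elastic superuser password is a full cluster compromise. Create a dedicated role with only create_doc and auto_configure on firewall-logs* and a user bound to it, and put that user here instead of elastic.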
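The task list names writing detection rules, but the page ends with the sample data. As an added example (not from the original page), the script below encodes the logic a Kibana threshold rule would express, run locally over the thirteen sample lines so you can see which ones fire before building the rule in Kibana: a source IP with many failures in a window (brute force), a source IP cycling through many distinct usernames (password spraying), and one username hit from many distinct sources (distributed brute force). The regex mirrors the page's log format; the sample text is a constructed copy of the lines above. The thresholds (3 events, 3 users, 3 sources inside 60 seconds) are my choice, deliberately low so the tiny sample triggers them; in production they would be far higher and tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a copy of the firewall.log lines shown on the page.
SAMPLE_LOG = """\
2025-09-15 21:19:10 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.2.20'. Reason: Incorrect password.
2025-09-15 21:19:11 - AUTH: Failed login attempt for user 'root' from IP '172.16.2.20'. Reason: User does not exist.
2025-09-15 21:19:12 - AUTH: Failed login attempt for user 'backup_user' from IP '172.16.2.20'. Reason: Incorrect password.
2025-09-15 21:19:10 - AUTH: Failed login attempt for user 'backup_user' from IP '172.16.5.25'. Reason: Too many attempts.
2025-09-15 21:19:11 - AUTH: Failed login attempt for user 'sysadmin' from IP '172.16.43.36'. Reason: User does not exist.
2025-09-15 21:19:12 - AUTH: Failed login attempt for user 'service_account_2' from IP '172.16.209.170'. Reason: User does not exist.
2025-09-15 21:19:13 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.39.72'. Reason: User does not exist.
2025-09-15 21:19:14 - AUTH: Failed login attempt for user 'guest' from IP '172.16.210.88'. Reason: Incorrect password.
2025-09-15 21:19:15 - AUTH: Failed login attempt for user 'guest' from IP '172.16.77.96'. Reason: Incorrect password.
2025-09-15 21:19:16 - AUTH: Failed login attempt for user 'db_admin' from IP '172.16.24.146'. Reason: User does not exist.
2025-09-15 21:19:17 - AUTH: Failed login attempt for user 'web_user' from IP '172.16.136.135'. Reason: Account locked.
2025-09-15 21:19:18 - AUTH: Failed login attempt for user 'service_account_1' from IP '172.16.24.89'. Reason: Too many attempts.
2025-09-15 21:19:19 - AUTH: Failed login attempt for user 'db_admin' from IP '172.16.181.30'. Reason: Too many attempts.
"""

# Same field layout as the page's log format: timestamp, user, source IP, reason.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - AUTH: Failed login attempt for user "
    r"'(?P<user>[^']+)' from IP '(?P<src_ip>[^']+)'\. Reason: (?P<reason>[^.]+)\.$"
)


def parse_events(text):
    """Parse raw log text into dicts sorted by timestamp; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    events.sort(key=lambda e: e["ts"])  # the sample file is not in time order
    return events


def max_in_window(events, window, field):
    """For one time-sorted group, return the largest (event count, distinct values of
    `field`) observed inside any sliding window of length `window`."""
    best_count = best_distinct = 0
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        chunk = events[start:end + 1]
        best_count = max(best_count, len(chunk))
        best_distinct = max(best_distinct, len({e[field] for e in chunk}))
    return best_count, best_distinct


def detect(events, window=timedelta(seconds=60), max_failures=3, max_users=3, max_sources=3):
    """Return (rule, key, value) alerts (thresholds are assumptions tuned to the sample):
       brute_force             - one source IP with >= max_failures failures in a window
       password_spray          - one source IP trying >= max_users distinct usernames in a window
       distributed_brute_force - one username hit from >= max_sources distinct IPs in a window"""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in events:  # events are already time-sorted, so each group stays sorted
        by_ip[e["src_ip"]].append(e)
        by_user[e["user"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        count, users = max_in_window(evs, window, "user")
        if count >= max_failures:
            alerts.append(("brute_force", ip, count))
        if users >= max_users:
            alerts.append(("password_spray", ip, users))
    for user, evs in by_user.items():
        _, sources = max_in_window(evs, window, "src_ip")
        if sources >= max_sources:
            alerts.append(("distributed_brute_force", user, sources))
    return alerts


if __name__ == "__main__":
    for rule, key, value in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:24} {key:20} {value}")
```

On the sample this fires three times: 172.16.2.20 trips both the brute-force and the spray rule (three failures against three different accounts in three seconds, including a probe for root), and service_account_1 trips the distributed rule because three different sources target it within the window. The same three signals map onto Kibana threshold rules once the events are indexed with user and src_ip fields: group by src_ip with a count threshold, group by src_ip with a cardinality threshold on user, and group by user with a cardinality threshold on src_ip.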



