The objectives will be to:<\/p>\n
- \n
- Setup a VM separate from your Raspberry PI with Linux;<\/li>\n
- Install Elasticsearch, Logstash, Kibana (ELK Stack) and Nginx on the VM;<\/li>\n
- Install Filebeat from your Zeek sensor on Raspberry Pi;<\/li>\n
- Make sure everything is working (logs, queries, services);<\/li>\n<\/ul>\n
Virtual Machine Creation<\/strong><\/p>\n
I have an old PC that has been repurposed into a virtual machine host. I use VirtualBox as my hypervisor, but using VMware works as well.<\/p>\n
For the purposes of this project, I downloaded an Ubuntu 20.04 LTS server image and installed it with the following settings:<\/p>\n
- \n
- 4 GB of RAM;<\/li>\n
- 100 GB Hard Drive;<\/li>\n
- 2 CPUs;<\/li>\n
- Bridged network adapter.<\/li>\n<\/ul>\n
I won’t go into the specifics of how to setup VirtualBox and setting up the VM. A quick web search can show many ways to go about this. I used the automated install utility in Ubuntu and made sure my network card had a static IP address and used all the hard drive space through the partition tool. Make sure you install ssh to login to your new server and apply the latest patches through<\/p>\n
sudo apt-get update;apt-get dist-upgrade<\/pre>\n
Installing Elasticsearch, Logstash and Kibana (ELK) on the VM<\/strong><\/p>\n
Again, not to turn this into a HOWTO on Elasticsearch installation, I used the instructions provided at:<\/p>\n
https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-20-04<\/a><\/p>\n
Make sure you pay particular attention to the JAVA and Nginx installation instructions. It’s mostly installed from binaries available at Elastic. I am not an expert in Elasticsearch, I just took the stock settings.\u00a0 This will get the vanilla Elasticsearch app going.\u00a0 No SSL, no extras with the X-pack modules.<\/p>\n
Install Filebeat on your Zeek Sensor<\/strong><\/p>\n
Here comes the fun part. Because Elastic doesn’t compile it’s binaries for ARM architecture, we will have to compile Filebeat from source with multiple dependencies. Filebeat also makes use of Golang.\u00a0 If you want to save yourself some grief, you can also clone and run Josh Thurston’s easyBeats<\/a> github repository which will do much of the heavy lifting explained below:<\/p>\n
The steps to retrieve and install are as follows:<\/p>\n
First we need pip and git.<\/p>\n
sudo apt-get install python-pip git<\/pre>\n
Then virtualenv.<\/p>\n
sudo pip install virtualenv<\/pre>\n
We’re ready to download and decompress Go (for raspi) and set the environment variable in the shell.<\/p>\n
wget https:\/\/dl.google.com\/go\/go1.16.3.linux-armv6l.tar.gz\r\nsudo tar -C \/usr\/local -xzf go1.16.3.linux-armv6l.tar.gz\r\nexport PATH=$PATH:\/usr\/local\/go\/bin\r\n<\/pre>\n
Then we test to make sure all is running as it should type in go version<\/em>:<\/p>\n
go version<\/em> \r\n\r\ngo version go1.16.3 linux\/arm<\/pre>\n
Now we setup the environment for filebeat:<\/p>\n
export GOPATH=$HOME\/go\r\nmkdir go\r\nmkdir -p ${GOPATH}\/src\/github.com\/elastic\r\ncd ${GOPATH}\/src\/github.com\/elastic<\/pre>\nFinally we retreive and build filebeat. You should be in the ~\/go\/src\/github.com\/elastic directory.<\/p>\n
3 things to watch out for.<\/p>\n
- \n
- On some installs I had an issue with memory filling up and not swapping. I usually reboot the device before building filebeat.<\/li>\n
- This is the filebeat version I installed from the git repository at the time of writing. It may not be the most recent version or the version you want to use. You can consult the different branches here: https:\/\/github.com\/elastic\/beats<\/a>. As of the writing of this, the latest release of beats on github is 8.0 (Oct 2021)<\/li>\n
- I compiled with the newest version of GO (1.16.x), but was having x.509 issues in the logs.\u00a0 If anyone with Golang experience can get the environment variable: GODEBUG=x509ignoreCN=0, and have it work in filebeat without error, let me know, or just use SANs in your x.509 cert as well…<\/li>\n<\/ol>\n
The commands to input are in italics<\/em>, the messages are in normal text.<\/p>\n
git clone https:\/\/github.com\/elastic\/beats.git \r\ncd beats\/ \r\ncd filebeat\/ \r\nmake\r\n\r\n<\/em><\/pre>\n
On make, the prompt should appear similar to this:<\/p>\n
go build -ldflags \"-X github.com\/elastic\/beats\/libbeat\/version.buildTime=2021-03-14T16:50:53Z -X github.com\/elastic\/beats\/libbeat\/version.commit=1d9cced55410003f5d0b4594ff5471d15a4e2900\"\r\n<\/em><\/pre>\n
If things went swimmingly you should have a new executable file named filebeat. To perform some tests to see that it’s responsive you can type:<\/p>\n
.\/filebeat -e -v<\/pre>\n
You should see some messages outlining the log and executable paths.<\/p>\n
Next is to setup the ‘standard’ directories and files for configuration.<\/p>\n
sudo mkdir \/usr\/share\/filebeat \/usr\/share\/filebeat\/bin \/etc\/filebeat \/var\/log\/filebeat \/var\/lib\/filebeat\r\nsudo mv filebeat \/usr\/share\/filebeat\/bin\r\nsudo mv module \/usr\/share\/filebeat\/\r\nsudo mv modules.d\/ \/etc\/filebeat\/\r\nsudo cp filebeat.yml \/etc\/filebeat\/\r\nsudo chmod 750 \/var\/log\/filebeat\r\nsudo chmod 750 \/etc\/filebeat\/\r\nsudo chown -R root:root \/usr\/share\/filebeat\/*<\/pre>\n
Create the file for the filebeat service to make it start on boot and can be stopped through the service layer. Use your own favorite text editor for this (I like joe for my default editor).<\/p>\n
sudo joe \/lib\/systemd\/system\/filebeat.service<\/pre>\n
Fill in the file with:<\/p>\n
[Unit]\r\nDescription=filebeat\r\nDocumentation=https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/current\/index.html\r\nWants=userwork-online.target\r\nAfter=network-online.target\r\n\r\n[Service]\r\nEnvironment=\"GODEBUG='madvdontneed=1'\"\r\nEnvironment=\"BEAT_LOG_OPTS=\"\r\nEnvironment=\"BEAT_CONFIG_OPTS=-c \/etc\/filebeat\/filebeat.yml\"\r\nEnvironment=\"BEAT_PATH_OPTS=--path.home \/usr\/share\/filebeat --path.config \/etc\/filebeat --path.data \/var\/lib\/filebeat --path.logs \/var\/log\/filebeat\"\r\nExecStart=\/usr\/share\/filebeat\/bin\/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS\r\nRestart=always\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
And now to add the service to the regular rotation of services:<\/p>\n
sudo systemctl enable filebeat.service<\/em>\r\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/filebeat.service \u2192 \/lib\/systemd\/system\/filebeat.service.\r\nsudo service filebeat start\r\nsudo service filebeat status<\/em>\r\n\u25cf filebeat.service - filebeat\r\n Loaded: loaded (\/lib\/systemd\/system\/filebeat.service; enabled; vendor preset:\r\n Active: active (running) since Sun 2020-06-28 16:25:20 BST; 8s ago\r\n Docs: https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/current\/index.html\r\n Main PID: 18536 (filebeat)\r\n Tasks: 14 (limit: 4915)\r\n Memory: 7.7M\r\n CGroup: \/system.slice\/filebeat.service\r\n \u2514\u250018536 \/usr\/share\/filebeat\/bin\/filebeat -c \/etc\/filebeat\/filebeat.ym\r\n\r\nJun 28 16:25:20 raspi systemd[1]: Started filebeat.\r\n\r\n\r\n<\/pre>\n
The filebeat configuration file can be found in \/etc\/filebeat\/filebeat.yml. You’ll want to modify it to reflect:<\/p>\n
- \n
- Where your elasticsearch server IP is (replace xxx with the IP of your server.)<\/li>\n<\/ol>\n
My filebeat.yml looks like this, changed this to input directly to elasticsearch and remove logstash.\u00a0 The areas I modified are in kibana, elasticsearch and added the setup.ilm lines at the end of the file.\u00a0 Also if you go to Tag Country, State and City Information to Zeek Elasticsearch Entries<\/a> you can add some geotagging information for your local traffic from this filebeat config file.<\/p>\n
setup.kibana:\r\n host: \"xxx.xxx.xxx.xxx:5601\"\r\n\r\noutput.elasticsearch:\r\n hosts: [\"http:\/\/xxx.xxx.xxx.xxx:9200\"]\r\n \r\n\r\nsetup.ilm.rollover_alias: \"filebeat-%{[agent.version]}\"\r\nsetup.ilm.pattern: \"{now\/M{yyyy.MM}}-000001\"\r\n\r\n<\/pre>\nNext to modify the \/etc\/filebeat\/modules.d\/zeek.yml<\/strong><\/em> file to ensure filebeat picks up the distinct logs Zeek can produce.\u00a0 You can mix and match what logs are most important to you.\u00a0 Also remember the more logs, the more power needed to crunch and transmit to the Elastic hub.\u00a0 My zeek.yml file is below:<\/p>\n
# Module: zeek\r\n# Docs: https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/7.11\/filebeat-module-zeek.html\r\n\r\n- module: zeek\r\n capture_loss:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/capture_loss.log\"]\r\n connection:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/conn.log\"]\r\n dce_rpc:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/dce_rpc.log\"]\r\n dhcp:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/dhcp.log\"]\r\n dnp3:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/dnp3.log\"]\r\n dns:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/dns.log\"]\r\n dpd:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/dpd.log\"]\r\n files:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/files.log\"]\r\n ftp:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/ftp.log\"]\r\n http:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/http.log\"]\r\n intel:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/intel.log\"]\r\n irc:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/irc.log\"]\r\n kerberos:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/kerberos.log\"]\r\n modbus:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/modbus.log\"]\r\n mysql:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/mysql.log\"]\r\n notice:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/notice.log\"]\r\n ntlm:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/ntlm.log\"]\r\n ocsp:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/ocsp.log\"]\r\n pe:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/pe.log\"]\r\n radius:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/radius.log\"]\r\n rdp:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/rdp.log\"]\r\n rfb:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/rfb.log\"]\r\n# signatures:\r\n# enabled: true\r\n# var.paths: [\"\/usr\/local\/zeek\/logs\/current\/signatures.log\"]\r\n sip:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/sip.log\"]\r\n smb_cmd:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/smb_cmd.log\"]\r\n smb_files:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/smb_files.log\"]\r\n smb_mapping:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/smb_mapping.log\"]\r\n smtp:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/smtp.log\"]\r\n snmp:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/snmp.log\"]\r\n socks:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/socks.log\"]\r\n ssh:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/ssh.log\"]\r\n ssl:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/ssl.log\"]\r\n stats:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/stats.log\"]\r\n syslog:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/syslog.log\"]\r\n traceroute:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/traceroute.log\"]\r\n tunnel:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/tunnel.log\"]\r\n weird:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/weird.log\"]\r\n x509:\r\n enabled: true\r\n var.paths: [\"\/usr\/local\/zeek\/logs\/current\/x509.log\"]<\/pre>\n
Activate the module.\u00a0 From the \/etc\/filebeat directory:<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/zeek-enable.png\")
<\/p>\nI also enable the system module to keep track of syslog and other linux logs outside of Zeek.<\/p>\n
You can list the available modules as well (and see what else can be integrated with filebeat)<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/moduleslist.png\")
<\/p>\n<\/p>\n
Make sure you restart your filebeat service once the configuration file is modified.<\/p>\n
sudo service filebeat restart<\/pre>\n
An additional useful command:\u00a0 journalctl -u filebeat.service –since “5 minutes ago”<\/em><\/p>\n
This will allow to see all the startup logs for the service and troubleshoot any issues.\u00a0 Invaluable in case you don’t see any activity on the service or towards your elasticstack.<\/p>\n
Checking Elastic for Logs<\/strong><\/p>\n
Lets check to make sure the new logs are making it into Elasticsearch and that we can see them in Kibana. Browse to your Kibana instance and you should be presented with a home page similar to the one below.<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/elastichome.png\")
<\/p>\nThis main menu shows you the fundamental features of Elastic.\u00a0 You can also dive deeper by pressing the three parallel line icon in the top left corner and get more choices:<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/menuparallel.png\")
<\/p>\nTo check whether your elastic server is picking up logs, go to the Analytics<\/em> Menu and click on Discover<\/em>.\u00a0 If you see logs, this is good.\u00a0 It should look similar to the image below.\u00a0 If not, recheck your steps above.<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/elasticdiscover.png\")
<\/p>\nAnother tip, in the past Elasticsearch and Kibana don’t necessarily capture all the fields from the messages sent from the Zeek sensor. This is where remaking the index patterns is important once information starts flowing to ensure that elastic is processing your JSON key pairs correctly. You can do this through the Management<\/em> menu item and click on Stack Management<\/em> at the bottom of the menu choices.\u00a0 This will bring you to a new page.\u00a0 Once you’re in the Stack Managemen<\/em>t menu, click on Index Management<\/em><\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/mangement.jpg\")
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/management.png\")
<\/p>\nA new page will be loaded, in the top center area there will be some tab choices.\u00a0 Click on Index Templates.<\/em><\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/Indexmgmt.png\")
<\/p>\nUse the Search bar to look for your index.\u00a0 It’s probably called filebeat-*<\/em> or something similar and is at the bottom of the page as this is a ‘legacy’ index.\u00a0 Mouse over the template name so that the pencil and trash icons appear.\u00a0 Click on the trash icon to start deleting the index.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/legacytemplate.png\")
<\/p>\nUpon pressing the trash bin, a popup to confirm the deletion will appear.\u00a0 Click on the Delete template <\/em>button.<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/deletetemp.png\")
<\/p>\nOnce you have deleted the template, go back to your Zeek sensor and restart the filebeat service, I also check the status just in case it doesn’t come up correctly.\u00a0 Wait a few minutes, refresh your browser screen on the Index Management<\/em> page and your index should regenerate in the Index Templates<\/em> menu.\u00a0 Note: You may have to reset filebeat a few times if it’s not coming back up.<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/filebeatstat.png\")
<\/p>\n<\/p>\n
Viewing the Security Dashboards
\n<\/strong><\/p>\nNow we get to the part we’ve all been waiting for, how do we get out data into graphs and tables?\u00a0 Click on the three parallel line icon and choose Security<\/em>.<\/p>\n
If the steps above were followed and successful you should see some additional details in this menu through the Overview<\/em> tab similar to below.<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/secoverview1.png\")
<\/p>\nThese bar graphs show different information from the Zeek logs that are being sent.\u00a0 The top graph is for the Elastic internal detection alerts.\u00a0 Elastic has some rules that it uses to detect alerts through the Security -> Rules <\/em> screen.\u00a0 In this case Zeek is detecting a PPTP VPN attempt on my local network.\u00a0 All sorts of other detection rules can be configured.<\/p>\n
The second graph is the threat intel hits from the intel.log and weird.log files from Zeek.\u00a0 If you click on the View alerts button, it will filter the raw logs from the Discovery<\/em> page for further analysis.<\/p>\n
You can then scroll down further and see some of the more nitty gritty statistics from the ingest pipelines going into your Elastic instance.\u00a0 In this case since i’m only using Zeek and filebeat it will only show results from those applications.\u00a0 The top graphs can be drilled down further for the different types of logs (IE DNS, SSL etc).<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/secognition.com\/wp-content\/uploads\/2020\/09\/overview2.png\")
<\/p>\nOther logs can be added and if you scroll down further a new functionality around Threat Intelligence<\/em> can be added.\u00a0 Click through the different screens on the Security<\/em> menu\u00a0 to view more visualization options.\u00a0 One that always gets oohs and ahhs from the more network inclined folks is the hosts map where Elastic can use the geolocation of logs to show traffic between points on a world map, top talkers from source and destination IP perspectives and top traffic to different countries.<\/p>\n
I sincerely hope this has helped you on your journey to better visualize\u00a0 your Zeek information.\u00a0 let me know in the comments if you have come up with other visualizations or ways of doing things.<\/p>\n
Stay safe<\/p>\n
–David<\/p>\n
<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Updated 03-14-2021 – added new beats, golang version, extra warnings Updated 10-02-2021 – Redid screenshots reflecting Elastic 7.15, move to Zeek filebeat module & pre-canned reports Hi Folks! It has been awhile, thank you for your patience. I have been doing some work in respect to the visualization of Zeek logs. This is a long…
Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,5,7],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ids","category-security","category-zeek"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=192"}],"version-history":[{"count":0,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions"}],"wp:attachment":[{"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- I compiled with the newest version of GO (1.16.x), but was having x.509 issues in the logs.\u00a0 If anyone with Golang experience can get the environment variable: GODEBUG=x509ignoreCN=0, and have it work in filebeat without error, let me know, or just use SANs in your x.509 cert as well…<\/li>\n<\/ol>\n