Install directions:
I am root! So, sudo in the following steps is superfluous.
Install Elasticsearch
1. Get the GPG key from elasticsearch
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
2. Install apt-transport-https (may already be installed)
apt-get install apt-transport-https
3. Add the repository for elastic (my latest was 8.x)
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
4. Update and install elasticsearch
sudo apt-get update && sudo apt-get install elasticsearch
5. Copy the security and setup information from the output. You can find this in the [security](#security-information) section.
6. Complete the operations in [startup](#startup)
systemctl enable elasticsearch
systemctl start elasticsearch
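The six steps above as one script. This is an added example, not the original notes; it follows the same commands but adds the one check a package install from a third-party repository should have: the downloaded signing key is compared against the fingerprint Elastic publishes in its install documentation (4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4) before it is dearmored into the keyring, because a key fetched over HTTPS is otherwise trusted blind. The log path /root/elasticsearch-install.log, the --install switch and the function names are my own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): install the Elastic apt
# repository as the notes describe, but verify the signing key's fingerprint
# before it is placed in the keyring. Expected fingerprint is the one Elastic
# publishes in its install docs.
set -euo pipefail

ELASTIC_FPR="46095ACC8548582C1A2699A9D27D666CD88E42B4"
KEYRING=/usr/share/keyrings/elasticsearch-keyring.gpg
KEY_URL=https://artifacts.elastic.co/GPG-KEY-elasticsearch
REPO_VERSION="${REPO_VERSION:-8.x}"

# Extract the primary-key fingerprint from `gpg --with-colons` output on stdin.
# Lines look like "fpr:::::::::<40 hex chars>:"; field 10 holds the value and
# the first fpr line belongs to the primary key (subkeys follow later).
primary_fingerprint() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare a fingerprint (spaces and case ignored) with the published one.
fingerprint_ok() {
  local got
  got="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')"
  [ "$got" = "$ELASTIC_FPR" ]
}

# Download the armored key, check it, and only then dearmor it into place.
install_signing_key() {
  local tmp fpr
  tmp="$(mktemp)"
  wget -qO "$tmp" "$KEY_URL"
  fpr="$(gpg --show-keys --with-colons "$tmp" | primary_fingerprint)"
  if ! fingerprint_ok "$fpr"; then
    echo "refusing to trust key with fingerprint '$fpr'" >&2
    rm -f "$tmp"
    return 1
  fi
  gpg --dearmor -o "$KEYRING" < "$tmp"
  rm -f "$tmp"
}

# The sources.list entry, bound to that keyring only (signed-by), so the
# Elastic key cannot vouch for any other repository on the host.
repo_line() {
  printf 'deb [signed-by=%s] https://artifacts.elastic.co/packages/%s/apt stable main\n' \
    "$KEYRING" "$1"
}

install_elasticsearch() {
  apt-get install -y apt-transport-https
  install_signing_key
  repo_line "$REPO_VERSION" > "/etc/apt/sources.list.d/elastic-${REPO_VERSION}.list"
  apt-get update
  # Keep the installer output: it prints the elastic superuser password and
  # the enrollment instructions exactly once. /root is mode 700 on Debian.
  apt-get install -y elasticsearch | tee /root/elasticsearch-install.log
  systemctl daemon-reload
  systemctl enable --now elasticsearch.service
}

# Run as root with --install; sourcing the file without it only defines
# the functions.
if [ "${1:-}" = "--install" ]; then
  install_elasticsearch
fi
```

If the fingerprint check ever fails, stop and compare the key against the fingerprint on Elastic's own site rather than adding it anyway; a wrong key at this step means every later `apt-get install elasticsearch` is trusting whoever served it.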
Installing Kibana
Assuming you have completed the installation of Elasticsearch above:
1. Install kibana
apt install kibana
2. Generate an enrollment token for kibana
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
resulted in: eyJ2ZXIiOiI4LjUuMyIsImFkciI6WyIxNzIuMTYuMC41MDo5MjAwIl0sImZnciI6ImMyNTU5NTIzNzgwM2EzOGRiNDI2ZGIzNmVlM2EwNjg2ZjQwNzlkZWUwN2RiNmEwYTNjYjBhZDY0ZmZiMTRhOGUiLCJrZXkiOiJ3bS14TUlVQko5S0I3X2hCMXZJdjpJWGVYalB2eVQ4LWFXUllQcFQ5ZmFRIn0=
NOTE: I did not change any settings in /etc/kibana/kibana.yml. You can see the settings the install created at the end of the file.
3. Start kibana
systemctl enable kibana
systemctl start kibana
4. Go to the webpage elk.home.scotnpatti.com and paste the above token for Kibana in. Again, I did not change any other elements. At this point, it asked for a verification code, which can be recovered with:
/usr/share/kibana/bin/kibana-verification-code
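The enrollment token above is worth a look before it is pasted anywhere. It is base64 of a small JSON object: the Elasticsearch version, the node address, the SHA-256 fingerprint of the node's HTTP CA, and a live API key (the `key` field), which is why a token is a secret and not a harmless blob for notes; it also expires 30 minutes after `elasticsearch-create-enrollment-token` prints it. The script below is an added example, not part of the original notes: it decodes the token shown above, checks that its CA fingerprint matches the CA the installer wrote to /etc/elasticsearch/certs/http_ca.crt (the Elasticsearch 8 package default, assumed here), and then queries the node over TLS pinned to that CA instead of with `-k`. The --verify switch and function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): inspect a Kibana enrollment
# token and confirm it is bound to this node's HTTP CA. Paths are the
# Elasticsearch 8 package defaults.
set -euo pipefail

ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"

# Enrollment tokens are base64 of
#   {"ver":"...","adr":["host:9200"],"fgr":"<sha256 of http CA, hex>","key":"<id>:<secret>"}
# The "key" is a real API key on the cluster, so treat the token as a secret.
decode_token() {
  printf '%s' "$1" | base64 -d
}

# Pull one field out of the decoded JSON without jq; the structure is flat.
# "adr" is an array, returned as a comma-separated list of host:port.
token_field() {
  local tok="$1" field="$2"
  case "$field" in
    adr) decode_token "$tok" | sed -n 's/.*"adr":\[\([^]]*\)\].*/\1/p' | tr -d '"' ;;
    *)   decode_token "$tok" | sed -n "s/.*\"$field\":\"\([^\"]*\)\".*/\1/p" ;;
  esac
}

# Normalise an OpenSSL fingerprint line ("sha256 Fingerprint=C2:55:...")
# or a bare hex string to lowercase hex with no separators.
normalize_fpr() {
  printf '%s' "$1" | sed 's/.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the CA certificate the node presents on :9200.
ca_fingerprint() {
  normalize_fpr "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Succeeds only if the token's "fgr" equals the given fingerprint.
token_matches_ca() {
  local tok="$1" fpr
  fpr="$(normalize_fpr "$2")"
  [ "$(token_field "$tok" fgr)" = "$fpr" ]
}

# Full check against a live node: decode the token, compare its CA
# fingerprint with the local http_ca.crt, then prove TLS works with that CA.
verify_enrollment() {
  local tok="$1" first_node
  echo "token version : $(token_field "$tok" ver)"
  echo "token targets : $(token_field "$tok" adr)"
  echo "token CA fgr  : $(token_field "$tok" fgr)"
  if token_matches_ca "$tok" "$(ca_fingerprint "$ES_CA")"; then
    echo "CA fingerprint matches $ES_CA"
  else
    echo "MISMATCH: token was not issued for the CA in $ES_CA" >&2
    return 1
  fi
  first_node="$(token_field "$tok" adr | cut -d, -f1)"
  # Pinned to the node's own CA, no -k/--insecure. Prompts for the elastic
  # password; rotate it once it has been printed by the installer:
  #   /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
  curl --silent --show-error --cacert "$ES_CA" -u elastic "https://${first_node}/"
}

# The token from the notes above. It has long expired (30-minute lifetime),
# but the API key it carried is the reason not to keep these in documentation.
EXAMPLE_TOKEN='eyJ2ZXIiOiI4LjUuMyIsImFkciI6WyIxNzIuMTYuMC41MDo5MjAwIl0sImZnciI6ImMyNTU5NTIzNzgwM2EzOGRiNDI2ZGIzNmVlM2EwNjg2ZjQwNzlkZWUwN2RiNmEwYTNjYjBhZDY0ZmZiMTRhOGUiLCJrZXkiOiJ3bS14TUlVQko5S0I3X2hCMXZJdjpJWGVYalB2eVQ4LWFXUllQcFQ5ZmFRIn0='

if [ "${1:-}" = "--verify" ]; then
  verify_enrollment "${2:-$EXAMPLE_TOKEN}"
fi
```

Run it as `./check-token.sh --verify <fresh token>` on the Elasticsearch host. A mismatch means the token came from a different node or CA than the one you are about to enroll Kibana against, which is exactly the case the fingerprint field exists to catch.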
Connecting pfSense
In order to connect pfSense we have to install the agent, but the agent does not run on pfSense, so pfSense must forward its logs over syslog to a server that is running the agent. The agent takes very little resources, so I don't see why we shouldn't run it on the "single server" setup above. Here are the steps for connecting pfSense.
1. In Kibana go to Management, Integrations, and search for pfSense.
2. Set the integration name and set the syslog host to 0.0.0.0 so that it can receive logs from pfSense. This binds the listener on every interface of the agent host, so restrict the syslog port to the pfSense address with a firewall rule. Leave pretty much everything else at the defaults. Save and Add.
3. Add a Fleet server.
4. Add the integration. Add --insecure to get it to install with a self-signed certificate. Note that --insecure turns off verification of the Fleet server's TLS certificate for the agent; the verified alternative is to pass the CA that signed that certificate with --certificate-authorities.
Security information
Authentication and authorization are enabled. TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : 9srX8=zAaO2szAwgItQs
If this node should join an existing cluster, you can reconfigure this with
/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
Generate an enrollment token for Kibana instances with
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
Generate an enrollment token for Elasticsearch nodes with
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
Startup
NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Original was written in Markdown: ElasticSearchVMConfig.md