Attachment 'ElasticSearchVMConfig.md'

# Install directions:

I am root! So, sudo in the following steps is superfluous.

## Install Elastic Search

1. Get the GPG key from elasticsearch

    ```
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
    ```

1. Install apt-transport-https (may already be installed)

    ```
    apt-get install apt-transport-https
    ```

1. Add the repository for elastic (my latest was 8.x)

    ```
    echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
    ```

1. Update and install elasticsearch

    ```
    sudo apt-get update && sudo apt-get install elasticsearch
    ```

1. Copy the security and setup information from the output. You can find this in the [security](#security-information) section.

1. Complete the operations in [startup](#startup)

    ```
    systemctl enable elasticsearch
    systemctl start elasticsearch
    ```

## Installing Kibana

Assuming you have completed the installation of Elastic Search above:

1. Install kibana

    ```
    apt install kibana
    ```

1. Generate an enrollment token for kibana

    ```
    /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
    ```

    resulted in:

    ```
    eyJ2ZXIiOiI4LjUuMyIsImFkciI6WyIxNzIuMTYuMC41MDo5MjAwIl0sImZnciI6ImMyNTU5NTIzNzgwM2EzOGRiNDI2ZGIzNmVlM2EwNjg2ZjQwNzlkZWUwN2RiNmEwYTNjYjBhZDY0ZmZiMTRhOGUiLCJrZXkiOiJ3bS14TUlVQko5S0I3X2hCMXZJdjpJWGVYalB2eVQ4LWFXUllQcFQ5ZmFRIn0=
    ```

    NOTE: I did not change any settings in /etc/kibana/kibana.yml. You can observe the settings the install created by looking at the end of the file.

1. Start kibana

    ```
    systemctl enable kibana
    systemctl start kibana
    ```

1. Go to the webpage elk.home.scotnpatti.com and paste the above token for kibana in. Again, I did not change any other elements. At this point, it asked for a verification code which can be recovered at:

    ```
    /usr/share/kibana/bin/kibana-verification-code
    ```
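The enrollment token above is worth understanding before it is pasted anywhere: it is plain base64 of a JSON object carrying the Elasticsearch version, the node address, the fingerprint of the HTTP CA certificate that Kibana pins on first contact, and an API key (`id:secret`) that Kibana authenticates with. The following is an added example, not part of the original notes and not Elastic's own tooling; it decodes the token from this page and reports everything except the secret half of the API key.

```python
import base64
import binascii
import json

# The Kibana enrollment token produced by elasticsearch-create-enrollment-token
# in the steps above (copied from this page).
ENROLLMENT_TOKEN = (
    "eyJ2ZXIiOiI4LjUuMyIsImFkciI6WyIxNzIuMTYuMC41MDo5MjAwIl0sImZnciI6ImMyNTU5NTIz"
    "NzgwM2EzOGRiNDI2ZGIzNmVlM2EwNjg2ZjQwNzlkZWUwN2RiNmEwYTNjYjBhZDY0ZmZiMTRhOGUi"
    "LCJrZXkiOiJ3bS14TUlVQko5S0I3X2hCMXZJdjpJWGVYalB2eVQ4LWFXUllQcFQ5ZmFRIn0="
)


def decode_enrollment_token(token: str) -> dict:
    """Return the JSON payload inside an enrollment token.

    The token is base64 of a JSON object; nothing in it is encrypted, so
    anyone who can read the token can read the API key it carries.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        payload = json.loads(raw)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a valid enrollment token: {exc}") from exc
    for field in ("ver", "adr", "fgr", "key"):
        if field not in payload:
            raise ValueError(f"enrollment token is missing field {field!r}")
    return payload


def summarize_enrollment_token(token: str) -> dict:
    """Describe a token without exposing the secret part of its API key.

    'fgr' is the SHA-256 fingerprint of the HTTP CA certificate that Kibana
    uses to verify the Elasticsearch node; 'key' is an API key as id:secret.
    Only the id half is kept here, the secret is replaced with a marker.
    """
    payload = decode_enrollment_token(token)
    key_id, _, _secret = payload["key"].partition(":")
    fgr = payload["fgr"].lower()
    return {
        "version": payload["ver"],
        "addresses": list(payload["adr"]),
        "ca_fingerprint": fgr,
        "ca_fingerprint_is_sha256": len(fgr) == 64
        and all(c in "0123456789abcdef" for c in fgr),
        "api_key_id": key_id,
        "api_key_secret": "<redacted>",
    }


if __name__ == "__main__":
    print(json.dumps(summarize_enrollment_token(ENROLLMENT_TOKEN), indent=2))
```

Because the API key inside the token is a live credential until it is used or expires, the token should be handled like the `elastic` password, not like a configuration value.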

## Connecting pfSense

In order to connect pfSense, we have to install the agent, but this agent does not run on pfSense; instead, it appears that pfSense must forward its logs to a server that is running the agent. The agent takes very few resources, so I don't see why we shouldn't run it on the "single server" setup above. Here are the steps for connecting pfSense.

1. In Kibana go to Management, Integrations, and search for pfSense.
2. Set the integration name, and set the syslog host to 0.0.0.0 so that it can receive logs from pfSense. Leave pretty much everything else as default. Save and Add.
3. Add a fleet server.
4. Add the integration, passing `--insecure` so that it installs with the self-signed certificate.
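With the syslog host set to 0.0.0.0, the agent listens on every interface of the server, so anything that can reach that port can inject log lines. The following is an added example (not part of the original notes, and not Elastic Agent or pfSense code) of the check a receiver should make before indexing a datagram: accept it only from the pfSense address and only if it parses as an RFC 3164 syslog line. The pfSense address 172.16.0.1 and the sample line are constructed for the example.

```python
import ipaddress
import re

# Address the pfSense integration binds, as set in step 2 above (all interfaces).
SYSLOG_BIND_HOST = "0.0.0.0"

# Hypothetical allow-list: the pfSense address is a constructed value, not from the page.
ALLOWED_SOURCES = [ipaddress.ip_network("172.16.0.1/32")]

# Constructed sample: PRI 134 = facility 16 (local0) * 8 + severity 6 (info).
SAMPLE_LINE = "<134>Jul  7 15:02:25 pfSense filterlog[54321]: constructed filterlog body"

# RFC 3164 layout: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> dict:
    """Split one syslog line into its fields; raise ValueError if it is malformed."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line does not look like an RFC 3164 syslog message")
    pri = int(m.group("pri"))
    if pri > 191:  # facilities 0-23 and severities 0-7 give at most 23*8+7
        raise ValueError(f"PRI {pri} is out of range")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def should_accept(src_ip: str, line: str, allowed=ALLOWED_SOURCES) -> tuple:
    """Return (accepted, reason) for a datagram from src_ip carrying line.

    The source check comes first: a listener bound to 0.0.0.0 must not trust
    the syslog header's host field, which any sender can forge.
    """
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in allowed):
        return False, f"dropped: {src_ip} is not an allowed syslog source"
    try:
        rec = parse_syslog_line(line)
    except ValueError as exc:
        return False, f"dropped: {exc}"
    return True, (
        f"accepted {rec['tag']} from {rec['host']} "
        f"(facility {rec['facility']}, severity {rec['severity']})"
    )


if __name__ == "__main__":
    for src in ("172.16.0.1", "10.9.8.7"):
        print(src, "->", should_accept(src, SAMPLE_LINE)[1])
```

In practice the same restriction belongs on the server's host firewall (only the pfSense address may reach the syslog port), so the listener on 0.0.0.0 is never reachable from anywhere else.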



# Security information 

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is: `9srX8=zAaO2szAwgItQs`

If this node should join an existing cluster, you can reconfigure this with

```
/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>
```

# You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with

```
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
```

Generate an enrollment token for Kibana instances with

```
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
```

Generate an enrollment token for Elasticsearch nodes with

```
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
```

# Startup
NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd

```
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
```
You can start elasticsearch service by executing

`sudo systemctl start elasticsearch.service`

Attached Files

  • ElasticSearchVMConfig.md (2023-07-07 15:02:25, 4.1 KB)