Install Kibana Ubuntu. Welcome back to Dixmata.com. This time the Dixmata team will walk through installing Kibana, better known as part of the ELK Stack.
“ELK” is an acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server-side data processing pipeline that simultaneously ingests data from multiple sources, converts it, and then sends it to a “store” such as Elasticsearch. Kibana allows users to visualize data with charts and graphs in Elasticsearch.
Elastic Stack is the next evolution of ELK Stack.
- Elasticsearch is an open source, distributed, RESTful, JSON-based search engine. Easy to use, scalable and flexible, it has gained wide popularity among users and the companies built around it, primarily for search.
- Although a search engine at heart, Elasticsearch is increasingly used for logs, and users want an easy way to ingest and visualize them. Logstash, a powerful ingestion pipeline, and Kibana, a flexible visualization tool, fill that role.
- Beats, on the other hand, are log shippers that collect logs from different endpoints and send them to Logstash or directly to Elasticsearch.

Precondition
- OS: we recommend Debian 10/11 or Ubuntu 18.04/20.04
- RAM: 4GB (8GB recommended)
- HDD: 50GB
Step 1 – System Update (Install Kibana Ubuntu)
Before installing any application or service on the server, update the package index and upgrade the installed packages first.
apt update -y
apt upgrade -y
Step 2 – Install Java (Install Kibana Ubuntu)
The ELK Server requires Java version 8 or 11. Run the following command to install OpenJDK 11.
apt install openjdk-11-jdk -y
Check the Java version after the installation finishes:
java --version
openjdk 11.0.12 2021-07-20
OpenJDK Runtime Environment (build 11.0.12+7-post-Debian-2)
OpenJDK 64-Bit Server VM (build 11.0.12+7-post-Debian-2, mixed mode, sharing)
Step 3 – Install Elasticsearch (Install Kibana Ubuntu)
For the installation we recommend using the Elasticsearch repository, which makes the process easier, faster and simpler. Ubuntu/Debian packages for Elasticsearch are available from the Elastic official website or from the APT repository.
Before adding the GPG key, install gnupg first:
apt install gnupg -y
Add the Elastic repository signing key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
If successful, the output is:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Install from the APT repository
Before starting the installation, you need the apt-transport-https package on Debian:
apt-get install apt-transport-https
Save the repository definition with the following command:
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package index so that the new repository is picked up by the system:
apt update
Step 4 – Install Elasticsearch
After successfully adding the ELK repository, continue by installing the first ELK component, Elasticsearch. Use the following command to install it.
apt install elasticsearch
Now configure Elasticsearch. The standard settings you need to adjust are the cluster name, the IP address and the port. Here we use the IP 192.168.1.11 for the ELK Server.
nano /etc/elasticsearch/elasticsearch.yml
# ---------------------------------- Cluster -----------------------------------
..
cluster.name: Dixmata-Cluster
# ---------------------------------- Network -----------------------------------
...
network.host: 192.168.1.11
..
http.port: 9200
# --------------------------------- Discovery ----------------------------------
..
xpack.security.enabled: false
discovery.seed_hosts: []
discovery.type: single-node
Be careful and thorough with the configuration: if there is an error, Elasticsearch will most likely fail to start. Once you are sure it is correct, save the file.
Next, set the JVM heap size according to the system's resources; this strongly affects how well the ELK Server copes with the volume of incoming logs. To set the memory, edit the following file:
nano /etc/elasticsearch/jvm.options
################################################################
## IMPORTANT: JVM heap size
################################################################
..
-Xms1g
-Xmx1g
Save, then enable and start the Elasticsearch service as below:
systemctl enable --now elasticsearch
systemctl restart elasticsearch.service
Confirm the status with the following command:
systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-10-14 22:54:04 WIB; 26s ago
       Docs: https://www.elastic.co
   Main PID: 5605 (java)
      Tasks: 61 (limit: 4675)
     Memory: 1.4G
        CPU: 1min 39.068s
     CGroup: /system.slice/elasticsearch.service
             ├─5605 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch ->
             └─5798 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Oct 14 22:53:40 elk systemd[1]: Starting Elasticsearch...
Oct 14 22:54:04 elk systemd[1]: Started Elasticsearch.
Step 5 – Install Kibana (Install Kibana Ubuntu)
After Elasticsearch is active and running, install Kibana with the following command:
apt install kibana
As with Elasticsearch, you have to configure the IP address and port in Kibana's default configuration file.
nano /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
..
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "192.168.1.11"
..
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://192.168.1.11:9200"]
..
Enable and start the Kibana service (note that the --now option belongs to enable only, not to restart or status):
systemctl enable --now kibana
systemctl restart kibana
Confirm Kibana's status:
systemctl status kibana
● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-10-14 23:10:10 WIB; 9s ago
       Docs: https://www.elastic.co
   Main PID: 6030 (node)
      Tasks: 18 (limit: 4675)
     Memory: 183.3M
        CPU: 11.707s
     CGroup: /system.slice/kibana.service
             ├─6030 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kiban>
             └─6044 /usr/share/kibana/node/bin/node --preserve-symlinks-main --preserve-symlinks /usr/share/kibana/src/cli/dist --logging.dest=/var/log/kibana/kibana.l>

Oct 14 23:10:10 elk systemd[1]: Started Kibana.
The Kibana dashboard may take a few seconds to come up. If the Kibana service is active and running, the ELK Server installation is complete. To open the Kibana dashboard in the browser, use the server IP and the Kibana port 5601:
http://<server-ip-address>:5601
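The settings made in Steps 4 and 5 bind Elasticsearch and Kibana to a LAN address while xpack.security.enabled is false, so both ports answer anyone on that network without a login. The following POSIX shell script is an added example, not part of the Dixmata tutorial: it reads elasticsearch.yml, jvm.options and kibana.yml, flags a non-loopback bind without security, checks that -Xms equals -Xmx and that the heap stays within half of the RAM given as the last argument, and reports the number of warnings as its exit status. The three sample files written at the bottom are constructed to mirror the tutorial's values; the function names and the 4096 MB figure are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Dixmata tutorial): audit the Elasticsearch,
# JVM and Kibana settings from Steps 4 and 5 before exposing the stack on a
# LAN address. File paths are passed as arguments; the sample files created
# at the bottom are constructed to mirror the tutorial's values.

# yaml_get FILE KEY -> value of the first uncommented "KEY: value" line
yaml_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key}:" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]*${key}:[[:space:]]*//; s/[[:space:]]*$//" | tr -d '"'
}

# jvm_heap_mb FILE Xms|Xmx -> heap size in MB from an uncommented -Xms/-Xmx line
jvm_heap_mb() {
    v=$(grep -E "^-$2[0-9]+[gGmM]$" "$1" | head -n 1 | sed -E "s/^-$2//")
    n=$(printf '%s' "$v" | tr -d 'gGmM')
    case "$v" in
        *[gG]) echo $(( ${n:-0} * 1024 )) ;;
        *)     echo "${n:-0}" ;;
    esac
}

# elk_audit ES_YML JVM_OPTIONS KIBANA_YML RAM_MB -> prints findings, returns warning count
elk_audit() {
    warns=0
    es_host=$(yaml_get "$1" network.host)
    sec=$(yaml_get "$1" xpack.security.enabled)
    case "$es_host" in
        ""|127.0.0.1|localhost|_local_)
            echo "OK   Elasticsearch bound to loopback only" ;;
        *)
            if [ "$sec" = "true" ]; then
                echo "OK   Elasticsearch on $es_host with xpack.security.enabled: true"
            else
                echo "WARN Elasticsearch on $es_host with xpack.security.enabled: ${sec:-unset};" \
                     "port 9200 answers unauthenticated requests from the whole network"
                warns=$((warns + 1))
            fi ;;
    esac
    xms=$(jvm_heap_mb "$2" Xms)
    xmx=$(jvm_heap_mb "$2" Xmx)
    if [ "$xms" -ne "$xmx" ]; then
        echo "WARN -Xms ($xms MB) and -Xmx ($xmx MB) differ; set both to the same value"
        warns=$((warns + 1))
    fi
    if [ "$xmx" -gt $(( $4 / 2 )) ]; then
        echo "WARN heap $xmx MB is more than half of $4 MB RAM; leave room for the OS file cache"
        warns=$((warns + 1))
    fi
    kb_host=$(yaml_get "$3" server.host)
    case "$kb_host" in
        ""|127.0.0.1|localhost)
            echo "OK   Kibana bound to loopback only" ;;
        *)
            if [ "$sec" = "true" ]; then
                echo "OK   Kibana on $kb_host with a login page backed by Elasticsearch security"
            else
                echo "WARN Kibana on $kb_host:$(yaml_get "$3" server.port) has no login page while xpack.security is disabled"
                warns=$((warns + 1))
            fi ;;
    esac
    return "$warns"
}

# Constructed sample files mirroring the tutorial's edits
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/elasticsearch.yml" <<'EOF'
# constructed sample mirroring the tutorial's Step 4 edits
cluster.name: Dixmata-Cluster
network.host: 192.168.1.11
http.port: 9200
xpack.security.enabled: false
discovery.type: single-node
EOF
cat > "$SAMPLE_DIR/jvm.options" <<'EOF'
## constructed sample mirroring the tutorial's heap setting
-Xms1g
-Xmx1g
EOF
cat > "$SAMPLE_DIR/kibana.yml" <<'EOF'
# constructed sample mirroring the tutorial's Step 5 edits
server.port: 5601
server.host: "192.168.1.11"
elasticsearch.hosts: ["http://192.168.1.11:9200"]
EOF

# Run against the samples on a 4 GB host (the tutorial's minimum RAM)
elk_audit "$SAMPLE_DIR/elasticsearch.yml" "$SAMPLE_DIR/jvm.options" "$SAMPLE_DIR/kibana.yml" 4096 \
    && echo "warnings: 0" || echo "warnings: $?"
```

Against the tutorial's values the script reports two warnings (the unauthenticated Elasticsearch port and the Kibana UI without a login page) and passes the heap checks, since 1 GB is half of the 4 GB minimum or less. On a real host, point the three arguments at /etc/elasticsearch/elasticsearch.yml, /etc/elasticsearch/jvm.options and /etc/kibana/kibana.yml and pass the machine's RAM in MB; a firewall rule restricting 9200 and 5601 to the Filebeat hosts, or enabling the login page as described at the end of this post, clears the two warnings.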

Step 5 – Install Filebeat (Install Kibana Ubuntu)
Congratulations, you have successfully installed the Kibana ELK Server. Now you need to install and configure Filebeat. What is Filebeat? Filebeat is responsible for shipping data from various source hosts to Elasticsearch or Logstash. In this documentation, the Dixmata.com team will transfer log data from the Suricata installation set up earlier to the ELK Server. You can find that documentation under Install Suricata on Dixmata.com.
NOTES
You can also install and configure Filebeat on the ELK Server itself (localhost); it depends on where the log file data you want to send lives. Here we will try it on the Suricata Server that the Dixmata.com team installed previously.
To install Filebeat on the Suricata Server, follow the commands below. Because we are installing on a different server, we need to add the ELK GPG key and define the repository; if you install on the same server as ELK, this is not necessary.
- Download and install the Public Signing Key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
- Install the apt-transport-https package on Debian before proceeding:
apt-get install apt-transport-https
- Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list:
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list
- Run apt-get update, and the repository is ready to use. Then install Filebeat by running:
apt-get update && apt-get install filebeat
Once done, configure Filebeat to send data to Elasticsearch:
Note:
On the Suricata Server, set the host or IP address of the Kibana/ELK Server in the Filebeat configuration. Here the Filebeat configuration on the Suricata Server points to IP 192.168.1.11.
Step 6 – Transfer Suricata Logs to ELK Server (Install Kibana Ubuntu)
nano /etc/filebeat/filebeat.yml
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  ..
  host: "192.168.1.11:5601"
..
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.11:9200"]
Activate the Filebeat Suricata module:
filebeat modules enable suricata
The list of Filebeat modules can be viewed with the following command:
filebeat modules list
Enabled:
suricata

Disabled:
activemq
apache
auditd
..
Then enable and restart the Filebeat service:
systemctl enable filebeat.service
systemctl restart filebeat.service
Confirm Filebeat's status:
systemctl status filebeat.service
To parse, index and visualize your data, run Filebeat's setup against the Kibana ELK Server; the goal is for the Suricata dashboards to appear on the ELK Server.
filebeat setup -e
The setup process takes a few minutes, so wait for it to finish. When it is done, the output ends like this:
...
2021-10-15T16:44:37.567+0700    INFO    [load]  cfgfile/list.go:129     Stopping 1 runners ...
Loaded Ingest pipelines
After a few minutes, check under "Index Management" whether the Filebeat index from Suricata has arrived on the ELK Server.
In the left sidebar > select "Stack Management" > then "Index Management"

If it looks like the picture above, the Filebeat Suricata index has been successfully transferred to the ELK Server. You can now create a Suricata dashboard from the module assets that were loaded onto the ELK Server with the command "filebeat setup -e".
Once the Filebeat Suricata index has arrived, you can open the "Discover" section, where the Suricata logs will appear.
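The Index Management and Discover checks can also be done from the shell, which is handy on a headless box or in a script that runs after filebeat setup. The POSIX shell script below is an added example, not part of the Dixmata tutorial: it parses the table that Elasticsearch's _cat/indices?v endpoint returns, sums docs.count over every filebeat-* index and fails when nothing has arrived. The cat_indices helper and the function names are assumptions; the index table embedded at the bottom is constructed sample output, including the version and date in the index names.

```shell
#!/bin/sh
# Added example (not from the Dixmata tutorial): confirm from the shell that
# Filebeat's Suricata events reached Elasticsearch. The sample _cat/indices
# table at the bottom is constructed; cat_indices fetches the live one.

# cat_indices ES_URL -> live index table from the cluster (not used in the sample run)
cat_indices() {
    curl -s "$1/_cat/indices?v"
}

# filebeat_docs CAT_FILE -> total docs.count across all filebeat-* indices
# (the header row gives the column position, so the layout may change)
filebeat_docs() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "docs.count") col = i; next }
         $3 ~ /^filebeat-/ { total += $col }
         END { print total + 0 }' "$1"
}

# filebeat_indices CAT_FILE -> "health index docs" line per filebeat-* index
filebeat_indices() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "docs.count") col = i; next }
         $3 ~ /^filebeat-/ { print $1, $3, $col }' "$1"
}

# check_shipping CAT_FILE -> 0 if at least one event arrived, 1 otherwise
check_shipping() {
    docs=$(filebeat_docs "$1")
    if [ "$docs" -gt 0 ]; then
        echo "OK   $docs documents in filebeat-* indices"
        return 0
    fi
    echo "FAIL no filebeat-* documents yet; check 'journalctl -u filebeat' on the Suricata host"
    return 1
}

# Constructed sample: what _cat/indices?v might return after Step 6
SAMPLE_CAT=$(mktemp)
cat > "$SAMPLE_CAT" <<'EOF'
health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_7.15.0_001                Kq1Ab2Cd3Ef4Gh5Ij6Kl7M   1   0         43            2      2.3mb          2.3mb
yellow open   filebeat-7.15.0-2021.10.15-000001 Xz9Yw8Vu7Ts6Rq5Po4Nm3L   1   1       1532            0      1.8mb          1.8mb
yellow open   filebeat-7.15.0-2021.10.14-000001 Ab1Cd2Ef3Gh4Ij5Kl6Mn7O   1   1         87            0    318.4kb        318.4kb
EOF

filebeat_indices "$SAMPLE_CAT"
check_shipping "$SAMPLE_CAT"
```

Against a live ELK Server configured as in this post, save the table first and then run the same checks on it: cat_indices http://192.168.1.11:9200 > /tmp/indices.txt followed by check_shipping /tmp/indices.txt. A yellow health on the filebeat indices is expected on a single-node cluster, because the default index template asks for one replica that no second node can hold; it does not mean events were lost.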

Step 7 – Creating Suricata Dashboard (Install Kibana ELK Stack Ubuntu)
The last step is to display the log data that Suricata has sent to Kibana; the data will be shown in the form of visualizations.
In the sidebar > select "Dashboard" > in the search field, search for "suricata" > then select [Filebeat Suricata] Alert Overview

Click the Edit button at the top right of the dashboard.

Then scroll to the bottom and edit the "Alert[Filebeat Suricata]" chart/visualization by clicking the "Gear" symbol.

Close (click the x on) the filters "event.kind: alert" and "event.module: suricata".
The logs from the Suricata server host will then appear as shown below.

Then save the dashboard under a name of your choice.

The resulting dashboard data will look as shown below.

Congratulations, you have successfully installed and configured the ELK Server and integrated it with the Suricata IDS Server. With this you have built a central log management system that makes it easy to monitor events on your servers. In the next post we will discuss sending web access logs to the ELK Server. That is all from the Dixmata Team; apologies for any shortcomings. If you have questions, ask in the comments column, and we welcome criticism and suggestions. Thank you, greetings from us.
To enable the login page, check the Enable Login Kibana documentation on Dixmata.com.