ELK-Stack Project
The files in this repository were used to configure the network depicted below.
https://github.com/Dharmawp/CyberSecurityProject1/blob/main/Images/Network-Diagram.png
These files have been tested and used to generate a live ELK deployment on Azure. They can be used to either recreate the entire deployment pictured above. Alternatively, select portions of the playbook file may be used to install only certain pieces of it, such as Filebeat.
https://github.com/Dharmawp/CyberSecurityProject1/blob/main/Ansible/filebeat-playbook.yml https://github.com/Dharmawp/CyberSecurityProject1/blob/main/Ansible/metricbeat-playbook.yml
This document contains the following details:
- Description of the Topologu
- Access Policies
- ELK Configuration
- Beats in Use
- Machines Being Monitored
- How to Use the Ansible Build
The main purpose of this network is to expose a load-balanced and monitored instance of DVWA, the D*mn Vulnerable Web Application.
Load balancing ensures that the application will be highly available, in addition to restricting access to the network.
- What aspect of security do load balancers protect? What is the advantage of a jump box? When we talk about the aspect of security, load balancers can protect the servers from denial-of-service attacks (DDoS). Load balancer analyses the traffic coming in and determines what server to send the traffic to. This prevents one server from getting overloaded with traffic because the load balancer allows traffic to be distributed evenly among the servers that are connected to it. When load balancers have a health probe, it periodically checks that a machine is working properly before sending traffic. If there is any issue with a sever, the load balancer will divert traffic from the malfunctioning server. Jump box a secure computer that all admins first connect to before launching any administrative task. It can be well hardened and then use for monitoring device that controls access to other internal network devices.
Integrating an ELK server allows users to easily monitor the vulnerable VMs for changes to the logs and system traffic. -What does Filebeat watch for? Filebeat collects data about the file system. Filebeat enables analysts to monitor files for suspicious changes. Filebeat helps generate and organize log files to send to Logstash and Elasticsearch. Specifically, it logs information about the file system, including which files have changed and when. Filebeat is often used to collect log files from very specific files, such as those generated by Apache, Microsoft Azure tools, the Nginx web server, and MySQL databases. Since Filebeat is built to collect data about specific files on remote machines, it must be installed on the VMs you want to monitor.
-What does Metricbeat record?_ A metric is simply a measurement about an aspect of a system that tells analysts how "healthy" it is. In other words, Metricbeat makes it easy to collect specific information about the machines in the network such as uptime, CPU usage. By using Elasticsearch or Logstash, we can visualize the metrics and statistics that Metricbeat generates.
The configuration details of each machine may be found below. Note: Use the Markdown Table Generator to add/remove values from the table.
| Name | Function | IP Address | Operating System |
|---|---|---|---|
| Jump Box | Gateway | 10.0.0.4 | Linux |
| Web-1 | Web server running DVWA | 10.0.0.5 | Linux |
| Web-2 | Web server running DVWA | 10.0.0.6 | Linux |
| ELK-VM | ELK server | 10.1.0.4 | Linux |
The machines on the internal network are not exposed to the public Internet.
Only the Jump-Box-Provisioner machine can accept connections from the Internet. Access to this machine is only allowed from the following IP addresses: -Add whitelisted IP addresses: Only my home network public IP address 141.168.65.2
Machines within the network can only be accessed by Jump-Box-Provisioner. -Which machine did you allow to access your ELK VM? Jump-Box-Provisioner -What was its IP address? 20.248.199.19/10.0.0.4
A summary of the access policies in place can be found in the table below.
| Name | Publicly Accessible | Allowed IP Addresses |
|---|---|---|
| Jump Box | Yes(SSH) | 141.168.65.2 |
| Web-1 | Yes(HTTP/SSH) | HTTP:any,SSH:10.0.0.4 |
| Web-2 | Yes(HTTP/SSH) | HTTP:any,SSH:10.0.0.4 |
| ELK-VM | Yes(HTTP/SSH) | HTTP:any,SSH:10.0.0.4 |
Ansible was used to automate configuration of the ELK machine. No configuration was performed manually, which is advantageous because resulting in a more streamlined process. It also allowed more control over what was being installed and/or performed on the machine.
The playbook implements the following tasks:
- The elk playbook installs docker.io on the Elk virtual machine
- Python3-pip is then installed on the Elk VM
- Install the docker python module, required by Ansbile to control the state of Docker containers
- Elk requires more virtual memory so increases the memory to 262144
- Downloads, installs and executes the docker elk container on the Elk vm with published ports on restart so the elk container doesn't need to be manually started
- Enables docker on boot
The following screenshot displays the result of running docker ps after successfully configuring the ELK instance.
https://github.com/Dharmawp/CyberSecurityProject1/blob/main/Images/docker_ps_output.PNG
This ELK server is configured to monitor the following machines: Web-1 (10.0.0.5) Web-2 (10.0.0.6)
We have installed the following Beats on these machines: Filebeat and Metricbeat
These Beats allow us to collect the following information from each machine: Filebeat collects log information about the file system and specifies which files have been changed and when a file was changed to either Elasticsearch or Logstash. If we wanted to see the output from Filebeat, we would connect to Kibana and check the logs for any changes that have been made to the file system over a specific or more general time interval. For example, you would specify the container, the beat and the argument we are looking for. we can further specify by date and time range. Metricbeat shows statistics for the every process running on our system including memory, CPU usage, file system, Network IO and disk IO statics. To view the data collected, we would navigate to Kibana (assuming that our VM is already running), select the system we'd like to review and from there can view the metrics of the system.
In order to use the playbook, you will need to have an Ansible control node already configured. Assuming you have such a control node provisioned:
SSH into the control node and follow the steps below:
- Copy the filebeat-config.yml file to /etc/ansible/files/
- Update the filebeat-config.yml file to include host "10.1.0.4:9200" with username "elastic" and password "changeme" and setup.Kibana host to "10.1.0.4:5601".
- Run the playbook, and navigate to Kibana (Elk GUI interface) and click "Check Data" to check that the installation worked as expected.
Answer the following questions to fill in the blanks:
-
Which file is the playbook? Filebeat-playbook.yml
-
Where do you copy it? /etc/ansible/roles/
-
Which file do you update to make Ansible run the playbook on a specific machine? Filebeat-config.yml
-
How do I specify which machine to install the ELK server on versus which to install Filebeat on? Have to update the /etc/ansible/hosts file with right groups.[webservers] and [elk] are groups. When we run playbooks with Ansible, we specify which group to run them on.
https://github.com/Dharmawp/CyberSecurityProject1/blob/main/Ansible/Hosts.txt -
Which URL do you navigate to in order to check that the ELK server is running? http://20.190.121.165:5601/app/kibana
_As a Bonus, provide the specific commands the user will need to run to download the playbook, update the files, etc. Create/update a playbook: Nano playbookname.yml
Before running the playbook, make sure to update etc/ansible/hosts file with right groups with IP addresses.
To run your playbook: Ansible-playbook playbookname.yml