Visualize Server Security On CentOS 7 With The Elastic Stack

Updated by Linode Contributed by Andrew Lescher

Introduction To This Tutorial

In this tutorial, you will learn how to install and link together ElasticSearch, Logstash, Kibana, and Wazuh OSSEC to aid in monitoring and visualizing security threats to your machine. The resulting structure can be broken down into four core components:

ElasticSearch

  • The heart of the Elastic Stack, ElasticSearch provides powerful search and analytical capabilities. Its purpose in the Elastic Stack is to centrally store and retrieve data collected by Logstash.

Logstash

  • Receives data input from multiple sources and passes it along to a central database (ElasticSearch)

Kibana

  • A self-hosted, web based tool which provides a multitude of methods to visualize and represent data stored in ElasticSearch.

Wazuh OSSEC

  • An open source branch of the original OSSEC HIDS developed for integration into the Elastic Stack. Wazuh provides the OSSEC software with the OSSEC ruleset, as well as a RESTful API Kibana plugin optimized for displaying and analyzing host IDS alerts.

Before You Begin

  1. Working through this tutorial requires the use of a limited user account. If you have yet to create one, follow the steps in the Securing Your Server guide.

  2. Ideally, your Linode should possess at least 4GB of RAM. While the Elastic Stack will run on less RAM, the Wazuh Manager will crash if RAM is depleted at any time during use.

    Some of the commands below require elevated privileges to execute, and should be prefixed with sudo when necessary.

  3. You will need to have either Nginx or Apache installed. If you have yet to install a webserver, follow the instructions in the guide that best describes your Linux environment.

  4. Configure your webserver for virtual domain hosting. Follow the tutorial best suited for your installed webserver.

    Nginx

    Apache

Set Up The Elastic Stack and Integrate Wazuh OSSEC

Installing the Elastic Stack components can be accomplished in various ways. Installing with RPM is recommended, as this will yield the latest versions.

Update System and Install Prerequisites

  1. Update system packages.

     yum update -y && yum upgrade -y
    
  2. Install Java 8 JDK.

     yum install java-1.8.0-openjdk.x86_64
    

    Once Java is installed, verify the installation by running the following command:

     java -version
    

    Your output should be similar to the lines below:

     openjdk version "1.8.0_144"
     OpenJDK Runtime Environment (IcedTea 3.5.1) (suse-13.3-x86_64)
     OpenJDK 64-Bit Server VM (build 25.144-b01, mixed mode)
    
  3. Install the final prerequisites.

     yum install wget
    

Install Wazuh

  1. Create the file /etc/yum.repos.d/wazuh.repo and paste the following text using your preferred text editor:

    /etc/yum.repos.d/wazuh.repo
    [wazuh_repo]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=CentOS-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
    protect=1
    
  2. Install the Wazuh Manager:

     yum install wazuh-manager
    
  3. Install the Wazuh API:

    1. Add the EPEL repository and install Node.js:

       yum install epel-release
       yum install nodejs
      
    2. Install Wazuh API:

       yum install wazuh-api
      

Install Elasticsearch, Logstash, and Kibana

Install the Elastic Stack via rpm files to get the latest versions of all the software. Be sure to check the Elastic website for more recent software versions. Version 5.6.2 was the most recent at the time of publishing.

ElasticSearch

  1. Download the ElasticSearch rpm file into the /opt directory.

     cd /opt
     wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.2.rpm
    
  2. Install ElasticSearch.

    rpm -ivh elasticsearch-5.6.2.rpm
    
  3. Enable ElasticSearch on system boot.

     systemctl enable elasticsearch
     systemctl start elasticsearch
    
  4. Load The Wazuh ElasticSearch template.

     wget https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/2.1/server/startup/integration_files/template_file.json
     curl -XPUT http://localhost:9200/_template/wazuh/ -d @template_file.json
    

Logstash

  1. Download the Logstash rpm file into the /opt directory.

     cd /opt
     wget https://artifacts.elastic.co/downloads/logstash/logstash-5.6.2.rpm
    
  2. Install Logstash.

     rpm -ivh logstash-5.6.2.rpm
    
  3. Enable Logstash on system boot.

     systemctl daemon-reload
     systemctl enable logstash
     systemctl start logstash
    
  4. Download the Wazuh config and template files for Logstash.

     curl -o /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/logstash/01-wazuh.conf
     curl -o /etc/logstash/wazuh-elastic5-template.json https://raw.githubusercontent.com/wazuh/wazuh/2.0/extensions/elasticsearch/wazuh-elastic5-template.json
    
  5. Modify the 01-wazuh.conf file to indicate a single-host architecture. Replicate the contents below into your own file. The changes consist of commenting out the “Remote Wazuh Manager” section and uncommenting the “Local Wazuh Manager” section.

    /etc/logstash/conf.d/01-wazuh.conf
    # Wazuh - Logstash configuration file
    ## Remote Wazuh Manager - Filebeat input
    #input {
    #    beats {
    #        port => 5000
    #        codec => "json_lines"
    ##        ssl => true
    ##        ssl_certificate => "/etc/logstash/logstash.crt"
    ##        ssl_key => "/etc/logstash/logstash.key"
    #    }
    #}
    # Local Wazuh Manager - JSON file input
    input {
       file {
           type => "wazuh-alerts"
           path => "/var/ossec/logs/alerts/alerts.json"
           codec => "json"
       }
    }
    
    . . .
    
  6. Add the Logstash user to the “ossec” group to allow access to restricted files.

     usermod -aG ossec logstash
    
  7. Follow this step if you are using CentOS 6 or RHEL 6.

    1. Edit the file /etc/logstash/startup.options and on line 30 change LS_GROUP=logstash to LS_GROUP=ossec.
    /etc/logstash/startup.options
    . . .
    
    # user and group id to be invoked as
    LS_USER=logstash
    LS_GROUP=ossec
    
    . . .
    
    2. Update the service with the new parameters.

       /usr/share/logstash/bin/system-install
      
    3. Restart Logstash.

       systemctl restart logstash
      

Install Kibana

  1. Download the Kibana rpm file into the /opt directory.

     cd /opt
     wget https://artifacts.elastic.co/downloads/kibana/kibana-5.6.2-x86_64.rpm
    
  2. Install Kibana.

     rpm -ivh kibana-5.6.2-x86_64.rpm
    
  3. Enable Kibana on system boot.

     systemctl enable kibana
     systemctl start kibana
    
  4. Install the Wazuh app for Kibana.

     /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
    

    The Kibana app installation process takes several minutes to complete and it may appear as though the process has stalled; wait patiently and it will finish.

  5. If you will be accessing Kibana remotely over the internet, you will need to configure it to listen on your IP address. Replace the following values in /etc/kibana/kibana.yml with the correct parameters. If you are accessing Kibana from localhost, you can leave the server.host value alone.

    Parameter       Value
    server.port     Change this value if the default port, 5601, is in use.
    server.host     Set this value to your Linode’s external IP address.
    server.name     This value is used for display purposes only. Set to anything you wish, or leave it alone.
    logging.dest    Specify a location to log program information. /var/log/kibana.log is recommended.

    You may modify other values in this file as you see fit, but this configuration should work for most.

  6. Create a log file for Kibana and give it appropriate permissions. Make sure the file path in the command matches the logging.dest you set in /etc/kibana/kibana.yml.

     touch /var/log/kibana.log
     # The rpm package runs Kibana as the "kibana" user; give that user ownership
     # of the log instead of making the file world-writable.
     chown kibana:kibana /var/log/kibana.log
     chmod 640 /var/log/kibana.log
    
  7. Restart Kibana.

     systemctl restart kibana
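The kibana.yml edits in step 5 are easy to get wrong by hand: the stock file ships most keys commented out, so a naive append leaves a commented "#server.host" next to the live one. The script below is an added example and is not part of the Linode guide or of Kibana; the function names and the values passed in the usage line are assumptions drawn from the table in step 5.

```shell
#!/bin/sh
# Added example (not from the Linode guide or from Kibana). Function names and
# the kibana.yml keys/values used in the usage section are assumptions taken
# from the table in step 5.

# set_yml_option FILE KEY VALUE
# Rewrites the first "KEY: ..." line, even if it is commented out ("#KEY: ..."),
# to "KEY: VALUE"; appends "KEY: VALUE" when the key is absent. Only the exact
# key matches, so server.host never touches a server.hostname-style key.
set_yml_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { pat = k ":" }
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # drop indent and "#"
      if (!done && index(line, pat) == 1) {
        print k ": " v
        done = 1
        next
      }
      print
    }
    END { if (!done) print k ": " v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so owner and mode stay as they were
  rm -f "$tmp"
}

# get_yml_option FILE KEY -> prints the active (uncommented) value, if any
get_yml_option() {
  awk -v k="$2" '
    BEGIN { pat = k ":" }
    index($0, pat) == 1 {
      v = substr($0, length(pat) + 1)
      sub(/^[[:space:]]*/, "", v)
      print v
      exit
    }
  ' "$1"
}

# configure_kibana_listen FILE HOST PORT NAME LOGDEST
# Applies the four settings from the table in step 5; string values are quoted
# the same way the stock kibana.yml quotes them.
configure_kibana_listen() {
  set_yml_option "$1" server.port "$3"
  set_yml_option "$1" server.host "\"$2\""
  set_yml_option "$1" server.name "\"$4\""
  set_yml_option "$1" logging.dest "$5"
}

# Usage (as root):
#   KIBANA_YML=/etc/kibana/kibana.yml KIBANA_HOST=203.0.113.10 sh kibana-listen.sh
# (203.0.113.10 is a constructed documentation address, not a real host.)
if [ -n "${KIBANA_YML:-}" ] && [ -n "${KIBANA_HOST:-}" ]; then
  configure_kibana_listen "$KIBANA_YML" "$KIBANA_HOST" "${KIBANA_PORT:-5601}" \
    "${KIBANA_NAME:-kibana}" "${KIBANA_LOG:-/var/log/kibana.log}"
fi
```

Since this guide already requires Nginx or Apache, the lower-exposure arrangement is to leave server.host on localhost and let the webserver proxy to port 5601 with its own authentication; binding Kibana to the external address only makes sense when no reverse proxy sits in front of it.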
    

Configure The Elastic Stack

The Elastic Stack will require some tuning before it can be accessed via the Wazuh API.

  1. Enable memory locking in ElasticSearch to mitigate poor performance. Uncomment or add this line to /etc/elasticsearch/elasticsearch.yml:

     bootstrap.memory_lock: true
    
  2. Edit locked memory allocation. Follow the instructions under the appropriate init system used in your system.

    SystemD

    Edit the systemd init file and add the following line.

    /etc/systemd/system/multi-user.target.wants/elasticsearch.service
    . . .
    
    LimitMEMLOCK=infinity
    
    . . .
    

    System V

    Edit the /etc/sysconfig/elasticsearch file. Add or change the following line.

    /etc/sysconfig/elasticsearch
    . . .
    
    MAX_LOCKED_MEMORY=unlimited
    
    . . .
    
  3. Configure the ElasticSearch heap size. This figure determines how much memory ElasticSearch is allowed to consume. Choose the heap size for ElasticSearch based on your system’s hardware resources; however, the following rules always apply:

    • No more than 50% of available RAM
    • No more than 32GB of RAM
    • The -Xms and -Xmx values must be the same in order to avoid performance issues.

    Open the jvm.options file and navigate to the following block:

    /etc/elasticsearch/jvm.options
    . . .
    
    # Xms represents the initial size of total heap space
    # Xmx represents the maximum size of total heap space
    
    -Xms4g
    -Xmx4g
    
    . . .
    

This configuration allots 4GB of RAM to ElasticSearch. You may also use the letter m to specify megabytes. View your current RAM consumption with the htop command. If you do not have htop installed, install it with your distribution’s package manager. Allocate as much RAM as you can, up to 50% of the total, while leaving enough available for other daemon and system processes.

Set this value carefully. If the system RAM is completely depleted, ElasticSearch will crash.
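The three rules above can be applied mechanically rather than by eyeballing htop. The script below is an added example, not from the Linode guide or from Elastic; the function names are assumptions, it reads total memory from /proc/meminfo, and it enforces exactly the bounds the guide states: half of RAM, never above 32GB, and -Xms equal to -Xmx.

```shell
#!/bin/sh
# Added example (not from the Linode guide or from Elastic). Function names are
# assumptions; the sizing rules are the ones stated above: half of RAM, never
# more than 32GB, and -Xms equal to -Xmx.

# total_ram_mb -> total physical memory in MB, from /proc/meminfo
total_ram_mb() {
  awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo
}

# es_heap_gb TOTAL_RAM_MB -> recommended heap in whole GB
es_heap_gb() {
  gb=$(( $1 / 2 / 1024 ))                # 50% of RAM, rounded down to whole GB
  if [ "$gb" -gt 32 ]; then gb=32; fi    # the guide's upper bound
  if [ "$gb" -lt 1 ]; then gb=1; fi      # never emit -Xms0g on tiny hosts
  echo "$gb"
}

# write_jvm_heap FILE GB -> rewrites the -Xms and -Xmx lines to the same size
write_jvm_heap() {
  file=$1 gb=$2
  tmp=$(mktemp)
  awk -v g="$gb" '
    /^-Xms/ { print "-Xms" g "g"; next }
    /^-Xmx/ { print "-Xmx" g "g"; next }
    { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # in place, so ownership and mode are preserved
  rm -f "$tmp"
}

# check_jvm_heap FILE -> exit 0 only when -Xms and -Xmx are present and equal
check_jvm_heap() {
  xms=$(sed -n 's/^-Xms//p' "$1" | head -n 1)
  xmx=$(sed -n 's/^-Xmx//p' "$1" | head -n 1)
  [ -n "$xms" ] && [ "$xms" = "$xmx" ]
}

# Usage (as root): sh es-heap.sh --apply [/etc/elasticsearch/jvm.options]
if [ "${1:-}" = "--apply" ]; then
  opts=${2:-/etc/elasticsearch/jvm.options}
  gb=$(es_heap_gb "$(total_ram_mb)")
  write_jvm_heap "$opts" "$gb"
  check_jvm_heap "$opts" && echo "heap set to ${gb}g in $opts"
fi
```

After restarting ElasticSearch, `curl 'localhost:9200/_nodes?filter_path=**.mlockall'` reports whether the memory lock from steps 1 and 2 actually took effect; a value of false there usually means the LimitMEMLOCK or MAX_LOCKED_MEMORY change was not picked up.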

Connect The Elastic Stack With The Wazuh API

Open The Kibana Port

Kibana’s default access port, 5601, must be opened for TCP traffic. Instructions are presented below for UFW, Iptables, and FirewallD.

UFW

    ufw allow 5601/tcp comment "Kibana port"

Iptables

    iptables -A INPUT -p tcp --dport 5601 -m comment --comment "Kibana port" -j ACCEPT

To avoid losing iptables rules after a server reboot, save your rules to a file using iptables-save, or install iptables-persistent to automatically save rules.

FirewallD

    firewall-cmd --add-port=5601/tcp --permanent
    # --permanent only writes the rule to disk; reload to apply it to the running firewall
    firewall-cmd --reload

Access The Wazuh API

Now you are ready to access the API and begin making use of your OSSEC Elastic Stack!

  1. The Wazuh API requires users to provide credentials in order to log in. Switch to a root session and configure user credentials:

     su -
     cd /var/ossec/api/configuration/auth
     node htpasswd -c user NewUserName
     exit
    
  2. Restart the Wazuh API.

     systemctl restart wazuh-api
    
  3. Check the status of all daemon components and verify they are running.

     systemctl -l status wazuh-api
     systemctl -l status wazuh-manager
     systemctl -l status elasticsearch
     systemctl -l status logstash
     systemctl -l status kibana
     systemctl -l status nginx
    

If the Wazuh Manager fails to start and you determine the cause to be one of the OSSEC rules or decoders, disable that specific rule or decoder for now. You will find the rules and decoders in the /var/ossec/ruleset directory. To disable one, rename the file with any other file extension.
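Renaming a rule or decoder by hand works, but a fixed suffix makes the change easy to find and revert later. The script below is an added example and is not part of the Linode guide or of Wazuh; it assumes the /var/ossec/ruleset/{rules,decoders}/*.xml layout named above, and the function names and the ".disabled" suffix are its own conventions.

```shell
#!/bin/sh
# Added example (not from the Linode guide or from Wazuh). Assumes the Wazuh
# ruleset layout /var/ossec/ruleset/{rules,decoders}/*.xml; the suffix and
# function names are this script's own conventions.
DISABLED_SUFFIX=".disabled"

# disable_ruleset_file FILE -> renames rules/foo.xml to rules/foo.xml.disabled
# Refuses anything that is not an .xml file, so a typo cannot rename something
# else under /var/ossec.
disable_ruleset_file() {
  f=$1
  case "$f" in
    *.xml) ;;
    *) echo "refusing: $f is not an .xml rule or decoder file" >&2; return 1 ;;
  esac
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  mv "$f" "$f$DISABLED_SUFFIX"
}

# enable_ruleset_file FILE -> reverses disable_ruleset_file
enable_ruleset_file() {
  f=$1
  case "$f" in
    *"$DISABLED_SUFFIX") mv "$f" "${f%"$DISABLED_SUFFIX"}" ;;
    *) echo "not a disabled file: $f" >&2; return 1 ;;
  esac
}

# list_disabled DIR -> prints every disabled rule or decoder under DIR, sorted
list_disabled() {
  find "$1" -type f -name "*.xml$DISABLED_SUFFIX" | sort
}

# Usage (as root), then restart the manager as in step 3 above:
#   sh ruleset-toggle.sh disable /var/ossec/ruleset/rules/0999-example_rules.xml
#   sh ruleset-toggle.sh list    /var/ossec/ruleset
#   sh ruleset-toggle.sh enable  /var/ossec/ruleset/rules/0999-example_rules.xml.disabled
# (0999-example_rules.xml is a constructed file name, not one shipped by Wazuh.)
case "${1:-}" in
  disable) disable_ruleset_file "$2" ;;
  enable)  enable_ruleset_file "$2" ;;
  list)    list_disabled "${2:-/var/ossec/ruleset}" ;;
  *) ;;
esac
```

Run `list_disabled` before declaring the stack healthy: a rule left disabled during troubleshooting is a detection gap that nothing else in this setup will flag.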

  4. In a web browser, navigate to the Kibana homepage. If you created a subdomain for Kibana, the URL might look like kibana.your_domain.com. You can also reach Kibana by navigating to your server’s IP address and specifying port 5601. Log in with the credentials you set up for your Kibana site.

  5. If everything is working correctly, you should land on the Discover page. Navigate to the Wazuh page using the left-hand menu. You will be immediately presented with the API configuration page. Underneath the ADD NEW API button, enter the user credentials you created for Wazuh. For URL and Port, enter “http(s)://your_ip_address” and “55000”, respectively. Click SAVE.

Where To Go From Here

Your OSSEC Elastic Stack setup is now complete! At this point, you will want to customize and configure your OSSEC rules to better suit the needs in your environment. The Wazuh API contains pre-configured charts and queries, and more information on how to use them can be found in the official Wazuh documentation. Links for further examination of these topics can be found in the External Resources section in this guide.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This guide is published under a CC BY-ND 4.0 license.