Elasticsearch Stack Install Part 1 Elasticsearch

Posted on by Marcus Edmondson

So in this blog post I am going to start a series of posts dealing with installing the Elasticsearch stack and then using Winlogbeat to forward Windows event logs and Filebeat to forward bro logs and then finally we will build out some cool visualizations and dashboards. I will be installing the Elasticsearch stack on a single Ubuntu VM for demonstration purposes. This post will be covering installation of Elasticsearch which is the back end of the stack that stores all the logs.

Step 1. Install Java

First I changed to a root prompt and installed java with Ubuntu’s package manager apt.

Java_Install

Step 2. Install Elasticsearch

So next we will install Elasticsearch. These next screenshots are the process.

wget -qO – https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add –

Elasticsearch_install

sudo apt-get install apt-transport-https

Screen Shot 2018-02-19 at 8.27.25 AM

echo “deb https://artifacts.elastic.co/packages/5.x/apt stable main” | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
Screen Shot 2018-02-19 at 8.34.53 AM
apt-get update && sudo apt-get install elasticsearch
Screen Shot 2018-02-19 at 8.37.38 AM
Step 3. Change default IP Address in elasticsearch.yml file
-nano /etc/elasticsearch/elasticsearch.yml
-Delete the # sign to enable the feature
-Delete the default IP address and type “localhost”
-Type CTR+ X to Exit
-Type Y to accept changes and ENTER to save it on the original config file.
Screen Shot 2018-02-19 at 8.42.17 AM
Now we need to start the Elasticsearch service and ensure it starts at reboot. Ensure your VM has ample memory or your Elasticsearch service will fail to start. I ran into this problem during install because I left the VM at it’s default configuration. I gave my VM 4GB.
Step 4. Reload the daemon and enable and start the elasticsearch service
-/bin/systemctl daemon-reload
-/bin/systemctl enable elasticsearch.servic
-sudo systemctl start elasticsearch.service
-sudo systemctl status elasticsearch.service
Screen Shot 2018-02-19 at 8.55.13 AM
So that is the process to install Elasticsearch. In the next blog post we will install Logstash, which is the log aggregator or Kibana, which is your front end GUI interface to Elasticsearch.
Happy Hunting,
Marcus

One thought on “Elasticsearch Stack Install Part 1 Elasticsearch

  1. Pingback: Elasticsearch Stack Install Part 2 Kibana – Threat Hunting and Security Data Analytics

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Published by Marcus Edmondson

DFIR and threat hunting with PowerShell and Python are my passion. I love learning and researching new ways to find the adversary.