#6 LAVAEL: Deploy Elastic Stack VM
In this stage, we will deploy ELK as the SIEM solution for this lab environment. You can either refer to the Elasticsearch cluster setup for a manual installation or use the provided Ansible playbook to install the Elastic Stack on a single node. If you follow the instructions without changing the LAN network configuration, you can use the Ansible playbook as-is. This playbook will also install Logstash and configure an agent policy with some integrations.
Manual Installation: https://diadenkov.medium.com/setup-elasticsearch-cluster-with-custom-fortigate-log-collector-42700c0381b3
Installation with Ansible Playbook: https://diadenkov.medium.com/deploying-elastic-stack-with-fortidragons-custom-logstash-pipelines-on-a-single-node-using-ansible-1bffc745fd9e
It is also possible to implement the Elastic Stack using Docker Compose. You can refer to this guide: https://diadenkov.medium.com/elastic-stack-with-docker-compose-a660eef22971
I created an Ansible playbook after facing issues with the Fleet Server on nested virtualization while using Docker Compose. You can try the Elastic Stack with Docker Compose if you do not encounter these issues.
The Vagrantfile used to initialize the VM:
Vagrant.configure("2") do |config|
config.vm.define "elk" do |elk|
elk.vm.box = "debian/bullseye64"
elk.ssh.insert_key = false
elk.vm.hostname = "elk"
elk.nfs.verify_installed = false
elk.vm.synced_folder '.', '/vagrant', disabled: true
elk.vm.provider :libvirt do |libvirt|
libvirt.management_network_name = 'lab_lan_users'
libvirt.management_network_address = '192.168.100.0/24'
libvirt.management_network_mac = '52:54:00:00:01:05'
libvirt.cpus = 10
libvirt.memory = 32768
end
elk.vm.provision "shell", privileged: true, inline: <<-SHELL
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
systemctl restart sshd
SHELL
end
endRun Vagrant VM:
vagrant up elkConfigure networking, change /etc/network/interfaces
source-directory /etc/network/interfaces.d
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.100.50/24
gateway 192.168.100.254
dns-nameservers 192.0.2.14Add default route
sudo ip route add default via 192.168.100.254 dev eth0 onlinkOverwrite the /etc/resolv.conf file with a new DNS server address
sudo cat <<EOF > /etc/resolv.conf
nameserver 192.0.2.14
EOFRestart networking
sudo systemctl restart networkingThe Example Using Ansible
In this example, I will cover a scenario using Ansible to set up the Elastic Stack. First, install the required packages:
sudo apt update
sudo apt install -y python3-pip python3-apt git curlInstall a specific version of ansible-core
pip3 install ansible-core==2.15.12Add local bin to PATH
export PATH="$HOME/.local/bin:$PATH"Add ANSIBLE_COLLECTIONS_PATHS to .bashrc
echo 'export ANSIBLE_COLLECTIONS_PATHS="$HOME/.ansible/collections"' >> ~/.bashrcPersist the PATH change to .bashrc
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrcApply changes immediately to the current session
source ~/.bashrcClone the repository:
git clone https://github.com/celeroon/ansible-elastic-stack.gitRun the installation. If you’re creating a non-Vagrant VM or using a different network, remember to update the variables in roles/elk_vm/vars/main.yml accordingly:
cd ansible-elastic-stack/
ansible-playbook --ask-become-pass deploy_elastic_stack.ymlIf you encounter issues with locale settings, especially when using a Vagrant VM, run the following commands:
echo "export LC_ALL=C.UTF-8" >> ~/.bashrc
echo "export LANG=C.UTF-8" >> ~/.bashrcThen, generate the locale:
sudo locale-gen C.UTF-8
sudo update-locale LC_ALL=C.UTF-8 LANG=C.UTF-8Reboot the system or restart the session:
sudo rebootAfter rebooting, run the playbook again:
ansible-playbook --ask-become-pass deploy_elastic_stack.ymlThe Example with Docker Compose
Download the Docker installation script:
sudo curl -fsSL https://get.docker.com -o get-docker.sh
sudo chmod 0755 ./get-docker.shExecute the Docker installation script:
sudo sh get-docker.shGet the latest Docker Compose version:
docker_compose_version=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4)Download the Docker Compose binary:
sudo curl -L "https://github.com/docker/compose/releases/download/${docker_compose_version}/docker-compose-linux-x86_64" -o /usr/local/bin/docker-compose
sudo chmod 0755 /usr/local/bin/docker-composeCreate a symbolic link for Docker Compose:
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-composeClone the repository:
git clone https://github.com/celeroon/docker-compose-elastic-stack.gitRun the installation. Remember to create a .env file and follow the instructions provided in the repository’s README for the proper setup.
cd ansible-elastic-stack/
docker compose up -d
