sudo add-apt-repository ppa:linuxuprising/java

sudo add-apt-repository ppa:maxmind/ppa

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

sudo apt-get install apt-transport-https

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

sudo apt-get update

sudo apt-get install oracle-java12-installer

sudo apt install geoipupdate

sudo nano /etc/GeoIP.conf

EditionIDs GeoLite2-City GeoLite2-Country GeoLite2-ASN

sudo geoipupdate

sudo nano /etc/cron.weekly/geoipupdate

00 17 * * 0 geoipupdate

sudo apt-get install elasticsearch && sudo apt-get install kibana && sudo apt-get install logstash

sudo nano /etc/kibana/kibana.yml

cd /etc/logstash/conf.d

sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/01-inputs.conf

sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/05-syslog.conf

sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/10-pf.conf

sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/50-outputs.conf

sudo mkdir /etc/logstash/conf.d/patterns

cd /etc/logstash/conf.d/patterns/

sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/pf-09.2019.grok

sudo nano /etc/logstash/conf.d/05-syslog.conf

Change line 3; the "if [host]..." should point to your pf IP address
Change line 9 to point to your second PF IP address or comment out

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo /bin/systemctl enable kibana.service
sudo /bin/systemctl enable logstash.service

sudo -i service elasticsearch start
sudo -i service kibana start
sudo -i service logstash start

systemctl status elasticsearch.service
systemctl status kibana.service
systemctl status logstash.service

cat/nano/vi the files within this location to view Logstash logs