Select Git revision
README.md 4.23 KiB
Welcome to (pfSense/OpnSense) + ELK
You can view installation guide guide on 3ilson.org YouTube Channel.
Prerequisites
- Ubuntu Server v18.04+
- pfSense v2.4.4+ or OPNsense 19.7.3+
Preparation
1. Add Oracle Java Repository
sudo add-apt-repository ppa:linuxuprising/java2. Download and install the public GPG signing key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -3. Download and install apt-transport-https package
sudo apt-get install apt-transport-https4. Add Elasticsearch|Logstash|Kibana Repositories (version 7+)
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list5. Update
sudo apt-get update6. Install Java 12
sudo apt-get install oracle-java12-installerInstall
- Elasticsearch v7+ | Kibana v7+ | Logstash v7+
7. Install Elasticsearch|Kibana|Logstash
sudo apt-get install elasticsearch && sudo apt-get install kibana && sudo apt-get install logstashConfigure Kibana|v7+
8. Configure Kibana
sudo nano /etc/kibana/kibana.yml9. Amend host file (/etc/kibana/kibana.yml)
server.port: 5601
server.host: "0.0.0.0"Configure Logstash|v7+
10. Change Directory
cd /etc/logstash/conf.d11. Download the following configuration files
sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/01-inputs.confsudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/05-syslog.confsudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/10-pf.conf- Commit either line 6 or 8 depending on PFsense or OPNsense
sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/50-outputs.conf12. Make Patterns Folder
sudo mkdir /etc/logstash/conf.d/patterns13. Navigate to Patterns Folder
cd /etc/logstash/conf.d/patterns/14. Download the following configuration file
sudo wget https://raw.githubusercontent.com/a3ilson/pfelk/master/pf-09.2019.grok15. Edit (10-syslog.conf)
sudo nano /etc/logstash/conf.d/10-syslog.conf16. Revise/Update w/pf IP address (10-syslog.conf)
Change line 3; the "if [host]..." should point to your pf IP address
Change line 9 to point to your second Pf IP address or comment out17. Edit (11-pf.conf)
sudo nano /etc/logstash/conf.d/11-pf.conf18. Revise/Update timezone
Change line 12 to the same timezone as your pf configuration
_Note if the timezone is offset or mismatched, you may not see any logs_19. Download and install the MaxMind GeoIP database
cd /etc/logstash20. Download and install the MaxMind GeoIP City database
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz21. Download and install the MaxMind GeoIP City database
sudo gunzip GeoLite2-City.mmdb.gz22. Download and install the MaxMind GeoIP ASN database
sudo wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz23. Download and install the MaxMind GeoIP ASN database
sudo tar -xvzf GeoLite2-City.mmdb.gz24. Download and install the MaxMind GeoIP ASN database
Replace YYYYMMDD below with the correct date from your extracted directory
sudo mv GeoLite2-ASN_YYYYMMDD/GeoLite2-ASN.mmdb25. Download and install the MaxMind GeoIP ASN database
Replace YYYYMMDD below with the correct date from your extracted directory
sudo rm -rf GeoLite2-ASN_YYYYMMDDConfigure Services
Start Services on Boot as Services (you'll need to reboot or start manually to proceed)
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo /bin/systemctl enable kibana.service
sudo /bin/systemctl enable logstash.serviceStart Services Manually
sudo -i service elasticsearch start
sudo -i service kibana start
sudo -i service logstash start