This Bash script is designed to automate the installation and configuration of the Elasticsearch, Kibana, and Filebeat components for managing and analyzing log data.
Here's a breakdown of what each section of the script does:
-
Elasticsearch Installation:
- Downloads Elasticsearch package (version 7.17.9) for AMD64 architecture.
- Installs Elasticsearch using dpkg.
- Reloads the systemd daemon and starts the Elasticsearch service.
-
Kibana Installation:
- Downloads Kibana package (version 7.17.9) for AMD64 architecture.
- Installs Kibana using dpkg.
- Starts the Kibana service.
-
Filebeat Installation:
- Downloads Filebeat package (version 7.17.9) for AMD64 architecture.
- Installs Filebeat using dpkg.
-
Check Elasticsearch and Kibana Status:
- Checks if Elasticsearch is running on the default settings (http://127.0.0.1:9200) and prints the status.
- Checks if Kibana is running on the default settings (http://127.0.0.1:5601) and prints the status.
-
Filebeat Configuration and Service Setup:
- Checks if Filebeat is installed.
- If Filebeat is installed, it performs the following tasks:
- Creates specific directories for various log data sets.
- Copies service files to the required systemd locations.
- Reloads systemd daemon.
- Creates pipelines for specific data sets.
- Moves Filebeat configuration files.
- Creates directories for storing data forwarded to ELK stack.
- Starts Filebeat services for different data sets.
- Enables the listed services.
- Downloads a Python script for converting Nmap XML to CSV.
- Copies CSV datasets to specific directories.
-
Final Message:
- Displays a message instructing the user to open their browser and go to http://127.0.0.1:5601 to access Kibana.
Note: The script also includes commented-out sections related to exporting and importing Kibana index patterns, as well as a sleep delay before importing saved objects to allow Elastic time to ingest data.
** FOR TRAINING PURPOSES ONLY **
We will be able to index and visualize nmap scans, breakdown wireless beacons and probes, and find vendors based off of OUI data sets.
I've attached some example data for this install. There are scripts to automate the network and wireless collection if needed.
The bash script ello-stack.sh will install Elasticsearch, Kibana and Filebeat on a PRE-BUILT KALI VM.
The user name all the scripts use are kali and the location of all files and directories are /home/kali.
It creates the proper "log" and "lib" directories for the "Filebeat.services".
It will copy the modified "Filebeat.service" files for the different data types.
After, other scripts gets called to create the proper pipelines, objects, and DASHBOARDS.
Based off the data sets that are indexed, we will use my pre-built Index Patterns, Query Sets, and DASHBOARDS.
Lastly, it will copy all the "filebeat conf files" to /etc/filebeat/.
Create a local copy of the script.
git clone https://github.com/bwithe/shelk
!!! MAKE SURE TO CD INTO THE "shelk" DIRECTORY BEFORE RUNNING THE FOLLOWING SCRIPT !!!
Make the script executable:
sudo chmod +x ello-stack.sh
Then run the script:
sudo ./ello-stack.sh or sudo bash ello-stack.sh
Once the script is finished running, you will be asked to open your web-browser and go to 127.0.0.1:5601
Click on the top left menu button and look for "Dashboard"
Let's select the pre-built "Dashboard" we've made.
This dashboard is an example of a wireless collection.
For example, I used fake restaurants.
If the "Client-MACaddress" pairs up with an "AP-MACaddress", it means there is an association between the two.
However, if you see a "Client-MACaddress" paired with "(not associated)" but then an AP-SSID. That means the client device has probed for that "SSID" but is not in range, or able to connect.
Click on the top left menu button again, and look for "Discover"
On the left, you can see the "Search Patterns" that we've uploaded. Let's focus in on "local-aps"
On the top right menu, we want to filter the data to be read in a faster and cleaner way.
So lets select "open" and then "aps-discover"
Again, this is another "pre-built" query to make this easier.
Finally, we can see based off of our "Search-Pattern" (blue arrow)
We have filtered our data to be read at a quick glance. (red arrows)
