This repository has been archived by the owner on Aug 13, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Andrew
authored
Oct 21, 2020
1 parent
9b6ba78
commit 7eb1c7e
Showing
1 changed file
with
105 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| # Templates | ||
| ### 1. Import required templates | ||
| - In your web browser go to the pfELK local IP using port 5601 (ex: 192.168.0.1:5601) | ||
| - Click ☰ in the upper left corner | ||
| - Click on Dev Tools located near the bottom under the Management heading | ||
| - Paste the contents of each template file located [here](https://github.com/3ilson/pfelk/tree/master/etc/logstash/conf.d/templates) | ||
| - [pfelk.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk.json) | ||
| - [pfelk-geoip.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-geoip.json) | ||
| - [pfelk-firewall.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-firewall.json) | ||
| - [pfelk-dhcp.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-dhcp.json) | ||
| - [pfelk-suricata.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-suricata.json) | ||
| - [pfelk-snort.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-snort.json) | ||
| - [pfelk-unbound.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-unbound.json) | ||
| - [pfelk-squid.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-squid.json) | ||
| - [pfelk-haproxy.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/haproxy.json) | ||
| - Click the green triangle after pasting the contents (one at a time) into the console | ||
|  | ||
|
|
||
| # Kibana | ||
| ### 2. Import required dashboards | ||
| [YouTube Guide](https://www.youtube.com/watch?v=r7ZXQH4UFX8) | ||
| - In your web browser go to the pfELK local IP using port 5601 (ex: 192.168.0.1:5601) | ||
| - Click the menu icon (☰ three horizontal lines) in the upper left | ||
| - Under Management click -> Stack Management | ||
| - Under Kibana click -> Saved Objects | ||
| - You can import the dashboards found in the [dashboard](https://github.com/3ilson/pfelk/tree/master/Dashboard) folder via the Import button in the top-right corner. | ||
| - [pfELK Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Firewall.ndjson) | ||
| - [Unbound Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Unbound.ndjson) | ||
| - [Squid Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Squid.ndjson) | ||
| - [Suricata Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Suricata.ndjson) | ||
| - [Snort Dashboard](#) - Coming Soon | ||
| - [HAProxy Dashboard](#) - Coming Soon | ||
|
|
||
| # Firewall | ||
| ### 3a. Login to pfSense and forward syslogs | ||
| - In pfSense navigate to Status->System Logs, then click on Settings. | ||
| - At the bottom check "Enable Remote Logging" | ||
| - (Optional) Select a specific interface to use for forwarding | ||
| - Enter the ELK local IP into the field "Remote log servers" with port 5140 (eg 192.168.100.50:5140) | ||
| - Under "Remote Syslog Contents" check "Everything" | ||
| - Click Save | ||
|  | ||
| ### 3b. Login to OPNsense and forward syslogs | ||
| - In OPNsense navigate to System->Settings->Logging/Targets | ||
| - Add a new Logging/Target (Click the plus icon) | ||
|  | ||
| - Transport = UDP(4) | ||
| - Applications = Nothing Selected | ||
| - Levels = Nothing Selected | ||
| - Facilities = Nothing Selected | ||
| - Hostname = Enter the IP address of where pfELK is installed (eg 192.168.100.50) | ||
| - Port = 5140 | ||
| - Description = pfELK | ||
| - Click Save | ||
|  | ||
| ### 3c. Configure Suricata for log forwarding - pfSense (Optional) | ||
| - On your pfSense web UI got to Services / Suricata / Interfaces, and enable Suricata on desired interfaces | ||
| - You can have separate configuration on each of your interfaces, you can edit them via clicking on the pencil icon | ||
| - You sould enable the EVE JSON output format for log forwarding, you should have the following options enabled at the EVE Output Settings section: | ||
| - Eve JSON log: Suricata will output selected info in JSON format to a single file or to syslog. | ||
| - EVE Output type: SYSLOG | ||
| - EVE Syslog Output Facility: AUTH | ||
| - EVE Syslog Output Priority: NOTICE | ||
| - EVE Log Alerts: Suricata will output Alerts via EVE | ||
| - Saving this will auto-enable settings at the Logging Settings menu, the Log Facility here should be LOCAL1, and the Log Priority should be NOTICE. | ||
| ### 3d. Configure Suricata for log forwarding - OPNsense (Optional) | ||
| [In-Depth Guide Here](https://github.com/3ilson/pfelk/wiki/How-To:-Suricata-on-pfSense) | ||
| - In OPNsense navigate to Services->Intrusion Detection->Administration | ||
| - Enable = [X] | ||
| - IPS mode = [ ] or [X] | ||
| - Promiscuous mode = [ ] or [X] | ||
| - Enable syslog alerts = [ ] or [X] | ||
| - Enable eve syslog output [X] | ||
| - Pattern matcher = Default / Aho-Corasick /Hyperscan | ||
| - Interfaces = Select As Nessessary (must have at least one or nothing will be detected) | ||
| - Rotate log = Default / Weekly / Daily | ||
| - Save logs = Any Value You Desire | ||
| - Click Apply | ||
|  | ||
| ### 3e. Configure Snort for log forwarding - pfsense (Optional) | ||
| - In pfsense navigate to Services->Snort->Snort Interfaces | ||
| - For each interface you have configured, choose the edit pencil to the right (repeat these steps for each) | ||
| - In each "Interface" Settings -> under Alert Settings check Send Alerts to System Log | ||
| - Scroll down and Choose Save | ||
|  | ||
| ### 3f. Configure HAProxy for log forwarding - OPNsense (Optional) | ||
| - In OPNsense navigate to Services->HAProxy->Settings->Settings->Logging Configuration | ||
| - Log Host = ELK IP | ||
| - Syslog facility = local0[default] | ||
| - Filter syslog level = info[default] | ||
| - Add the "httplog" under HAProxy->Settings->Virtual Services->Public Servers -> edit your public service | ||
| - Enable "advanced mode" and scroll down | ||
| - Under "Option pass-through" add "option httplog" | ||
|  | ||
| ### 3g. Configure Squid for log forwarding - OPNsense (Optional) | ||
| - In OPNsense navigate to Services->Web Proxy->Administration->General Proxy Settings | ||
| - Enable "advanced mode" | ||
| - Access log target = Syslog(Json) | ||
|  | ||
| ### 3h. Configure Unbound DNS for full query log forwarding - OPNsense (Optional) | ||
| - In OPNsense navigate to Services->Unbound DNS->Advanced | ||
| - Log Queries = [X] | ||
|  | ||
| # Finished | ||
| ### 4. Wait a few mintues after configuring the above and explore the enriched visualizations. |