From 7eb1c7e0b4a2d603c860e0d938e192b95d58262a Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 21 Oct 2020 11:37:52 -0400 Subject: [PATCH] Create finalize.md --- finalize.md | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 finalize.md diff --git a/finalize.md b/finalize.md new file mode 100644 index 0000000..b5dee11 --- /dev/null +++ b/finalize.md @@ -0,0 +1,105 @@ +# Templates +### 1. Import required templates +- In your web browser go to the pfELK local IP using port 5601 (ex: 192.168.0.1:5601) +- Click ☰ in the upper left corner +- Click on Dev Tools located near the bottom under the Management heading +- Paste the contents of each template file located [here](https://github.com/3ilson/pfelk/tree/master/etc/logstash/conf.d/templates) + - [pfelk.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk.json) + - [pfelk-geoip.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-geoip.json) + - [pfelk-firewall.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-firewall.json) + - [pfelk-dhcp.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-dhcp.json) + - [pfelk-suricata.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-suricata.json) + - [pfelk-snort.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-snort.json) + - [pfelk-unbound.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-unbound.json) + - [pfelk-squid.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/pfelk-squid.json) + - [pfelk-haproxy.json](https://raw.githubusercontent.com/3ilson/pfelk/master/etc/logstash/conf.d/templates/haproxy.json) +- Click the green triangle after pasting the contents (one at a time) into the console +![Templates](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/template-import.PNG) + +# Kibana +### 2. Import required dashboards +[YouTube Guide](https://www.youtube.com/watch?v=r7ZXQH4UFX8) + - In your web browser go to the pfELK local IP using port 5601 (ex: 192.168.0.1:5601) + - Click the menu icon (☰ three horizontal lines) in the upper left + - Under Management click -> Stack Management + - Under Kibana click -> Saved Objects + - You can import the dashboards found in the [dashboard](https://github.com/3ilson/pfelk/tree/master/Dashboard) folder via the Import button in the top-right corner. + - [pfELK Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Firewall.ndjson) + - [Unbound Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Unbound.ndjson) + - [Squid Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Squid.ndjson) + - [Suricata Dashboard](https://raw.githubusercontent.com/3ilson/pfelk/master/Dashboard/v6.0/v6.0%20-%20Suricata.ndjson) + - [Snort Dashboard](#) - Coming Soon + - [HAProxy Dashboard](#) - Coming Soon + +# Firewall +### 3a. Login to pfSense and forward syslogs +- In pfSense navigate to Status->System Logs, then click on Settings. +- At the bottom check "Enable Remote Logging" +- (Optional) Select a specific interface to use for forwarding +- Enter the ELK local IP into the field "Remote log servers" with port 5140 (eg 192.168.100.50:5140) +- Under "Remote Syslog Contents" check "Everything" +- Click Save +![pfSense](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/pfsenselogs.png) +### 3b. Login to OPNsense and forward syslogs +- In OPNsense navigate to System->Settings->Logging/Targets +- Add a new Logging/Target (Click the plus icon) +![OPNsense](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/opnsense-logs.png) +- Transport = UDP(4) +- Applications = Nothing Selected +- Levels = Nothing Selected +- Facilities = Nothing Selected +- Hostname = Enter the IP address of where pfELK is installed (eg 192.168.100.50) +- Port = 5140 +- Description = pfELK +- Click Save +![OPNsense](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/opnsense-remote.png) +### 3c. Configure Suricata for log forwarding - pfSense (Optional) + - On your pfSense web UI got to Services / Suricata / Interfaces, and enable Suricata on desired interfaces + - You can have separate configuration on each of your interfaces, you can edit them via clicking on the pencil icon + - You sould enable the EVE JSON output format for log forwarding, you should have the following options enabled at the EVE Output Settings section: + - Eve JSON log: Suricata will output selected info in JSON format to a single file or to syslog. + - EVE Output type: SYSLOG + - EVE Syslog Output Facility: AUTH + - EVE Syslog Output Priority: NOTICE + - EVE Log Alerts: Suricata will output Alerts via EVE + - Saving this will auto-enable settings at the Logging Settings menu, the Log Facility here should be LOCAL1, and the Log Priority should be NOTICE. +### 3d. Configure Suricata for log forwarding - OPNsense (Optional) +[In-Depth Guide Here](https://github.com/3ilson/pfelk/wiki/How-To:-Suricata-on-pfSense) + - In OPNsense navigate to Services->Intrusion Detection->Administration + - Enable = [X] + - IPS mode = [ ] or [X] + - Promiscuous mode = [ ] or [X] + - Enable syslog alerts = [ ] or [X] + - Enable eve syslog output [X] + - Pattern matcher = Default / Aho-Corasick /Hyperscan + - Interfaces = Select As Nessessary (must have at least one or nothing will be detected) + - Rotate log = Default / Weekly / Daily + - Save logs = Any Value You Desire + - Click Apply +![OPNsense-Suricata](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/opnsense-suricata.png) +### 3e. Configure Snort for log forwarding - pfsense (Optional) +- In pfsense navigate to Services->Snort->Snort Interfaces + - For each interface you have configured, choose the edit pencil to the right (repeat these steps for each) + - In each "Interface" Settings -> under Alert Settings check Send Alerts to System Log + - Scroll down and Choose Save + ![Snort-Log-Settings](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/snort-log-settings.png) +### 3f. Configure HAProxy for log forwarding - OPNsense (Optional) + - In OPNsense navigate to Services->HAProxy->Settings->Settings->Logging Configuration + - Log Host = ELK IP + - Syslog facility = local0[default] + - Filter syslog level = info[default] + - Add the "httplog" under HAProxy->Settings->Virtual Services->Public Servers -> edit your public service + - Enable "advanced mode" and scroll down + - Under "Option pass-through" add "option httplog" + ![OPNsense-HAProxy](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/opnsense_haproxy_http_log.PNG) +### 3g. Configure Squid for log forwarding - OPNsense (Optional) + - In OPNsense navigate to Services->Web Proxy->Administration->General Proxy Settings + - Enable "advanced mode" + - Access log target = Syslog(Json) + ![OPNsense-Squid](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/opnsense_squid_syslog.PNG) +### 3h. Configure Unbound DNS for full query log forwarding - OPNsense (Optional) + - In OPNsense navigate to Services->Unbound DNS->Advanced + - Log Queries = [X] + ![OPNsense-Unbound](https://raw.githubusercontent.com/3ilson/pfelk/master/Images/opnsense_unbound_queries.PNG) +# Finished +### 4. Wait a few mintues after configuring the above and explore the enriched visualizations.