Student project for SIEM center using ELK stack

Elusive - SIEM SIIT 2016

Faculty of Technical Science

Subject: Security in E-Business Systems

Academic Staff:

  • Sladic Goran (Professor)
  • Luburic Nikola (Teaching Assistant)

Students:

  • Bratic Stefan
  • Vojnovic Milorad
  • Vladisavljev Arsenije

Description

Student project that consists of creating a SIEM center using the ELK stack.

Requirements

  • Python 2.x.x or 3.x.x
  • Docker Machine
  • Docker Compose
  • Docker
  • Bash
  • PowerShell v3 (if on Windows)

Instructions

  1. Run docker-compose -f deployments/docker-compose-local.yml up --build -d to start the Elastic stack. Make sure Docker is up and running in your environment. If you want to run the images from the Docker registry instead, run docker-compose -f deployments/docker-compose.yml up --build -d; it will download the already built Docker images for this project and create containers for them.

  2. Run cd log_generator && python main.py to start generating logs.

  3. After the system is up, go to https://localhost:5601, which is the Kibana client for the Elastic stack, and log in with username elastic and password changeme.

  4. Navigate to Management -> Index Patterns

  5. In the text field in the middle of the current screen write firebeat-*, then click outside the text field to refresh the options, and lastly, in the options box below the text field, select '@timestamp' as the time field and click 'Create'.

  6. Repeat step 5 for appbeat-*, apachebeat-*, linuxbeat-* and winlogbeat-*.

  7. In the Discover menu you can watch, in real time, the logs coming into Elasticsearch from the different sources, separated by the index patterns you defined above.

  8. The folders inside the resources folder (resources/apachebeat, resources/appbeat and resources/firebeat) contain visualization and dashboard exports for Kibana. To import them, navigate in Kibana to Management -> Saved Objects and press Import. When the file dialog opens, select the JSON file that represents the visualization or dashboard export.

  9. For the Elastic stack rules you need to run ./scripts/load-rules.sh. It runs a script that adds all existing rules for this project. Make sure the Elastic stack is up and running first.
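Steps 4 to 6 and the readiness check in step 9 can be scripted so a rebuilt stack ends up with the same index patterns every time. The following is an added example, not a script shipped with the Elusive project; it assumes Elasticsearch listens on https://localhost:9200 with the same elastic/changeme credentials as Kibana, and that Kibana is a 5.x release that stores index patterns as "index-pattern" documents in the .kibana index (later releases use the saved-objects API instead).

```shell
#!/bin/sh
# Added example, not part of the Elusive project: create the five Kibana index
# patterns from steps 4-6 through Elasticsearch instead of clicking through the UI.
# Assumptions the README does not state: Elasticsearch on https://localhost:9200
# with the same elastic/changeme credentials as Kibana, and a Kibana 5.x release
# that keeps index patterns as documents of type "index-pattern" in .kibana.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
ES_USER="${ES_USER:-elastic}"
ES_PASS="${ES_PASS:-changeme}"
# -k accepts the self-signed certificate of a fresh deployment; swap in
# "--cacert <CA file from the cryptography folder>" once you have it.
CURL_TLS="${CURL_TLS:--k}"

# The same patterns the README has you create by hand, printed one per line
# rather than word-split so the shell never glob-expands the '*'.
patterns() {
  printf '%s\n' 'firebeat-*' 'appbeat-*' 'apachebeat-*' 'linuxbeat-*' 'winlogbeat-*'
}

# Body of one Kibana index-pattern document keyed on @timestamp (step 5).
index_pattern_body() {
  printf '{"title":"%s","timeFieldName":"@timestamp"}' "$1"
}

# Kibana 5.x uses the pattern string itself as the document id.
index_pattern_url() {
  printf '%s/.kibana/index-pattern/%s' "$ES_URL" "$1"
}

# Poll cluster health until Elasticsearch answers; return 1 after $1 attempts
# so a caller can abort instead of loading rules into a stack that is not up.
wait_for_elastic() {
  n="${1:-30}"
  while [ "$n" -gt 0 ]; do
    curl -sS $CURL_TLS -u "$ES_USER:$ES_PASS" \
      "$ES_URL/_cluster/health?wait_for_status=yellow&timeout=5s" >/dev/null 2>&1 && return 0
    n=$((n - 1)); sleep 2
  done
  echo "Elasticsearch at $ES_URL did not become ready" >&2; return 1
}

# One PUT per pattern; rerunning simply overwrites the same documents.
create_index_patterns() {
  patterns | while IFS= read -r p; do
    curl -sS $CURL_TLS -u "$ES_USER:$ES_PASS" -X PUT -H 'Content-Type: application/json' \
      "$(index_pattern_url "$p")" -d "$(index_pattern_body "$p")"; echo
  done
}
```

Source the file after step 1 and run wait_for_elastic 30 && create_index_patterns && ./scripts/load-rules.sh to provision the patterns and rules in one go.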

Project structure

  • cryptography folder contains the scripts and resources needed for creating and managing certificates.
  • deployment folder contains the docker-compose and Dockerfile configuration of the whole system.
  • documents folder contains PDF and markdown files with information related to the project, as well as the rule design and rule payloads.
  • log_generator folder contains the Python implementation of a simulator that generates custom logs.
  • resources folder contains assets related to the project.
  • scripts folder contains the files used to configure the system properly.
  • test_logs is the default location where the logs will be generated.

Useful resources