Monday, October 5, 2020

Security On The Cheap - Beginning Elastic Stack - Installing Kibana 7.9 on Ubuntu 20.04

In the previous post, we installed and configured Elasticsearch on Ubuntu 20.04. In this post, we install and configure Kibana on Ubuntu 20.04.

Since we already installed some of the prerequisites in the previous post, let's focus now on installing and configuring Kibana.

root@securitynik-monitoring:/etc/elasticsearch# apt-get update && apt-get install kibana
...
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 kibana amd64 7.9.2 [302 MB]
Fetched 302 MB in 10s (31.3 MB/s)
Selecting previously unselected package kibana.
(Reading database ... 88849 files and directories currently installed.)
Preparing to unpack .../kibana_7.9.2_amd64.deb ...
Unpacking kibana (7.9.2) ...
Setting up kibana (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...

As before, I changed into the Kibana directory and made a copy of the original config file.

root@securitynik-monitoring:/etc/elasticsearch# cd /etc/kibana/
root@securitynik-monitoring:/etc/kibana# cp kibana.yml kibana.yml.ORIGINAL

Here are the options I uncommented and/or modified.

root@securitynik-monitoring:~# cat /etc/kibana/kibana.yml | grep --perl-regexp "^server.port|^server.host|^server.name|^elasticsearch.host|^elasticsearch.logQueries|run"
server.port: 5601
server.host: "10.0.0.1"
server.name: "kibana.securitynik.local"
elasticsearch.hosts: ["http://10.0.0.1:9200"]
elasticsearch.logQueries: true
pid.file: /var/run/kibana/kibana.pid

To stop Kibana from logging the error "message":"{ [Error: EACCES: permission denied, open '/var/run/kibana.pid']" when it cannot write its pid file, I created a directory named "kibana" under "/var/run/" and made the "kibana" user its owner (the pid.file setting above points into that directory).

root@securitynik-monitoring:~# mkdir /var/run/kibana
root@securitynik-monitoring:~# chown kibana.kibana /var/run/kibana/
root@securitynik-monitoring:~# ls -al /var/run/
...
drwxr-xr-x  2 kibana        kibana          40 Oct  2 09:37 kibana
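The following POSIX shell script is an added example and is not part of the original post. It reads the settings uncommented above out of a kibana.yml, flags the ones that leave the stack in plaintext and unauthenticated (the state this post ends in and the next post fixes), creates the pid directory the EACCES error asks for, and checks the listener that ss reports against server.host and server.port. The settings server.ssl.enabled and elasticsearch.username are real Kibana options that this page does not set; the two config files, the "kibana_system" account name and the ss lines are constructed samples written into a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post: read the settings this post
# uncomments out of a kibana.yml, flag the plaintext/unauthenticated ones,
# create the pid directory, and check the listener ss reports against them.

# Read one top-level setting from a kibana.yml: value after "key:", with
# a trailing comment and surrounding double quotes stripped. Empty if unset.
kibana_setting() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^${key_re}:[[:space:]]*//p" "$2" | head -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# Print one FINDING line per weak setting; return 0 only when none were found.
# server.ssl.enabled and elasticsearch.username are real Kibana options that
# this post does not set yet (assumed here to be what the hardening adds).
audit_kibana_config() {
    file=$1
    findings=0
    host=$(kibana_setting server.host "$file");   host=${host:-localhost}
    port=$(kibana_setting server.port "$file");   port=${port:-5601}
    ssl=$(kibana_setting server.ssl.enabled "$file")
    es_hosts=$(kibana_setting elasticsearch.hosts "$file")
    es_user=$(kibana_setting elasticsearch.username "$file")

    case "$host" in
        localhost|127.0.0.1|::1) ;;          # loopback only: not exposed on the network
        *) if [ "$ssl" != "true" ]; then
               echo "FINDING: UI served in plaintext on ${host}:${port} (server.ssl.enabled not true)"
               findings=$((findings + 1))
           fi ;;
    esac
    case "$es_hosts" in
        *http://*) echo "FINDING: elasticsearch.hosts uses plaintext http: ${es_hosts}"
                   findings=$((findings + 1)) ;;
    esac
    if [ -z "$es_user" ]; then
        echo "FINDING: no elasticsearch.username; Kibana talks to Elasticsearch unauthenticated"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Create the directory pid.file points into (the EACCES error in the post is
# this directory missing) and hand it to the kibana user when running as root.
ensure_pid_dir() {
    pidfile=$(kibana_setting pid.file "$1")
    [ -n "$pidfile" ] || return 0
    dir=$(dirname "$pidfile")
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ] && id kibana >/dev/null 2>&1; then
        chown kibana:kibana "$dir"
    fi
    [ -d "$dir" ]
}

# Read `ss --numeric --listen --process --tcp` output on stdin and return 0
# when a node process listens on exactly the configured server.host:server.port.
check_listener() {
    host=$(kibana_setting server.host "$1"); host=${host:-localhost}
    port=$(kibana_setting server.port "$1"); port=${port:-5601}
    grep -E "^tcp[[:space:]]+LISTEN.*[[:space:]]${host}:${port}[[:space:]]" | grep -q '"node"'
}

# --- Constructed samples (not real files): the post's settings, a hardened
# --- variant, and the ss lines the post shows.
SAMPLE_DIR=${TMPDIR:-/tmp}/kibana-audit-sample
mkdir -p "$SAMPLE_DIR"
WEAK_CFG=$SAMPLE_DIR/kibana-weak.yml
HARDENED_CFG=$SAMPLE_DIR/kibana-hardened.yml
cat > "$WEAK_CFG" <<EOF
server.port: 5601
server.host: "10.0.0.1"
server.name: "kibana.securitynik.local"
elasticsearch.hosts: ["http://10.0.0.1:9200"]
elasticsearch.logQueries: true
pid.file: $SAMPLE_DIR/run/kibana.pid
EOF
cat > "$HARDENED_CFG" <<EOF
server.port: 5601
server.host: "10.0.0.1"
server.ssl.enabled: true
elasticsearch.hosts: ["https://10.0.0.1:9200"]
elasticsearch.username: "kibana_system"   # placeholder account name
pid.file: $SAMPLE_DIR/run/kibana.pid
EOF
SS_SAMPLE='Netid  State   Recv-Q  Send-Q          Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       511               10.0.0.1:5601        0.0.0.0:*      users:(("node",pid=19495,fd=18))
tcp    LISTEN  0       4096     [::ffff:10.0.0.1]:9200              *:*      users:(("java",pid=18392,fd=267))'

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg"
    if audit_kibana_config "$cfg"; then echo "no findings"; fi
done
ensure_pid_dir "$WEAK_CFG" && echo "pid directory ready"
printf '%s\n' "$SS_SAMPLE" | check_listener "$WEAK_CFG" && echo "Kibana listener matches config"
```

Run it as-is to see three findings for the weak config and none for the hardened one; point audit_kibana_config at /etc/kibana/kibana.yml and pipe real ss output into check_listener to repeat the checks on a live host.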

Configuring the Kibana service.

root@securitynik-monitoring:/etc/kibana# systemctl daemon-reload
root@securitynik-monitoring:/etc/kibana# systemctl enable --now kibana.service
Synchronizing state of kibana.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable kibana
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service → /etc/systemd/system/kibana.service.

Verify the service is running.

root@securitynik-monitoring:/etc/kibana# systemctl status kibana.service
● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-08-14 00:02:02 UTC; 49s ago
   Main PID: 19495 (node)
      Tasks: 11 (limit: 4563)
     Memory: 429.9M
     CGroup: /system.slice/kibana.service
             └─19495 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli
Aug 14 00:02:02 securitynik-monitoring systemd[1]: Started Kibana.
Aug 14 00:02:06 securitynik-monitoring kibana[19495]: {"type":"log","@timestamp":"2020-08-14T00:02:06Z","tags":["warning","plugins-d>
Aug 14 00:02:06 securitynik-monitoring kibana[19495]: {"type":"log","@timestamp":"2020-08-14T00:02:06Z","tags":["warning","plugins-d>

Looks good! Verify the service is listening on port 5601.

root@securitynik-monitoring:/etc/kibana# ss --numeric --listen --process --tcp --udp
Netid  State   Recv-Q  Send-Q          Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       511               10.0.0.1:5601        0.0.0.0:*      users:(("node",pid=19495,fd=18))
tcp    LISTEN  0       4096     [::ffff:10.0.0.1]:9200              *:*      users:(("java",pid=18392,fd=267))
tcp    LISTEN  0       4096     [::ffff:10.0.0.1]:9300              *:*      users:(("java",pid=18392,fd=253))

Looks like the Kibana service is available on port 5601. Time for the final validation, which is to connect to the web UI.

[Screenshot: Kibana welcome page - no authentication at this point]

At this point, you have the option of using the sample data provided by Elastic or exploring on your own. We will explore on our own in future posts by taking advantage of the various Beats: Filebeat, Packetbeat, Winlogbeat, Auditbeat and Metricbeat.

With this done, let's now move on to the next post, where we add some basic security to the communication between the Elastic Stack components.

Posts in this series:

Security On The Cheap - Beginning Elastic Stack - Installing Elastic 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Installing Kibana 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Providing Basic Security to Elastic and Kibana 7.9 communication on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Metricbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Auditbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Filebeat - Elastic Stack 7.9 on Ubuntu 20.04
Beginning Elastic - Installing, Configuring and Providing Basic Security to Packetbeat
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Winlogbeat
References:
https://www.elastic.co/guide/en/kibana/7.9/deb.html#deb-repo
https://www.elastic.co/guide/en/kibana/7.9/settings.html
