FortiGate Syslog Build (Elasticsearch and Kibana)
DRAFT
Based on this video
Installing and Configuring Elasticsearch and Kibana 8.x
And the guide from the Elasticsearch website
https://www.elastic.co/guide/en/elasticsearch/reference/8.8/rpm.html
Elasticsearch installation server
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Workaround for the SHA-1 issue
Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9 (redhat.com)
Edit the repo file
sudo nano /etc/yum.repos.d/elasticsearch.repo
Copy this into the file
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
Start the installation
sudo dnf install --enablerepo=elasticsearch elasticsearch
Press Y
Wait for the security autoconfiguration output
Copy that output (the generated elastic password and the other details) to a file
To auto-start on boot
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service
To change the password of the elastic account
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u elastic
To check the status of Elasticsearch
systemctl status elasticsearch.service
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Enter the password for the elastic account when prompted
Make a backup copy of the config file
cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.backup
To make sure the file was copied
ls
Edit the config file
nano /etc/elasticsearch/elasticsearch.yml
Change these lines (placeholders in angle brackets are the values for your server)
cluster.name: elasticsearch
node.name: <server_name>
network.host: <ip of server>
http.port: 9200
Firewall change
sudo firewall-cmd --add-port=9200/tcp --permanent
sudo firewall-cmd --add-port=9200/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all
Installation of the Kibana server
Guide from the Elastic website
https://www.elastic.co/guide/en/kibana/8.8/rpm.html
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Workaround for the SHA-1 issue
Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9 (redhat.com)
Edit the repo file
sudo nano /etc/yum.repos.d/kibana.repo
Copy this into the repo file
[kibana-8.x]
name=Kibana repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Start the installation of Kibana
sudo dnf install kibana
Press Y
Auto-start the service
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
sudo systemctl start kibana.service
sudo systemctl stop kibana.service
Make a backup copy of the config file
cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml.backup
Make sure the file was copied
ls
Edit the config file
nano /etc/kibana/kibana.yml
Change these lines (kibana.yml keys are lowercase; placeholders in angle brackets are the values for your servers)
server.port: 5601
server.host: "<kibana ip>"   (the default is "localhost"; change it to the server's IP address)
server.publicBaseUrl: "http://<kibana ip>:5601"
elasticsearch.hosts: ["https://<elasticsearch ip>:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<password>"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/http_ca.crt" ]
Copy the CA certificate from the Elasticsearch server to the Kibana server at /etc/kibana/certs/http_ca.crt (run on the Elasticsearch server; scp is needed because cp cannot copy to a remote host)
scp /etc/elasticsearch/certs/http_ca.crt root@<kibana ip>:/etc/kibana/certs/http_ca.crt
To change the kibana_system password (run on the Elasticsearch server)
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system
Firewall change
firewall-cmd --add-port=5601/tcp --permanent
firewall-cmd --add-port=5601/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all
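Added example, not part of the original notes or of Elastic's tooling: a small shell script that checks the elasticsearch.yml and kibana.yml edits from the two config steps above before the services are restarted. It verifies that each key the notes change is present and uncommented, warns when the kibana_system password is kept in plaintext in kibana.yml (the Kibana keystore, /usr/share/kibana/bin/kibana-keystore, is assumed as the alternative), and wraps the curl status check so it fails on an unreadable CA file or a non-2xx response. The file paths are the ones used on this page; the sample configs and the 192.0.2.x addresses are constructed so the checks can be run offline.

```shell
#!/bin/bash
# Added example (not from the page or from Elastic): sanity checks for the
# elasticsearch.yml / kibana.yml edits above. File paths are the ones this page uses.

# Succeed if KEY is set (uncommented, with a value) in FILE.
yaml_key_set() {
    local file="$1" key="$2" esc
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in the key are literal
    grep -Eq "^[[:space:]]*${esc}[[:space:]]*:[[:space:]]*[^[:space:]]" "$file"
}

# The four keys the Elasticsearch step changes.
check_es_config() {
    local file="${1:-/etc/elasticsearch/elasticsearch.yml}" key rc=0
    for key in cluster.name node.name network.host http.port; do
        if yaml_key_set "$file" "$key"; then
            echo "ok: $key"
        else
            echo "MISSING (or still commented out): $key in $file"
            rc=1
        fi
    done
    return "$rc"
}

# The Kibana keys, plus a warning when the kibana_system password sits in the
# file in plaintext (assumed alternative: the Kibana keystore).
check_kibana_config() {
    local file="${1:-/etc/kibana/kibana.yml}" key rc=0
    for key in server.port server.host server.publicBaseUrl elasticsearch.hosts \
               elasticsearch.username elasticsearch.ssl.certificateAuthorities; do
        yaml_key_set "$file" "$key" || { echo "MISSING: $key in $file"; rc=1; }
    done
    if yaml_key_set "$file" elasticsearch.password; then
        echo "WARN: elasticsearch.password is in plaintext in $file;"
        echo "      alternative: /usr/share/kibana/bin/kibana-keystore add elasticsearch.password"
    fi
    return "$rc"
}

# Live check (not exercised offline): the curl from the notes, but it first verifies
# the CA file is readable and fails on a non-2xx response instead of printing an error page.
verify_es_http() {
    local ca="${1:-/etc/elasticsearch/certs/http_ca.crt}"
    [ -r "$ca" ] || { echo "CA file $ca is not readable"; return 1; }
    curl --fail --cacert "$ca" -u elastic https://localhost:9200
}

# Constructed sample files (documentation-range addresses) so the checks can run offline.
write_sample_configs() {
    local dir="$1"
cat > "$dir/elasticsearch.yml" <<'EOF'
cluster.name: elasticsearch
node.name: server_name
network.host: 192.0.2.20
http.port: 9200
EOF
cat > "$dir/elasticsearch-missing-host.yml" <<'EOF'
cluster.name: elasticsearch
node.name: server_name
#network.host: 192.0.2.20
http.port: 9200
EOF
cat > "$dir/kibana.yml" <<'EOF'
server.port: 5601
server.host: "192.0.2.10"
server.publicBaseUrl: "http://192.0.2.10:5601"
elasticsearch.hosts: ["https://192.0.2.20:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "password"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/http_ca.crt" ]
EOF
}

# Run against the real files when executed as: ./check-configs.sh live
if [ "${1:-}" = "live" ]; then
    check_es_config && check_kibana_config && verify_es_http
fi
```

Run it with the argument live on each server after editing the files; a missing or still-commented key is reported by name, and the plaintext-password warning points at the keystore command so the password does not have to sit in a world-readable config file.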