ELK installation and configuration

This guide walks you through the installation and configuration of Elasticsearch and Kibana on an Ubuntu machine.

Before starting, ensure the following:
  • A clean Ubuntu installation (22.04 LTS recommended).

  • At least 4GB of RAM (8GB or more preferred).

  • System update:

sudo apt update && sudo apt upgrade -y

  • Install Java (Elasticsearch requires Java to run; install the OpenJDK package) and then verify the installation:

sudo apt install openjdk-17-jdk -y
java -version

Installing Elasticsearch

I'll be using manually downloaded .deb packages.

  1. Download the .deb package for Elasticsearch:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.17.1-amd64.deb

  2. Download the SHA-512 checksum file, which is used in the next step to verify that the Elasticsearch .deb package was downloaded correctly and was not corrupted or tampered with:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.17.1-amd64.deb.sha512

  3. Compare the SHA-512 of the downloaded Debian package with the published checksum:

shasum -a 512 -c elasticsearch-8.17.1-amd64.deb.sha512

  4. Use dpkg to install the package:

sudo dpkg -i elasticsearch-8.17.1-amd64.deb

  5. Edit elasticsearch.yml, which can be opened with:

sudo nano /etc/elasticsearch/elasticsearch.yml

We set network.host to the local IP to restrict Elasticsearch to the local machine only; we don't need remote connections for now.

http.port sets the HTTP port for Elasticsearch to 9200, which is the default.

  6. Start the Elasticsearch service and enable it to start on boot:

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

  7. Check the status of the service:

sudo systemctl status elasticsearch

  8. Try accessing Elasticsearch at https://localhost:9200

Installing Kibana

  1. Repeat the steps we used for Elasticsearch: download the .deb package for Kibana and its SHA-512 checksum, verify the checksum, and then install the package:

wget https://artifacts.elastic.co/downloads/kibana/kibana-8.17.1-amd64.deb
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.17.1-amd64.deb.sha512
shasum -a 512 -c kibana-8.17.1-amd64.deb.sha512
sudo dpkg -i kibana-8.17.1-amd64.deb

  2. Edit the kibana.yml file:

sudo nano /etc/kibana/kibana.yml

server.port: 5601 sets the port Kibana listens on to 5601, which is the default.

server.host: "localhost" ensures Kibana is only accessible from the local machine, so it cannot be reached remotely. If you want to allow remote access to Kibana, change it to 0.0.0.0 or a specific IP address.

elasticsearch.hosts: ["http://localhost:9200"] tells Kibana where to find Elasticsearch. In this case, Kibana connects to the Elasticsearch instance running on the same machine.

  3. Start the Kibana service, enable it to start on boot, and check its status:

sudo systemctl start kibana
sudo systemctl enable kibana
sudo systemctl status kibana

  4. Try accessing Kibana at http://localhost:5601

  5. Create the enrollment token:

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

  6. A verification code will then be requested, which we can obtain with:

sudo journalctl -u kibana --no-pager | grep "verification code"

  7. The login page will appear; reset the password of the default user (elastic):

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

  8. Finally, we are in!
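Both sections above rely on network.host (Elasticsearch) and server.host (Kibana) keeping the services on the local machine. The script below is an added example, not part of the guide or of either product, that reads those two settings from the config files and flags anything bound beyond loopback, the kind of check worth running after editing the files. It assumes single-line "key: value" entries as in the stock files (multi-line YAML lists are not handled); the function names and the sample configs it writes are my own constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the bind settings
# in elasticsearch.yml and kibana.yml and flag anything reachable from
# other hosts. Assumes single-line "key: value" entries.

# yaml_value <file> <key>: print the value of the last uncommented
# occurrence of <key>, with surrounding quotes and trailing comments removed.
yaml_value() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # keep dots literal in the regex
    grep -E "^[[:space:]]*${key}:" "$file" | tail -n 1 \
        | sed -e "s/^[[:space:]]*${key}:[[:space:]]*//" \
              -e 's/[[:space:]]*#.*$//' \
              -e 's/^["'"'"']//' -e 's/["'"'"']$//'
}

# is_local_only <value>: 0 when the address keeps the service on this host.
# _local_ is Elasticsearch's own name for the loopback interfaces; an empty
# value means the key is unset, and both products then default to loopback.
is_local_only() {
    case $1 in
        localhost|127.0.0.1|::1|_local_|"") return 0 ;;
        *) return 1 ;;
    esac
}

# audit_bind <file> <key> <label>: report the setting, return 1 if exposed.
audit_bind() {
    value=$(yaml_value "$1" "$2")
    if is_local_only "$value"; then
        echo "OK       $3 $2 = ${value:-<unset, defaults to loopback>}"
        return 0
    fi
    echo "EXPOSED  $3 $2 = $value (reachable from other hosts; intended?)"
    return 1
}

# audit_stack <elasticsearch.yml> <kibana.yml>: both checks, non-zero if either is exposed.
audit_stack() {
    rc=0
    audit_bind "$1" network.host Elasticsearch || rc=1
    audit_bind "$2" server.host Kibana || rc=1
    return $rc
}

# write_samples <dir>: constructed config files for a local run (not the real ones).
write_samples() {
    cat > "$1/elasticsearch.yml" <<'EOF'
# ---------------------------------- Network -----------------------------------
network.host: 0.0.0.0   # opened up during testing
http.port: 9200
EOF
    cat > "$1/kibana.yml" <<'EOF'
server.port: 5601
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]
EOF
}

# Against the real files on the machine from the guide:
# audit_stack /etc/elasticsearch/elasticsearch.yml /etc/kibana/kibana.yml
```

With the sample files, Elasticsearch is reported as EXPOSED because of the 0.0.0.0 left in during testing while Kibana passes; changing network.host back to a loopback value makes the whole check pass. Run it against /etc/elasticsearch/elasticsearch.yml and /etc/kibana/kibana.yml after any edit, and especially before deciding to open Kibana to 0.0.0.0 as the guide mentions.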
