Introduction
Code on Github: Elasticsearch and Beats
This tutorial is a continuation of Auditbeat with Elasticsearch Part 1 Install and Secure.
In this tutorial, we will set up Alerts in Kibana, and use Logstash to email you alerts.
Requirements
Resources from Auditbeat with Elasticsearch Part 1 Install and Secure.
Steps
Step 1 - Decide on Rules [01:05]
First, confirm that Auditbeat is already shipping the records you want to alert on into Elasticsearch, for example system or user login activity, package changes, or any other event of interest. A rule can only fire on data that is actually being indexed, so check in Discover that the fields you plan to query (such as event.dataset and event.outcome) are present before you build rules around them.
Step 2 - Configure Kibana [08:16]
In Kibana, go to Stack Management > Rules and Connectors. If you see Create your first rule, skip this step. If you see Additional setup required, continue with this step.
Kibana Alert Setup
Go to your Kibana server shell window and type:
/usr/share/kibana/bin/kibana-keystore add xpack.encryptedSavedObjects.encryptionKey
When prompted, paste in a secret that is at least 32 characters long. Keep a copy of this key somewhere safe: Kibana uses it to encrypt the secrets stored in saved rules and connectors, and if the key is lost or changed those objects can no longer be decrypted. If you run more than one Kibana instance, every instance must use the same key. If you ran the command as root, check that the resulting keystore file is readable by the user Kibana runs as.
Then restart kibana:
systemctl restart kibana
Open Kibana in your browser again and go to Stack Management > Rules and Connectors. You should now be allowed to create your first rule.
Kibana Alert First Rule
Step 3 - Setup Rule [11:40]
We will create a simple rule to detect any failed ssh login attempt.
Click on Create rule and then fill out the initial fields:
Name: failed login
Check every: 1 minute
Notify: On check intervals
For the Rule Type, select Elasticsearch query > KQL or Lucene as shown in this image:
Creating rule type
Then define your query as shown in this image:
Creating rule query
The query to enter is event.dataset: "login" and event.outcome: "failure"
Set the threshold and time window to IS ABOVE = 1, FOR THE LAST = 1 minute. Note that IS ABOVE 1 fires only when more than one matching document is found in the window; if a single failed login should already raise an alert, use IS ABOVE 0 instead.
Press Save. To test the rule, log in to your SSH server with a wrong password enough times within one minute to exceed the threshold, and confirm the rule shows as Active.
Step 4 - Prepare Email Alert Message - Create Server Log Connector [14:40]
We want to output the alerts to a different location so that Logstash can email alerts on our behalf.
Click on Connectors and choose Server log.
Kibana Alert Server Log
Click Create a connector and type anything meaningful for Connector name in the pop up.
Set the Level to the severity you want attached to this alert. It is written into the log line, so Logstash can use it to filter and route messages (for example, only emailing error-level alerts). Stick to info, warn or error: debug and trace messages are only written if Kibana's own logging level is lowered to match.
If desired, edit the Message. The Message field is what will be delivered via email. The Add variable button next to the field lists the rule context variables you can embed, such as the number of matching documents, so the email carries the detail you need to triage it.
Press save.
After a few minutes, go to your Kibana server and confirm that messages appear in /var/log/kibana.log (the file Kibana was configured to log to in Part 1). If nothing shows up, check that the rule is Active and that the connector's level is at or above Kibana's logging level.
Step 5 - Send Emails with Logstash [18:41]
Go to your Kibana server and install Logstash with this command (it uses the Elastic apt repository you added in Part 1):
sudo apt-get install -y logstash
Download this logstash file: Logstash file to email alerts
You can place this file anywhere you want. For now we will assume that you placed it in /root/logstash.conf. Since the file will hold SMTP credentials, make it readable only by the user that runs Logstash.
In the output stage, fill out the SMTP server, port, credentials, sender and recipient for the email connection. Rather than writing the SMTP password into the file in clear text, store it in the Logstash keystore (/usr/share/logstash/bin/logstash-keystore) and reference it in the config as ${VARIABLE_NAME}.
To run Logstash in the foreground and start sending emails as alerts are logged, type this command (for a permanent setup, place the file in /etc/logstash/conf.d/ and run Logstash as a service with systemctl instead):
/usr/share/logstash/bin/logstash -f /root/logstash.conf
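As an added example (not the downloadable file from this tutorial), here is a complete Logstash pipeline of the shape the download describes: it tails /var/log/kibana.log, keeps only lines written by the server log connector, derives a tag from the level the connector was configured with, and emails each alert. The SMTP host, addresses and the ${SMTP_PASSWORD} keystore entry are placeholders you must replace. The line filter assumes Kibana 7.x names the connector's logger plugins.actions.server-log and prints the level in square brackets; inspect one real line in /var/log/kibana.log and adjust the two regular expressions if your version formats it differently.

```conf
input {
  file {
    # Kibana's server log connector writes into Kibana's own log file.
    path => "/var/log/kibana.log"
    # Only react to new alerts; do not replay the whole history on startup.
    start_position => "end"
  }
}

filter {
  # Keep only lines produced by the server log connector (assumed logger name).
  if [message] !~ /server-log/ {
    drop { }
  }

  # Route on the Level chosen in the connector: error-level alerts get a
  # distinct subject so they stand out in the inbox. Kibana's legacy logger
  # prints levels in lower case, the newer one in upper case, so match both.
  if [message] =~ /\[(error|ERROR)\s*\]/ {
    mutate {
      add_tag   => ["critical"]
      add_field => { "alert_subject" => "[CRITICAL] Kibana alert" }
    }
  } else {
    mutate {
      add_field => { "alert_subject" => "Kibana alert" }
    }
  }
}

output {
  email {
    to             => "soc@example.com"            # placeholder
    from           => "kibana-alerts@example.com"  # placeholder
    subject        => "%{alert_subject}"
    body           => "%{message}"
    address        => "smtp.example.com"           # placeholder SMTP server
    port           => 587
    via            => "smtp"
    use_tls        => true
    authentication => "plain"
    username       => "kibana-alerts@example.com"  # placeholder
    # Stored with: /usr/share/logstash/bin/logstash-keystore add SMTP_PASSWORD
    password       => "${SMTP_PASSWORD}"
  }
}
```

Before running it, confirm the email output plugin is present with /usr/share/logstash/bin/logstash-plugin list | grep email, and validate the file with /usr/share/logstash/bin/logstash -f /root/logstash.conf --config.test_and_exit. If you later run Logstash as its service user instead of root, that user also needs read access to /var/log/kibana.log.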
Step 6 - Setup Another Rule [24:18]
We will create another rule to detect if there are package changes in any of the servers.
Click on Create rule and then fill out the initial fields:
Name: package change
Check every: 1 minute
Notify: On check intervals
For the Rule Type, select Elasticsearch query > KQL or Lucene as shown in this image:
Creating rule type
Then define your query as shown in this image:
Creating rule query
The query to enter is event.dataset: "package"
Set the threshold and time window to IS ABOVE = 1, FOR THE LAST = 1 minute. As with the first rule, IS ABOVE 1 requires more than one package event in the window; a typical package install pulls in several dependencies and will clear it, but a single-package change will not unless you lower the threshold to IS ABOVE 0.
Press save.
Test the rule by installing any package on one of the servers, for example Apache2:
apt-get install apache2
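Both rules above (Step 3 and Step 6) are the same mechanism: every check interval Kibana runs the query over the last N minutes and fires if the hit count is above the threshold. The following added example, which is not part of this tutorial or of Kibana, reproduces that evaluation directly against Elasticsearch so you can verify a rule's data and threshold before or after creating it in the UI. It assumes the secured Elasticsearch from Part 1 with basic auth, the default auditbeat-* index pattern, and that you supply the URL, credentials and an optional CA file through environment variables; the ISO timestamps used in the examples are constructed.

```python
"""Evaluate a Kibana "Elasticsearch query" rule by hand (added example, not Kibana code)."""
import base64
import json
import os
import ssl
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

# The two rules from the tutorial, expressed as field -> value conditions.
RULES = {
    "failed login": {"event.dataset": "login", "event.outcome": "failure"},
    "package change": {"event.dataset": "package"},
}


def build_rule_query(conditions, window_minutes=1, now=None):
    """Translate KQL of the form field: "value" and field: "value" into the query
    DSL Kibana sends, restricted to the last window_minutes before now.
    now may be a datetime or an ISO-8601 string; it defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    since = now - timedelta(minutes=window_minutes)
    filters = [{"match_phrase": {field: value}} for field, value in conditions.items()]
    filters.append({"range": {"@timestamp": {"gte": since.isoformat(), "lte": now.isoformat()}}})
    # size 0: we only need the count, not the documents; track_total_hits keeps it exact.
    return {"size": 0, "track_total_hits": True, "query": {"bool": {"filter": filters}}}


def parse_hit_count(response):
    """hits.total is an object on Elasticsearch 7.x but a bare integer on 6.x."""
    total = response["hits"]["total"]
    return total["value"] if isinstance(total, dict) else int(total)


def threshold_met(hit_count, is_above):
    """Kibana's IS ABOVE N fires only when strictly more than N documents match."""
    return hit_count > is_above


def count_hits(es_url, index, query, user, password, ca_file=None):
    """POST the query to Elasticsearch over TLS with basic auth and return the hit count."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{index}/_search",
        data=json.dumps(query).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    # Always verify the server certificate; pass the CA from Part 1 if it is self-signed.
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_hit_count(json.load(resp))


if __name__ == "__main__":
    # Usage: ES_URL=https://es:9200 ES_USER=elastic ES_PASSWORD=... [ES_CA_FILE=ca.crt] \
    #        python3 check_rule.py "failed login" [is_above] [window_minutes]
    rule = sys.argv[1] if len(sys.argv) > 1 else "failed login"
    is_above = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    window = int(sys.argv[3]) if len(sys.argv) > 3 else 1
    query = build_rule_query(RULES[rule], window)
    hits = count_hits(os.environ["ES_URL"], "auditbeat-*", query,
                      os.environ["ES_USER"], os.environ["ES_PASSWORD"],
                      os.environ.get("ES_CA_FILE"))
    print(f"{rule}: {hits} hit(s) in the last {window} min, "
          f"IS ABOVE {is_above} -> {'FIRES' if threshold_met(hits, is_above) else 'quiet'}")
```

Running it right after a handful of wrong SSH passwords shows the hit count the rule would see; if it reports one hit and "quiet" with IS ABOVE 1, that is the threshold caveat from Step 3, not a data problem.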