# Lab 1 - Setting up Elastic in AWS

## Base Setup:

### Setup Instance:

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FqsRuHl4EL7DtLBWfYXqp%2Fimage.png?alt=media&#x26;token=db7b49e3-fbfe-4bfa-b7f2-21a958beb5a6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FhfxXxmEqHg1Dk1eBy0iO%2Fimage.png?alt=media&#x26;token=13d06301-83e7-4b69-b33b-373f5fc5c2a8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2F9DhE6laOtO99A3hafwyt%2Fimage.png?alt=media&#x26;token=e4db52bb-c8d1-4acd-bd17-677bdf3255ec" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FKT4flXSSKOISg2HsitBJ%2Fimage.png?alt=media&#x26;token=66112dbe-6bbf-4d69-bd2f-8ecd9ca9e259" alt=""><figcaption></figcaption></figure>

### Update Security Group

Port 5601: Kibana

Port 9200: Elasticsearch

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FBJ678ucPBtKxaP4TCEqU%2Fimage.png?alt=media&#x26;token=6a1cf0c1-0e8f-4812-af9a-5d3600999fdd" alt=""><figcaption></figcaption></figure>
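Because this step opens 5601 and 9200 inbound, a check that neither port ended up reachable from the whole internet is worth keeping next to the lab. The script below is an added example, not part of the original lab: it reads the JSON that `aws ec2 describe-security-groups` prints and reports any rule that lets `0.0.0.0/0` or `::/0` reach Kibana or Elasticsearch; the `SAMPLE` group is constructed for illustration.

```python
"""Flag security-group rules that expose the ELK ports to the internet.

Usage: aws ec2 describe-security-groups --group-ids sg-XXXX | python3 sg_check.py
(hypothetical helper written for this lab; sg-XXXX is a placeholder)
"""
import json
import sys

ELK_PORTS = {5601: "Kibana", 9200: "Elasticsearch"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry applies to TCP `port`."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":            # "all traffic": no FromPort/ToPort present
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return lo <= port <= hi


def world_open_cidrs(rule):
    """Return the world-open IPv4/IPv6 CIDRs referenced by one rule."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD_CIDRS)


def find_exposed_ports(describe_output, ports=ELK_PORTS):
    """Return [(group_id, port, service, cidr), ...] for every world-open ELK port."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            for cidr in world_open_cidrs(rule):
                for port, service in ports.items():
                    if rule_covers_port(rule, port):
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings


# Constructed sample in the shape describe-security-groups returns (not a real group).
SAMPLE = {"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # exposed
    {"IpProtocol": "tcp", "FromPort": 5601, "ToPort": 5601,
     "IpRanges": [{"CidrIp": "172.31.0.0/16"}], "Ipv6Ranges": []},   # VPC only: fine
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic
]}]}

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    findings = find_exposed_ports(json.load(src))
    for gid, port, svc, cidr in findings:
        print(f"{gid}: {svc} port {port} is open to {cidr}")
    sys.exit(1 if findings else 0)
```

A non-zero exit makes it usable as a gate in a script; the expected fix for any finding is to restrict the rule to your own address or the VPC CIDR.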

## Building ELK:

### Install Elasticsearch:

SSH into Instance:

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2F9Qhl0BRFti1FZfjczcK2%2Fimage.png?alt=media&#x26;token=1ab736fe-e98f-4ca0-972f-d21243bfeb99" alt=""><figcaption></figcaption></figure>

Commands to install Elasticsearch:

```bash
# import the Elastic package signing key
# (apt-key is deprecated on recent Ubuntu releases; Elastic also documents a signed-by keyring variant)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

sudo apt-get update
sudo apt-get install apt-transport-https

# default (Elastic-licensed) 7.x repository, which provides the "elasticsearch" package
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

# OSS (Apache-licensed) 7.x repository, which provides "elasticsearch-oss" instead
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

sudo apt-get update
sudo apt-get install elasticsearch
```

Now that Elasticsearch is installed, a few settings in its configuration file need to change.

It is good practice to bind Elasticsearch to the instance's private IP (a 172.31.x.x address in the default VPC) rather than to every interface:

```bash
sudo nano /etc/elasticsearch/elasticsearch.yml
# set network.host to the private IP; on a single instance also set
# discovery.type: single-node, otherwise the bootstrap checks refuse to
# start a node that is bound to a non-loopback address
```

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FjUzbU2BQwE8HhHtPnwUg%2Fimage.png?alt=media&#x26;token=13bc5309-05ef-4bd2-8737-ea55be78b840" alt=""><figcaption></figcaption></figure>

Now start Elasticsearch:

```bash
sudo service elasticsearch start
```

Test Elasticsearch (it should answer with a JSON banner that includes the version):

```bash
curl http://<Private IP>:9200
```

### Install Logstash:

```bash
sudo apt-get install default-jre
```

Verify the Java version with the command below:

```bash
java -version
```

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2F1qTy7VQNxHLiPnr82jpK%2Fimage.png?alt=media&#x26;token=3927ab83-c970-43fc-b0a7-fcee93eff36e" alt=""><figcaption></figcaption></figure>

Now install Logstash:

```bash
sudo apt-get install logstash
```

#### Create data pipeline:

```bash
# the directory lives under /, so creating it needs root
sudo mkdir /logstash
cd /logstash
# pull down sample data
# hand the directory to the logstash service account so the pipeline can read it
sudo chown -R logstash /logstash
sudo chgrp -R logstash /logstash
```

#### Create Logstash Configuration File:

```bash
sudo nano /etc/logstash/conf.d/apache-01.conf
```

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FBFzrFik1dlRTEBodzJfo%2Fimage.png?alt=media&#x26;token=f8244214-4ead-421d-8bcd-31a9a7e6e25a" alt=""><figcaption></figcaption></figure>

To test the configuration without starting the pipeline:

```bash
/usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/apache-01.conf
```

It can take a minute or so to run, but it should end with a "Configuration OK" message.

#### Start Logstash

```bash
sudo service logstash start
```

Check that it is working by listing the indices; a logstash index should appear once data has been ingested:

```bash
curl http://<Private IP>:9200/_cat/indices?v
```

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FeGNj6rApoajOXVgW3iQf%2Fimage.png?alt=media&#x26;token=29c391c9-4e8c-4c5c-a263-6dd08931ea57" alt=""><figcaption></figcaption></figure>

### Install Kibana:

```bash
sudo apt-get install kibana
```

Edit the config:

```bash
sudo nano /etc/kibana/kibana.yml
```

Change the lines below so Kibana also listens on the private IP and talks to Elasticsearch there:

```yaml
server.port: 5601
server.host: '<YourPrivateIP>'
elasticsearch.hosts: ["http://<YourPrivateIP>:9200"]
```

Start Kibana:

```bash
sudo service kibana start
```

Test Kibana

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FG5PMJ3u0Lry5fzM032Zy%2Fimage.png?alt=media&#x26;token=3259f392-3f67-410f-80f9-76b62ef07776" alt=""><figcaption></figcaption></figure>

### Add an Index Pattern to display the Logstash Index

Go to Stack Management → Kibana → Index Patterns and select "Create Index Pattern":

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FLguSqLlBRLvzDeI1c7vu%2Fimage.png?alt=media&#x26;token=a976b66e-aefb-4258-9ed5-9093f4695179" alt=""><figcaption></figcaption></figure>

#### Use Kibana to query data

<figure><img src="https://2873795674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwCXGslyd2ZF1jbJFU9rw%2Fuploads%2FcblzOwdFWOUcPllpohlA%2Fimage.png?alt=media&#x26;token=1885fbbf-bb01-473c-91a3-cb8a886b6987" alt=""><figcaption></figcaption></figure>
