Elastic Stack Build Guide

This guide walks through the line-by-line installation of a basic Elastic 8.4.3 stack: Elasticsearch, Kibana, and Winlogbeat on the Windows hosts that ship logs to it.

Elastic Installation

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install elasticsearch
# the 8.x repository installs the newest 8.x release; to get exactly 8.4.3, pin it: sudo apt-get install elasticsearch=8.4.3
# the install output prints the generated password for the built-in elastic user and the SHA-256
# fingerprint of the HTTP CA; record both. The password can be reset later with
# sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
# elasticsearch.yml changes (/etc/elasticsearch/elasticsearch.yml):
# network.host: [Elasticsearch server IP]
# restart after editing: sudo systemctl restart elasticsearch
# Create the account Kibana authenticates with (the users file is root-owned, so run with sudo;
# useradd prompts for the password). kibana_system is the only role Kibana needs for its own
# connection; superuser is not required and should not be given to a service account whose
# password sits in kibana.yml. The built-in kibana_system user is an alternative:
# sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system
sudo /usr/share/elasticsearch/bin/elasticsearch-users useradd kibanauser
sudo /usr/share/elasticsearch/bin/elasticsearch-users roles kibanauser -a kibana_system

Kibana Installation

sudo apt-get update && sudo apt-get install kibana
# Kibana must match the Elasticsearch version; if Elasticsearch was pinned, pin Kibana too: sudo apt-get install kibana=8.4.3
sudo systemctl daemon-reload
sudo systemctl enable kibana
sudo systemctl start kibana
# kibana.yml changes (/etc/kibana/kibana.yml):
# server.host: "local_machine_ip" (uncomment; this is the Kibana host's own IP)
# elasticsearch.hosts: ["https://elasticsearch_server_ip:9200"]
# uncomment elasticsearch.ssl.verificationMode: none
#   (this makes Kibana accept any certificate on port 9200; the safer option is to copy
#   /etc/elasticsearch/certs/http_ca.crt from the Elasticsearch host, point
#   elasticsearch.ssl.certificateAuthorities at the copy, and set verificationMode: certificate)
# elasticsearch.username: "kibanauser" and elasticsearch.password: "[password]"
#   (the key is elasticsearch.username, not elasticsearch.user; the password can be kept out of
#   kibana.yml with sudo /usr/share/kibana/bin/kibana-keystore add elasticsearch.password)
# restart after editing: sudo systemctl restart kibana
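The two config edits above done as a script, as an added example (not part of the original guide and not Elastic's own tooling). It applies the elasticsearch.yml and kibana.yml keys idempotently and, instead of setting elasticsearch.ssl.verificationMode: none, has Kibana trust the CA that Elasticsearch 8.x generates at install time. Assumptions: Debian package paths, the placeholder IPs in ES_IP and KIBANA_IP, that the Kibana password is exported as KIBANA_PASSWORD, and that /etc/elasticsearch/certs/http_ca.crt has already been copied from the Elasticsearch host to /etc/kibana/http_ca.crt on the Kibana host (the source file is root:elasticsearch, so copy it with sudo or scp as root).

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Run as root:
#   ./elastic-config.sh elasticsearch   (on the Elasticsearch host)
#   KIBANA_PASSWORD=... ./elastic-config.sh kibana   (on the Kibana host)
set -eu

ES_IP="${ES_IP:-192.0.2.10}"           # assumed Elasticsearch host IP
KIBANA_IP="${KIBANA_IP:-192.0.2.11}"   # assumed Kibana host IP
ES_YML=/etc/elasticsearch/elasticsearch.yml
KB_YML=/etc/kibana/kibana.yml
KB_CA=/etc/kibana/http_ca.crt          # assumed copy of the Elasticsearch http CA

# set_yml FILE KEY VALUE: replace the "KEY:" line whether it is live or commented
# out, or append it if absent. Re-running it never duplicates the key.
set_yml() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^#? *${key}:" "$file"; then
    sed -i -E "s|^#? *${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# get_yml FILE KEY: print the live value of KEY (empty if only commented or absent)
get_yml() {
  sed -nE "s|^${2}: *(.*)$|\1|p" "$1" | tail -n 1
}

# ca_fingerprint CERT: SHA-256 fingerprint in the lowercase, colon-free form that
# the elasticsearch package printed at install time, so the two can be compared.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

configure_elasticsearch() {
  set_yml "$ES_YML" network.host "$ES_IP"
  systemctl restart elasticsearch
}

configure_kibana() {
  [ -r "$KB_CA" ] || { echo "copy http_ca.crt from the Elasticsearch host to $KB_CA first" >&2; return 1; }
  chown root:kibana "$KB_CA" && chmod 0640 "$KB_CA"
  echo "CA fingerprint (compare with the one printed when elasticsearch was installed): $(ca_fingerprint "$KB_CA")"
  set_yml "$KB_YML" server.host "\"$KIBANA_IP\""
  set_yml "$KB_YML" elasticsearch.hosts "[\"https://$ES_IP:9200\"]"
  set_yml "$KB_YML" elasticsearch.username "\"kibanauser\""
  # Trust the real CA. "certificate" checks the chain without requiring the IP in the
  # SAN; that is enough here and, unlike "none", still rejects an impostor on 9200.
  set_yml "$KB_YML" elasticsearch.ssl.certificateAuthorities "[\"$KB_CA\"]"
  set_yml "$KB_YML" elasticsearch.ssl.verificationMode certificate
  # The password goes into the Kibana keystore rather than kibana.yml.
  printf '%s' "$KIBANA_PASSWORD" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin --force
  systemctl restart kibana
  # Smoke test with exactly the CA and credentials Kibana will use; the password is
  # fed to curl through its config stdin so it does not appear on the command line.
  printf 'user = "kibanauser:%s"\n' "$KIBANA_PASSWORD" |
    curl -sS -K - --cacert "$KB_CA" "https://$ES_IP:9200/" >/dev/null && echo "Elasticsearch reachable over verified TLS"
}

case "${1:-}" in
  elasticsearch) configure_elasticsearch ;;
  kibana) : "${KIBANA_PASSWORD:?export KIBANA_PASSWORD first}"; configure_kibana ;;
esac
```

If the fingerprint printed by the script does not match the one shown at install time, stop: the file you copied is not the CA Elasticsearch is serving, and Kibana would be trusting the wrong authority.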

Winlogbeat Installation

  1. Download winlogbeat zip from Elastic

  2. Extract contents into Program Files

  3. Rename folder "Winlogbeat"

  4. .\install-service-winlogbeat.ps1

  5. (may require PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1)

  6. winlogbeat.yml changes (C:\Program Files\Winlogbeat\winlogbeat.yml)

    1. setup.kibana

      1. host: [ip address of Kibana server]

      2. ssl.verification_mode: none (only relevant if Kibana itself is served over HTTPS)

    2. output.elasticsearch

      1. hosts: ["https://ip_address:9200"]

      2. username:

      3. password: (keep it out of the file with the Winlogbeat keystore: .\winlogbeat.exe keystore create, then .\winlogbeat.exe keystore add ES_PWD, and reference it as password: "${ES_PWD}")

      4. ssl.verification_mode: none (disables certificate checking for every event shipped; copying http_ca.crt from the Elasticsearch host and setting ssl.certificate_authorities: ['C:\Program Files\Winlogbeat\http_ca.crt'] keeps verification on)

  7. Elastic user notes

    1. create a custom role with the cluster privileges monitor and manage_ilm and the index privilege manage on the winlogbeat-* indices

    2. add that role, the built-in kibana_admin role, and the built-in ingest_admin role to the user that runs setup. These are setup-time privileges (templates, ILM policies, ingest pipelines, dashboards); the credential left in winlogbeat.yml on every Windows host should be a separate user that can only write to winlogbeat-*

  8. .\winlogbeat.exe setup -e

    1. -e sends the log to the console; read it before moving on, because any failure to load the index template, ILM policy, pipelines or dashboards is reported there

  9. Start-Service Winlogbeat
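The user notes in step 7 done through the Elasticsearch security API, as an added example (not part of the original guide). It is run from a Linux host that has curl and the Elasticsearch http CA (the Elasticsearch host itself works) and creates two users: a setup user with exactly the privileges listed in step 7, used once for `winlogbeat setup -e`, and a writer user whose credentials go into winlogbeat.yml on the Windows hosts. The writer role's privilege list is my own minimal reading for publishing events and is not in the guide; check it against the Winlogbeat documentation for your version. Assumptions: the ES_URL and ES_CA defaults, admin credentials in ES_ADMIN_AUTH (user:password), the two passwords in SETUP_PWD and PUBLISH_PWD, and the role and user names.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide.
# Usage: ES_ADMIN_AUTH=elastic:... SETUP_PWD=... PUBLISH_PWD=... ./winlogbeat-users.sh --apply
set -eu

ES_URL="${ES_URL:-https://192.0.2.10:9200}"                # assumed Elasticsearch URL
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"     # the 8.x auto-generated http CA

# Setup role: the privileges from step 7 (kibana_admin and ingest_admin are
# built-in roles and are attached to the user, not copied into this role).
winlogbeat_setup_role_json() {
  cat <<'EOF'
{"cluster":["monitor","manage_ilm"],
 "indices":[{"names":["winlogbeat-*"],"privileges":["manage"]}]}
EOF
}

# Publish-only role (assumption, not from the guide): read the ILM policy and
# pipeline it needs, create documents, let the write alias/index auto-create.
winlogbeat_publish_role_json() {
  cat <<'EOF'
{"cluster":["monitor","read_ilm","read_pipeline"],
 "indices":[{"names":["winlogbeat-*"],"privileges":["create_doc","auto_configure","view_index_metadata"]}]}
EOF
}

# user_json PASSWORD ROLE...: body for PUT _security/user (password must not contain a double quote)
user_json() {
  local password="$1"; shift
  local roles="" r
  for r in "$@"; do roles="${roles:+$roles,}\"$r\""; done
  printf '{"password":"%s","roles":[%s]}\n' "$password" "$roles"
}

# es_put PATH JSON: the body is piped in so passwords stay off the process list.
# ES_ADMIN_AUTH is still on argv via -u; use a netrc file if other users share the host.
es_put() {
  printf '%s' "$2" | curl -sS --fail --cacert "$ES_CA" -u "$ES_ADMIN_AUTH" \
    -X PUT -H 'Content-Type: application/json' "$ES_URL/$1" -d @-
  echo
}

# The check that matters: the writer credential must not be able to change
# cluster configuration. A PUT to the ILM API with an empty body returns 403
# when the role is right and 400 (validation) when it is wrongly authorised.
verify_writer_is_limited() {
  local code
  code=$(printf 'user = "winlogbeat_writer:%s"\n' "$PUBLISH_PWD" | curl -s -K - --cacert "$ES_CA" \
           -o /dev/null -w '%{http_code}' -X PUT -H 'Content-Type: application/json' \
           "$ES_URL/_ilm/policy/probe" -d '{}')
  [ "$code" = 403 ] || { echo "winlogbeat_writer got HTTP $code on an ILM write, expected 403" >&2; return 1; }
  echo "winlogbeat_writer cannot manage ILM (HTTP 403)"
}

main() {
  : "${ES_ADMIN_AUTH:?set ES_ADMIN_AUTH=elastic:password}" "${SETUP_PWD:?}" "${PUBLISH_PWD:?}"
  es_put _security/role/winlogbeat_setup   "$(winlogbeat_setup_role_json)"
  es_put _security/role/winlogbeat_publish "$(winlogbeat_publish_role_json)"
  es_put _security/user/winlogbeat_setup   "$(user_json "$SETUP_PWD" winlogbeat_setup kibana_admin ingest_admin)"
  es_put _security/user/winlogbeat_writer  "$(user_json "$PUBLISH_PWD" winlogbeat_publish)"
  verify_writer_is_limited
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run `.\winlogbeat.exe setup -e` on one Windows host with winlogbeat_setup in winlogbeat.yml, then switch the file (or the keystore entry) to winlogbeat_writer before starting the service and before cloning the config to other hosts.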

Elastic Security Setup

Common Issues

  • navigating to the Kibana IP and port in a web browser shows the "Kibana is not ready yet" message

    • usually an authentication or connection problem between Kibana and Elasticsearch

    • check that Elasticsearch is running (sudo systemctl status elasticsearch) and that port 9200 is reachable from the Kibana host

    • check that the Kibana credentials in kibana.yml are correct and that the user has the kibana_system role

    • the actual reason is in the Kibana log: sudo journalctl -u kibana -e

  • Elasticsearch failing with "no file path" errors

    • the IP address in the Elasticsearch config file (network.host in elasticsearch.yml) is wrong and must be changed; the full error is in /var/log/elasticsearch/elasticsearch.log or sudo journalctl -u elasticsearch -e
