# ELK Stack
 > Elasticsearch, Logstash, & Kibana
 
 This is just a little write-up on my research in deploying the ELK stack.
 
 ## Prerequisites
 ```shell
 sudo apt-get install -y gpg apt-transport-https`
 wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
 sudo apt-get update && sudo apt-get install elasticsearch kibana logstash
 sudo certbot certonly --standalone --preferred-challenges http -d elastic.domain.org
 ```
 
 ## Setup Elasticsearch
 * Copy your certificates to `/etc/elasticsearch/certs`:
 ```shell
 mkdir -p /etc/elasticsearch/certs/
 sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/elasticsearch/certs/fullchain.pem
 sudo cp /etc/letsencrypt/live/elastic.domain.org/privkey.pem   /etc/elasticsearch/certs/privkey.pem
 sudo chmod -R 777 /etc/elasticsearch/certs/
 ```
 
 * Edit your `/etc/elasticsearch/elasticsearch.yml` and change the follow options:
 ```yaml
 cluster.name: BeeHive
 node.name: gibson
 network.host: 0.0.0.0    
 bootstrap.memory_lock: true
 xpack.security.audit.enabled: true
 xpack.security.http.ssl:
   enabled: true
   key: /etc/elasticsearch/ssl/privkey.pem
   certificate: /etc/elasticsearch/ssl/fullchain.pem
 ```
 
 * System changes:
 ```shell
 sudo su  
 	ulimit -n 65535
 	ulimit -u 4096
 
 echo "elasticsearch  -  nofile  65535" > /etc/security/limits.conf
 mkdir -p /etc/systemd/system/elasticsearch.service.d/
 echo "[Service]\nLimitMEMLOCK=infinity" > /etc/systemd/system/elasticsearch.service.d/override.conf
 sudo swapoff -a
 sudo sysctl -w vm.swappiness=1         # Add these
 sudo sysctl -w vm.max_map_count=262144 # to /etc/systctl.conf
 sudo sysctl -w net.ipv4.tcp_retries2=5 # 
 ```
 
 * Set the password for Kibana:
 `./usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system`
 `./usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana # Save this for when we access Kibana the first time`
 `./usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node # enrollment token for a new node`
 
 ## Setup Kibana
 * Copy your certificates to `/etc/kibana/certs`:
 ```shell
 mkdir -p /etc/kibana/certs/
 sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/kibana/certs/fullchain.pem
 sudo cp /etc/letsencrypt/live/elastic.domain.org/privkey.pem   /etc/kibana/certs/privkey.pem
 ```
 
 * Edit your `/etc/kibana/kibana.yml` and change the follow options:
 ```yaml
 server.host: "0.0.0.0"
 server.publicBaseUrl: "https://elastic.domain.org"
 server.ssl.enabled: true 
 server.ssl.certificate: /etc/kibana/certs/fullchain.pem
 server.ssl.key: /etc/kibana/certs/privkey.pem
 elasticsearch.hosts: ["https://elastic.domain.org:9200"]
 elasticsearch.username: "kibana_system"
 elasticsearch.password: "changeme" # Use the password from the reset command we did earlier
 ```
 
 ## Setup Logstash
 * Copy your certificates to `/etc/logstash/certs`:
 ```shell
 mkdir -p /etc/logstash/certs/
 sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/logstash/certs/cacert.pem
 ```
 
 * Edit your `/etc/logstash/logstash.yml` and change the follow options:
 ```yaml
 input {
   beats {
     port => 5044
   }
 }
 output {
   elasticsearch {
     hosts => ["https://elastic.domain.org:9200"]
     index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
     user => "elastic"
     password => "changeme"
     cacert => "/etc/logstash/cacert.pem"
   }
 }
 ```
 
 * `logstash-plugin install logstash-input-irc`
 
 ## Start the ELK stack:
 ```shell
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service && sudo systemctl start elasticsearch.service
 sudo systemctl enable kibana.service        && sudo systemctl start kibana.service
 sudo systemctl enable logstash.service      && sudo systemctl start logstash.service
 ```

© 2023 acidvegas, inc • generated with stagit