security talk & philosophizing



Tag: elk

  • ElastAlert2 To Process ELK Notifications

    Yelp created a repository to aid in processing notifications from ELK logs. That repo went dormant, but a fork of it, ElastAlert2, has replaced it. For me this is personally an amazing application: I can get notifications without having to buy into a commercial license. Setup. Source: https://elastalert2.readthedocs.io/en/latest/running_elastalert.html#as-a-python-package It requires Python 3.11+. If…

  • ELK: Creating a HTTP Status Code Graph

    Having a graph showing HTTP status codes over time is incredibly useful. A stacked bar graph can show an increase or decrease in one status code (such as the 500 level), which is extremely useful at a glance. Consider the graph depicted at the top of this article. We’re going to make that, but we’ll need access to…

  • Elastic’s Pricing Problem

    I really love Elastic and their product lineup. They have some amazing options, and the fact that you can get started for FREE is a very strong plus. As a SIEM, the ELK stack (Elasticsearch, Logstash, Kibana) is snappy, responsive, and consistent. Once I set up the index rotation I never have a problem with stability. But…

  • ELK ILM

    ELK uses a disk watermark: when disk usage reaches X% (90%, I believe), it stops performing and shuts down services. For this reason it’s important to have a good sense of data maintenance. How long do you need your data? 5 days? 7 days? 30 days? How much disk space do you have available to you?…

  • ELK Migration Woes: PUT values without Kibana

    I’ve been upgrading my home ELK stack from 7.17.* to 8.7.*. In the process I got to a state where elasticsearch was running, filebeat was running, but Kibana was failing. Running systemctl status kibana reported something about cluster.routing.allocation.enable needing to be set to 'All'. Looking this up got me to this ElasticSearch…

  • QA Lab Monitoring with ELK

    I got into the ELK (Elasticsearch, Logstash, Kibana) stack when I started working with an IDS called Suricata. I needed a front end to discern the data events happening on the network, and ELK was a natural fit for Suricata. ELK provides a way of shipping and analyzing data from various sources. Data events…

  • Monitor Third Party Front-End Libraries

    It’s always useful to keep track of which JS or CSS libraries are being pulled into the front end from hosted third parties, such as CDNs. While there are services that charge for this monitoring, it can be accomplished with an open source stack. The goal: a web server’s access logs will make mention of…

  • Filebeat Custom Field Processing for ELK

    I had a recent project at work, where I needed to parse a load balancer log. The interesting part of the project was to capture data that was being added to the log. This short post will cover what I did to capture the data and render it in Kibana / ELK. If you have…

  • Creating a High Severity Suricata Dashboard in ELK

    Once you have your ElasticSearch server running with Kibana, and it’s being fed data from Suricata installs via Filebeat, you can view the incoming data through some default dashboards. Filebeat has two Suricata default dashboards, one for alerts and one for events. I like the default Filebeat Suricata dashboards, except that the Alert one…
