https://www.youtube.com/watch?v=Ts-ofIVRMo4
https://notes.netbytesec.com/2023/06/install-elastic-kibana.html
https://www.elastic.co/guide/en/kibana/current/deb.html
All commands are from the video, and the two documents above.
It's suggested to watch the video first, then follow along with the following commands.
Notes before you start:

- Prepare VMs for the task. Refer to the "Environments" section.
- Follow the commands in this gist to install Kibana.
- When enrolling the fleet server, ippsec suggests adding `--fleet-server-es-ca=/usr../http_ca.crt --insecure`, but it will cause trouble (at least in my case). So, when enrolling the fleet server, and later the agents, only append `--insecure` to the installation command if things go south.
- The step that modifies the `default` setting in the fleet server in order to gather data from the agent is not necessary. Then, feel free to follow all other steps in the video.
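Before enrolling the Fleet Server (and later the agents) with `--fleet-server-es-ca`, it is worth confirming that the `http_ca.crt` copied to that host is the CA Elasticsearch actually generated: the 8.x install output you saved in the Elasticsearch step prints the HTTP CA SHA-256 fingerprint, and Fleet settings show the same value. The script below is an added example, not from the gist or the video; it assumes the 8.x default CA path `/etc/elasticsearch/certs/http_ca.crt` and takes the expected fingerprint as an argument, in either the colon-separated or the bare hex form.

```shell
#!/bin/sh
# Added example (not from the gist or the video): check that the copy of
# Elasticsearch's HTTP CA carried to the Fleet Server host is the right one
# before enrolling, so there is no reason to fall back to --insecure.
# A PEM body is base64 of the DER bytes, and the SHA-256 fingerprint is
# simply SHA-256 over those bytes, so openssl is not needed.
# Assumed 8.x default CA path: /etc/elasticsearch/certs/http_ca.crt

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the first
# certificate in a PEM file; return 1 if no certificate body is found.
ca_fingerprint() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{p;/-----END CERTIFICATE-----/q;}' "$1" \
        | grep -v -- '-----' | tr -d '\n\r ')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d ' ' -f 1
}

# Normalize a fingerprint as shown in the elasticsearch install output or in
# Fleet settings (any case, with or without colons) to lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# Return 0 when the PEM file matches the expected fingerprint, 1 otherwise.
verify_ca() {
    expected=$(normalize_fp "$2")
    actual=$(ca_fingerprint "$1") || { echo "no certificate in $1" >&2; return 1; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches $expected"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, expected $expected" >&2
    return 1
}

# Demo on a constructed stand-in (not a real certificate): the body "YWJj" is
# base64 of "abc", whose SHA-256 is the well-known ba7816bf...f20015ad.
demo_file=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----' > "$demo_file"
verify_ca "$demo_file" "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
rm -f "$demo_file"
```

Run it as `verify_ca /path/to/http_ca.crt <fingerprint from the saved install output>` on the Fleet Server host; a match means the CA file can be passed with `--fleet-server-es-ca` as in the video without adding `--insecure`.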
## Environments

- Ubuntu Linux. Used to SSH to the Elastic Server and Fleet Server to do the installation.
- Ubuntu Linux (server edition, minimal install). Logs will consume space all the time, so I guess 30 GB would be better.
- Ubuntu Linux (server edition, minimal install). The default 20 GB will suffice.
- Any Windows version is OK (better using Windows 10+/Server 2016+).
## Elasticsearch

```bash
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
sudo apt install elasticsearch
# Save the output when the installation ends to a file for later reference: it contains the default password for the elastic user
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
# Check that Elasticsearch works (the password is auto-generated when elasticsearch is installed)
curl -X GET -k https://elastic:<PASSWORD>@localhost:9200
```
## Nginx (reverse proxy in front of Kibana)

```bash
sudo apt install nginx
sudo vi /etc/nginx/sites-enabled/default
```

In the default site, change the `location /` block as in the video so that every request is proxied to Kibana on port 5601. The stock `try_files` line (serve the request as a file, then as a directory, then fall back to a 404) is commented out because it is replaced by `proxy_pass`:

```nginx
location / {
    # Proxy every request to Kibana listening on localhost:5601
    proxy_pass http://127.0.0.1:5601;
    # Stock default: first attempt to serve request as file, then
    # as directory, then fall back to displaying a 404. Not wanted here.
    # try_files $uri $uri/ =404;
}
```

```bash
# restart and enable nginx
sudo systemctl restart nginx
sudo systemctl enable nginx
```
## Kibana

```bash
# The Elastic repo key and apt list were already added in the Elasticsearch step; the Kibana docs
# repeat them under a different keyring name, and this tee (no -a) overwrites the list with an equivalent entry
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install kibana
# Generate an enrollment token on the Elasticsearch host, then paste it when kibana-setup asks for it
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
sudo /usr/share/kibana/bin/kibana-setup
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
sudo systemctl start kibana.service
sudo systemctl status kibana.service
# Generate the encryption keys and paste the generated lines at the bottom of kibana.yml
sudo /usr/share/kibana/bin/kibana-encryption-keys generate
sudo vi /etc/kibana/kibana.yml
```
## Elastic Agent on Windows

You can find the Elastic Agent service in the Services app. Usually it's not required to start or stop the daemon manually; the commands are here just in case. The service name contains a space, so it must be quoted:

```powershell
Start-Service "Elastic Agent"
Stop-Service "Elastic Agent"
```