Setting Up Elastic 8 with Kibana, Fleet, Endpoint Security, and Windows Log Collection

42,472 views

IppSec

a day ago

Comments: 56
@beyblade3331 2 years ago
Thanks @ippsec, my open-source detection is up using ELK and other network and system monitoring tools.
@kaushiksivashankar9621 2 years ago
I adore how he goes through the process in the exact same tone and flow as he would an easy box.
@hasanidriss1519 a year ago
Hey man, nice job. Please can you make a video to integrate Logstash and Kafka into this setup you made? Also I have a question: if I have an offsite office whose logs I need to get to my datacenter, is Kafka the best option to ingest the data of the users and servers and then send it to the Elasticsearch database through Logstash on the edge of my network?
@extrabyte-qx6li a year ago
Hello, did you figure this out?
@michaelkasede1489 2 years ago
33:44 - Hi Ippsec, thanks a lot for doing this video. I have been trying to get this setup to work and all along data was not being shipped to Elasticsearch because of the configuration ssl.verification_mode: "none". Thanks, I will be doing a tutorial on this using Docker.
@p0p09apk5 10 months ago
Unbelievable... node-to-node explanation and clear understanding of ELK, Fleet etc. Thank you so much for your help. 😊 God bless
@WatsonInfosec a year ago
Thank you for the tutorial!
@nischalsharma5357 2 years ago
How about setting up things like OpenCTI and pushing those IOCs to Elastic for better detection and correlation? Might that be something we can do?
@ibnudafa8772 4 months ago
Has Endpoint and Cloud Security been replaced with "Elastic Defend"?
@architvats2633 19 days ago
Update: Endpoint and cloud integration is now called Elastic Defend
@tomassod1 2 months ago
Hey, great video. I would like to see my ASUS system logs in ELK.
@cyberforstudents a year ago
Great video, thank you.
@Friendsooo22 a month ago
Where did you install this, Parrot or Ubuntu?
@BorisJohnsonMayor a year ago
Would be great to see a topology regarding the isolation you mentioned with the Fleet server. I want to set this up to monitor my web apps that are exposed to the internet. My plan was to set up the ELK stack on an isolated VLAN on my DMZ interface, then all my web apps with the Elastic agent sit on a different VLAN on the same DMZ. Where would you put the fleet server from a network topology view?
@jonoc9943 2 years ago
Literal lifesaver - I'm struggling to set it up in a Docker container and you walked through all the steps I got stuck on, cheers!
@Adrestia930 2 years ago
Wow, I was literally about to do this for Windows logs; I was just going to use the docs and my BF, who loves Elastic and got certified in it for work, but this is great, thanks!
@michaelfisher2821 2 years ago
Thanks for adding this. Very helpful. Wish you did this a year ago when I was first doing it. Lol much better than your Helk video.
@ippsec 2 years ago
I do not believe Fleet and such existed when I did that HELK Video. Maybe it did, but Elastic has come a long way since I last looked at it.
@michaelfisher2821 2 years ago
@ippsec yeah, it really has. The Security model is money, although there's no great way to export and parse when looking at the Alerts page, or even when you shift over to the host view. I'm sure you can do an API query or use Burp, but that's a little messy when you just want to export the current view.
@GANESHviswanathan1609 6 months ago
Please show us installing on Windows.
@abdullas5709 2 years ago
How can you push the agents to multiple Windows boxes and servers easily?
@ippsec 2 years ago
You just need to download & execute that binary. WinRM, PsExec, Intune, any RMM tool.
@kimzerah4051 2 years ago
You are awesome! Thank you :)
@MikeMcPhee101 a year ago
This video is awesome, Thank you! For some reason I am getting authentication errors from Kibana right after the Nginx steps "We hit an authentication error. Please check your credentials and try again. If you still can't log in, contact your system administrator." The curl command with the same credentials for the elastic super user work just fine - any ideas?
@Defender_IQ 8 months ago
Thank you from the heart ❤❤❤. You can't imagine how much this video helped me and explained to me what I should do. It is very clear, simple and understandable, and at the same time one comprehensive video for everything and there is nothing like it on KZbin.
@Restricted-Content 2 years ago
Great video. We use Elastic daily, and the power it has is not fully realized yet; the automation with little initial investment is a huge benefit.
@pepaw 7 months ago
Good video, man. I appreciate the method of instruction/explanation, as if you're explaining to a colleague vs a kindergartner.
@fortunez1911 a year ago
I want to build Elastic EDR, but I have a problem when adding the Fleet server: there is always a self-signed error. After that, when my VM has been rebooted, I can't log in with my credentials from before. Can anyone help me?
@ctnguyenvn2178 a year ago
Great video. Any new video for configuring logs from Elastic Agent -> Logstash -> Elasticsearch?
@patrickdee7365 a year ago
I love you so much for the insecure flag at 16:28. Took me way too long until I landed here.
@petarsimovic5628 a year ago
Is this Endpoint and Cloud security agent free in Elastic?
@miss.Mariella 2 months ago
Great job 🤗
@mayphonruang6646 a year ago
I'm new to Linux and Elasticsearch, and the issue at the end you were having helped me fix my issue. I was trying to figure it out for over a month. THANK YOU!
@kalidsherefuddin 2 years ago
Great course.
@arunkrishna1854 2 years ago
Why not use osquery for logging/visibility? It would be cross-platform, and then use a fleet to manage it?
@ippsec 2 years ago
Like I said in this video, I just started on the newest version of Elastic the day I recorded. I had used it years ago, but a lot has changed. I'm not exactly sure what you mean about osquery for logging. To my knowledge it would help with finding things like current processes and such on the system, and not for querying Sysmon logs to get historical data like I showed in the video. As to why osquery isn't in this video? Because I plan to do osquery in a separate video; I was hoping to make an Elastic series showing off various features. For example, I didn't even go into configuring the rules for Endpoint Security here.
@arunkrishna1854 2 years ago
@ippsec well, I meant it to be used as an agent. Though it doesn't work great on Windows, it does have plugins to bridge the gap. You can schedule the queries from a fleet and diff them (create queries based on MITRE). You'll have a single cross-platform agent. This is what I meant by logging.
@ippsec 2 years ago
Honestly, I'm too new to know what you mean here. Hopefully I will get it right when I do the osquery video; I still have a bit more reading and experimenting to do before that video.
@extrabyte-qx6li a year ago
@arunkrishna1854 Maybe you should make a video to show us how it's done.
@genghis_khan_ a year ago
I'm getting this error, can someone help?

Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:y
{"log.level":"info","@timestamp":"2023-06-30T12:35:40.769Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":410},"message":"Generating self-signed certificate for Fleet Server","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-30T12:35:43.410Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":787},"message":"Fleet Server - Running on policy with Fleet Server integration: 3e5321e0-1742-11ee-9e24-6de69790d371; missing config fleet.agent.id (expected during bootstrap process)","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-30T12:35:43.410Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":104},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-06-30T12:35:44.401Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":478},"message":"Starting enrollment to URL: fleet:8220/","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-06-30T12:35:44.624Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":104},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}
Error: fail to enroll: fail to execute request to fleet-server: dial tcp 155.14.140.133:8220: connect: connection refused
For help, please see our troubleshooting guide at www.elastic.co/guide/en/fleet/8.8/fleet-troubleshooting.html
Error: enroll command failed with exit code: 1
For help, please see our troubleshooting guide at www.elastic.co/guide/en/fleet/8.8/fleet-troubleshooting.html
@ippsec a year ago
This is the key line:
> Error: fail to enroll: fail to execute request to fleet-server: dial tcp 155.14.140.133:8220: connect: connection refused
I'd make sure your box can talk to that IP on that port. Chances are a firewall is blocking you.
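Two threads above ask about the same enrollment workflow: pushing the agent binary to many Windows hosts (the WinRM/PsExec/Intune answer) and an enrollment that dies with "dial tcp ...:8220: connect: connection refused". The script below is an added example, not code from the video or from Elastic; it fans out over WinRM, checks that each host can reach the Fleet Server port before it downloads anything, and pins the Fleet CA instead of passing --insecure (the cause of the "SSL/TLS verifications disabled" warnings in the posted log). The agent version, Fleet URL, enrollment token, CA path and host list are placeholders; it assumes WinRM is enabled on the targets, the caller is a local admin on them, and the targets can fetch from artifacts.elastic.co. The elastic-agent install flags used (--url, --enrollment-token, --certificate-authorities, --non-interactive) are documented Elastic Agent options.

```powershell
# Added example (not from the video or from Elastic): push Elastic Agent to a list of Windows
# hosts over WinRM and enrol each one in Fleet, after first confirming that the host can reach
# Fleet Server on TCP 8220 (the "connection refused" failure in the thread above).
# Placeholders / assumptions: version, Fleet URL, token, CA path and host list below.

$AgentVersion    = '8.8.0'                                      # placeholder: match your stack
$FleetUrl        = 'https://fleet.corp.example:8220'             # placeholder
$EnrollmentToken = 'PASTE-ENROLLMENT-TOKEN-HERE'                 # placeholder: Fleet > Enrollment tokens
$CaPemPath       = 'C:\ProgramData\fleet-ca.pem'                 # placeholder: Fleet Server CA, present locally
$Targets         = @('ws01.corp.example', 'ws02.corp.example')   # placeholder host list

$Zip = "elastic-agent-$AgentVersion-windows-x86_64.zip"
$Url = "https://artifacts.elastic.co/downloads/beats/elastic-agent/$Zip"

# Runs ON each target. Everything it needs is passed in as arguments (no implicit state).
$Install = {
    param($Url, $Zip, $AgentVersion, $FleetUrl, $EnrollmentToken, $CaPemPath)

    $fleet = [uri]$FleetUrl
    # Pre-flight: same check ippsec suggests. Fail loudly before a half-finished install
    # rather than letting the enroll step time out behind a firewall or VLAN ACL.
    if (-not (Test-NetConnection -ComputerName $fleet.Host -Port $fleet.Port -InformationLevel Quiet)) {
        throw "$env:COMPUTERNAME cannot reach $($fleet.Host) on TCP $($fleet.Port) (firewall/VLAN?)"
    }
    if (-not (Test-Path $CaPemPath)) {
        throw "$env:COMPUTERNAME is missing the Fleet CA at $CaPemPath"
    }

    $work = Join-Path $env:TEMP 'elastic-agent'
    New-Item -ItemType Directory -Force -Path $work | Out-Null
    Invoke-WebRequest -Uri $Url -OutFile (Join-Path $work $Zip) -UseBasicParsing
    Expand-Archive -Path (Join-Path $work $Zip) -DestinationPath $work -Force

    $exe = Join-Path $work "elastic-agent-$AgentVersion-windows-x86_64\elastic-agent.exe"
    # --certificate-authorities makes the agent verify Fleet Server's TLS cert against your CA.
    # --insecure would skip verification entirely (the "SSL/TLS verifications disabled" warning),
    # which is fine for a lab but lets anyone on the path impersonate Fleet and hand out policy.
    & $exe install --non-interactive `
        "--url=$FleetUrl" `
        "--enrollment-token=$EnrollmentToken" `
        "--certificate-authorities=$CaPemPath"
    if ($LASTEXITCODE -ne 0) {
        throw "elastic-agent install failed on $env:COMPUTERNAME (exit code $LASTEXITCODE)"
    }
    "$env:COMPUTERNAME enrolled"
}

foreach ($t in $Targets) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $t
        # Ship the CA file first so the remote side can pin Fleet Server's certificate.
        Copy-Item -Path $CaPemPath -Destination $CaPemPath -ToSession $session -Force
        Invoke-Command -Session $session -ScriptBlock $Install `
            -ArgumentList $Url, $Zip, $AgentVersion, $FleetUrl, $EnrollmentToken, $CaPemPath
    } catch {
        # One bad host (unreachable Fleet port, WinRM off, no internet) should not stop the rollout.
        Write-Warning "$t : $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}
```

The enrollment token is a bearer credential for joining your fleet, so source it from a secret store rather than leaving it in the script, and rotate it in Fleet once the rollout is done. If the pre-flight check fails for a host, the fix is on the network path (host firewall, VLAN ACL, or the Fleet Server's own 8220 listener), exactly as the reply above says; retrying the install will not help.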
@pipomambo2 a year ago
Do you need to install Sysmon manually on the hosts? I get the PowerShell logs but not the Sysmon ones.
@laboratoryathena511 2 years ago
Can we do similar to these integrations in Wazuh? For example, I had to manually install Sysmon and log it...
@ippsec 2 years ago
I don't use Wazuh, so I'm not positive. I like Elastic's EDR much better than what Wazuh provides.
@ZeddyZed a year ago
10:41 what if we don't know how to install an SSL certificate 😅
@alsjourney a year ago
Hey man, love the video. One question: does this block malware automatically and log it?
@ippsec a year ago
Yes, but that part is not free; it is the Endgame/EDR component. There is a free trial for it though.
@alsjourney a year ago
@ippsec thanks for the quick reply. Can't wait to try this out at my current workplace as a junior cyber sec engineer.
@Pernat1y a year ago
Really helpful. Thanks!
@White1Coat a year ago
Thanks a lot. Good job!
@anonymousvevo8697 10 months ago
You are a life saver.
@swordfishinc6556 a year ago
Great video, thanks!
@sylvainbeaucheminspersonal372 a year ago
Awesome! 👌
@cyberlancer718 a year ago
Can I get your social contact?