Ingesting Ubuntu Server Logs into Elasticsearch

On Day 13 of the MyDFIR SOC Challenge, I focused on ingesting logs from my Ubuntu server into Elasticsearch for further analysis. Below is the step-by-step process of how I achieved this:

1. Creating a New Policy in Elasticsearch

I began by logging into my Elastic Dashboard. From there, I navigated to the Fleet menu and created a new agent policy named “MyDFIR-Linux-Policy”. This policy would be used to monitor and ingest logs from my Ubuntu server.

2. Verifying Log Collection Integration

Once the policy was created, I opened it and selected the “system-3” integration to verify which logs were being collected by default. This integration was configured to collect authentication logs from /var/log/auth.log, which was ideal for my goal of analyzing failed authentication attempts.

3. Adding Ubuntu Server to the Fleet

Next, I added my Ubuntu server as a new agent in Fleet, selecting the newly created “MyDFIR-Linux-Policy” as the agent's policy.

I copied the installation command from the Elastic dashboard and connected to my Ubuntu server using SSH. After pasting the installation command, I encountered an x509 certificate error.

4. Resolving x509 Error

Since I was using a self-signed certificate, I resolved the x509 issue by appending the --insecure flag to the installation command, which skips verification of the server certificate during enrollment. This bypassed the certificate error and allowed the installation to complete successfully. After the installation, the agent showed as enrolled on the Elastic dashboard.

5. Verifying Data Ingestion

I then navigated to the Discover tab in the Elastic dashboard to verify the log ingestion. I filtered the logs using the Available Fields menu and confirmed that logs from my Ubuntu server were being ingested and displayed.

6. Filtering Failed Authentication Attempts

Back in my Ubuntu SSH session, I used the following command to filter failed authentication attempts from the logs:

    grep -i failed auth.log | grep -i root | cut -d ' ' -f 9

I then copied one of the failed login attempt IPs and searched for it on the Elastic dashboard. As expected, the IP appeared, confirming successful log ingestion.
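As an added example (not part of the original post), here is the same extraction written as a small shell script over a constructed auth.log excerpt. The log lines, hostname, PIDs and addresses are made up (addresses come from the RFC 5737 documentation ranges) and follow the RFC 3339 timestamp layout on which the post's cut -f 9 yields an IP for a plain "Failed password for root" line. The script keeps the post's pipeline for comparison, adds an awk version that locates the "from" token instead of relying on a fixed column, so usernames that merely contain "root" cannot slip in, and adds a per-IP count of failed attempts for triage.

```shell
#!/bin/sh
# Added example: constructed auth.log excerpt plus two ways to pull the source
# IPs of failed root logins out of it. Not code from the original post.

# Emit a constructed /var/log/auth.log excerpt (hostname, PIDs and addresses
# are made up; addresses come from the RFC 5737 documentation ranges).
make_sample_auth_log() {
  cat <<'EOF'
2024-08-14T10:01:02.000000+00:00 ubuntu sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-08-14T10:01:05.000000+00:00 ubuntu sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-08-14T10:01:09.000000+00:00 ubuntu sshd[1201]: Failed password for root from 203.0.113.5 port 51246 ssh2
2024-08-14T10:02:11.000000+00:00 ubuntu sshd[1208]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
2024-08-14T10:02:40.000000+00:00 ubuntu sshd[1209]: Failed password for root from 198.51.100.7 port 40002 ssh2
2024-08-14T10:02:55.000000+00:00 ubuntu sshd[1211]: Failed password for invalid user rootadmin from 198.51.100.9 port 40009 ssh2
2024-08-14T10:03:00.000000+00:00 ubuntu sshd[1212]: Accepted publickey for ubuntu from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:PLACEHOLDER
2024-08-14T10:04:30.000000+00:00 ubuntu sshd[1215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
EOF
}

# The post's pipeline, unchanged. On this timestamp layout field 9 is the IP
# for a plain "Failed password for root" line, but any line containing "root"
# anywhere (for example an invalid user named "rootadmin") also passes the
# grep, and on that line field 9 is the username, not an address.
naive_failed_root_ips() {
  grep -i failed "$1" | grep -i root | cut -d ' ' -f 9
}

# Column-independent version: match the exact sshd message for the root
# account and print the token that follows "from", so the timestamp format
# and the presence of "invalid user" no longer matter.
failed_root_ips() {
  awk '/sshd\[[0-9]*\]: Failed password for root from / {
         for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
       }' "$1"
}

# Triage view: failed password attempts per source IP for any account,
# most active source first, one "count ip" pair per line.
failed_counts_by_ip() {
  awk '/Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
       }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Stand-alone demo against the constructed excerpt: sh script.sh demo
demo() {
  tmp=$(mktemp)
  make_sample_auth_log > "$tmp"
  echo "== post's pipeline (note the stray username) =="; naive_failed_root_ips "$tmp"
  echo "== token-based extraction =="; failed_root_ips "$tmp"
  echo "== failures per source IP =="; failed_counts_by_ip "$tmp"
  rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host the functions take /var/log/auth.log as their argument; the count view is the quicker starting point when searching the Elastic dashboard, since the busiest source IP is usually the one worth pivoting on first.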

7. Advanced Search for Authentication Failures

To go further, I modified the search to include both the IP address and authentication failure keywords, which returned over 800 results related to failed login attempts from that specific IP.

Conclusion:

On Day 13, I successfully set up my Ubuntu server to send logs to Elasticsearch, where I could analyze them in detail. This session gave me valuable experience in log ingestion and analysis using Elastic. In the coming days, I plan to create dashboards and alerts in the Elastic Dashboard to enhance my log monitoring and incident response capabilities.