On Day 4 of the MyDFIR 30-Day SOC Challenge, I focused on setting up and configuring Kibana on the virtual machine (VM) I created on Day 3. Below is a detailed account of the process I followed, including the key steps and configurations.
Step 1: Downloading and Installing Kibana
To begin, I downloaded Kibana from the official Elastic website. This involved using the SSH terminal on my VM to download the correct version of Kibana (v8.15 at the time of recording) by typing:
wget [download link from elastic.co]
After the download was complete, I used the following command to install the package:
dpkg -i kibana-[version].deb
This ensured Kibana was installed and ready for further configuration.
Step 2: Configuring Kibana
Once Kibana was installed, I had to make some configuration changes. The Kibana configuration file is located at /etc/kibana/kibana.yml. I used nano to edit this file and made two key changes:
- Server Port: I ensured that Kibana was running on port 5601, which is the default.
- Server Host: I updated the server host to my VM’s public IP address so that Kibana could be accessed externally.
nano /etc/kibana/kibana.yml

After editing the file, I saved the changes and restarted the Kibana service using:
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
I verified that Kibana was running by checking its status with:
systemctl status kibana

Step 3: Generating the Enrollment Token
Kibana requires an enrollment token to connect to Elasticsearch. I generated the token by navigating to the appropriate directory and using the following command:
cd /usr/share/elasticsearch/bin
./elasticsearch-create-enrollment-token --scope kibana
This generated the enrollment token that I needed to set up Kibana. I copied and saved the token for later use.
Step 4: Firewall Configuration
Initially, I encountered a “connection timed out” error while trying to access Kibana through the browser. After troubleshooting, I realized that my firewall rules were blocking the port. To resolve this, I configured the firewall rules in both my Vultr instance and my VM itself.
- Vultr Firewall Configuration: I updated the firewall rules to allow access on port 5601.
- Ubuntu Firewall Configuration: I used ufw to allow incoming connections to port 5601 on the VM:
ufw allow 5601
Once these firewall rules were updated, I successfully accessed Kibana via my VM’s public IP address and port 5601.
Step 5: Finalizing Kibana Setup
When I accessed Kibana for the first time, it prompted me to enter the enrollment token generated earlier. After pasting the token, I needed to verify it with a verification code, which I obtained by running the following command on the VM:
cd /usr/share/kibana/bin
./kibana-verification-code
I entered the verification code and logged in using the default elastic user and password that I had saved during the Elasticsearch setup.
Step 6: Setting Persistent Encryption Keys
One of the final configurations involved setting persistent encryption keys for Kibana. Without this, Kibana generates new keys each time it restarts, which can lead to errors when modifying saved objects or rules. I generated three encryption keys (for saved objects, reporting, and security) and added them to Kibana's keystore.
To generate the necessary encryption keys, I used a built-in command in the Kibana binary directory. First, I navigated to the Kibana binaries directory using the command:
cd /usr/share/kibana/bin
Once inside the directory, I executed the following command to generate the three encryption keys:
./kibana-encryption-keys generate
This command output three unique encryption keys, each used for securing different components of Kibana. These encryption keys were as follows:
- xpack.encryptedSavedObjects.encryptionKey
- xpack.reporting.encryptionKey
- xpack.security.encryptionKey
The output in the terminal looked something like this:
xpack.encryptedSavedObjects.encryptionKey: c3VwZXJfc2VjdXJlX2tleQ==
xpack.reporting.encryptionKey: c29tZV9yYW5kb21fZW5jcnlwdGlvbg==
xpack.security.encryptionKey: Z3JhbmRfdGVzdF9rZXk=
I copied these keys and stored them in a notepad for use in the next steps.
Next, I needed to add these keys into the Kibana keystore to ensure they persist through system restarts. For each key, I used the following command:
./kibana-keystore add [encryption key name]
Kibana then prompted me to enter the corresponding key value for each encryption key. I repeated this process three times, once for each key, ensuring all the key-value pairs were securely stored in the keystore.
Finally, to apply the changes, I restarted the Kibana service using the following command:
sudo systemctl restart kibana
After this, Kibana no longer displayed the API integration key error, and everything was functioning smoothly with the persistent encryption in place.
Conclusion
By the end of Day 4, I successfully installed and configured Kibana on my virtual machine, integrating it with Elasticsearch. From resolving configuration issues to setting up encryption keys, this process taught me essential skills in managing and securing Kibana. I encountered and overcame challenges, like firewall rules and persistent encryption keys, ensuring that Kibana remains functional after restarts. With Kibana now fully operational, I’m ready to move forward and begin setting up my Windows target machine for log ingestion in the next phase of the project.