The quickest and most reliable way to test Dsiem is to use the supplied Docker Compose files. They include Dsiem, all the required ELK stack, and an example log source (Suricata) pre-configured.
Then after you get a feel on how everything fits together, you can start integrating Dsiem into your existing or custom ELK deployment.
-
Install Docker, and Docker Compose.
-
Copy this repository from here, unzip it, then open the result in terminal.
$ unzip dsiem-master.zip && cd dsiem-master
-
Suricata needs to know which network interface to monitor traffic on. Tell it to use the network interface that has a working Internet connection on your system like this (for
bashshell):$ export PROMISC_INTERFACE=eth0Replace
eth0above with the actual interface name given byifconfigor similar commands. For testing purpose, it's not necessary to configure the interface to really operate in promiscuous mode. -
Set the owner of filebeat config files to root (here's why):
$ cd deployments/docker && \ sudo chown root $(find conf/filebeat/ conf/filebeat-es/ -name "*.yml")
-
Run ELK, Suricata, and Dsiem in standalone mode:
$ docker-compose pull $ docker-compose up
Tip
There are 2 extra docker-compose example configurations in deployments/docker for slightly more complex environment than the default standalone mode above. You can use the -f parameter to specify which configuration file to load.
-
Everything should be up and ready for testing in a few minutes. Here's things to note about the environment created by
docker-compose:- Dsiem web UI should be accessible from http://localhost:8080/ui, Elasticsearch from http://localhost:9200, and Kibana from http://localhost:5601.
- Suricata comes with Emerging Threats ICMP Info Ruleset enabled and
EXTERNAL_NET: "any", so you can easily trigger a test alarm just by continuously pinging a host in the same subnet. Dsiem comes with an example directive configuration that will intercept this "attack". - Recorded events will be stored in Elasticsearch index pattern
siem_events-*, and alarms will be insiem_alarms. You can view their content from Kibana or Dsiem web UI.
-
Once Kibana is up at http://localhost:5601, you can import Dsiem dashboard and its dependencies using the following command:
$ ./scripts/kbndashboard-import.sh localhost ./deployments/kibana/dashboard-siem.json
Do notice that like any Kibana dashboard, Dsiem dashboard also expect the underlying indices (in this case
siem_alarmsandsiem_events-*) to have been created before it can be accessed without error. This means you will need to trigger the test alarm described above before attempting to use the dashboard.
-
First make sure you're already familiar with how Dsiem architecture works by testing it using the Docker Compose method above. Also note that these steps are only tested against ELK version 6.4.2 and 6.8.0, though it should work with any 6.x version (or likely 7.x as well) with minor adjustment.
-
Download Dsiem latest binary release and unzip it to a dedicated directory. For instance, to install the Linux version into
/var/dsiem:# [ "$EUID" -ne 0 ] && echo must be run as root! || (\ export DSIEM_DIR=/var/dsiem && \ mkdir -p $DSIEM_DIR && \ wget https://github.com/defenxor/dsiem/releases/latest/download/dsiem-server_linux_amd64.zip -O /tmp/dsiem.zip && \ unzip /tmp/dsiem.zip -d $DSIEM_DIR && rm -rf /tmp/dsiem.zip && \ cd $DSIEM_DIR
-
Let the web UI knows how to reach Elasticsearch and Kibana by entering their URLs into
/var/dsiem/web/dist/assets/config/esconfig.json:$ cat esconfig.json { "elasticsearch": "http://elasticsearch:9200", "kibana": "http://kibana:5601" }If Elasticsearch requires authentication, you can supply basic authentication credential in the following format:
$ cat esconfig.json { "elasticsearch": "http://username:password@elasticsearch:9200", "kibana": "http://kibana:5601" } -
Install the following plugin to your Logstash instance:
-
Adjust and deploy the example configuration files for Logstash from here. Consult Logstash documentation if you have problem on this.
-
Install Filebeat on the same machine as dsiem, and configure it to use the provided example config file from here.
-
Note that you should change
/var/log/dsiemin that example to thelogsdirectory inside dsiem install location (/var/dsiem/logsif using the above example). -
Also make sure you adjust the logstash address variable inside
filebeat.ymlfile to point to your Logstash endpoint address.
-
-
Set Dsiem to auto-start by using something like this (for systemd-based Linux):
# [ "$EUID" -ne 0 ] && echo must be run as root! || ( \ cat <<EOF > /etc/systemd/system/dsiem.service [Unit] Description=Dsiem After=network.target [Service] Type=simple WorkingDirectory=/var/dsiem ExecStart=/var/dsiem/dsiem serve Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload && \ systemctl enable dsiem.service && \ systemctl start dsiem.service && \ systemctl status dsiem.service)
-
Dsiem web UI should be accessible from http://HostIPAddress:8080/ui
-
Import Kibana dashboard from
deployments/kibana/dashboard-siem.json. This step will also install all Kibana index-patterns (siem_alarmsandsiem_events) that will be linked to from Dsiem web UI.$ ./scripts/kbndashboard-import.sh ${your-kibana-IP-or-hostname} ./deployments/kibana/dashboard-siem.jsonIf Kibana requires authentication, you can supply the credentials in
ES_USERNAMEandES_PASSWORDenvironment variables, like so:$ export ES_USERNAME=elastic $ export ES_PASSWORD=weak $ ./scripts/kbndashboard-import.sh ${your-kibana-IP-or-hostname} ./deployments/kibana/dashboard-siem.json
For docker-compose installation, just run the following:
$ cd dsiem/deployments/docker && \
docker-compose down -vor
$ cd dsiem/deployments/docker && \
docker-compose -f docker-compose-cluster.yml down -vFor non docker-compose procedure, you will have to undo all the changes made manually, for example:
- Remove the extra logstash plugins and configuration files.
- Uninstall Filebeat.
- Uninstall Dsiem by deleting its directory and systemd unit file, if any.