pfELK on UNRAID - Working proof of concept.

[noodlemctwoodle]

So there have been some requests to get pfELK onto UnRAID and that time has come for any of you interested.

I have a working proof of concept and I have documented a guide on my GitHub, I'll post it on @a3ilson Wiki once I have ironed out the bugs and some people have tested it.

This project is a Frankenstein of open source projects, the config of pfELK and the container of sebp/elk with a few modifications to pull in the pfELK configuration files. I've not built a container before so please bare with me. I am open to suggestions for fixing any bugs. 👍

Please raise any issues you find on my GitHub

Pre-Requisite Steps

1. Make sure you configure the MaxMind GeoIPUpdate container as UnRAID-pfELK depends on this container downloading the database files, if the files are unavailable UnRAID-pfELK will fail to launch. Guide Here

2. Please ensure that you follow the guide, setup the container storage location and wget the pfELK files into that location before you attempt to build the UnRAID-pfELK container. Guide Here

3. I plan to try and release this as an UnRAID Community Plugin if I can fix the bugs, this means we can have one click installs. However, for now I have made it fairly easy with a one line deployment script from UnRAID Terminal to deploy the container.

Known issues:

• For some reason png images are not showing in the guide or in my git, I'm not sure why I've added images a million times to Git but today they aren't working.
• The Container is showing not available in UnRAID for update, I've added it to my bugs, I'm not sure how to fix it or what is causing it, I'll do some Googling. Any suggestins welcome 🥇

[noodlemctwoodle]

@a3ilson do you know how to solve this?

[a3ilson]

@noodlemctwoodle - Are those from one of the dashboards?

Typically, one would need to download the dashboard(s) which contain all the elements. Additionally, you'll need to pay particular attention to step 6a.

[noodlemctwoodle]

These are my settings

When I import the Firwall dashboard I get this error

[a3ilson]

Which conf files are you using? pfelk/docker or pfelk?

[noodlemctwoodle]

I'm using pfelk dashboards and the config files from the same repo

[a3ilson]

@noodlemctwoodle - can you confirm that logs are being enriched? Dockers often inhibit the enrichment due to the ip filtering within 02-types.conf.

To check, navigate to the index pattern (Kibana) and check the number of fields and/or pull of the logs within Discover and check to see if they are being parsed.

[noodlemctwoodle]

Here are some snips from discover, they look like they are being enriched.

[a3ilson]

Go to the index pattern within Kibana and refresh the fields.

When the index pattern is initially built, it only builds based on what has currently been seen. If new logs are parsed with previously seen fields, it will result in the error specified. Please note the number of fields. Then refresh the index pattern.

Not related reference but provide to illustrate the above:

[noodlemctwoodle]

I have 508 fields, is there a specific requirement?

[a3ilson]

nope...that looks good. Higher than what i receive but every instance will be different.

[a3ilson]

Which dashboards did you attempt to import? Should be 5.5.1...the 5.5's will not work.

[noodlemctwoodle]

I've tried

• v5.5.1 Firewall Dashboard (082820).ndjson
• v5.5.1 Suricata Dashboard (082820).ndjson
• v5.5.1 Snort Dashboard (091420).ndjson

[a3ilson]

All three are yielding the same errors?

[noodlemctwoodle]

They are all yealding the same results. sorry for the zoom on these :|

snort:

Firewall:

Suricata:

[a3ilson]

Give this a try:

Navigate to your index pattern.

• Delete the index pattern
• Recreate the index pattern with the prescribed settings

[a3ilson]

Looks like you'll need to increase the field limit before running Logstash...you can try via the template revision or before running logstash run the following:

From withing Kibana>>Dev Tab insert and apply the following:

PUT test_index/_settings
{
  "index.mapping.total_fields.limit": 2000
}

or from the CLI, enter the following:

curl -X PUT localhost:9200/pfelk-geoip/_settings -H 'Content-Type: application/json' -d'{   "index.mapping.total_fields.limit": 1001 }
'

[a3ilson]

how's this endeavor coming along?

[klausagnoletti]

Yes, I am interested in this too. I bascially want to run this as docker containers on my Linux box - but I recently migrated from UNRaid so I would think that it wouldn't be that hard to do. The alternative is to figure everything out for myself. I have already tried that with not too much success :)

[a3ilson]

@klausagnoletti - @noodlemctwoodle has already accomplished what you're looking for. Please take a look at his GitHub repository on the UNRaid instance of pfELK here

[klausagnoletti]

Yes, I tried it and used it to get the same thing working with https://github.com/sherifabdlnaby/elastdocker instead which I like better than the very monolithic way @noodlemctwoodle did it. I have plans to fork stuff and put it on github at some point. When I do that I will write it in this or in another issue (or whatever you think makes most sense)

Thanks for the great work, everybody

/klaus

[a3ilson]

We can reference it from pfelk and/or create a pfelk/unraid repository and add you? Let me know which works best for you.

[klausagnoletti]

What I have made is not very well suited for unraid since the elastdocker is based on docker-compose which, as far as I know, is unsupported in unraid. So we can either reference it from your repo or you can create another docker repo (which I guess would only make sense if you want to go with my way of doing it going forward. That depends on you :-)

Some of the reasons why I settled on elastdocker is that it supports TLS in the entire stack and the modular setup based on docker-compose (three individual containers that can easily be used with other purposes as well).

/k

[a3ilson]

Thanks!

So the ideal (only supported method) unraid pfelk variant would comprise of a docker that is not based upon docker-compose?

[noodlemctwoodle]

I've hidden my container from public view as it was causing extremely high CPU usage that would result in UnRAID becoming unstable. I've just simply not had time to troubleshoot the issue and rather than cause this issue on other people's hardware I chose to hide the container until I have some time to look at it. Currently I just send my raw pfSense logs to Azure Sentinel :)

[a3ilson]

@noodlemctwoodle - Let me know when you have more time to build this out. Reading over Elastic documentation, it appears this may be easier than previously presumed.

• Kibana will run in a docker
  • Reference: https://www.elastic.co/guide/en/kibana/current/docker.html
• Elasticsearch will run in a docker
  • Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html
• Logstash will run in a docker and pointing to the required config files and patterns appears to be somewhat simple
  • Reference: https://www.elastic.co/guide/en/logstash/current/docker-config.html

[noodlemctwoodle]

My PC is down currently as I'm putting my RTX 3090 into the water loop. Just waiting on some new fittings to arrive in the post. 🤬

Should be up and running again by next weekend with any luck.

I'll read the links you posted, certainly be happy to push on the development for UnRAID, as my Azure cost is around £200 a month at the moment 🤫

[a3ilson]

Yikes! Well I'm down a motherboard (home server) which should arrive later this week and I'll build out the docker images for Elasticsearch, Logstash, and Kibana...that should allow you to build the UnRAID piece and close this issue while saving a few pounds. Nice score on the GPU...I'm holding out for inventory (whenever that might be...).

[noodlemctwoodle]

Been on the waiting list for 4 months on the GPU. I've been testing it on air for around 3 weeks but now it's stripped down and ready to go in the water loop 🙂

[crunchingcode]

Any update on this? I'm very interesting in getting this up and running on unraid. Last uupdate from noodlemctwoodle in regards to the unraid was that he hid it because it was causing high levels of cpu.

[crunchingcode]

Also the no update known issues might be related to unraid/webgui@438e5f8

[noodlemctwoodle]

@crunchingcode I'm no later longer looking at getting it running on UnRAID as I am now using Azure Sentinel instead. I have forked @a3ilsons repo and modified it to work in Azure.

Also I am also considering moving my firewall to the UDM Pro SE once it becomes more readily available so I'm not entirely sure whether I'll continue pf-Az-Sentinel as I have practically no time these days 😕.