Under the hood

Marc Smeets edited this page Feb 11, 2020 · 4 revisions

A lot is going on under the hood.

RedELK uses many different components:

  • Filebeat for shipping of logs
  • Logstash for filtering the incoming logs
  • Elasticsearch for storage
  • Kibana for viewing the data
  • Rsync is used for a second sync of teamserver data: logs, keystrokes, screenshots, etc.
  • Nginx is used for authentication to Kibana, as well as for serving the screenshots, beacon logs and keystrokes conveniently in the operator's browser.
  • Custom-made scripts are used for heavy enrichment of the log data and for blue team detection. More info on these scripts can be found here
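The role nginx plays in front of Kibana, as an added illustration that is not RedELK's shipped configuration: a single TLS server block that requires HTTP basic authentication for everything, proxies to Kibana on localhost, and serves the rsync'ed teamserver artefacts as static files behind the same credentials. The hostname, certificate paths, htpasswd file and the /var/www/c2logs/ directory are assumptions.

```nginx
# Illustrative nginx front-end for Kibana (added example, not RedELK's own config).
server {
    listen 443 ssl;
    server_name redelk.example.internal;               # assumed hostname

    ssl_certificate     /etc/nginx/certs/redelk.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/redelk.key;

    # Every request to this server block must present valid credentials.
    # Create the file with: htpasswd -c /etc/nginx/htpasswd.users operator
    auth_basic           "RedELK";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    # Kibana itself listens on 127.0.0.1:5601; nginx is the only exposed entry point.
    location / {
        proxy_pass         http://127.0.0.1:5601;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Synced screenshots, beacon logs and keystrokes served as plain files,
    # protected by the same basic auth as Kibana.
    location /c2logs/ {
        alias /var/www/c2logs/;                        # assumed rsync destination
        autoindex on;
    }
}
```

The check that matters with this layout is that Kibana is bound to localhost only (server.host: "127.0.0.1" in kibana.yml), otherwise port 5601 is reachable without passing through the nginx authentication at all; confirm with ss -ltnp that 5601 is listening on 127.0.0.1 and not 0.0.0.0 before exposing the host.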

For troubleshooting you can find:

  • info in RedELK's own logs, found in /var/log/redelk on the RedELK server; more info here
  • info on the fields used in Elasticsearch here