Listen to this Post

In this article, we’ll explore how to set up a Security Information and Event Management (SIEM) system using Elastic Stack (Elasticsearch, Logstash, Kibana) and a Kali Linux VM for log generation and analysis.
Step-by-Step SIEM Setup
- Install Elastic Stack (ELK) on a Linux Server
Update system sudo apt update && sudo apt upgrade -y Install Java (required for Elasticsearch) sudo apt install openjdk-11-jdk -y Add Elastic Stack repository wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list Install Elasticsearch, Logstash, and Kibana sudo apt update && sudo apt install elasticsearch logstash kibana -y Start and enable services sudo systemctl enable --now elasticsearch sudo systemctl enable --now kibana
2. Configure Elastic Agent on Kali Linux
Download and install Elastic Agent curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.16.2-linux-x86_64.tar.gz tar xzvf elastic-agent-7.16.2-linux-x86_64.tar.gz cd elastic-agent-7.16.2-linux-x86_64 Enroll the agent with Elastic SIEM sudo ./elastic-agent install --url=http://<ELK_SERVER_IP>:8220 --enrollment-token=<YOUR_ENROLLMENT_TOKEN>
3. Generate Logs Using NMAP Scans
Run an NMAP scan to generate network logs sudo nmap -sV -A -T4 <TARGET_IP> -oX scan_results.xml Send logs to Elastic SIEM via Filebeat sudo filebeat setup --pipelines --modules nmap sudo filebeat -e
4. Configure Real-Time Alerts in Kibana
- Navigate to Kibana Dashboard (
http://<ELK_SERVER_IP>:5601) - Go to Stack Management > Alerts and Actions
- Create a new Rule to trigger email alerts on suspicious activity.
You Should Know:
- Elasticsearch stores and indexes logs.
- Logstash processes and enriches logs before storage.
- Kibana visualizes data and manages alerts.
- Kali Linux acts as a log-generating endpoint for testing.
What Undercode Say
Implementing a SIEM with Elastic Stack provides real-time threat detection and automated alerting, essential for SOC analysts. Combining NMAP scans with Elastic Agent ensures comprehensive log collection. Future improvements could include integrating Splunk for comparative analysis.
Prediction
As cyber threats evolve, AI-driven SIEM solutions will dominate, automating threat detection and response.
Expected Output:
- A fully functional Elastic SIEM with live logs.
- Real-time email alerts for detected threats.
- A custom Kibana dashboard for security monitoring.
Relevant URLs:
References:
Reported By: Dharamveer Prasad – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


