Building a SIEM Solution with Elastic Stack and Kali Linux

Listen to this Post

Featured Image
In this article, we’ll explore how to set up a Security Information and Event Management (SIEM) system using Elastic Stack (Elasticsearch, Logstash, Kibana) and a Kali Linux VM for log generation and analysis.

Step-by-Step SIEM Setup

  1. Install Elastic Stack (ELK) on a Linux Server
    Update system 
    sudo apt update && sudo apt upgrade -y
    
    Install Java (required for Elasticsearch) 
    sudo apt install openjdk-11-jdk -y
    
    Add Elastic Stack repository 
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg 
    echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
    
    Install Elasticsearch, Logstash, and Kibana 
    sudo apt update && sudo apt install elasticsearch logstash kibana -y
    
    Start and enable services 
    sudo systemctl enable --now elasticsearch 
    sudo systemctl enable --now kibana 
    

2. Configure Elastic Agent on Kali Linux

 Download and install Elastic Agent 
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.16.2-linux-x86_64.tar.gz 
tar xzvf elastic-agent-7.16.2-linux-x86_64.tar.gz 
cd elastic-agent-7.16.2-linux-x86_64

Enroll the agent with Elastic SIEM 
sudo ./elastic-agent install --url=http://<ELK_SERVER_IP>:8220 --enrollment-token=<YOUR_ENROLLMENT_TOKEN> 

3. Generate Logs Using NMAP Scans

 Run an NMAP scan to generate network logs 
sudo nmap -sV -A -T4 <TARGET_IP> -oX scan_results.xml

Send logs to Elastic SIEM via Filebeat 
sudo filebeat setup --pipelines --modules nmap 
sudo filebeat -e 

4. Configure Real-Time Alerts in Kibana

  • Navigate to Kibana Dashboard (http://<ELK_SERVER_IP>:5601)
  • Go to Stack Management > Alerts and Actions
  • Create a new Rule to trigger email alerts on suspicious activity.

You Should Know:

  • Elasticsearch stores and indexes logs.
  • Logstash processes and enriches logs before storage.
  • Kibana visualizes data and manages alerts.
  • Kali Linux acts as a log-generating endpoint for testing.

What Undercode Say

Implementing a SIEM with Elastic Stack provides real-time threat detection and automated alerting, essential for SOC analysts. Combining NMAP scans with Elastic Agent ensures comprehensive log collection. Future improvements could include integrating Splunk for comparative analysis.

Prediction

As cyber threats evolve, AI-driven SIEM solutions will dominate, automating threat detection and response.

Expected Output:

  • A fully functional Elastic SIEM with live logs.
  • Real-time email alerts for detected threats.
  • A custom Kibana dashboard for security monitoring.

Relevant URLs:

References:

Reported By: Dharamveer Prasad – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram