Elasticsearch & Kibana With Elastic Agent (Part 1)

2025-02-14

During the third week of the WE INNOVATE Track SOC, I learned how to install and configure Elasticsearch & Kibana and set up Elastic Agent on a Windows machine to collect logs. This setup is essential for log management, monitoring, and security analytics, forming the foundation of a SIEM (Security Information and Event Management) solution.

To document everything, I’ve created a step-by-step guide on Notion covering:

✅ Installing & configuring Elasticsearch & Kibana

✅ Setting up Elastic Agent on Windows

✅ Sending logs to Elasticsearch for analysis

Check out the full guide here:

Notion Link: Elasticsearch & Kibana Guide

Practice-Verified Codes and Commands

1. Installing Elasticsearch on Windows

```powershell
# Download Elasticsearch from the official website
# https://www.elastic.co/downloads/elasticsearch

# Extract the downloaded zip file
Expand-Archive -Path .\elasticsearch-8.10.0-windows-x86_64.zip -DestinationPath C:\Elasticsearch

# Navigate to the Elasticsearch directory
cd C:\Elasticsearch\elasticsearch-8.10.0\bin

# Start Elasticsearch
.\elasticsearch.bat
```

2. Installing Kibana on Windows

```powershell
# Download Kibana from the official website
# https://www.elastic.co/downloads/kibana

# Extract the downloaded zip file
Expand-Archive -Path .\kibana-8.10.0-windows-x86_64.zip -DestinationPath C:\Kibana

# Navigate to the Kibana directory
cd C:\Kibana\kibana-8.10.0\bin

# Start Kibana
.\kibana.bat
```

3. Setting Up Elastic Agent on Windows

```powershell
# Download Elastic Agent from the official website
# https://www.elastic.co/downloads/elastic-agent

# Install Elastic Agent (run from an elevated PowerShell prompt).
# --url is the Fleet Server endpoint the agent enrolls against, and the
# enrollment token comes from Fleet in Kibana.
.\elastic-agent install --url=https://<ELASTICSEARCH_HOST>:<PORT> --enrollment-token=<TOKEN>

# Verify Elastic Agent status
.\elastic-agent status
```

4. Sending Logs to Elasticsearch

```yaml
# Configure log collection in the Elastic Agent configuration file
# Example: Collect Windows Event Logs
# Note: editing the local YAML only applies to a standalone agent; an agent
# enrolled with an enrollment token is Fleet-managed and takes its policy
# (inputs and outputs) from Fleet instead.
output.elasticsearch:
  hosts: ["https://<ELASTICSEARCH_HOST>:<PORT>"]
  username: "elastic"
  password: "<PASSWORD>"
```

```powershell
# Restart Elastic Agent to apply changes
.\elastic-agent restart
```
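After restarting the agent, the check a SOC engineer wants is that Windows Security events are actually arriving in Elasticsearch. The script below is an added example, not part of the original guide; it assumes PowerShell 7+, Elasticsearch 8.x with security enabled, and the `<ELASTICSEARCH_HOST>`, `<PORT>` and `elastic` user placeholders from the steps above.

```powershell
# Added example: confirm Elastic Agent data is reaching Elasticsearch.
# Assumes PowerShell 7+ (for -SkipCertificateCheck and -Authentication).
$EsUrl = "https://<ELASTICSEARCH_HOST>:<PORT>"
$Cred  = Get-Credential -UserName "elastic" -Message "Elasticsearch password"

# Lab only: skip TLS verification. In production, import the cluster's
# http_ca.crt into the machine certificate store and drop this switch.
$Common = @{
  Credential           = $Cred
  Authentication       = "Basic"
  SkipCertificateCheck = $true
  ContentType          = "application/json"
}

# 1. Cluster health must be green or yellow before looking at data.
$health = Invoke-RestMethod -Uri "$EsUrl/_cluster/health" @Common
Write-Host "Cluster '$($health.cluster_name)' status: $($health.status)"

# 2. Agent data lands in data streams named logs-<dataset>-<namespace>;
#    the Windows System integration writes Security events to logs-system.security-*.
$streams = Invoke-RestMethod -Uri "$EsUrl/_data_stream/logs-*" @Common
$streams.data_streams | ForEach-Object { Write-Host "data stream: $($_.name)" }

# 3. Count Security-channel events from the last 15 minutes per host, so a
#    host that has silently stopped reporting stands out as missing.
$query = @{
  size  = 0
  query = @{ bool = @{ filter = @(
      @{ term  = @{ "winlog.channel" = "Security" } }
      @{ range = @{ "@timestamp" = @{ gte = "now-15m" } } }
  ) } }
  aggs  = @{ per_host = @{ terms = @{ field = "host.name"; size = 50 } } }
} | ConvertTo-Json -Depth 10   # default depth of 2 would truncate the query

$result = Invoke-RestMethod -Method Post -Uri "$EsUrl/logs-*/_search" -Body $query @Common
if ($result.hits.total.value -eq 0) {
  Write-Warning "No Security events in the last 15 minutes; run 'elastic-agent status' on the endpoint."
} else {
  $result.aggregations.per_host.buckets | ForEach-Object {
    Write-Host ("{0,-30} {1,8} events" -f $_.key, $_.doc_count)
  }
}
```

An empty result with a healthy cluster usually means the agent is running but its policy has no Windows input, which is the first thing to check in Fleet.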

What Undercode Says

Elasticsearch and Kibana are powerful tools for log management and security analytics, especially in a SOC environment. By setting up Elastic Agent on a Windows machine, you can efficiently collect and analyze logs, which is crucial for threat detection and incident response.

Here are some additional Linux and Windows commands to enhance your SOC operations:

Linux Commands:

  • Check Log Files:
    tail -f /var/log/syslog
    
  • Search for Specific Log Entries:
    grep "error" /var/log/syslog
    
  • Monitor Network Traffic:
    sudo tcpdump -i eth0
    

Windows Commands:

  • View Event Logs:
    Get-WinEvent -LogName Security
    
  • Check Running Processes:
    Get-Process
    
  • Monitor Network Connections:
    netstat -an
    

For further reading, check out these resources:

By mastering these tools and commands, you can significantly improve your SOC capabilities and stay ahead in the cybersecurity landscape.
