What is Elasticsearch | Logstash | Kibana or “ELK”
What is Elasticsearch, Logstash, Kibana or “ELK” and how can I use it as a security professional?
ELK is, at its most basic, a trio of data processing, data storage and data visualization software. Logstash provides automated ingestion of text data and allows a limited amount of data normalization and standardization. Elasticsearch is the storage layer, a NoSQL data store that can hold and query large amounts of data through a REST API. Kibana is the visualization layer: it lets a user shape the stored data into “widgets” and set up different views to analyze it.
When I first started to explore the ELK stack and its potential I was unable to find a good set of explanations and use cases describing how I could use it. That being said, I have learned a great deal about the use of ELK in the security space and I’m sharing it here:
Example use cases scenarios for Security:
- Review web log feeds to analyze data in real time
- Set up metrics to visualize IT Security operational data (including SOC operations)
- Use timeline data (Volatility timeliner and Log2timeline) to bring forensic data from multiple systems into one view
Logstash is versatile in that it can run on Windows, Linux or macOS, so you can pick your favorite flavor of OS and install it there. The technical level required to use ELK can be minimal. Using the software out of the box is advantageous: Logstash has the capability to ingest those files and push them into Elasticsearch, and Kibana then integrates with Elasticsearch without any major configuration effort.
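As an added illustration (this is not code from the original post or from the Elastic projects), the Python script below does by hand what the pipeline above does for the first use case: it parses web log lines in the Apache “combined” format into flat JSON documents (the same fields Logstash’s `%{COMBINEDAPACHELOG}` grok pattern extracts, with the timestamp normalized to an ISO-8601 `@timestamp`), builds the newline-delimited body that Elasticsearch’s `_bulk` REST endpoint accepts, and computes one metric a Kibana widget would typically show, error responses per client IP. The log lines are constructed samples, the regex, function names and the `weblogs` index name are my own choices, and the last sample line is deliberately malformed to show how unparsable input is counted rather than silently dropped.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample web log lines in Apache "combined" format (not real traffic).
# The final line is intentionally malformed to exercise the parse-failure path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:55:37 +0000] "GET /admin/login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - alice [10/Oct/2014:13:56:01 +0000] "POST /api/upload HTTP/1.1" 500 0 "https://example.test/" "curl/7.38"
this line is not a web log entry
"""

# Hand-written regex covering the same fields Logstash's %{COMBINEDAPACHELOG} grok pattern extracts.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: (?P<httpversion>[^"]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Turn one combined-format line into the flat JSON document Logstash would emit.
    Returns None for lines that do not match (Logstash tags these _grokparsefailure)."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    doc = m.groupdict()
    # Normalize types: the access-log timestamp becomes an ISO-8601 @timestamp in UTC,
    # numeric fields become ints, and "-" placeholders become null.
    ts = datetime.strptime(doc.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    doc["@timestamp"] = ts.astimezone(timezone.utc).isoformat()
    doc["response"] = int(doc["response"])
    doc["bytes"] = 0 if doc["bytes"] == "-" else int(doc["bytes"])
    doc["auth"] = None if doc["auth"] == "-" else doc["auth"]
    return doc


def parse_log(text):
    """Parse every non-empty line; returns (documents, number_of_unparsable_lines)."""
    docs, failures = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        doc = parse_line(line)
        if doc is None:
            failures += 1
        else:
            docs.append(doc)
    return docs, failures


def to_bulk_body(docs, index="weblogs"):
    """Build the newline-delimited body for Elasticsearch's _bulk REST endpoint
    (POST /_bulk): an action line followed by the document, one pair per event.
    The index name is an assumption for this example."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def error_counts_by_client(docs):
    """The kind of metric a Kibana widget would chart: 4xx/5xx responses per client IP,
    which makes path guessing and failing requests visible at a glance."""
    counts = Counter(d["clientip"] for d in docs if d["response"] >= 400)
    return dict(counts)


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} events, {bad} unparsable line(s)")
    print(to_bulk_body(events))
    print(error_counts_by_client(events))
```

The bulk body printed by the script is exactly what you would send with `curl -XPOST 'http://localhost:9200/_bulk' --data-binary @events.ndjson` to load these events into a local Elasticsearch; once indexed, the same per-client error count is a one-click terms aggregation on `clientip` in Kibana, which is the point of letting Logstash do this normalization for you instead of scripting it.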
If this has piqued your interest, you can download the files to get started here: http://www.elasticsearch.org/overview/elkdownloads/
Leave comments on how you use ELK as a security professional.