Contents
Prerequisites
This time, we will install Suricata IDS and ElasticStack on the following server.
・First Server Suricata IDS & Filebeat : Ubuntu Server24.04 IP(192.168.11.83)
・Second server ElasticStack & kibana : Debian12.x IP(192.168.11.85)
First Server: Suricata Installation
SURICATA IDS/IPS is an open-source intrusion detection system that monitors network traffic and detects suspicious activity. Its core mechanism is signature-based, enabling it to detect predefined patterns of malicious communication. A key feature of Suricata is its ability to not only detect threats but also actively defend against them.
1.Suricata
Installing Suricata
|
1 |
# apt -y install suricata |
Version Check
|
1 2 |
# suricata -V This is Suricata version 7.0.3 RELEASE |
Enable suricata.service to run at system restart.
|
1 2 3 4 |
# systemctl enable suricata.service Synchronizing state of suricata.service with SysV service script with /usr/lib/systemd/systemd-sysv-install. Executing: /usr/lib/systemd/systemd-sysv-install enable suricata |
The Suricata service must be configured first, so stop the service.
|
1 |
# systemctl stop suricata.service |
2.Configuring Suricata
①Suricata determines the interface and IP address for inspecting network packets.
|
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ::1/128 ens33 UP 192.168.11.83/24 fe80::20c:29ff:fef0:64/64 |
Edit the /etc/suricata/suricata.yaml file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# vi /etc/suricata/suricata.yaml # Line 18 : Change (own network) HOME_NET: "[192.168.11.0/24]" # Line 137 : Change community-id: false → community-id: true # Line 616 : Change af-packet: - interface: eth0 ↓ af-packet: - interface: ens33 ←Change to each interface name |
SURICATA supports live rule reloading, allowing you to add, remove, or edit rules without restarting the running SURICATA process. To enable the live reload option, scroll to the bottom of the configuration file and add the following line:
detect-engine:
- rule-reload: true
This setting allows you to send the SIGUSR2 system signal to the running process, causing SURICATA to reload the modified rules into memory. Commands like the following notify the SURICATA process to reload the rule set without restarting the process:
|
1 |
# kill -usr2 $(pidof suricata) |
➁Add Rule Set
Suricata includes a tool called suricata-update that can retrieve rule sets from external providers. Running the following command downloads the latest rule set for the SURICATA server:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata-update -o /etc/suricata/rules ------------------------------------ 4/3/2026 -- 08:56:10 - <Info> -- Loaded 64661 rules. 4/3/2026 -- 08:56:10 - <Info> -- Disabled 14 rules. 4/3/2026 -- 08:56:10 - <Info> -- Enabled 0 rules. 4/3/2026 -- 08:56:10 - <Info> -- Modified 0 rules. 4/3/2026 -- 08:56:10 - <Info> -- Dropped 0 rules. 4/3/2026 -- 08:56:11 - <Info> -- Enabled 136 rules for flowbit dependencies. 4/3/2026 -- 08:56:11 - <Info> -- Backing up current rules. 4/3/2026 -- 08:56:11 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 64661; enabled: 48809; added: 64661; removed 0; modified: 0 4/3/2026 -- 08:56:11 - <Info> -- Writing /etc/suricata/rules/classification.config 4/3/2026 -- 08:56:11 - <Info> -- Testing with suricata -T. 4/3/2026 -- 08:56:41 - <Info> -- Done. |
suricata-update has acquired the free Emerging Threats ET Open Rules and saved them to Suricata's /etc/suricata/rules/suricata.rules file. It also indicates the number of processed rules; in this example, 64,661 were added, of which 48,809 were enabled.
➂Add Rule Set Provider
Display the default provider list
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 |
For example, when including the tgreen/hunting rule set
|
1 2 3 4 5 6 7 8 9 10 |
# suricata-update enable-source tgreen/hunting -D /etc/suricata/rules 4/3/2026 -- 09:01:23 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 4/3/2026 -- 09:01:23 - <Info> -- Using /etc/suricata/rules for Suricata provided rules. 4/3/2026 -- 09:01:23 - <Info> -- Found Suricata version 7.0.3 at /usr/bin/suricata. 4/3/2026 -- 09:01:23 - <Warning> -- Source index does not exist, will use bundled one. 4/3/2026 -- 09:01:23 - <Warning> -- Please run suricata-update update-sources. 4/3/2026 -- 09:01:23 - <Info> -- Creating directory /etc/suricata/rules/update/sources 4/3/2026 -- 09:01:23 - <Info> -- Enabling default source et/open 4/3/2026 -- 09:01:23 - <Info> -- Source tgreen/hunting enabled |
Perform the update
|
1 |
# suricata-update update-sources |
3.Testing Suricata Configuration
①Changing the Default Rule Path
|
1 2 3 4 |
# vi /etc/suricata/suricata.yaml Line 2151: Change default-rule-path: /etc/suricata/rules |
➁Run the verification tool
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 2 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 1 rule files processed. 48809 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 48814 signatures processed. 1259 are IP-only rules, 4477 are inspecting packet payload, 42846 inspect application layer, 108 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting. |
Restart the Suricata service
|
1 |
# systemctl start suricata |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# systemctl status suricata ● suricata.service - Suricata IDS/IDP daemon Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled) Active: active (running) since Wed 2026-03-04 09:06:54 JST; 17min ago Docs: man:suricata(8) man:suricatasc(8) https://suricata.io/documentation/ Process: 10560 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile> Main PID: 10561 (Suricata-Main) Tasks: 8 (limit: 4545) Memory: 47.6M (peak: 48.0M) CPU: 8.002s CGroup: /system.slice/suricata.service mq10561 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/su> Mar 04 09:06:54 Lepard systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon... Mar 04 09:06:54 Lepard suricata[10560]: i: suricata: This is Suricata version 7.0.3 RELEASE running in> Mar 04 09:06:54 Lepard systemd[1]: Started suricata.service - Suricata IDS/IDP daemon. |
Check the log file
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/suricata/suricata.log [11172 - Suricata-Main] 2026-03-04 09:23:19 Info: suricata: Running suricata under test mode [11172 - Suricata-Main] 2026-03-04 09:23:19 Info: suricata: Setting engine mode to IDS mode by default [11172 - Suricata-Main] 2026-03-04 09:23:19 Info: exception-policy: master exception-policy set to: auto [11172 - Suricata-Main] 2026-03-04 09:23:19 Info: logopenfile: fast output device (regular) initialized: fast.log [11172 - Suricata-Main] 2026-03-04 09:23:19 Info: logopenfile: eve-log output device (regular) initialized: eve.json [11172 - Suricata-Main] 2026-03-04 09:23:19 Info: logopenfile: stats output device (regular) initialized: stats.log [11172 - Suricata-Main] 2026-03-04 09:23:35 Info: detect: 1 rule files processed. 48809 rules successfully loaded, 0 rules failed, 0 [11172 - Suricata-Main] 2026-03-04 09:23:35 Info: threshold-config: Threshold config parsed: 0 rule(s) found [11172 - Suricata-Main] 2026-03-04 09:23:35 Info: detect: 48814 signatures processed. 1259 are IP-only rules, 4477 are inspecting packet payload, 42846 inspect application layer, 108 are decoder event only [11172 - Suricata-Main] 2026-03-04 09:23:47 Notice: suricata: Configuration provided was successfully loaded. Exiting. |
4.Testing Suricata Rules
①Test ET Open rule number 2100498 using the following command:
|
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②Check the log file using the specified rule number.
|
1 2 3 |
# grep 2100498 /var/log/suricata/fast.log 03/04/2026-09:31:17.697233 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.249.165.82:80 -> 192.168.11.83:53428 |
③Checking events in /var/log/suricata/eve.log
Install jq
|
1 |
# apt -y install jq |
Search for signature 2100498 and filter EVE log events
Display alert objects with a signature_id key matching the value 2100498
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json { "timestamp": "2026-03-04T09:31:17.697233+0900", "flow_id": 1514392765408435, "in_iface": "ens33", "event_type": "alert", "src_ip": "13.249.165.82", "src_port": 80, "dest_ip": "192.168.11.83", "dest_port": 53428, "proto": "TCP", "pkt_src": "wire/pcap", "community_id": "1:psI+nA2jd3kmg3zHO3j08st7cgs=", "alert": { "action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7, "signature": "GPL ATTACK_RESPONSE id check returned root", "category": "Potentially Bad Traffic", "severity": 2, "metadata": { "confidence": [ "Medium" ], "created_at": [ "2010_09_23" ], "signature_severity": [ "Informational" ], "updated_at": [ "2019_07_26" ] } }, "http": { "hostname": "testmynids.org", "url": "/uid/index.html", "http_user_agent": "curl/8.5.0", "http_content_type": "text/html", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 39 }, "files": [ { "filename": "/uid/index.html", "gaps": false, "state": "CLOSED", "stored": false, "size": 39, "tx_id": 0 } ], "app_proto": "http", "direction": "to_client", "flow": { "pkts_toserver": 5, "pkts_toclient": 4, "bytes_toserver": 429, "bytes_toclient": 809, "start": "2026-03-04T09:31:17.680277+0900", "src_ip": "192.168.11.83", "dest_ip": "13.249.165.82", "src_port": 53428, "dest_port": 80 } } |
④Creating and Applying Custom Rules
Create the following custom signature to scan SSH traffic to non-SSH ports, and include it in the file /etc/suricata/rules/local.rules (in this case, only for IPv4 where the SSH port is 22):
|
1 2 |
# vi /etc/suricata/rules/local.rules alert ssh any any -> 192.168.11.83 !22 (msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;) |
Editing suricata.yaml
|
1 2 3 4 5 6 |
# vi /etc/suricata/suricata.yaml Add local.rules on line 2155 rule-files: - suricata.rules - local.rules |
Verify SURICATA Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 2 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 2 rule files processed. 48810 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 48815 signatures processed. 1259 are IP-only rules, 4477 are inspecting packet payload, 42847 inspect application layer, 108 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting. |
Edit the custom signature from earlier and convert it to use a drop action.
|
1 2 3 |
# vi /etc/suricata/rules/local.rules drop ssh any any -> 192.168.11.83 !22 (msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;) |
|
1 |
# kill -usr2 $(pidof suricata) |
⑤Reconfigure SURICATA and restart it in IPS mode.
SURICATA operates in IDS mode by default and does not actively block network traffic. To switch to IPS mode, you must modify SURICATA's default settings.
Use the systemctl edit command to create a new systemd override file.:
|
1 |
# systemctl edit suricata.service |
Add the following text in red at the beginning
###Editing /etc/systemd/system/suricata.service.d/override.conf
###Anything between here and the comment below will become the new contents of the file
[Service]
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -vvv
Type=simple
###Edits below this comment will be discarded
Reload the configuration and restart Suricata.
|
1 2 |
# systemctl daemon-reload # systemctl restart suricata.service |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# systemctl status suricata.service ● suricata.service - Suricata IDS/IDP daemon Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled) Drop-In: /etc/systemd/system/suricata.service.d mqoverride.conf Active: active (running) since Wed 2026-03-04 09:40:36 JST; 24s ago Docs: man:suricata(8) man:suricatasc(8) https://suricata.io/documentation/ Main PID: 11984 (Suricata-Main) Tasks: 1 (limit: 4545) Memory: 451.0M (peak: 451.0M) CPU: 24.657s CGroup: /system.slice/suricata.service mq11984 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toclient file_data (http2)> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toclient file_data (http2)> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toserver file_data (http2)> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toserver file_data (http2)> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toserver file_data (http2)> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toserver file_data (smtp)"> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toserver file_data (smtp)"> Mar 04 09:40:53 Lepard suricata[11984]: [11984] Perf: detect: AppLayer MPM "toserver file_data (smtp) |
With this change, you are now ready to send traffic to Suricata using the UFW firewall.
⑥Configuring UFW to send traffic to Suricata
To add the rules required for Suricata to UFW, you must directly edit the firewall files /etc/ufw/before.rules and /etc/ufw/before6.rules. (Assuming the SSH port is 22)
|
1 |
# vi /etc/ufw/before.rules |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# # rules.before # # Rules that should be run before the ufw command line added rules. Custom # rules should be added to one of these chains: # ufw-before-input # ufw-before-output # ufw-before-forward # # Don't delete these required lines, otherwise there will be errors *filter :ufw-before-input - [0:0] :ufw-before-output - [0:0] :ufw-before-forward - [0:0] :ufw-not-local - [0:0] # End required lines #Add the following 7 lines: ## Start Suricata NFQUEUE rules -I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass -I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass -I FORWARD -j NFQUEUE -I INPUT 2 -j NFQUEUE -I OUTPUT 2 -j NFQUEUE ## End Suricata NFQUEUE rules # allow all on loopback |
If using IPv6, similarly modify /etc/ufw/before6.rules.
Restart UFW
|
1 |
# systemctl restart ufw.service |
Verify that SURICATA is correctly dropping traffic.
Change the default action for signatures from alert or log to active dropping traffic.
Open the /etc/suricata/rules/suricata.rules file and comment out any entries matching sid:2100498.
|
1 2 |
# vi /etc/suricata/rules/suricata.rules # alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Informational, updated_at 2019_07_26;) |
Create a new entry as sid:2100498 in /etc/suricata/rules/local.rules
|
1 2 3 |
# vi /etc/suricata/rules/local.rules drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Informational, updated_at 2019_07_26;) |
Suricata restart
|
1 |
# systemctl restart suricata |
Test this rule using curl
|
1 2 |
# curl --max-time 5 http://testmynids.org/uid/index.html curl: (28) Operation timed out after 5000 milliseconds with 0 out of 39 bytes received |
Using jq to check eve.log for "action": "blocked"
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json { "timestamp": "2026-03-04T09:57:56.499245+0900", "flow_id": 1253450748949653, "event_type": "alert", "src_ip": "13.249.165.79", "src_port": 80, "dest_ip": "192.168.11.83", "dest_port": 54938, "proto": "TCP", "pkt_src": "wire/pcap", "community_id": "1:/jMjHwMjxVq82zMbt4azJ24GBWc=", "alert": { "action": "blocked", "gid": 1, "signature_id": 2100498, "rev": 7, "signature": "GPL ATTACK_RESPONSE id check returned root", "category": "Potentially Bad Traffic", "severity": 2, "metadata": { "confidence": [ "Medium" ], "created_at": [ "2010_09_23" ], "signature_severity": [ "Informational" ], "updated_at": [ "2019_07_26" ] } }, "http": { "hostname": "testmynids.org", "url": "/uid/index.html", "http_user_agent": "curl/8.5.0", "http_content_type": "text/html", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 39 }, "files": [ { "filename": "/uid/index.html", "gaps": false, "state": "CLOSED", "stored": false, "size": 39, "tx_id": 0 } ], "app_proto": "http", "direction": "to_client", "flow": { "pkts_toserver": 3, "pkts_toclient": 4, "bytes_toserver": 255, "bytes_toclient": 753, "start": "2026-03-04T09:57:56.488449+0900", "src_ip": "192.168.11.83", "dest_ip": "13.249.165.79", "src_port": 54938, "dest_port": 80 } } |
Elastic Stack 9.x Installation
Install and configure the Elastic Stack to visualize and search SURICATA logs
This section is primarily performed on a second Debian 12.x server.
①Install the Elastic Stack 9.x repository signing key
|
1 |
# apt update |
|
1 |
# apt install gnupg2 -y |
|
1 |
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg |
➁Install the Elastic Stack 9.x repository
|
1 |
# echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-9.x.list |
update
|
1 |
# apt update |
➂Installing Elasticsearch 9.x on Debian 12.x
|
1 2 |
# apt install -y apt-transport-https # apt install elasticsearch -y |
During installation, security features are enabled by default;
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
--------------------------- Security autoconfiguration information ------------------------------ Authentication and authorization are enabled. TLS for the transport and HTTP layers is enabled and configured. The generated password for the elastic built-in superuser is : 6FF20OADeZs4L70znBO4 If this node should join an existing cluster, you can reconfigure this with '/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>' after creating an enrollment token on your existing cluster. You can complete the following actions at any time: Reset the password of the elastic built-in superuser with '/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'. Generate an enrollment token for Kibana instances with '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'. Generate an enrollment token for Elasticsearch nodes with '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'. ------------------------------------------------------------------------------------------------- ### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd sudo systemctl daemon-reload sudo systemctl enable elasticsearch.service ### You can start elasticsearch service by executing sudo systemctl start elasticsearch.service |
Authentication and authorization are enabled.
TLS is enabled and configured for the transport layer and HTTP layer.
An Elastic superuser account (elastic) and its password are created.
④Configuring Elasticsearch 9.x on Ubuntu
Since this is a basic single-node cluster, we will use the default settings.
Checking the Elasticsearch configuration file /etc/elasticsearch/elasticsearch.yml reveals that security settings are enabled.
|
1 |
# cat /etc/elasticsearch/elasticsearch.yml |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
#----------------------- BEGIN SECURITY AUTO CONFIGURATION ----------------------- # # The following settings, TLS certificates, and keys have been automatically # generated to configure Elasticsearch security features on 04-03-2026 05:12:29 # # -------------------------------------------------------------------------------- # Enable security features xpack.security.enabled: true xpack.security.enrollment.enabled: true # Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents xpack.security.http.ssl: enabled: true keystore.path: certs/http.p12 # Enable encryption and mutual authentication between cluster nodes xpack.security.transport.ssl: enabled: true verification_mode: certificate keystore.path: certs/transport.p12 truststore.path: certs/transport.p12 # Create a new cluster with the current node only # Additional nodes can still join the cluster later cluster.initial_master_nodes: ["Lion"] # Allow HTTP API connections from anywhere # Connections are encrypted and require user authentication http.host: 0.0.0.0 # Allow other nodes to join the cluster from anywhere # Connections are encrypted and mutually authenticated #transport.host: 0.0.0.0 #----------------------- END SECURITY AUTO CONFIGURATION ------------------------- |
⑤Elasticsearch startup
Start Elasticsearch and configure it to run at system startup.
|
1 |
# systemctl daemon-reload |
|
1 2 |
# systemctl enable --now elasticsearch # systemctl start elasticsearch |
Check the status
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# systemctl status elasticsearch ● elasticsearch.service - Elasticsearch Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; preset: enabled) Active: active (running) since Wed 2026-03-04 14:16:41 JST; 16s ago Docs: https://www.elastic.co Main PID: 18230 (java) Tasks: 98 (limit: 2255) Memory: 1.3G CPU: 45.041s CGroup: /system.slice/elasticsearch.service tq18230 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=/usr/> tq18290 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.> mq18310 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller Mar 04 14:16:12 Lion systemd[1]: Starting elasticsearch.service - Elasticsearch... Mar 04 14:16:15 Lion systemd-entrypoint[18230]: WARNING: Unknown module: jdk.internal.vm.ci specified to --add-exports Mar 04 14:16:15 Lion systemd-entrypoint[18230]: WARNING: Unknown module: org.elasticsearch.entitlement.instrumentationjava.logg> Mar 04 14:16:41 Lion systemd[1]: Started elasticsearch.service - Elasticsearch. |
You can also use the curl command to check the status of Elasticsearch. Replace the IP address as appropriate.
|
1 |
# curl https://192.168.11.85:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic |
When prompted, enter the elastic built-in superuser password generated during Elasticsearch installation. The output will appear as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
Enter host password for user 'elastic': { "name" : "Lion", "cluster_name" : "elasticsearch", "cluster_uuid" : "fKfqmZSpQ8aojyujSrnYLg", "version" : { "number" : "9.3.1", "build_flavor" : "default", "build_type" : "deb", "build_hash" : "0dd66e52ba3aa076cf498264e46339dbb71f0269", "build_date" : "2026-02-23T23:37:38.684779921Z", "build_snapshot" : false, "lucene_version" : "10.3.2", "minimum_wire_compatibility_version" : "8.19.0", "minimum_index_compatibility_version" : "8.0.0" }, "tagline" : "You Know, for Search" } |
Also, ensure that both the HTTP port and the transport port are open;
|
1 2 3 4 |
# ss -altnp | grep -E "9200|9300" LISTEN 0 4096 *:9200 *:* users:(("java",pid=18290,fd=585)) LISTEN 0 4096 [::1]:9300 [::]:* users:(("java",pid=18290,fd=582)) LISTEN 0 4096 [::ffff:127.0.0.1]:9300 *:* users:(("java",pid=18290,fd=583)) |
⑥Resetting Elasticsearch Passwords
The automatically generated Elastic user password is too complex, so reset it using the /usr/share/elasticsearch/bin/elasticsearch-reset-password command.
To reset the password, execute the command.
|
1 |
# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i |
|
1 2 3 4 5 6 7 8 |
This tool will reset the password of the [elastic] user. You will be prompted to enter the password. Please confirm that you would like to continue [y/N]y Enter password for [elastic]: Re-enter password for [elastic]: Password for the [elastic] user successfully reset. |
⑦Elasticsearch logs
Elasticsearch writes logs to the /var/log/elasticsearch path. The log file you need to check when there is an issue with the Elasticsearch instance is /var/log/elasticsearch/CLUSTER_NAME.log.
CLUSTER_NAME is the value of the cluster.name option in the elasticsearch.yaml file. If this value is not changed, the default is elasticsearch, and the log file will be located at /var/log/elasticsearch/elasticsearch.log.
|
1 |
# tail -f /var/log/elasticsearch/elasticsearch.log |
Log
|
1 2 3 4 5 6 7 8 9 10 |
[2026-03-04T14:16:46,449][INFO ][o.e.x.i.IndexLifecycleTransition] [Lion] moving index [.ds-.logs-elasticsearch.deprecation-default-2026.03.04-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.deprecation-indexing-ilm-policy] [2026-03-04T14:16:46,500][INFO ][o.e.c.m.MetadataMappingService] [Lion] [.ds-.logs-elasticsearch.deprecation-default-2026.03.04-000001/d73NvJlvSZmJ7Sut1_i1jw] update_mapping [_doc] [2026-03-04T14:16:51,405][INFO ][o.e.c.m.MetadataCreateIndexService] [Lion] creating index [.ds-ilm-history-7-2026.03.04-000001] in project [default], cause [initialize_data_stream], templates [provided in request], shards [1]/[1] [2026-03-04T14:16:51,406][INFO ][o.e.c.m.MetadataCreateDataStreamService] [Lion] adding data stream [ilm-history-7] with write index [.ds-ilm-history-7-2026.03.04-000001], backing indices [], and aliases [] [2026-03-04T14:16:51,406][INFO ][o.e.c.r.a.AllocationService] [Lion] in project [default] updating number_of_replicas to [0] for indices [.ds-ilm-history-7-2026.03.04-000001] [2026-03-04T14:16:51,490][INFO ][o.e.c.r.a.AllocationService] [Lion] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.ds-ilm-history-7-2026.03.04-000001][0]]])." previous.health="YELLOW" reason="shards started [[.ds-ilm-history-7-2026.03.04-000001][0]]" [2026-03-04T14:22:54,021][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [Lion] users file [/etc/elasticsearch/users] changed. updating users... [2026-03-04T14:22:54,026][INFO ][o.e.x.s.a.f.FileUserRolesStore] [Lion] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles... [2026-03-04T14:23:14,041][INFO ][o.e.x.s.a.f.FileUserPasswdStore] [Lion] users file [/etc/elasticsearch/users] changed. updating users... [2026-03-04T14:23:14,042][INFO ][o.e.x.s.a.f.FileUserRolesStore] [Lion] users roles file [/etc/elasticsearch/users_roles] changed. updating users roles... |
Kibana 9.x Installation
This section is primarily performed on a second Debian 12.x server.
①Install
|
1 |
# apt install kibana |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: kibana 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 377 MB of archives. After this operation, 1,166 MB of additional disk space will be used. Get:1 https://artifacts.elastic.co/packages/9.x/apt stable/main amd64 kibana amd64 9.3.1 [377 MB] Fetched 377 MB in 1min 27s (4,342 kB/s) Selecting previously unselected package kibana. (Reading database ... 40334 files and directories currently installed.) Preparing to unpack .../kibana_9.3.1_amd64.deb ... Unpacking kibana (9.3.1) ... Setting up kibana (9.3.1) ... Creating kibana group... OK Creating kibana user... OK Created Kibana keystore in /etc/kibana/kibana.keystore |
➁Configuring Kibana 9
Kibana is configured by default to run on localhost:5601. To allow external access, edit the configuration file and replace the value of server.host with the interface IP.
|
1 |
# vi /etc/kibana/kibana.yml |
Rewrite as follows:
|
1 2 3 4 5 6 7 8 |
Line 6 : Unlock comments # Kibana is served by a back end server. This setting specifies the port to use. server.port: 5601 Line 12 : Add # To allow connections from remote users, set this parameter to a non-loopback address. #server.host: "localhost" server.host: "192.168.11.85" |
➂Generating a Kibana-Elasticsearch Enrollment Token
To configure a Kibana instance to communicate with an existing Elasticsearch cluster with security enabled, an enrollment token is required. An enrollment token for Kibana can be generated using the following command:
|
1 2 3 |
# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTkyLjE2OC4xMS44NTo5MjAwIl0sImZnciI6IjYzMDI4YmJlNmU5N2Q1MTJhMmI1OGE2YjEwNzQ4ZTNmYjA1ZTRlNGE5YzI2MDkxMTg5NDExMDYwMzMxODBmMTYiLCJrZXkiOiI0WFJTdDV3Ql9tVXJmTFUzVHJUMDptSC0xLVA3RC1heGpXUEYzZ3ZIOVdRIn0= |
④Generating Kibana Encryption Keys
Kibana uses encryption keys in several areas, from encrypting data in Kibana-related indices to storing session information. The required keys are as follows:
xpack.encryptedSavedObjects.encryptionKey:Used to encrypt saved objects such as dashboards and visualizations.xpack.reporting.encryptionKey: Used for encrypting saved reportsxpack.security.encryptionKey: Used for encrypting session information
These are generated using the following command:
|
1 |
# /usr/share/kibana/bin/kibana-encryption-keys generate |
The output will be as follows:
|
1 2 3 4 |
Settings: xpack.encryptedSavedObjects.encryptionKey: 97ffa1ed7c680404eeb967f23b33fd7e xpack.reporting.encryptionKey: b9d5328f58ec09a76d1c075a6bd4a8d2 xpack.security.encryptionKey: 8a4b8d7b9234a50862ac2c22eede93c5 |
Insert the above into Kibana's configuration file kibana.yml.
|
1 2 3 |
# echo -e "xpack.encryptedSavedObjects.encryptionKey: 97ffa1ed7c680404eeb967f23b33fd7e xpack.reporting.encryptionKey: b9d5328f58ec09a76d1c075a6bd4a8d2 xpack.security.encryptionKey: 8a4b8d7b9234a50862ac2c22eede93c5" >> /etc/kibana/kibana.yml |
⑤Running Kibana
Start Kibana and configure it to run at system startup.
|
1 2 |
# systemctl enable --now kibana # systemctl start kibana |
status
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# systemctl status kibana ● kibana.service - Kibana Loaded: loaded (/lib/systemd/system/kibana.service; enabled; preset: enabled) Active: active (running) since Wed 2026-03-04 14:31:51 JST; 51s ago Docs: https://www.elastic.co Main PID: 18584 (node) Tasks: 11 (limit: 2255) Memory: 410.0M CPU: 18.442s CGroup: /system.slice/kibana.service mq18584 /usr/share/kibana/bin/../node/glibc-217/bin/node /usr/share/kibana/bin/../src/cli/kibana/dist Mar 04 14:31:54 Lion kibana[18584]: Native global console methods have been overridden in production environment. Mar 04 14:31:56 Lion kibana[18584]: [2026-03-04T14:31:56.963+09:00][INFO ][root] Kibana is starting Mar 04 14:31:57 Lion kibana[18584]: [2026-03-04T14:31:57.031+09:00][INFO ][node] Kibana process configured with roles: [backgro> Mar 04 14:32:12 Lion kibana[18584]: [2026-03-04T14:32:12.113+09:00][INFO ][plugins-service] The following plugins are disabled:> Mar 04 14:32:12 Lion kibana[18584]: [2026-03-04T14:32:12.232+09:00][INFO ][http.server.Preboot] http server running at http://1> Mar 04 14:32:12 Lion kibana[18584]: [2026-03-04T14:32:12.401+09:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [int> Mar 04 14:32:12 Lion kibana[18584]: [2026-03-04T14:32:12.431+09:00][INFO ][preboot] "interactiveSetup" plugin is holding setup:> Mar 04 14:32:12 Lion kibana[18584]: [2026-03-04T14:32:12.470+09:00][INFO ][root] Holding setup until preboot stage is completed. Mar 04 14:32:19 Lion kibana[18584]: i Kibana has not been configured. Mar 04 14:32:19 Lion kibana[18584]: Go to http://192.168.11.85:5601/?code=657887 to get started. |
The following appears toward the end of the output:
i Kibana has not been configured.
Go to http://192.168.11.85:5601/?code=657887 to get started.
Copy the provided Kibana URL (including the code) and use it in your browser to access Kibana and complete the setup.
Similarly, Kibana logs are available in /var/log/kibana/kibana.log and /var/log/syslog.
⑥Accessing the Kibana 9 Dashboard
Access http://192.168.11.85:5601/?code=657887 (copy the appropriate address for each user)
If UFW is running, open the Kibana port.
|
1 2 3 4 |
# ufw allow 5601/tcp Rule added # ufw reload Firewall reloaded |
When you access Kibana 9, the welcome page prompts you to configure Elastic.
First, enter the generated enrollment token.
Copy the Kibana token generated using the command /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana and paste it into the box.When you access Kibana 9, the welcome page prompts you to configure Elastic.
First, enter the generated enrollment token.
Copy the Kibana token generated using the command `/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana` and paste it into the box.
Accessing http://192.168.11.85:5601/?code=657887
Paste the token, and Kibana will automatically connect to Elasticsearch.
Click Configure Elastic. The settings will be saved, and Elasticsearch will be configured and restarted.
Proceed to the login page. Log in using the generated Elastic user credentials.
On the welcome page, click "Explore on my own" to proceed to the Kibana 9.x dashboard.
Installing Filebeat 9
To collect and monitor logs from Ubuntu 24.04 using the ELK Stack, you must install Filebeat.
This task will be performed on the first server: Ubuntu 24.04 with IP address (192.168.11.83).
①Install the Elastic Stack 9.x repository signing key
|
1 |
# apt update |
|
1 |
# apt install gnupg2 -y |
|
1 |
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg |
➁Install the Elastic Stack 9.x repository
|
1 |
# echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-9.x.list |
update
|
1 |
# apt update |
➂Installing filebeat 9.x on Ubuntu 24.04
|
1 2 |
# apt install -y apt-transport-https # apt install filebeat -y |
④Filebeat Logging Configuration
The default Filebeat configuration file is /etc/filebeat/filebeat.yml
To have Filebeat write logs to its own log file, enter the following configuration in the configuration file:
|
1 2 3 4 5 6 7 8 9 |
# cat >> /etc/filebeat/filebeat.yml << 'EOL' logging.level: info logging.to_files: true logging.files: path: /var/log/filebeat name: filebeat keepfiles: 7 permissions: 0640 EOL |
⑤Connect Filebeat to the data processing system
Configure Filebeat to connect to the data processing system. In this case, it is Elasticsearch.
To send logs directly to Elasticsearch, edit the Filebeat configuration file and update the output configuration section.
Connecting to Elasticsearch 9 requires SSL and authentication.
Verify that you can connect to Elasticsearch port 9200/tcp (Port 9200 is open on the second server, Debian 12.x).
|
1 2 3 4 5 |
# telnet 192.168.11.85 9200 Trying 192.168.11.85... Connected to 192.168.11.85. Escape character is '^]'. |
⑥Creating the Elasticsearch CA Certificate
Download the Elasticsearch CA certificate and save it to any directory (in this case, save it as /etc/filebeat/elastic-ca.crt).
|
1 2 3 |
# openssl s_client -connect 192.168.11.85:9200 \ -showcerts </dev/null 2>/dev/null | \ openssl x509 -outform PEM > /etc/filebeat/elastic-ca.crt |
Retrieve the credentials Filebeat uses for Elasticsearch authentication. In this case, use the credentials for the default superuser, the Elastic user.
|
1 |
# vi /etc/filebeat/filebeat.yml |
●Below the commented-out line #host: "localhost:5601" on line 137, add a line pointing to the private IP address and port of your Kibana instance.
host: "192.168.11.85:5601"
●Line 164 : comment out
#hosts: ["localhost:9200"]
●Line 165 : Enter the Elastic Stack IP address and Elasticsearch port number.
hosts: ["https://192.168.11.85:9200"]
●Line 171 : Unlock comments
protocol: "https"
●Line 172 : Elasticsearch CA Certificate Specification
ssl.certificate_authorities: ["/etc/filebeat/elastic-ca.crt"]
●Line175,176 : Uncomment the line, leave [username] as the default, and enter the password for the [elastic] user in [password].
username: "elastic"
password: “xxxxxxxxx"
⑤Configuration File Test
|
1 2 |
# filebeat test config Config OK |
⑦Enable the built-in Suricata module in Filebeats
|
1 |
# filebeat modules enable suricata |
The above command will change /etc/filebeat/modules.d/suricata.yml.disabled to /etc/filebeat/modules.d/suricata.yml, but the contents remain unchanged. Therefore, edit it as follows:
Modify modules.d/suricata.yml as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# vi /etc/filebeat/modules.d/suricata.yml # Module: suricata # Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-suricata.html - module: suricata # All logs eve: enabled: true var.paths: ["/var/log/suricata/eve.json"] # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: |
⑧Set up the initial environment
Load SIEM dashboards and pipelines into Elasticsearch
Execute the filebeat setup command
|
1 |
# filebeat setup -e |
|
1 2 3 4 5 6 7 8 |
------------------------------------------------------------------------------------ {"log.level":"info","@timestamp":"2026-03-04T14:50:45.500+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.3.1-suricata-eve-pipeline","ecs.version":"1.6.0"} {"log.level":"info","@timestamp":"2026-03-04T14:50:45.601+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.3.1-suricata-eve-dns","ecs.version":"1.6.0"} {"log.level":"info","@timestamp":"2026-03-04T14:50:45.638+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.3.1-suricata-eve-dns-answer-v1","ecs.version":"1.6.0"} {"log.level":"info","@timestamp":"2026-03-04T14:50:45.678+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.3.1-suricata-eve-dns-answer-v2","ecs.version":"1.6.0"} {"log.level":"info","@timestamp":"2026-03-04T14:50:45.741+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.3.1-suricata-eve-tls","ecs.version":"1.6.0"} {"log.level":"info","@timestamp":"2026-03-04T14:50:45.803+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.3.1-suricata-eve-http","ecs.version":"1.6.0"} ------------------------------------------------------------------------------------ |
⑨Start the Filebeat service
|
1 |
# systemctl start filebeat.service |
⑩Verify in Kibana
Log back into Kibana. http://192.168.11.85:5601
Enter "Suricata Events Overview" in the top search field, then click [Filebeat Suricata]Events Overview.
All Suricata events from the past 15 minutes are displayed.
To display alerts for malicious traffic, click the "Alerts" text next to the Suricata logo.
Create a new user account so that you do not need to use the elastic superuser account.
Click the three horizontal lines icon in the upper left corner, then select [Stack Management] under [Management].
「security」「Users」Selection
Click the "Create user" button in the upper right corner.
Enter the new user information, assign the kibana_admin, kibana_system, monitoring_user, editor roles under Privileges, and finally click [Create user].
Log out of the current profile and verify that you can log in with the newly created user account.
