How To Create Your Open Source SIEM Home Lab?

Overview

Creating a Security Information and Event Management (SIEM) home lab is an excellent way to gain hands-on experience in cybersecurity and learn how to monitor and analyze network data. Open-source SIEM solutions are cost-effective and customizable, which makes them ideal for home or small business environments.

In this guide, we will create a step-by-step approach to setting up a home lab using open-source SIEM tools. We’ll focus on installing Elastic Stack (Elasticsearch, Logstash, and Kibana), combined with a few other open-source tools to manage, analyze, and visualize logs and security events.

Table of Contents:

1. Pre-requisites
2. Step 1: Install and Set Up Virtualization Software
3. Step 2: Set Up an Ubuntu Virtual Machine
4. Step 3: Install Java
5. Step 4: Install Elasticsearch
6. Step 5: Install Logstash
7. Step 6: Install Kibana
8. Step 7: Install Filebeat
9. Step 8: Generate Logs for Analysis
10. Step 9: Test Your SIEM Setup
11. Step 10: Add Security Rules and Alerts
12. Conclusion

Pre-requisites

Before starting, ensure you meet the following requirements:

• A computer (at least 4GB RAM, 100GB disk space)
• Virtualization software (e.g., VirtualBox, VMware)
• Linux distribution (Ubuntu or CentOS recommended)
• Basic understanding of networking, Linux, and cybersecurity
• Internet connection for downloading required software

Step 1: Install and Set Up Virtualization Software

Your home lab will run on virtual machines (VMs) to create isolated environments. You can use VirtualBox or VMware. Download and install either of these tools from their official websites:

• VirtualBox
• VMware Workstation Player

After installing the software, create VMs for each component in your SIEM stack. The primary VM will run Elasticsearch, Logstash, and Kibana (ELK Stack), while another VM can act as a log source generating traffic.

Step 2: Set Up an Ubuntu Virtual Machine

You’ll first need an Ubuntu server as the foundation for your ELK Stack. Download the Ubuntu Server ISO from the official Ubuntu website.

Steps to Install Ubuntu:

1. Create a new VM in your virtualization software.
2. Allocate at least 2 CPUs, 4GB of RAM, and 50GB of storage.
3. Mount the downloaded Ubuntu ISO as the boot disk and power on the VM.
4. Follow the installation wizard and install the default packages.
5. Once the system is installed, update your packages:
   sudo apt update && sudo apt upgrade -y

Step 3: Install Java

Elasticsearch, which is part of the ELK stack, requires Java. Install the OpenJDK package:

sudo apt install openjdk-11-jdk -y

Verify the installation:

java -version

Step 4: Install Elasticsearch

Elasticsearch is the search engine and data store for your SIEM lab.

1. Download and install the public signing key:
   wget -qO – https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add –

2. Install the APT repository:
   sudo sh -c ‘echo “deb https://artifacts.elastic.co/packages/7.x/apt stable main” > /etc/apt/sources.list.d/elastic-7.x.list’

3. Update your package list:
   sudo apt update

4. Install Elasticsearch:
   sudo apt install elasticsearch -y

Configure Elasticsearch:

1. Open the configuration file:
   sudo nano /etc/elasticsearch/elasticsearch.yml

2. Set the following parameters:
   network.host: 127.0.0.1
   
3. Save and close the file.

4. Start and enable Elasticsearch to start on boot:
   sudo systemctl start elasticsearch
   sudo systemctl enable elasticsearch

Step 5: Install Logstash

Configure Logstash:

You will need to create a pipeline configuration to specify the input, filter, and output for the logs.

Create a configuration file:

sudo nano /etc/logstash/conf.d/01-logstash.conf

Add the following content to accept syslog messages:

input {
tcp {
port => 5000
}
udp {
port => 5000
}
}
filter {
grok {
match => { “message” => “%{SYSLOGLINE}” }
}
date {
match => [ “timestamp”, “MMM d HH:mm:ss”, “MMM dd HH:mm:ss” ]
}
}
output {
elasticsearch {
hosts => [“localhost:9200”]
}
stdout { codec => rubydebug }
}

Start and enable Logstash:

sudo systemctl start logstash

sudo systemctl enable logstash

Step 6: Install Kibana

Kibana is the visualization tool that allows you to explore the logs stored in Elasticsearch.

Install Kibana:

sudo apt install kibana -y

Configure Kibana:

1. Open the Kibana configuration file:
   
   sudo nano /etc/kibana/kibana.yml

2. Set the following configuration to bind Kibana to localhost:
   
   server.host: “localhost”

3. Save and close the file.
4. Start and enable Kibana:
   sudo systemctl start kibana
   sudo systemctl enable kibana

Access Kibana by navigating to http://<your_vm_ip>:5601 in your browser.

Step 7: Install Filebeat

Filebeat is an agent installed on endpoints to collect and forward log data to Logstash or Elasticsearch.

Install Filebeat:

sudo apt install filebeat -y

Configure Filebeat:

1. Open the configuration file:
   
   sudo nano /etc/filebeat/filebeat.yml

2. Add the following to send logs to Logstash:
   
   output.logstash:
   hosts: [“localhost:5000”]

3. Start and enable Filebeat:
   sudo systemctl start filebeat
   sudo systemctl enable filebeat

Step 8: Generate Logs for Analysis

To simulate log generation in your SIEM, you can use your secondary VM to generate traffic. Install syslog on the secondary VM:

sudo apt install rsyslog

Configure rsyslog to send logs to Logstash on the primary VM by adding the following lines to /etc/rsyslog.conf:

*.* @<your_elasticsearch_vm_ip>:5000

Step 9: Test Your SIEM Setup

To test the setup, log into Kibana and check if the logs are being received and indexed correctly by Elasticsearch.

1. Navigate to the Discover tab in Kibana.
2. Select your index patterns (which should be the logs from Logstash).
3. Explore the logs, filter based on specific patterns, and create visualizations.

Step 10: Add Security Rules and Alerts

To extend your SIEM lab’s capabilities, integrate Wazuh, an open-source security monitoring platform that includes alerting and threat detection capabilities.

Install Wazuh:

sudo apt install wazuh-manager wazuh-api

Configure Wazuh to send alerts to Logstash, and use Kibana to visualize these alerts.

Conclusion

By now, you should have a fully functioning open-source SIEM home lab using the ELK Stack and Filebeat for log collection. This setup provides the foundation for detecting, monitoring, and analyzing security events within your network. You can further extend the capabilities by integrating more log sources and using advanced rule-based alerting systems like Wazuh or Suricata.

For additional exploration, consider learning how to implement alerting in Kibana, configuring index lifecycles to manage the storage of logs, and experimenting with different log sources for more comprehensive monitoring.