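#!/bin/sh
# This is a multi-application jail.
# Analytics pipeline: Kibana : ElasticSearch (Lucene) : LogStash : Beats
#
# Creates the "elk" iocage jail on its own ZFS dataset, installs the
# Elastic 7.x packages and copies their configs from /mnt/config.
# Run as root on the jail host. Every step is required for the jail to
# work, so stop at the first failure instead of continuing half-built.
set -eu

zfs create ship/elk

export JAIL=elk
export JAILHOSTNAME=elk
export JAILDOMAIN=diyit.org
export JAILIP=68
export JAILUSER=X
export JAILUSERID=1000
export JAILUSERVNC=false
/root/FreeBSD/jails/create.sh "$JAIL" "$JAILHOSTNAME" "$JAILDOMAIN" "$JAILIP" \
  "$JAILUSER" "$JAILUSERID" "$JAILUSERVNC"

# required for java to get filesystem info for mounted datasets
# and for logstash to mount /proc from /etc/fstab
iocage set allow_mount_procfs=1 allow_mount=1 enforce_statfs=1 "$JAIL"
iocage exec "$JAIL" cp /mnt/config/fstab /etc/fstab
iocage restart -s "$JAIL"

# Data lives on the host dataset ship/elk, null-mounted into the jail at /data.
iocage exec "$JAIL" "mkdir -p /data"
iocage fstab -a "$JAIL" "/mnt/ship/$JAIL" /data nullfs rw 0 0
iocage fstab -l "$JAIL"

iocage exec "$JAIL" "pkg install elasticsearch7 kibana7 logstash7 beats7"

# --- elasticsearch ---
iocage exec "$JAIL" "mkdir -p /data/elasticsearch"
iocage exec "$JAIL" "chown -R elasticsearch:elasticsearch /data/elasticsearch"
iocage exec "$JAIL" "cp /mnt/config/elasticsearch.yml /usr/local/etc/elasticsearch"
iocage exec "$JAIL" "cp /mnt/config/jvm.options /usr/local/etc/elasticsearch"
# this cert copy is required because Java does not read from mounted datasets
# REMEMBER to update these certs when they expire otherwise kibana connections will fail
iocage exec "$JAIL" "mkdir -p /usr/local/etc/elasticsearch/certs"
iocage exec "$JAIL" "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs"
iocage exec "$JAIL" "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs"
# The copies are root-owned with cp's default mode. If diy*.pem includes the
# private key (TODO confirm), keep it readable by the elasticsearch user only.
iocage exec "$JAIL" "chown -R root:elasticsearch /usr/local/etc/elasticsearch/certs"
iocage exec "$JAIL" "chmod 0750 /usr/local/etc/elasticsearch/certs"
iocage exec "$JAIL" "chmod 0640 /usr/local/etc/elasticsearch/certs/*.pem"
iocage exec "$JAIL" "sysrc elasticsearch_enable=YES"

# --- kibana ---
iocage exec "$JAIL" "cp /mnt/config/kibana.yml /usr/local/etc/kibana"
iocage exec "$JAIL" "sysrc kibana_enable=YES"

# --- logstash ---
iocage exec "$JAIL" "cp /mnt/config/logstash.yml /usr/local/etc/logstash"
iocage exec "$JAIL" "cp /mnt/config/logstash.conf /usr/local/etc/logstash"
iocage exec "$JAIL" "cp /mnt/config/logstash.keystore /usr/local/etc/logstash"
# The keystore holds secrets (es_pwd is added to it later in these notes).
# The recursive chown below only covers /usr/local/logstash, so restrict the
# copy under /usr/local/etc explicitly instead of leaving it at cp's default
# (root-owned, typically world-readable) mode.
iocage exec "$JAIL" "chown logstash:logstash /usr/local/etc/logstash/logstash.keystore"
iocage exec "$JAIL" "chmod 0600 /usr/local/etc/logstash/logstash.keystore"
iocage exec "$JAIL" "chown -R logstash:logstash /usr/local/logstash"
iocage exec "$JAIL" "sysrc logstash_enable=YES"

# --- heartbeat ---
iocage exec "$JAIL" "cp /mnt/config/heartbeat.yml /usr/local/etc/beats"
iocage exec "$JAIL" "sysrc heartbeat_enable=YES"

iocage exec "$JAIL" "service elasticsearch start"
iocage exec "$JAIL" "service kibana start"
iocage exec "$JAIL" "service logstash start"
iocage exec "$JAIL" "service heartbeat start"

# Transcript from host "monitor": contents of start_logstash.sh, kept
# because logstash aborts when /proc is not mounted.
#   monitor ~ # cat start_logstash.sh
#   # if proc is not mounted logstash aborts
#   mount proc
#   service logstash start
#   #/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
#   monitor ~ #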
Enable EVE output from Services – Suricata – edit each interface mapping:
EVE Output Settings
EVE JSON Log [x]
EVE Output Type: File
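# Install the Beats 7.7.1 package on the firewall from the FreeBSD 11 / amd64
# repository. -f makes curl fail on an HTTP error instead of saving the error
# page under the .txz name; -L follows redirects.
# NOTE: 'pkg add' of a local file skips the repository signature check that
# 'pkg install beats7' performs. Prefer the repo install; if the file must be
# fetched by hand, verify it against the checksum in the repository's
# packagesite manifest before adding it.
curl -fL -o beats7-7.7.1.txz \
  https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/beats7-7.7.1.txz
pkg add beats7-7.7.1.txz

#### OLD - required on 6.x only
# Source: https://www.elastic.co/downloads/past-releases/filebeat-7-7-1
# The module definitions are taken from the Linux tarball of the same
# release (presumably because the 6.x package lacked them — TODO confirm).
# Verify the tarball against the checksum Elastic publishes for the release
# (not recorded here) before extracting it.
curl -fL -o filebeat-7.7.1-linux-x86_64.tar.gz \
  https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.7.1-linux-x86_64.tar.gz
tar -xvzf filebeat-7.7.1-linux-x86_64.tar.gz
mv filebeat-7.7.1-linux-x86_64/modules.d /var/db/beats/filebeat/
mv filebeat-7.7.1-linux-x86_64/module /var/db/beats/filebeat/
rm -rf filebeat-7.7.1-linux-x86_64/
#### OLD

nano /usr/local/etc/beats/filebeat.yml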
[2.4.5-RELEASE][admin@fw.ahlawat.com]/usr/local/etc/beats: diff filebeat.yml filebeat.yml.sample
24c24
< enabled: true
---
> enabled: false
28c28
< - "/var/log/suricata/*/eve.json*"
---
> - /var/log/*.log
49,52d48
< fields_under_root: true
< fields:
< tags: ["suricata","json"]
<
152c148
< #output.elasticsearch:
---
> output.elasticsearch:
165c161
< output.logstash:
---
> #output.logstash:
167c163
< hosts: ["elk.diyit.org:5044"]
---
> #hosts: ["localhost:5044"]
200,206d195
< logging.to_syslog: false
< logging.to_files: true
< logging.files:
< path: /var/log/filebeat
< name: filebeat.log
< keepfiles: 7
<
[2.4.5-RELEASE][admin@fw.ahlawat.com]/usr/local/etc/beats:
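# Filebeat on the firewall: create its directories, validate the config,
# then enable and start the service. mkdir -p keeps this rerunnable.
mkdir -p /var/log/filebeat
mkdir -p /usr/local/sbin/module
/usr/local/sbin/filebeat -c /usr/local/etc/beats/filebeat.yml test config
# Presumably needed so the rc script runs at boot on this firewall (only
# *.sh scripts in /usr/local/etc/rc.d are picked up) — confirm.
ln -sf /usr/local/etc/rc.d/filebeat /usr/local/etc/rc.d/filebeat.sh
# sysrc sets the value in place; the previous 'echo >>' appended a duplicate
# line to rc.conf.local on every rerun.
sysrc -f /etc/rc.conf.local filebeat_enable=YES
sysrc -f /etc/rc.conf.local filebeat_conf=/usr/local/etc/beats/filebeat.yml
service filebeat start
tail -f /var/log/filebeat/filebeat.log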
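# First Time: elasticsearch
/usr/local/lib/elasticsearch/bin/elasticsearch-setup-passwords auto
# ... then update kibana.yml with the kibana password, log in with the
# elastic (superuser) credentials and change that password.

# First Time - https://www.elastic.co/guide/en/logstash/current/keystore.html
# use lowercase variable names and don't use "-"
# The original run (transcript below) answered 'y' without
# LOGSTASH_KEYSTORE_PASS set, so the keystore has no password protection
# (the tool's own warning). Export LOGSTASH_KEYSTORE_PASS before 'create',
# and make the same variable available to the logstash service environment,
# to get a protected keystore.
# The tool writes into --path.settings, which defaulted to
# /usr/local/logstash/config in the transcript, while the service reads
# /usr/local/etc/logstash; the explicit path below avoids that mismatch
# (TODO confirm against the jail's logstash.yml).
#   $ /usr/local/logstash/bin/logstash-keystore create
#   WARNING: The keystore password is not set. Please set the environment variable `LOGSTASH_KEYSTORE_PASS`.
#   Failure to do so will result in reduced security. Continue without password protection on the keystore? [y/N] y
#   Created Logstash keystore at /usr/local/logstash/config/logstash.keystore
#   $ /usr/local/logstash/bin/logstash-keystore add es_pwd
#   Enter value for es_pwd:
#   Added 'es_pwd' to the Logstash keystore.
#   $ /usr/local/logstash/bin/logstash-keystore list
#   es_pwd
/usr/local/logstash/bin/logstash-keystore --path.settings /usr/local/etc/logstash create
/usr/local/logstash/bin/logstash-keystore --path.settings /usr/local/etc/logstash add es_pwd
/usr/local/logstash/bin/logstash-keystore --path.settings /usr/local/etc/logstash list

# Tests
# these will work before enabling security
curl -XGET 'localhost:9200/_cluster/health?pretty'
curl -XGET 'localhost:9200/_cluster/stats?pretty'
# -u with only the user name makes curl prompt for the password, so it does
# not land in shell history or in the process list as 'user:password' would.
curl -XGET -u kibana_system 'https://elk.diyit.org:9200/_cluster/health?pretty'
curl -XGET -u kibana_system 'https://elk.diyit.org:9200/_cluster/stats?pretty'
service logstash configtest
/usr/local/sbin/heartbeat test config --path.config /usr/local/etc/beats heartbeat.yml
/usr/local/sbin/heartbeat test output --path.config /usr/local/etc/beats heartbeat.yml

# All Services (run as root inside the elk jail):
service elasticsearch start
service logstash start
service heartbeat start
service kibana start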
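# Splunk Enterprise 8.0.4.1 on Ubuntu (transcript rewritten as commands).
# Verify the .deb against the checksum Splunk publishes for this release
# (not recorded here) before installing it.
wget -O splunk-8.0.4.1-ab7a85abaa98-linux-2.6-amd64.deb \
  'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.4.1&product=splunk&filename=splunk-8.0.4.1-ab7a85abaa98-linux-2.6-amd64.deb&wget=true'
# The package install step (the .deb unpacking into /opt/splunk) is not in
# the original transcript; the following was run as root from /opt.
chown -R splunk:splunk /opt/splunk
# Splunk is started as the unprivileged splunk user (hence the chown), not root.
su splunk -c '/opt/splunk/bin/splunk start --accept-license'
# ... The Splunk web interface is at http://ubuntu:8000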