RedELK server installation
Marc Smeets edited this page May 28, 2023 · 15 revisions
- Extract `elkserver.tgz` on your RedELK server
- Run `install-elkserver.sh`
- Define C2 servers in `mounts/redelk-config/etc/crond.d/redelk`
- Use credentials from `redelk_passwords.cfg` to login to RedELK HTTP interface.
- Post install Configuration, e.g. alarms and notification methods.

- Copy and extract `elkserver.tgz` on your RedELK server as part of your red team infra deployment procedures.
- Run the installer `install-elkserver.sh` without parameters for full RedELK (including Neo4j and Jupyter workbook). Optionally, the installer recognises the following parameters:
  - `dryrun`: only do pre-install checks and write config to the `.env` file. It's good practice to run with this parameter the first time.
  - `fixedmemory`: skips the auto memory adjustment and sets memory for Elasticsearch and Neo4j to 1GB each.
  - `limited`: do not install Neo4j and Jupyter notebooks.
  - `dev`: only used for development (rebuilds all docker containers and inserts some test logs).
- Define C2 servers in `mounts/redelk-config/etc/crond.d/redelk`. Make sure to use the correct `$hostname` for the C2 servers. Each should match the `$FileBeatID` parameter used during installation of the C2 server.
- Use the credentials from `redelk_passwords.cfg` to login to the RedELK HTTP interface. This file is read-only. If you want to change the password, check the `.env` file and rebuild containers.
- Do post-install configuration. See the detailed section below.

Having issues? Check the following:

- The installer output in `redelk-install.log`.
- The output of the docker container logs. All can have valuable info, but in our experience you want to check the following first:
  - `docker logs redelk-logstash`: check for connection established and errors in your logstash parsing config.
  - `docker logs redelk-elasticsearch`: check for Elasticsearch issues. For example, when you are running low on disk space you will get warnings and hints here.
- RedELK internal script logs stored in `mount/redelk-logs/*`. All can have valuable info, but check the following first:
  - `mount/redelk-logs/daemon.log`: background daemon stuff. You will spot errors in your config here.
  - `mount/redelk-logs/getremotelogs.log`: for spotting issues with getting remote files from your C2 servers.
- Have you been messing with settings and are not sure what is what? Check the `.env` file, as that contains the relevant settings for docker.

Once installed it is time to do configuration. This is done at 2 locations:

- Main config file `mounts/redelk-config/etc/redelk/config.json`
- IP list and other config files in `mounts/redelk-config/etc/redelk/*`

Modify `mounts/redelk-config/etc/redelk/config.json` to your liking. Explanation of the fields:

Field | Description |
---|---|
`loglevel` | defines the logging level for the background daemons. Normally no need to change. Possible values: `CRITICAL`, `ERROR`, `WARNING`, `INFO`, `DEBUG`. Default: `WARNING`. |
`interval` | interval in seconds for RedELK to do its operations. Normally no need to change. |
`tempDir` | Directory where RedELK stores some temporary files. Normally no need to change. |
`redelkserver_letsencrypt.redelkserver_letsencrypt` | If you want to use certbot certificates for your Kibana interface. |
`redelkserver_letsencrypt.external_domain` | the domain name of the RedELK server for Let's Encrypt. |
`redelkserver_letsencrypt.le_email` | the email used for Let's Encrypt registration. |
`redelkserver_letsencrypt.staging` | staging related to Let's Encrypt. |
`project_name` | Main identifier for this installation. This is to differentiate between multiple RedELK installs when you get alarms. |
`es_connection` | The ES connection string. Likely no need to change this. |
`notifications` | settings for notification delivery. You will need to enable the module you want to use. By default none is enabled. |
`notifications.email` | Get alarms via email: set to enable and configure all subfields. The names are self-explanatory. |
`notifications.msteams` | Get alarms via MS Teams: set to enable and enter the Teams Webhook URL. More info on configuring Teams webhooks here. |
`notifications.slack` | Get alarms via Slack: set to enable and enter the Slack Webhook URL. More info on configuring Slack webhooks here. |
`alarms.alarm_dummy` | only used for testing purposes, probably no need to enable. |
`alarms.alarm_filehash` | alarms on SHA/MD5 hashes of your uploaded files that are also found on VirusTotal, IBM X-Force and/or Hybrid Analysis. Requires an API key per provider. If you leave the API key empty the check is not performed. |
`alarms.alarm_httptraffic` | alarms on IPs that aren't listed in any `iplist*` but access redirector backends named `c2*`. |
`alarms.alarm_useragent` | alarms on User-Agents that are listed in config file `blacklist_useragents.conf` but access redirector backends named `c2*`. |
`alarms.alarm_backendalarm` | alarms on any traffic hitting a redirector backend named `*alarm*`. |
`alarm_manual` | alarms if a C2 message contains the text `REDELK_ALARM`. This is useful for testing if your alarm setup works. Type `REDELK_ALARM something something` in your C2, either in the event log or in the implant, to test. |
`enrich` | settings for enrichment modules. By default most are enabled. You likely do not need to change anything here. |
`enrich.enrich_csbeacon` | enriches rtops data from Cobalt Strike implants. |
`enrich.enrich_stage1` | enriches rtops data from Outflank's custom C2 framework. |
`enrich.enrich_greynoise` | enriches redirtraffic data with info from Greynoise. If an IP address is listed in Greynoise, this data is added. You can enter your own API key to prevent you from hitting rate limits from a public API key. |
`enrich.enrich_tor` | enriches redirtraffic with Tor. If an IP address is a known Tor exit node, this info is added. |
`enrich.enrich_iplists` | background RedELK process. Better keep it enabled. |
`enrich.enrich_synciplists` | background RedELK process. Better keep it enabled. |
`enrich.enrich_syncdomainslists` | background RedELK process. Better keep it enabled. |
`enrich.enrich_domainscategorization` | enriches domain names with info from domain classifiers. Requires an API key from IBM or VirusTotal. |

Files in `mount/redelk-config/etc/redelk/`. All files take 1 IP per line.

File | Description |
---|---|
`domainslist_redteam.conf` | define domain names part of your red team infrastructure. Once on this list they will be periodically checked against appearance on lists of known bad domains. |
`iplist_alarmed.conf` | tracking of IPs already alarmed about. Add files here to not be alarmed about. |
`iplist_blueteams.conf` | IPs you absolutely want to be alarmed about, regardless of whatever redir frontend it is accessing. |
`iplist_customer.conf` | IPs of your target. This will mute alarms of sessions from these IP addresses. |
`iplist_redteam.conf` | IP addresses of your own team. This will mute alarms of sessions from these IP addresses. |
`iplist_unknown.conf` | IP addresses of systems you haven't identified yet, but don't want to be alarmed about. |
`known_testsystems.conf` | host characteristics of known test systems. You probably want to add info regarding your own test systems. One per line. |
`rogue_useragents.conf` | User agents that are known bad when they access your C2 backend. We have included a basic list of UAs like curl, python-urllib and some other tools blue teamers like to use. The list also contains a list of UAs of instant messaging tools such as WhatsApp, Skype and Slack. Very useful for when your C2 is shared amongst analysts using IM. Feel free to add UAs to this list. |

Other config files not recommended to edit:

- `roguedomains.conf`: auto-updated list of known bad domains, from multiple sources.
- `torexitnodes.conf`: auto-updated list of known Tor exit node IP addresses.
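
A malformed line in one of the `iplist_*.conf` files, or an IP that sits on both the always-alarm list and a muting list, can make alarms behave differently from what you expect. The following is an added example, not part of RedELK, that lints those files before you rely on them. It assumes that `#` starts a comment and that CIDR ranges are accepted alongside single IPs; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import tempfile
from pathlib import Path

# Lists that mute alarms vs. the list that must always alarm (per the table above).
MUTING = ("iplist_customer.conf", "iplist_redteam.conf", "iplist_unknown.conf")
ALWAYS_ALARM = "iplist_blueteams.conf"

def parse_iplist(path):
    """Return (networks, errors) for one iplist file; errors are (line_no, text)."""
    nets, errors = [], []
    for no, raw in enumerate(Path(path).read_text().splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # IP or CIDR (assumed)
        except ValueError:
            errors.append((no, raw.strip()))
    return nets, errors

def lint_config_dir(config_dir):
    """Report missing files, malformed lines, and blue-team IPs a muting list also covers."""
    parsed, findings = {}, []
    for name in MUTING + (ALWAYS_ALARM,):
        path = Path(config_dir, name)
        if not path.exists():
            findings.append(f"{name}: missing")
            continue
        parsed[name], errors = parse_iplist(path)
        findings += [f"{name}:{no}: not an IP address: {text!r}" for no, text in errors]
    for blue in parsed.get(ALWAYS_ALARM, []):
        for name in MUTING:
            for net in parsed.get(name, []):
                if blue.version == net.version and blue.overlaps(net):
                    findings.append(f"{blue} is in {ALWAYS_ALARM} and also covered by {net} in {name}")
    return findings

def demo():
    """Run the linter over constructed sample files (documentation-range IPs)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "iplist_customer.conf").write_text("203.0.113.0/24\n")
        Path(d, "iplist_redteam.conf").write_text("198.51.100.7  # operator VPN\n198.51.100.300\n")
        Path(d, "iplist_unknown.conf").write_text("# nothing yet\n")
        Path(d, "iplist_blueteams.conf").write_text("203.0.113.10\n192.0.2.44\n")
        return lint_config_dir(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Point `lint_config_dir` at your own `mount/redelk-config/etc/redelk/` directory; any overlap it reports is an entry to review, since the page does not state which list takes precedence.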