I'm working on setting up a small Elastic cluster as a proof of concept for a SIEM, consisting of 3 Elastic nodes, one Kibana node and one Logstash node.
I managed to get a working cluster without the security configurations for the Elastic and Kibana nodes. So my next step was to secure the setup and get the full functionality of the SIEM working.
After reading the documentation, I'm wondering what settings I need for a minimum setup, as a lot of these settings seem optional.
The blog post on a small business/home setup gave some great insight on how to set up role-based access for Kibana, but since it uses the cloud instance it doesn't explain the settings needed to secure the Elastic cluster on an on-prem setup.
Is there any guide or blog post that covers the minimum settings needed to get a working on-prem SIEM?
You will see that in some of the subsections, it has additional requirements for on-prem deployments like yours.
FYI, here is a blog that contains a 7-minute video about enabling security on your Elastic Stack deployment. I found this really helpful in understanding what needs to be done and how to do it.
Looking forward to your feedback once you get the SIEM up and running!
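As an added illustration (not part of the original thread, and not an official Elastic configuration), the following is the minimal set of security settings an on-prem three-node cluster plus Kibana needs once `xpack.security.enabled` is turned on. The setting names are real Elasticsearch/Kibana settings; the host names, certificate paths, keystore file names, cluster and node names, and the placeholder encryption keys are assumptions made for this example. The `cluster.*`/`discovery.*` lines at the top are what the already-working unsecured cluster would have had; everything below the "minimum security" comment is what has to be added.

```yaml
# ---- elasticsearch.yml (on every node; node.name differs per node) ----
# Assumed values for this example: cluster/node names and the example.internal hostnames.
cluster.name: siem-poc
node.name: es01
discovery.seed_hosts: ["es01.example.internal", "es02.example.internal", "es03.example.internal"]
cluster.initial_master_nodes: ["es01", "es02", "es03"]

# ---- minimum security settings for an on-prem cluster ----
xpack.security.enabled: true               # authentication + role-based authorization

# Node-to-node (transport) TLS. With security enabled on a multi-node cluster the
# bootstrap checks will not let the node start unless this is on.
# elastic-certificates.p12 is assumed to have been generated with
# bin/elasticsearch-certutil and copied into the config directory of every node;
# its password goes into the Elasticsearch keystore, not into this file:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# HTTPS on the REST API (port 9200), so the Kibana and Logstash credentials
# are never sent in clear text. http.p12 is an assumed file name.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

# Detection rules in the SIEM app run under API keys created on behalf of the
# user who enables them; leaving this off is a common reason rules fail to activate.
xpack.security.authc.api_key.enabled: true

# ---- kibana.yml ----
# Assumed values: the certificate/CA paths and the Elasticsearch hostnames.
server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key

elasticsearch.hosts: ["https://es01.example.internal:9200",
                      "https://es02.example.internal:9200",
                      "https://es03.example.internal:9200"]
elasticsearch.username: "kibana_system"
# Do not put elasticsearch.password here; store it in the Kibana keystore instead:
#   bin/kibana-keystore add elasticsearch.password
# Trust the CA that signed the Elasticsearch HTTP certificates.
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]

# Encryption keys for Kibana's own saved objects. encryptedSavedObjects is required
# for detection rules and alerting; 32+ random characters each, placeholders here.
xpack.encryptedSavedObjects.encryptionKey: "REPLACE_WITH_32_PLUS_RANDOM_CHARACTERS"
xpack.security.encryptionKey: "REPLACE_WITH_32_PLUS_RANDOM_CHARACTERS"
xpack.reporting.encryptionKey: "REPLACE_WITH_32_PLUS_RANDOM_CHARACTERS"
```

After the nodes start with these settings, the built-in user passwords (including `kibana_system`) are set once with `bin/elasticsearch-setup-passwords interactive` on one node, and the result can be checked from the Kibana host with `curl --cacert /etc/kibana/certs/ca.crt -u elastic https://es01.example.internal:9200/_cluster/health`: an HTTP 401 without credentials and a JSON health document with them confirms that both TLS and authentication are in force. Logstash then needs its own user (a role with write access to the index pattern it ships to, not the `elastic` superuser) and the same CA in its elasticsearch output.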