← Back to DevBytes

ELK Security: Setup, Configuration, and Best Practices

What is ELK Security?

The term "ELK Security" encompasses two major concepts: using the ELK stack (Elasticsearch, Logstash, Kibana) as a security monitoring and analytics platform, and securing the ELK stack itself against unauthorized access and data breaches. In the context of cybersecurity, the ELK stack serves as a powerful open-source SIEM (Security Information and Event Management) solution capable of aggregating, processing, and visualizing security-related events from across an entire IT infrastructure.

Elasticsearch is a distributed search and analytics engine that stores and indexes large volumes of data. Logstash is a server‑side data processing pipeline that ingests logs, transforms them, and forwards them to Elasticsearch. Kibana provides a web interface for querying, visualizing, and managing the data stored in Elasticsearch. Together they form a robust platform for real‑time threat detection, incident response, and compliance reporting.

Core Components in a Security Context

Why ELK Security Matters

🚀 Deploy your AI agent in 10 minutes

Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.

Try it free →

Modern IT environments generate massive streams of logs from servers, network devices, applications, and security tools. Without a centralized platform, correlating events to detect advanced threats becomes nearly impossible. ELK Security provides:

Setting Up ELK for Security Monitoring

This section walks through a basic setup of Elasticsearch, Logstash, and Kibana on a Linux server using Docker containers. The same principles apply to direct package installations or Kubernetes deployments.

Prerequisites

Docker Compose Configuration

Create a file named docker-compose.yml:

version: '3.7'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
      - ELASTIC_PASSWORD=MySecurePass123!
    ports:
      - "9200:9200"
    volumes:
      - esdata:/usr/share/elasticsearch/data

  logstash:
    image: docker.elastic.co/logstash/logstash:8.12.0
    container_name: logstash
    ports:
      - "5044:5044"
    volumes:
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
    depends_on:
      - elasticsearch

  kibana:
    image: docker.elastic.co/kibana/kibana:8.12.0
    container_name: kibana
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=MyKibanaPass456!
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch

volumes:
  esdata:

This configuration enables basic security (X‑Pack) with a password for Elasticsearch. For production, you should enable TLS and use proper secrets management.

Starting the Stack

docker-compose up -d

Wait for all services to become healthy. Then access Kibana at http://localhost:5601 and log in with the kibana_system credentials.

Configuring Logstash for Security Logs

Logstash is the heart of log enrichment. A well‑tuned pipeline transforms unstructured text into actionable fields that can be searched and alerted upon.

Example Logstash Configuration

Below is a sample logstash.conf that ingests syslog messages, parses auth logs, and enriches with GeoIP data. Save this file alongside your Docker Compose.

input {
  beats {
    port => 5044
  }
}

filter {
  if [message] =~ /^<[0-9]+>/ {  # syslog priority
    grok {
      match => { "message" => "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{INT:pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    if [syslog_message] =~ /Failed password/ {
      grok {
        match => { "syslog_message" => "Failed password for %{USER:auth_user} from %{IP:source_ip} port %{INT:source_port} %{WORD:protocol}" }
      }
      geoip {
        source => "source_ip"
        target => "geoip"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://elasticsearch:9200"]
    user => "elastic"
    password => "${ELASTIC_PASSWORD}"
    ssl => true
    ssl_certificate_verification => false
    index => "security-%{+YYYY.MM.dd}"
  }
}

This pipeline:

Setting Up Filebeat to Ship Logs

On your monitored servers, install Filebeat and configure it to forward auth logs to Logstash.

# filebeat.yml (on Linux endpoint)
filebeat.inputs:
  - type: filestream
    paths:
      - /var/log/auth.log
      - /var/log/syslog
    fields:
      log_type: system

output.logstash:
  hosts: ["logstash-host:5044"]

Start Filebeat and verify that events appear in Kibana under the security-* index pattern.

Securing the ELK Stack

A security monitoring platform must itself be hardened. Below are essential steps to protect Elasticsearch, Logstash, and Kibana from unauthorized access and data exfiltration.

1. Enable TLS Encryption

All inter‑node communication and client connections should be encrypted. Elasticsearch supports TLS certificates out of the box. Generate certificates using the elasticsearch-certutil tool or Let’s Encrypt, then configure:

# elasticsearch.yml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12

2. Enable Authentication and Role‑Based Access Control (RBAC)

X‑Pack security provides built‑in realms (native, file, LDAP, Active Directory). Create roles and users to enforce least privilege. For example, create a user with read‑only access to security indices:

# In Kibana Dev Tools or via API
POST /_security/role/security_reader
{
  "cluster": [],
  "indices": [
    {
      "names": [ "security-*" ],
      "privileges": [ "read", "view_index_metadata" ]
    }
  ]
}

POST /_security/user/analyst
{
  "password" : "SecureAnalystPass789",
  "roles" : [ "security_reader" ]
}

Assign the analyst user to security team members so they can investigate logs without modifying index configurations.

3. Kibana Spaces and Dashboard Permissions

Kibana Spaces isolate dashboards, visualizations, and saved searches. Create a space for security operations and assign roles with access only to that space:

POST /_security/role/secops_kibana
{
  "cluster": [],
  "indices": [
    {
      "names": [ "security-*" ],
      "privileges": [ "read" ]
    }
  ],
  "applications": [
    {
      "application": "kibana",
      "privileges": [ "feature_dashboard.read", "feature_discover.read" ],
      "resources": [ "space:secops" ]
    }
  ]
}

4. Network Segmentation and Firewall Rules

Expose only Kibana and Logstash (if needed) to the internal network. Elasticsearch should never be directly accessible from untrusted networks. Use firewall rules (iptables, AWS security groups) to restrict traffic:

# Example: Allow only Logstash and Kibana to reach Elasticsearch
iptables -A INPUT -p tcp --dport 9200 -s logstash_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -s kibana_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -j DROP

Best Practices for ELK Security

Beyond basic setup and hardening, adhering to operational best practices ensures your security monitoring remains effective and resilient.

Data Lifecycle Management and Index Retention

Security logs can grow exponentially. Implement Index Lifecycle Management (ILM) to automatically roll over, shrink, and delete indices based on age or size. A typical ILM policy for security indices:

PUT _ilm/policy/security_logs_policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size": "50GB",
            "max_age": "1d"
          }
        }
      },
      "warm": {
        "min_age": "7d",
        "actions": {
          "shrink": { "number_of_shards": 1 },
          "forcemerge": { "max_num_segments": 1 }
        }
      },
      "delete": {
        "min_age": "90d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

Attach the policy to an index template so all new security-* indices follow it automatically.

Alerting and Automation

Proactive detection requires alerts. Use Elasticsearch Watcher (included in X‑Pack) or the open‑source tool ElastAlert to trigger notifications when suspicious patterns emerge. Example Watcher alert for repeated failed logins:

PUT _watcher/watch/failed_logins_watch
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "security-*" ],
        "body": {
          "query": {
            "bool": {
              "must": [
                { "match": { "syslog_message": "Failed password" } }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m"
                  }
                }
              }
            }
          },
          "aggregations": {
            "by_user": {
              "terms": { "field": "auth_user", "size": 100 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.by_user.buckets.0.doc_count": { "gte": 10 }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "soc@example.com",
        "subject": "Possible brute force attack detected",
        "body": "User {{ctx.payload.aggregations.by_user.buckets.0.key}} has {{ctx.payload.aggregations.by_user.buckets.0.doc_count}} failed logins in 5 minutes."
      }
    }
  }
}

Regularly Update and Patch

Elasticsearch and its plugins receive security updates frequently. Subscribe to the Elastic advisory mailing list and apply patches promptly. Use official Docker images or package repositories to simplify upgrades.

Backup and Disaster Recovery

Security logs are critical evidence. Regularly snapshot your Elasticsearch data using the snapshot lifecycle management (SLM) feature to a remote repository (S3, GCS, or NFS).

PUT _slm/policy/nightly_backup
{
  "name": "",
  "schedule": "0 30 2 * * ?",
  "repository": "my_backup_repo",
  "config": {
    "indices": [ "security-*", ".kibana*" ]
  },
  "retention": {
    "expire_age": "30d",
    "max_count": 10
  }
}

Monitor the ELK Stack Itself

Use Metricbeat and monitoring features to track Elasticsearch cluster health, CPU, memory, and disk usage. Set up dedicated Kibana monitoring dashboards to detect performance degradation before it impacts log ingestion.

Apply the Principle of Least Privilege

Never use the superuser account for day‑to‑day operations. Create distinct roles for log shippers (Filebeat, Logstash) with minimal write permissions, and separate roles for analysts, dashboard editors, and administrators. Regularly

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles