Secure Elastic Stack Setup with Elasticsearch, Kibana, and Filebeat Using Vagrant
This step-by-step guide shows how to provision a single-node Elastic Stack with username/password authentication and transport-layer TLS, configure Kibana and the Filebeat system and auditd modules, and verify log collection in a Vagrant-based CentOS 8 environment.
Overview
The article explains how to build an Elastic Stack (Elasticsearch, Kibana, Filebeat) secured with native username/password authentication and TLS on the Elasticsearch transport layer, then use Filebeat's basic modules for log collection. Note what this setup does and does not encrypt: only inter-node transport traffic (port 9300) gets TLS; HTTP traffic to Elasticsearch (port 9200) and to Kibana (port 5601) stays in the clear, which is acceptable for a local lab but not beyond it.
Prerequisites and Test Environment
macOS Catalina 10.15.3
Vagrant 2.2.4
VirtualBox 6.0
CentOS‑8 Vagrant box (bento/centos-8)
Elastic Stack RPM packages: Elasticsearch 7.6.1, Kibana 7.6.1, Filebeat 7.6.1
Shared folder /vagrant/rpm for the RPM files
Start the VM with:
vagrant up
vagrant status
Install Elasticsearch
SSH into the VM:
vagrant ssh
Install the RPM and enable the service:
cd /vagrant/rpm
sudo rpm -ivh ./elasticsearch-7.6.1-x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
Verify that the node answers on curl localhost:9200 (at this point it still accepts unauthenticated requests) and inspect the default /etc/elasticsearch/elasticsearch.yml. Replace it with the custom configuration from the shared folder, which the security settings below are then added to:
sudo cp /vagrant/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml
sudo systemctl restart elasticsearch.service
sudo systemctl status elasticsearch.service
Generate a TLS certificate. Run without --ca, certutil creates a CA on the fly and writes the node certificate, its private key and the CA certificate into one PKCS#12 file; -pass "" leaves that file without a password, so its filesystem permissions are the only thing protecting the private key:
cd /usr/share/elasticsearch
sudo bin/elasticsearch-certutil cert -out /etc/elasticsearch/elastic-certificates.p12 -pass ""
sudo chmod 660 /etc/elasticsearch/elastic-certificates.p12
Add the following to elasticsearch.yml (the same file serves as keystore and truststore because it also carries the CA that signed the node certificate):
# ------------------------------- TLS and Cert ---------------------------------
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Restart Elasticsearch and confirm it starts without errors; a problem reading the certificate bundle shows up in systemctl status and under /var/log/elasticsearch/.
Set the built-in user passwords automatically (the service must be running; note that cd is a shell builtin, so it is run without sudo and only the tool itself needs root):
cd /usr/share/elasticsearch
sudo bin/elasticsearch-setup-passwords auto
Save the generated passwords (elastic, kibana, beats_system and the other built-in users) somewhere safe: they are printed only once, and auto mode cannot be run a second time, so any later change goes through the Kibana user management UI or the change-password API.
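The settings, permissions and restart steps above are easy to get subtly wrong on a second provisioning run (a duplicated key in elasticsearch.yml stops the node from starting). The following is an added example, not code from the article or its elastic-labs repository: it appends the article's settings block only once, checks that each key is present exactly once with the expected value, checks the mode of the PKCS#12 bundle, and offers a post-restart authentication check. The demo at the bottom runs on a constructed elasticsearch.yml in a temporary directory, so it needs no Elasticsearch install; the sample cluster settings in it are placeholders, and on the VM you would point the functions at /etc/elasticsearch instead.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or its elastic-labs repository.
# It makes the "append settings, fix permissions, restart" step repeatable:
# the settings block is appended only once, the file is checked for exactly
# one copy of each key (Elasticsearch refuses to start on a duplicate key),
# and the PKCS#12 bundle's mode is checked before the restart.  The demo at
# the bottom works on a constructed elasticsearch.yml in a temp directory.

# The settings from the article, in the same order.
ES_SECURITY_SETTINGS='# ------------------------------- TLS and Cert ---------------------------------
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12'

# Append the block unless the file already enables security (idempotent).
append_es_security_settings() {
  local yml="$1"
  grep -Eq '^xpack\.security\.enabled:[[:space:]]*true' "$yml" && return 0
  printf '%s\n' "$ES_SECURITY_SETTINGS" >> "$yml"
}

# Succeed only if every key above appears exactly once with the expected value.
check_es_security_settings() {
  local yml="$1" key val pat n
  while IFS=: read -r key val; do
    case "$key" in \#*|'') continue ;; esac      # skip the comment line
    val="${val# }"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')  # escape dots for grep -E
    n=$(grep -Ec "^${pat}:" "$yml" || true)
    if [ "$n" -ne 1 ]; then
      echo "$key: found $n times, expected exactly 1" >&2
      return 1
    fi
    grep -Eq "^${pat}:[[:space:]]*${val}[[:space:]]*$" "$yml" \
      || { echo "$key: unexpected value" >&2; return 1; }
  done <<EOF
$ES_SECURITY_SETTINGS
EOF
}

# The bundle is read by the elasticsearch user only.  The RPM's
# /etc/elasticsearch is group elasticsearch with the setgid bit, so a file
# created there inherits that group; what remains to check is that the mode
# is the article's 660 or tighter, i.e. never world-readable.
check_p12_permissions() {
  local p12="$1" mode
  [ -f "$p12" ] || { echo "missing: $p12" >&2; return 1; }
  mode=$(stat -c '%a' "$p12")          # Linux stat; on macOS use stat -f '%Lp'
  case "$mode" in
    660|640|600) return 0 ;;
    *) echo "$p12: mode $mode, expected 660 or tighter" >&2; return 1 ;;
  esac
}

# After the restart and elasticsearch-setup-passwords: an anonymous request
# must get 401 and the elastic user must authenticate.  Needs a live node,
# so the demo below does not call it.
verify_es_auth() {   # usage: verify_es_auth <elastic-password> [host:port]
  local pass="$1" host="${2:-localhost:9200}"
  [ "$(curl -s -o /dev/null -w '%{http_code}' "http://$host/")" = 401 ] || return 1
  curl -s -u "elastic:$pass" "http://$host/_security/_authenticate" \
    | grep -q '"username":"elastic"'
}

# Demo on a constructed copy (the cluster settings are sample values, not the
# article's elasticsearch.yml).
demo=$(mktemp -d)
printf 'cluster.name: elastic-labs\nnode.name: node-1\ndiscovery.type: single-node\n' \
  > "$demo/elasticsearch.yml"
append_es_security_settings "$demo/elasticsearch.yml"
append_es_security_settings "$demo/elasticsearch.yml"   # second run adds nothing
check_es_security_settings "$demo/elasticsearch.yml" && echo "elasticsearch.yml: security settings OK"
: > "$demo/elastic-certificates.p12"
chmod 660 "$demo/elastic-certificates.p12"
check_p12_permissions "$demo/elastic-certificates.p12" && echo "certificate bundle mode: OK"
rm -rf "$demo"
```

On the VM, run the three checks in order (append, check the file, check the bundle) before the restart, then verify_es_auth with the elastic password once setup-passwords has run; a 200 on the anonymous request means security is still off, a failed login means the saved password is wrong.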
Install Kibana
Install the Kibana RPM:
cd /vagrant/rpm/
sudo rpm -ivh kibana-7.6.1-x86_64.rpm
Copy a custom kibana.yml that contains the elastic user's password (elasticsearch.username and elasticsearch.password), then start the service. Kibana itself only needs the built-in kibana user to talk to Elasticsearch; giving it the elastic superuser works but is more privilege than the process needs, and the password sits in clear text on disk:
sudo cp /vagrant/kibana/kibana.yml /etc/kibana/kibana.yml
sudo systemctl start kibana.service
sudo systemctl status kibana.service
Verify Kibana is reachable at http://192.168.50.10:5601 (the address assigned to the VM in the Vagrantfile) and log in with the elastic credentials.
Install and Configure Filebeat
Install the Filebeat RPM:
cd /vagrant/rpm
sudo rpm -ivh ./filebeat-7.6.1-x86_64.rpm
Replace the default configuration with the prepared one, which contains the elastic password for output.elasticsearch:
sudo cp /vagrant/filebeat/filebeat.yml /etc/filebeat/filebeat.yml
Enable the system and auditd modules (the auditd module reads /var/log/audit/audit.log, so the auditd service has to be running on the VM):
sudo filebeat modules enable system auditd
Inspect the module configuration files under /etc/filebeat/modules.d/. Load the index template, ILM policy and Kibana dashboards:
sudo filebeat setup
Test the Filebeat configuration (filebeat test output additionally checks the connection and credentials against Elasticsearch), then start the service:
sudo filebeat test config
sudo systemctl start filebeat
sudo systemctl status filebeat
Suggested Tests in Kibana
Open the Discover view, select the filebeat-* index, view a log entry, and try full‑text search with KQL.
Open the Dashboard view, search for system and audit dashboards, generate some audit events (e.g., ssh localhost) and verify they appear.
Use the Logs view, enable Live Stream, and experiment with tag‑based searches.
Explore the SIEM section for additional insights.
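Both the kibana.yml copied in the Kibana section and the filebeat.yml copied in the Filebeat section carry the elastic superuser password in clear text. The following is an added example, not code from the article or its elastic-labs repository: it flags any password setting whose value is a literal, then moves the secret out of the file. The two products differ here: for Kibana the setting is deleted from kibana.yml and stored under its own name with bin/kibana-keystore add elasticsearch.password (run as the kibana user so the service can read the keystore); for Filebeat the value becomes "${ES_PWD}" and the secret goes in with filebeat keystore add ES_PWD. The demo uses constructed kibana.yml and filebeat.yml files in a temporary directory (placeholder values, not the repo's real configs); using the built-in kibana user for Kibana and a dedicated user with write access to filebeat-* for Filebeat, instead of elastic, is the companion change.

```shell
#!/usr/bin/env bash
# Added example, not from the article or its elastic-labs repository.
# Flags literal passwords in kibana.yml / filebeat.yml and rewrites them to the
# keystore form.  The demo at the bottom runs on constructed files.

# Print each uncommented "<key>: <value>" line whose key ends in "password"
# and whose value is a literal rather than a ${VAR} keystore reference.
# Returns 1 if any such line exists, 0 otherwise.
find_plaintext_passwords() {
  local file="$1" found=0 line key val
  while IFS= read -r line; do
    case "$line" in
      *\#*password:*) continue ;;     # commented out, nothing live
      *password:*) ;;
      *) continue ;;
    esac
    key=$(printf '%s' "${line%%:*}" | tr -d '[:space:]')
    val=$(printf '%s' "${line#*:}" | tr -d "[:space:]\"'")
    case "$val" in
      '') ;;                          # empty value: nothing leaked
      '${'*'}') ;;                    # keystore reference: fine
      *) echo "$file: literal value for $key"; found=1 ;;
    esac
  done < "$file"
  return $found
}

# Remove the literal from the file.  With a VAR name the line becomes
# '<key>: "${VAR}"' (Beats keystore style); without one the whole setting
# is deleted (Kibana keystore style, where the keystore entry carries the
# setting's own name and kibana.yml must not repeat it).
strip_password() {   # usage: strip_password <file> <key> [VAR]
  local file="$1" key="$2" var="${3:-}" pat
  pat=$(printf '%s' "$key" | sed 's/\./\\./g')
  if [ -n "$var" ]; then
    sed -i.bak "s|^\([[:space:]]*${pat}:\).*|\1 \"\${${var}}\"|" "$file"
  else
    sed -i.bak "/^[[:space:]]*${pat}:/d" "$file"
  fi
  rm -f "$file.bak"
}

# Demo on constructed configs (shapes only; the values are placeholders).
demo=$(mktemp -d)
cat > "$demo/kibana.yml" <<'EOF'
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"
EOF
cat > "$demo/filebeat.yml" <<'EOF'
output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "changeme"
EOF
find_plaintext_passwords "$demo/kibana.yml" || true     # reports elasticsearch.password
find_plaintext_passwords "$demo/filebeat.yml" || true   # reports password
strip_password "$demo/kibana.yml" elasticsearch.password   # value moves to the Kibana keystore
strip_password "$demo/filebeat.yml" password ES_PWD        # value moves to the Filebeat keystore
find_plaintext_passwords "$demo/kibana.yml" \
  && find_plaintext_passwords "$demo/filebeat.yml" \
  && echo "no literal passwords left"
cat "$demo/filebeat.yml"
rm -rf "$demo"
```

Run find_plaintext_passwords over /etc/kibana/kibana.yml and /etc/filebeat/filebeat.yml on the VM before the services are started; after strip_password, populate the two keystores and restart each service, and keep in mind that filebeat setup still needs a user allowed to load templates and dashboards.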
Next Steps
Extend the setup to monitor Apache, MySQL, or other services with Filebeat modules.
Reference repository for the complete code and configuration files: https://github.com/martinliu/elastic-labs
Additional documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/setting-system-settings.html