This step generates TLS key pairs. This is used for encrypting the filebeat traffic between redirectors/C2servers and the RedELK server.
It can be run on any Unix-based system, but it makes complete sense to run this from your dedicated RedELK system.
In short: adjust ./certs/config.cnf, run initial-setup.sh ./certs/config.cnf, and copy c2servers.tgz, redirs.tgz and elkserver.tgz to the relevant systems. In more detail:

Adjust ./certs/config.cnf to include the right details for 2 items: 1) the TLS certificates, and 2) the DNS/IP of your RedELK server.
- [req_distinguished_name] part. Change it to something that openssl accepts as correct TLS certificate information.
- [alt_names] part. It's really important to have the right IP (IP.1) or DNS (DNS.1) name listed in that file! These need to point to either the IP or the DNS name of your RedELK server. Otherwise your TLS setup will not function and Logstash will fail and crash miserably with cryptic errors in its log.

Once done, run: initial-setup.sh ./certs/config.cnf

This will create a CA, generate the necessary certificates for secure communication between redirs, C2-server and elkserver, and generate an SSH key pair for secure rsync authentication of the elkserver to the C2server.
It also generates c2servers.tgz, redirs.tgz and elkserver.tgz that contain the installation packages for each component.
You need to copy these tgz files to the relevant systems (C2-servers, redirs and the system you will be using as the central RedELK node).
Rerunning this initial setup is only required if you want new TLS keys to be used. If such is the case, delete the ./certs/redelkCA.* and ./certs/elkserver.* files and rerun initial-setup.sh ./certs/config.cnf.
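As an added pre-flight check that is not part of RedELK or its initial-setup.sh, the following Python parses the two config.cnf sections discussed above and confirms that [alt_names] really lists the RedELK server's IP or DNS name, so the mismatch is caught before it surfaces as Logstash crashing; the sample config, host name and address are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of the two config.cnf sections this step asks you to edit.
SAMPLE_CONFIG = """\
[req_distinguished_name]
C = NL
O = Example Red Team
CN = redelk.example.internal

[alt_names]
DNS.1 = redelk.example.internal
IP.1 = 10.0.0.5
"""

def parse_sections(text):
    """Parse an openssl-style config into {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"\[\s*(\w+)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def check_config(text, redelk_host):
    """Return a list of problems; an empty list means config.cnf is ready for initial-setup.sh."""
    problems, names = [], set()
    for key, value in parse_sections(text).get("alt_names", {}).items():
        if re.match(r"IP\.\d+$", key):
            try:
                names.add(str(ipaddress.ip_address(value)))  # normalised IP form
            except ValueError:
                problems.append(f"{key} = {value!r} is not a valid IP address")
        elif re.match(r"DNS\.\d+$", key):
            names.add(value.lower())  # DNS names compare case-insensitively
    try:
        wanted = str(ipaddress.ip_address(redelk_host))
    except ValueError:
        wanted = redelk_host.lower()
    if wanted not in names:
        problems.append(f"RedELK server {redelk_host!r} is not listed in [alt_names]")
    return problems
```

Run it as check_config(open("./certs/config.cnf").read(), "<RedELK IP or DNS name>") before invoking initial-setup.sh; an empty list means the SAN matches the host filebeat will connect to.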