Pentesting Tools

RedELK Server – DeploymentEssential Configuration Variables Overview

We delve into the process of setting up a RedELK server, focusing on the critical configuration variables required for successful deployment.

As the traditional method becomes obsolete, we transition towards the use of an Ansible role specifically designed for this purpose.

Discover how to customize your RedELK environment to meet specific security and monitoring needs.

Variables

The following variables can be modified:

KeyTypeDefaultDescription
certs_dir_nginxstring"/etc/nginx/certs"Path to folder containing certificates in Nginx container
certs_dir_nginx_castring"/etc/nginx/ca_certs"Path to folder containing the CA certificate in Nginx container
certs_dir_nginx_ca_localstring"./mounts/certs/ca"Local path to folder containing the CA certificate
certs_dir_nginx_localstring"./mounts/certbot/conf/live/localhost"Local path to folder containing certificates. Replace localhost with the same value as external_domain
customer_ipslist[]List of customer’s IP addresses
docker_dirstring"/var/lib/docker"Docker directory
domainslist[]List of domain names used for the exercise
es_elastic_passwordstring"elastic"ElasticSearch users
es_kibana_encryptionKeystring"sLOVUK5MLv0VDhKsMlQcjgAaSMLXLLVy"Kibana encryption key (32 char alphanumeric)
es_kibana_passwordstring"kibana"ElasticSearch kibana user’s password
es_logstash_system_passwordstring"logstash_system"ElasticSearch logstash_system user’s password
es_redelk_ingest_passwordstring"redelk"ElasticSearch redelk-ingest user’s password (used by logstash)
es_redelk_passwordstring"redelk"ElasticSearch RedELK user’s password
es_redelk_userstring"redelk"ElasticSearch RedELK username
es_versionstring"7.16.3"Elastic version
external_domainstring"localhost"External domain name to expose RedELK interface on. Will also be used to request Let’s Encypt certificate
le_emailstring""Let’s Encrypt email address
le_enablebooltrue
le_stagingint0Set to 1 to use Let’s Encrypt staging endpoint.
monitor_hostsboolfalseSet to true to support monitoring hosts (metricbeat, packetbeat, …)
neo4j_passwordstring"BloodHound"Neo4J password (user: neo4j)
optsec_dirstring"/opt"Base directory for components install (where customer data will be stored) – allows to store on an encrypted partition/disk
redelk_alarm_intervalstring"3600"
redelk_alarm_tempDirstring"/tmp"
redelk_alarmsobjectcf. belowAlarm configuration options
redelk_alarms.alarm_dummy.enabledboolfalseWether to enable the alarm
redelk_alarms.alarm_dummy.intervalint300Interval at which the alarm will run (in seconds)
redelk_alarms.alarm_filehash.enabledbooltrueWether to enable the alarm
redelk_alarms.alarm_filehash.ha_api_keystring"<<INSERT_API_KEY>>"Hybrid Analysis API key
redelk_alarms.alarm_filehash.ibm_basic_authstring"Basic <<REPLACE>>"IBM X-Force Exchange basic authentication
redelk_alarms.alarm_filehash.intervalint360Interval at which the alarm will run (in seconds)
redelk_alarms.alarm_filehash.vt_api_keystring"<<INSERT_API_KEY>>"VirusTotal API key
redelk_alarms.alarm_httptraffic.enabledbooltrueWether to enable the alarm
redelk_alarms.alarm_httptraffic.intervalint310Interval at which the alarm will run (in seconds)
redelk_alarms.alarm_httptraffic.notify_intervalint86400Only notify on the same IP hit at every notify_interval (in seconds)
redelk_alarms.alarm_useragent.enabledbooltrueWether to enable the alarm
redelk_alarms.alarm_useragent.intervalint320Interval at which the alarm will run (in seconds)
redelk_cert_pathstring"certificates/redelk"Local path to store RedELK certificates
redelk_client_connection_modestring"reverse"Sets how RedELK clients connects to filebeat direct (client connects to RedELK server IP directly) or reverse (reverse SSH tunnel is made from RedELK server to clients)
redelk_enrichobjectcf. belowSettings for data enrichment. You can keep these enabled even if you don’t use a specific item.
redelk_enrich.enrich_csbeaconobjectcf. belowEnriches rtops data from Cobalt Strike implants.
redelk_enrich.enrich_csbeacon.enabledbooltrueWether to enable the enrichment module
redelk_enrich.enrich_csbeacon.intervalint300Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_greynoiseobjectcf. belowEnriches redirtraffic data with info from Greynoise. If an IP address is listed in Greynoise, this data is added.
redelk_enrich.enrich_greynoise.cacheint86400How long the data will be cached (in seconds). If an IP was already seen within this period, a new call to GeryNoise API will not be made.
redelk_enrich.enrich_greynoise.enabledbooltrueWether to enable the enrichment module
redelk_enrich.enrich_greynoise.intervalint310Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_iplistsobjectcf. belowBackground RedELK process that enriches redirtraffic data with IP lists configured in RedELK (via ES app or in configuration files). Better keep it enabled.
redelk_enrich.enrich_iplists.enabledbooltrueWether to enable the enrichment module
redelk_enrich.enrich_iplists.intervalint330Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_stage1objectcf. belowEnriches rtops data from Outflank’s custom C2 framework.
redelk_enrich.enrich_stage1.enabledboolfalseWether to enable the enrichment module
redelk_enrich.enrich_stage1.intervalint300Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_synciplistsobjectcf. belowBackground RedELK process that syncs IP lists from configuration files with ES. Better keep it enabled.
redelk_enrich.enrich_synciplists.enabledbooltrueWether to enable the enrichment module
redelk_enrich.enrich_synciplists.intervalint360Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_torobjectcf. belowEnriches redirtraffic with Tor. If an IP address is a known Tor exit node, this info is added.
redelk_enrich.enrich_tor.cacheint360How often the TOR endpoint list should be retrieved (in seconds).
redelk_enrich.enrich_tor.enabledbooltrueWether to enable the enrichment module
redelk_enrich.enrich_tor.intervalint360Interval (in seconds) at which the enrichment script will run
redelk_install_typestring"full"(full or limited) If full, Jupyter notebooks and BloodHound/Neo4J will be installed as well
redelk_loglevelstring"WARNING"Log level of the RedELK daemon.
redelk_notificationsobjectcf. belowAlarm notifications options
redelk_notifications.email.enabledboolfalseWether to enable alarm notifications via e-mail
redelk_notifications.email.fromstring"redelk@example.com"Source e-mail address to send RedELK notifications from
redelk_notifications.email.smtp.hoststring"example.com"SMTP server hostname or IP address
redelk_notifications.email.smtp.loginstring"redelk@example.com"SMTP username to authenticate
redelk_notifications.email.smtp.passstring"redelk"SMTP password to authenticate
redelk_notifications.email.smtp.portstring"587"SMTP server port
redelk_notifications.email.tolist["redelk@example.com"]List of e-mail addresses to send RedELK notifications to
redelk_notifications.msteams.enabledboolfalseWether to enable alarm notifications via Microsoft Teams WebHook
redelk_notifications.msteams.webhook_urlstring""Microsoft Teams WebHook URL
redelk_notifications.slack.enabledboolfalseWether to enable alarm notifications via Slack WebHook
redelk_notifications.slack.webhook_urlstring""Slack WebHook URL
redelk_repostring"outflanknl"RedELK docker image repository
redelk_repo_pathstring"RedELK"Local path to the RedELK git repository. will be cloned if doesn’t exist
redelk_userstring"redelk"RedELK SSH username (used to sync data between RedELK monitoring server and the clients)
redelk_versionstring"master"RedELK version to install (ignored if the git repository defined in redelk_repo_path is already cloned)
redteam_ipslist[]List of Red Team’s IP addresses
ssh_keys_pathstring"ssh_keys"Local path to store ssh keys
tls_nginx_ca_pathstring"/etc/nginx/ca_certs/ca.crt"Path to the CA file in Nginx container
tls_nginx_crt_pathstring"/etc/letsencrypt/live/{{ external_domain }}/fullchain.pem"Path to the certificate file in Nginx container
tls_nginx_key_pathstring"/etc/letsencrypt/live/{{ external_domain }}/privkey.pem"Path to the private key file in Nginx container
unknown_ipslist[]List of Unknown IP addresses
Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

5 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

6 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

2 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago