Building a Suricata NAT Instance-Based IPS/IDS Lab (Part 5): Suricata IPS Practice – ELK Stack Integration Installation Guide on the Suricata NAT Instance

1. Assumptions and Goal of This Part

Assumptions

  • Suricata is already running on the NAT Instance.
  • Install the entire ELK stack on the same NAT Instance.
  • Architecture:

Goal

Finish everything in this part.

On the NAT Instance:

  • Install and start Elasticsearch
  • Install Kibana and verify access
  • Install Logstash

Do not integrate logs yet.
→ Part 6 covers Logstash filters and full processing of Suricata eve.json.


2. NAT Instance Sizing and Notes

Minimum Specs (Lab)

  • Instance type: minimum t3.medium / recommended: t3.xlarge
  • t3.small or lower → Elasticsearch may bottleneck.
  • RAM: 4 GB or more
  • Disk: 20 GB or more

Running Suricata IPS and ELK on a single instance is for lab purposes only.
Do not do this in production environments.


3. Kernel Parameter (Required)

Elasticsearch's bootstrap check requires vm.max_map_count to be at least 262144; below that the service warns or refuses to start. Check the current value first:

root@nat:/home/ubuntu# sysctl vm.max_map_count

Set it:

# echo "vm.max_map_count=262144" > /etc/sysctl.d/99-elasticsearch.conf
# sysctl --system
# sysctl vm.max_map_count

4. Register the Elastic APT Repository

# apt update
# apt install -y curl gnupg apt-transport-https ca-certificates

# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
| gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg

# echo \
"deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] \
https://artifacts.elastic.co/packages/8.x/apt stable main" \
> /etc/apt/sources.list.d/elastic-8.x.list

# apt update

5. Elasticsearch Installation and Configuration

5.1 Install

# apt install -y elasticsearch

5.2 Elasticsearch Configuration (Single Node)

# vi /etc/elasticsearch/elasticsearch.yml

Set only the following values:

Uncomment:

cluster.name: suricata-lab
node.name: nat-elk-1
network.host: 0.0.0.0
http.port: 9200

Add:

discovery.type: single-node

Because this is a NAT Instance, Elasticsearch is bound to 0.0.0.0 here.
Do not expose port 9200 publicly in the security group; Kibana and Logstash on the same host reach it locally.


5.3 JVM Heap Configuration (Important)

💡 Why not edit the main file (jvm.options)?

There is a main configuration file at /etc/elasticsearch/jvm.options.
But if you edit it directly, a package upgrade can overwrite your changes or prompt about a conflicting config file later.

That is why jvm.options.d exists: add your own file there and Elasticsearch will load it automatically.

Create the file:

# vi /etc/elasticsearch/jvm.options.d/heap.options

For a 4 GB RAM instance (Suricata shares that memory, so keep the heap small and set Xms equal to Xmx):

-Xms1g
-Xmx1g

5.4 Start Elasticsearch

# systemctl daemon-reload
# systemctl enable --now elasticsearch

Check status:

# systemctl status elasticsearch

[Troubleshooting] Elasticsearch 8.x Startup Failure and Configuration Conflict

1. Symptom

The Elasticsearch service fails to start: `systemctl start elasticsearch` returns "Job for elasticsearch.service failed".

journalctl shows a failure with exit code 1.

2. Log Analysis

Check the tail of the main log file to identify the root cause.

Command:

# tail -n 50 /var/log/elasticsearch/<cluster_name>.log

Example:

# tail -n 50 /var/log/elasticsearch/suricata-lab.log

Key error:

java.lang.IllegalArgumentException: setting [cluster.initial_master_nodes] is not allowed when [discovery.type] is set to [single-node]

3. Root Cause

Configuration conflict: single-node mode and initial_master_nodes cannot exist together.

Auto-configuration behavior: even if you only set discovery.type: single-node, Elasticsearch 8.x may append a cluster.initial_master_nodes line (containing the detected hostname, for example suricata) to elasticsearch.yml during the first boot as part of its security auto-configuration.

This creates an unintended configuration conflict and blocks startup.

4. Fix

Disable the auto-added cluster.initial_master_nodes line.

1) Edit the config file:

# vi /etc/elasticsearch/elasticsearch.yml

2) Comment out the conflicting line (usually added near the bottom):

Before (error):

cluster.initial_master_nodes: ["suricata"]
discovery.type: single-node

After (fixed):

# cluster.initial_master_nodes: ["suricata"]
discovery.type: single-node

3) Restart and verify:

# systemctl enable --now elasticsearch
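To catch this conflict before the next start attempt, the following added script (not part of the original post) checks an elasticsearch.yml for an uncommented cluster.initial_master_nodes line next to discovery.type: single-node and comments it out, keeping a .bak copy. The default config path is assumed to be the package default shown above; pass a path as the second argument to try it on a copy first.

```shell
#!/bin/sh
# Detect and fix the single-node / initial_master_nodes conflict in elasticsearch.yml.
# Added example, not part of the original post. Usage: sh es_conflict.sh --fix [FILE]

# Return 0 when FILE has an uncommented cluster.initial_master_nodes line.
has_initial_master_nodes() {
    grep -Eq '^[[:space:]]*cluster\.initial_master_nodes[[:space:]]*:' "$1"
}

# Return 0 when FILE sets discovery.type to single-node (uncommented).
is_single_node() {
    grep -Eq '^[[:space:]]*discovery\.type[[:space:]]*:[[:space:]]*single-node' "$1"
}

# Return 0 when both settings are present, i.e. the startup-blocking conflict exists.
has_conflict() {
    is_single_node "$1" && has_initial_master_nodes "$1"
}

# Comment out every uncommented cluster.initial_master_nodes line, keeping FILE.bak.
comment_out_initial_master_nodes() {
    sed -i.bak -E 's/^([[:space:]]*)(cluster\.initial_master_nodes[[:space:]]*:.*)$/\1# \2/' "$1"
}

main() {
    # Assumed default path (the Debian/Ubuntu package location used in this guide).
    cfg="${1:-/etc/elasticsearch/elasticsearch.yml}"
    if has_conflict "$cfg"; then
        echo "conflict: discovery.type=single-node together with cluster.initial_master_nodes in $cfg"
        comment_out_initial_master_nodes "$cfg"
        echo "commented out; backup written to $cfg.bak"
        echo "next: systemctl enable --now elasticsearch"
    else
        echo "no conflict in $cfg"
    fi
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
case "${1:-}" in
    --fix) main "${2:-}" ;;
esac
```

Run it as root with `--fix` after the first failed start; the .bak file lets you diff exactly what was changed before starting the service again.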

5.5 Set the elastic User Password

Elastic 8.x has security enabled by default.

# /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Save the generated password.


5.6 Verify Elasticsearch

# curl -k https://localhost:9200
# curl -k -u elastic https://localhost:9200

The first call returns an authentication error (security is on); the second prompts for the elastic password and should return the cluster banner JSON. -k is needed because the auto-generated HTTP certificate is self-signed.

6. Kibana Installation and Setup

6.1 Install Kibana

# apt install -y kibana

6.2 Kibana Configuration

# vi /etc/kibana/kibana.yml

Set:

server.host: "0.0.0.0"
server.port: 5601

6.3 Generate a Kibana Enrollment Token

# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

6.4 Start Kibana

# systemctl enable --now kibana
# systemctl status kibana

6.5 Access Kibana

Open the following URL in a browser and paste the token generated above.

http://<NAT_PUBLIC_IP>:5601

Order:

  • Enter the enrollment token
  • Enter the verification code: run the command below and paste the code it prints.

    # /usr/share/kibana/bin/kibana-verification-code

Login:

  • user: elastic
  • password: the elastic password created earlier

7. Logstash Installation

In this part, only install and start the service.

# apt install -y logstash

# systemctl enable --now logstash
# systemctl status logstash

8. Final Checklist

# systemctl is-active elasticsearch
# systemctl is-active kibana
# systemctl is-active logstash

# ss -lntp | egrep '9200|5601'

Verify Kibana access:

  • Management screen loads normally
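The checklist above, together with the kernel parameter from section 3, as one added verification script (not part of the original post). The parsing helpers take command output as arguments so they can be tested without root; run_checks wires them to the live commands. It assumes the elastic password is exported as ES_PASSWORD (an assumed variable name) for the optional cluster-health call.

```shell
#!/bin/sh
# Post-install checks for the NAT Instance ELK stack. Added example, not from the original post.
# Usage: ES_PASSWORD='...' sh elk_check.sh --run

# Section 3: Elasticsearch needs vm.max_map_count >= 262144. Non-numeric input fails the test.
max_map_count_ok() {
    [ "$1" -ge 262144 ] 2>/dev/null
}

# Given a space-separated list of expected ports and the output of `ss -lntp`,
# print each expected port that has no LISTEN socket.
missing_listen_ports() {
    expected="$1"
    ss_output="$2"
    for port in $expected; do
        # ss prints the local address as 0.0.0.0:9200, *:5601 or [::]:9200
        if ! printf '%s\n' "$ss_output" | grep -Eq "LISTEN[[:space:]].*[*:]${port}[[:space:]]"; then
            printf '%s\n' "$port"
        fi
    done
}

# Extract the "status" field from the JSON returned by /_cluster/health.
es_cluster_status() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

run_checks() {
    rc=0
    v=$(sysctl -n vm.max_map_count)
    if max_map_count_ok "$v"; then echo "ok   vm.max_map_count=$v"
    else echo "FAIL vm.max_map_count=$v (need >= 262144)"; rc=1; fi

    for svc in elasticsearch kibana logstash; do
        state=$(systemctl is-active "$svc" 2>/dev/null || true)
        if [ "$state" = active ]; then echo "ok   $svc"
        else echo "FAIL $svc is ${state:-unknown}"; rc=1; fi
    done

    missing=$(missing_listen_ports "9200 5601" "$(ss -lntp)")
    if [ -z "$missing" ]; then echo "ok   ports 9200 5601 listening"
    else echo "FAIL not listening:" $missing; rc=1; fi

    # Optional: ask Elasticsearch itself. Yellow is expected on a single node
    # once indices with replica shards exist; red means a real problem.
    if [ -n "$ES_PASSWORD" ]; then
        health=$(curl -sk -u "elastic:$ES_PASSWORD" https://localhost:9200/_cluster/health)
        status=$(es_cluster_status "$health")
        case "$status" in
            green|yellow) echo "ok   cluster status $status" ;;
            *) echo "FAIL cluster health: $health"; rc=1 ;;
        esac
    fi
    return $rc
}

case "${1:-}" in
    --run) run_checks ;;
esac
```

The script exits non-zero on any failed check, so it can be rerun after each fix until everything reports ok.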

Part 6 Preview

  • Suricata eve.json → Logstash input
  • Filters:
    • Distinguish alert vs drop
    • Extract and normalize rule.sid / msg / src_ip / dest_ip
  • Elasticsearch index design
  • Kibana dashboards:
    • Alert vs Drop
    • Top attacker IPs
    • Rule hit ranking, etc.

🛠 Last modified: 2025.12.26

ⓒ 2026 엉뚱한 녀석의 블로그 [quirky guy's Blog]. All rights reserved. Unauthorized copying or redistribution of the text and images is prohibited. When sharing, please include the original source link.


💡 Need Professional Support?
If you need deployment, optimization, or troubleshooting support for Zabbix, Kubernetes, or any other open-source infrastructure in your production environment, or if you are interested in sponsorships, ads, or technical collaboration, feel free to contact me anytime.

📧 Email: jikimy75@gmail.com
💼 Services: Deployment Support | Performance Tuning | Incident Analysis Consulting

📖 PDF eBook (Gumroad): Zabbix Enterprise Optimization Handbook
A single, production-ready PDF that compiles my in-depth Zabbix and Kubernetes monitoring guides.