philhagen / sof-elk

Configuration files for the SOF-ELK VM
GNU General Public License v3.0

SOF-ELK® Configuration Files


This repository contains the configuration and support files for the SOF-ELK® VM Appliance.

SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper (specifically filebeat). With a significant amount of customization and ongoing development, SOF-ELK® users can avoid the typically long and involved setup process the Elastic stack requires. Instead, they can simply download the pre-built and ready-to-use SOF-ELK® virtual appliance, which consumes various source data types (numerous log types as well as NetFlow), parses out the most critical data, and visualizes it on several stock dashboards. Advanced users can build visualizations that suit their own investigative or operational requirements, optionally contributing those back to the primary code repository.

The SOF-ELK® platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now used in several other SANS courses, with additional course integrations being considered. Most importantly, the platform is also distributed as a free and open source resource for the community at large, without a specific course requirement or tie-in required to use it.

More details about the pre-packaged VM are available here: https://for572.com/sof-elk-readme.

Branches

Using

These files are recommended for use only within the SOF-ELK VM distribution at this time. A great deal of system-level configuration and tie-in is required for them to work. No support can be provided for the use of these files outside the SOF-ELK VM as distributed via the readme.

Contents by directory

Questions/Bug Reports/etc

All bugs and feature requests should be logged via the github issue tracker: https://github.com/philhagen/sof-elk/issues/.

Please see the pull request submission guidelines before starting any development work - this is in the file.

Administrative Notifications/Disclaimers/Legal/Boring Stuff