Get up and running Zentral on Google Cloud Platform — Chapter 2

Welcome back to the tutorial series on running and exploring Zentral in more detail. In this chapter we launch our “Zentral all-in-one” instance, set up our Let’s Encrypt TLS certificate, create an admin user to log in to the Zentral web interface, and prepare Kibana to show events from the zentral-events index.

The previous chapter and an overview of Zentral can be found here for review:

Now let’s start!

Stage 3 — Start up the Zentral server

We use the GCP admin web interface to open a terminal session in the browser window. In the long term it is of course more convenient to add an SSH key and access the instance directly from your own terminal.

We start a terminal session here to access the instance via SSH; in our example we use the GCP feature that opens a terminal session right in the browser.

Note: Alternatively, if you prefer to follow along on the command line, you can connect to the instance via SSH with gcloud compute ssh [INSTANCE_NAME]. Read the GCP documentation and our wiki for the CLI-based steps.

Once logged in we see that updates are available for Ubuntu and the pre-installed software. Go and update now! It’s good practice to apply updates when they are available. We run the classic Debian-based sudo apt-get update and sudo apt-get upgrade commands here.

When asked, agree and continue to install the new versions. Be aware that these are likely to include the latest updates for the Elastic Stack components. The upgrade will usually stop and ask whether you want to keep the “current version” of a configuration file; the default answer is “N”, which keeps the existing configuration file. Stick with the default, follow as we do here, and stay safe without breaking things.

Screenshots: apt-get upgrade in progress; apt asks about the Kibana update here.

We perform the general Linux sysadmin tasks manually here. Yes, we agree that outside of a tutorial there is good reason to use a configuration management tool like Puppet, Chef, Salt or Ansible for extensive server administration. Introducing one here as well is simply beyond our scope (our posts are already extensive).

Screenshot: now an Elasticsearch update…

Pay attention, as we have likely installed new versions of the Elastic Stack components. It’s good practice to make sure these have been restarted after an update is applied. For this purpose we run the systemctl commands below (we’ll cover more of systemctl in the upcoming chapter 3).

sudo systemctl restart elasticsearch
sudo systemctl restart kibana
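As an added example (not the post's or the Zentral project's own code), here is a small POSIX shell script that reads apt's own history log to find out which Elastic Stack packages the upgrade actually touched, restarts only those units, and confirms each came back. It assumes the systemd unit names elasticsearch and kibana (as on the all-in-one image) and the standard /var/log/apt/history.log format; the log snippet embedded in it is constructed, with made-up version numbers.

```shell
#!/bin/sh
# Added example (not Zentral project code): after "apt-get upgrade", work out
# from apt's history log which Elastic Stack packages were upgraded, restart
# exactly those services and verify they are active again.
# Assumes systemd unit names "elasticsearch" and "kibana".

# Constructed sample of /var/log/apt/history.log (version numbers are made up).
SAMPLE_APT_HISTORY='Start-Date: 2017-12-10  09:12:01
Commandline: apt-get upgrade
Upgrade: kibana:amd64 (6.0.1, 6.1.0), libc6:amd64 (2.26-0ubuntu2, 2.26-0ubuntu2.1), elasticsearch:amd64 (6.0.1, 6.1.0)
End-Date: 2017-12-10  09:13:40'

# Print, sorted and one per line, the Elastic Stack services whose package
# appears on an "Upgrade:" line of the apt history log given as $1.
upgraded_elastic_services() {
    awk '
        /^Upgrade:/ {
            sub(/^Upgrade: /, "")
            # entries look like "pkg:arch (old, new)"; split after each ")"
            n = split($0, entries, /\),? */)
            for (i = 1; i <= n; i++) {
                name = entries[i]
                sub(/^ */, "", name)
                sub(/[ :(].*$/, "", name)      # drop ":arch (old, new"
                if (name == "elasticsearch" || name == "kibana") seen[name] = 1
            }
        }
        END { for (s in seen) print s }
    ' "$1" | sort
}

# Restart each service given as an argument and confirm systemd reports it active.
restart_and_verify() {
    for svc in "$@"; do
        sudo systemctl restart "$svc"
        if systemctl is-active --quiet "$svc"; then
            echo "$svc: active"
        else
            echo "$svc: did not come back, inspect: journalctl -u $svc" >&2
            return 1
        fi
    done
}

# Run the parser over the constructed sample (offline demonstration).
demo_parse() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_APT_HISTORY" > "$tmp"
    upgraded_elastic_services "$tmp"
    rm -f "$tmp"
}

# Usage: sh restart-elastic.sh /var/log/apt/history.log
# Without an argument the script only runs the offline demonstration.
if [ $# -ge 1 ]; then
    services=$(upgraded_elastic_services "$1")
    if [ -z "$services" ]; then
        echo "no Elastic Stack package was upgraded according to $1"
    else
        restart_and_verify $services   # word splitting intended: one service per word
    fi
else
    demo_parse
fi
```

On a real run the script prints `elasticsearch: active` and `kibana: active`, or points you at `journalctl -u <service>` when a unit failed to start after the upgrade, which is exactly the situation you want to catch before moving on to setup.py.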

Now we’re almost ready to start Zentral with the setup.py tool, which can be found in the /home/zentral/app/utils directory. This tool creates your custom TLS setup for Nginx and automatically acquires a certificate from Let’s Encrypt. At the end of a successful run you also get a temporary link to set the (super) user password.

For the setup to work properly, adjust the command below to match your FQDN (i.e. zentral.example.org), and pick your username and email address.

sudo /home/zentral/app/utils/setup.py zentral.example.org henry henry@example.org

Note: Depending on your browser language setting, you might run into problems typing @ for the email address. The gearwheel icon lets you change your terminal settings; otherwise copy/paste the @ symbol from elsewhere ;-)

The process should finish in about 30–40 seconds. Follow the command progress as displayed in the screenshots below.

Note: In case you need a self-signed TLS option, inspect the extra arguments in /home/zentral/app/utils/setup.py for --self-signed-cert.

Next, copy/paste the password reset link from the terminal to your browser.

In the web interface set a password, then sign in (again see the screenshots for the steps).

Congratulations, Zentral is up and running! Go and validate your TLS certificate: it will work well for use with osquery and Google Santa.

Yay, we have a trusted certificate already. Thanks again to Let’s Encrypt for making this service available for free!
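Validating the certificate is worth more than a green padlock in the browser, because the osquery and Santa agents will refuse to talk to a server whose chain does not verify. As an added example (not code from the post or from the Zentral project), the shell functions below run the checks a defender would run on the new endpoint with the openssl CLI: chain verification with SNI, and an expiry check that warns before the 90-day Let’s Encrypt lifetime runs out. zentral.example.org is the placeholder host name from the post; the self-signed certificate the script can generate exists only to test the expiry check offline.

```shell
#!/bin/sh
# Added example (not Zentral project code): checks to run on the HTTPS endpoint
# before pointing osquery or Santa clients at it. Assumes the openssl CLI;
# "zentral.example.org" is a placeholder host name.

# Verify the chain the server presents against the local trust store, with SNI,
# the same check the agents' TLS libraries perform. Exit status 0 on success.
verify_server_chain() {
    # $1 host, $2 port
    openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Save the leaf certificate the server sends as PEM in $3.
fetch_server_cert() {
    # $1 host, $2 port, $3 output file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print subject, issuer and expiry of a PEM certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Exit 0 if the PEM certificate in $1 stays valid for at least $2 more days.
# Let's Encrypt certificates live 90 days, so alert well before that point
# or the agents silently lose their server.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Throwaway self-signed certificate for offline testing (constructed, not a real cert).
make_test_cert() {
    # $1 output PEM, $2 validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=zentral.example.org" -keyout /dev/null -out "$1" 2>/dev/null
}

# Full check against a live host: chain validity, then expiry with a 14-day threshold.
check_endpoint() {
    # $1 host, $2 port (default 443)
    port=${2:-443}
    if ! verify_server_chain "$1" "$port"; then
        echo "$1: chain does not verify against the system trust store" >&2
        return 1
    fi
    pem=$(mktemp)
    fetch_server_cert "$1" "$port" "$pem"
    describe_cert "$pem"
    if cert_valid_for_days "$pem" 14; then
        echo "$1: certificate valid for more than 14 days"
    else
        echo "$1: certificate expires within 14 days, renew now" >&2
        rm -f "$pem"
        return 1
    fi
    rm -f "$pem"
}

# Usage: sh check-tls.sh zentral.example.org [443]
if [ $# -ge 1 ]; then
    check_endpoint "$@"
fi
```

Run it as `sh check-tls.sh zentral.example.org` once setup.py has finished; the same two checks, scheduled daily, make a cheap renewal monitor for the Let’s Encrypt certificate.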

Stage 4 — Set up Kibana to read from the “zentral-events” Elasticsearch index

We want to see and explore all the events Zentral stores in an Elasticsearch index. Right now this step has to be performed manually; at the time of this writing we don’t know of Elasticsearch/Kibana APIs that would allow us to automate it.

We navigate to the “Extra links” section in the Zentral UI and click the “Kibana” entry.

In Kibana we now have to create the index pattern used for visualisation. The index name is zentral-events; for the setup steps see the screenshots below.

Screenshots: Kibana index pattern setup; time filter field setup; create index pattern.

Now in Kibana we see that events are already in the index; we should see some heartbeat events being updated.

Stage 5 — Enable a second factor for login

In case you want to limit access to Zentral with two-factor authentication, we provide some options. Out of the box you can use a second factor for authentication:

Set up Time-based One-Time Password (TOTP)

In the user settings go to “verification devices”. Note that you can set up multiple methods here for a single user account.

For TOTP to work you need a mobile app like Google Authenticator or Duo Labs’ Duo Mobile; alternatively 1Password (running on iOS, Android or macOS) can help to set up the TOTP feature in less than a minute.

  1. Select the verification device type.
  2. Set a name for the device.
  3. Scan the QR code with the app.
  4. Enter the verification code and save.

From now on you can only log in with a second factor.
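What the QR code hands to the app is a shared secret, and the six digits it shows are derived from that secret and the current 30-second time step. As an added example that is not Zentral’s code, the script below performs the RFC 6238 TOTP computation with the openssl CLI and adds the server-style check that accepts one step of clock drift on either side; it assumes only that Zentral’s TOTP follows RFC 6238 like the apps named above, and it uses the RFC’s published test secret rather than a real one.

```shell
#!/bin/sh
# Added example (not Zentral code): the RFC 6238 TOTP computation an
# authenticator app performs, reproduced with the openssl CLI. The secret is
# the published RFC 6238 test secret, not a real one; Zentral's server side is
# assumed to follow the same RFC.

RFC6238_TEST_SECRET_HEX=3132333435363738393031323334353637383930  # ASCII "12345678901234567890"

# HMAC-SHA1 over the 8-byte big-endian counter $2 with hex key $1; prints the hex digest.
hmac_sha1_counter() {
    counter=$2
    msg=""
    i=8
    while [ "$i" -gt 0 ]; do
        # emit each byte as a \0ooo escape for printf %b, most significant byte first
        msg="\\0$(printf '%03o' $(( counter % 256 )))$msg"
        counter=$(( counter / 256 ))
        i=$(( i - 1 ))
    done
    printf '%b' "$msg" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

# RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
# nibble of the last digest byte, clear the top bit, keep the last $2 digits.
hotp_from_digest() {
    digest=$1
    digits=$2
    offset=$(( 0x$(printf '%s' "$digest" | cut -c40) ))
    start=$(( offset * 2 + 1 ))
    word=$(printf '%s' "$digest" | cut -c"$start"-"$(( start + 7 ))")
    mod=1
    n=$digits
    while [ "$n" -gt 0 ]; do mod=$(( mod * 10 )); n=$(( n - 1 )); done
    printf "%0${digits}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# TOTP: $1 hex secret, $2 unix time, $3 digits, $4 step in seconds.
totp() {
    hotp_from_digest "$(hmac_sha1_counter "$1" $(( $2 / $4 )))" "$3"
}

# Server-side style check: accept the code for the current 30-second step and
# one step on either side, which tolerates small clock drift on the phone
# while still rejecting codes older than about a minute.
totp_matches() {
    # $1 hex secret, $2 candidate code, $3 unix time
    for delta in -1 0 1; do
        [ "$(totp "$1" $(( $3 + delta * 30 )) 6 30)" = "$2" ] && return 0
    done
    return 1
}

# Demonstration with the RFC 6238 test vectors (time 59 yields 287082).
for t in 59 1111111109 1234567890; do
    echo "T=$t code=$(totp "$RFC6238_TEST_SECRET_HEX" "$t" 6 30)"
done
```

The acceptance window is the design point worth noticing: a phone whose clock is a minute off will never produce a valid code, and a narrower window is what makes the six digits useless to anyone who sees them a few minutes later.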

YubiKey setup

Alternatively you can use a YubiKey as a U2F device. This will only work in supported browsers (so Safari is not supported). Right now the supported browsers are Chrome 63.x or later and Firefox 57.x or later.

Setup again is a simple one-two-three procedure.

With your YubiKey attached to the computer and logged into Zentral with a compatible browser:

  1. Set a device name.
  2. Touch the YubiKey.
  3. You should now see your entry. Zentral 2FA now works with your YubiKey :-)
Screenshot: YubiKey setup

Wrap up

This is the end of our second chapter. We have managed to get Zentral up and running on GCP (or AWS). We’ve set up the Kibana index and seen how simple 2FA can be with Zentral. Next we can dive into Chapter 3 to learn more about process inspection, Prometheus 2.0 and the base.yml configuration in Zentral.