RedELK
RedELK is Outflank’s open-source SIEM platform purpose-built for red teams, providing centralized logging, correlation, and visualization across Cobalt Strike, Covenant, Sliver, redirectors, and phishing infrastructure in real-time.
Installation
Seção intitulada “Installation”Prerequisites
Seção intitulada “Prerequisites”- Docker and Docker Compose
- 8GB+ RAM (16GB recommended for large deployments)
- Linux or macOS (Windows with WSL2)
- Git
Clone RedELK Repository
Seção intitulada “Clone RedELK Repository”git clone https://github.com/outflanknl/RedELK.git
cd RedELKDocker Compose Setup
Seção intitulada “Docker Compose Setup”# Navigate to docker directory
cd docker
# Copy and customize environment file
cp .env.example .env
# Start all services (Elasticsearch, Kibana, Logstash, Filebeat)
docker-compose up -d
# Verify services are running
docker-compose ps
# Check Elasticsearch health
curl -u elastic:password http://localhost:9200/_cluster/healthManual Installation (Advanced)
Seção intitulada “Manual Installation (Advanced)”# Install Elasticsearch
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.10.0-linux-x86_64.tar.gz
tar -xzf elasticsearch-8.10.0-linux-x86_64.tar.gz
cd elasticsearch-8.10.0/
./bin/elasticsearch
# Install Kibana (separate terminal)
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.10.0-linux-x86_64.tar.gz
tar -xzf kibana-8.10.0-linux-x86_64.tar.gz
cd kibana-8.10.0/
./bin/kibana
# Install Logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-8.10.0-linux-x86_64.tar.gz
tar -xzf logstash-8.10.0-linux-x86_64.tar.gzArchitecture
Seção intitulada “Architecture”RedELK consists of four primary components:
| Component | Purpose | Port |
|---|---|---|
| Elasticsearch | Search and analytics engine, stores logs | 9200, 9300 |
| Kibana | Web UI for visualization and dashboarding | 5601 |
| Logstash | Log parsing, enrichment, and filtering | 5000 |
| Filebeat | Lightweight log shipper from C2/redirectors | 5044 |
Data flow: C2/Redirector → Filebeat → Logstash → Elasticsearch ← Kibana
Quick Start
Seção intitulada “Quick Start”Access Kibana Dashboard
Seção intitulada “Access Kibana Dashboard”# After docker-compose up -d
# Navigate to http://localhost:5601
# Default credentials: elastic / password (from .env)Verify Elasticsearch Cluster
Seção intitulada “Verify Elasticsearch Cluster”# Check cluster status
curl -u elastic:password http://localhost:9200/_cluster/health
# List indices
curl -u elastic:password http://localhost:9200/_cat/indices
# Check document count
curl -u elastic:password http://localhost:9200/_cat/count?vInitial Configuration
Seção intitulada “Initial Configuration”# Create RedELK index pattern in Kibana
# Stack Management > Index Patterns > Create index pattern
# Pattern: redelk-*
# Timestamp field: @timestamp
# Apply predefined dashboards
docker exec redelk-kibana /usr/share/kibana/bin/kibana --install-pluginsC2 Log Integration
Seção intitulada “C2 Log Integration”Cobalt Strike Teamserver Logs
Seção intitulada “Cobalt Strike Teamserver Logs”# filebeat.yml configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /path/to/cobaltstrike/logs/*.log
fields:
log_source: cobalt_strike
team_server: ts01.red.local
multiline.pattern: '^\['
multiline.negate: true
multiline.match: afterForward to Logstash
Seção intitulada “Forward to Logstash”# filebeat.yml output
output.logstash:
hosts: ["localhost:5000"]
ssl.enabled: true
ssl.certificate_authorities: ["/path/to/ca.crt"]
ssl.certificate: "/path/to/cert.crt"
ssl.key: "/path/to/key.key"Covenant Integration
Seção intitulada “Covenant Integration”# Enable Covenant logging output
# In Covenant server config, set up Syslog output to Logstash
# Configure Logstash filter to parse Covenant JSON logs
# Logstash filter example
filter {
if [log_source] == "covenant" {
json {
source => "message"
}
mutate {
add_field => { "c2_framework" => "covenant" }
}
}
}Sliver Log Forwarding
Seção intitulada “Sliver Log Forwarding”# Enable Sliver implant callbacks logging
implants
# Configure Sliver server to ship logs to Logstash
# In Sliver config:
sliver > logs --stream logstash://logstash-host:5000Custom C2 Log Parsing
Seção intitulada “Custom C2 Log Parsing”# For custom C2 frameworks, send logs to Logstash via syslog or HTTP
# Logstash input filter
input {
syslog {
port => 5514
type => "custom_c2"
}
}
filter {
if [type] == "custom_c2" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:beacon_id}\] %{GREEDYDATA:action}" }
}
}
}Redirector Logging
Seção intitulada “Redirector Logging”Apache Redirector Logs
Seção intitulada “Apache Redirector Logs”# Configure Apache to log redirector traffic
# In Apache vhost config
CustomLog /var/log/apache2/redelk-access.log combined
ErrorLog /var/log/apache2/redelk-error.log
# filebeat.yml for Apache logs
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/apache2/redelk-access.log
fields:
log_source: apache_redirector
redirector_id: redir01
multiline.pattern: '^\d{1,3}\.\d{1,3}\.'
multiline.negate: true
multiline.match: afterNginx Redirector Logs
Seção intitulada “Nginx Redirector Logs”# Nginx configuration
access_log /var/log/nginx/redelk-access.log combined;
error_log /var/log/nginx/redelk-error.log warn;
# filebeat.yml for Nginx
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/redelk-access.log
fields:
log_source: nginx_redirectorHAProxy Traffic Analysis
Seção intitulada “HAProxy Traffic Analysis”# HAProxy configuration for logging
global
log stdout local0
frontend redelk_frontend
bind *:80
mode http
log global
option httplog
default_backend redelk_backend
backend redelk_backend
balance roundrobin
server c2_server 10.0.0.10:8080
# filebeat.yml for HAProxy
filebeat.inputs:
- type: log
paths:
- /var/log/haproxy.log
fields:
log_source: haproxyPhishing Campaign Tracking
Seção intitulada “Phishing Campaign Tracking”GoPhish Integration
Seção intitulada “GoPhish Integration”# GoPhish sends logs via HTTP to Logstash
# Logstash HTTP input filter
input {
http {
port => 8080
type => "gophish"
}
}
filter {
if [type] == "gophish" {
json {
source => "message"
}
mutate {
add_field => { "campaign" => "%{[campaign_name]}" }
add_field => { "email_sent" => "%{[email_sent]}" }
}
}
}Email Delivery Tracking
Seção intitulada “Email Delivery Tracking”# Create custom Logstash pipeline for email events
input {
file {
path => "/opt/gophish/logs/gophish.log"
start_position => "beginning"
type => "email_tracking"
}
}
filter {
if [type] == "email_tracking" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:recipient}\] %{DATA:status} %{GREEDYDATA:details}" }
}
mutate {
add_field => { "event_type" => "email_delivery" }
}
}
}Click Tracking
Seção intitulada “Click Tracking”# Track phishing clicks via GoPhish webhook
# Logstash webhook input
input {
http {
port => 9000
type => "phishing_click"
}
}
filter {
if [type] == "phishing_click" {
json { source => "message" }
mutate {
add_field => { "event_type" => "click" }
add_field => { "ip_address" => "%{[headers][x-forwarded-for]}" }
add_field => { "user_agent" => "%{[headers][user-agent]}" }
}
geoip {
source => "ip_address"
}
}
}Filebeat Configuration
Seção intitulada “Filebeat Configuration”Main filebeat.yml Structure
Seção intitulada “Main filebeat.yml Structure”filebeat.config.modules:
enabled: false
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/redelk/*.log
fields:
environment: production
team: red_team
output.logstash:
hosts: ["logstash.internal:5000"]
loadbalance: true
worker: 4
logging.level: info
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
permissions: 0644Custom Fields Addition
Seção intitulada “Custom Fields Addition”filebeat.inputs:
- type: log
enabled: true
paths:
- /opt/cobaltstrike/logs/*.log
fields:
log_source: cobalt_strike
team_server: ts01.red.local
operator: operator1
campaign: operation_alpha
customer: acme_corp
field_under_root: falseMultiline Log Patterns
Seção intitulada “Multiline Log Patterns”# Stack traces or multi-line logs
filebeat.inputs:
- type: log
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
multiline.max_lines: 100
multiline.timeout: 5s
# JSON logs
filebeat.inputs:
- type: log
multiline.pattern: '^\{'
multiline.negate: true
multiline.match: afterLogstash Pipelines
Seção intitulada “Logstash Pipelines”C2 Traffic Parsing Pipeline
Seção intitulada “C2 Traffic Parsing Pipeline”# File: /etc/logstash/conf.d/c2-parsing.conf
input {
beats {
port => 5044
}
}
filter {
if [log_source] == "cobalt_strike" {
grok {
match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{DATA:beacon_id} %{DATA:action} %{GREEDYDATA:command}" }
}
}
if [log_source] == "covenant" {
json { source => "message" }
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "redelk-%{+YYYY.MM.dd}"
}
}GeoIP Enrichment
Seção intitulada “GeoIP Enrichment”# Enrich logs with geographic data
filter {
geoip {
source => "client_ip"
target => "geoip"
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "redelk-geo-%{+YYYY.MM.dd}"
}
}Custom Detection Filters
Seção intitulada “Custom Detection Filters”# Detect blue team activity
filter {
if [user_agent] =~ /Nmap|Masscan|nessus/i {
mutate {
add_tag => ["potential_scanner"]
add_field => { "alert_level" => "high" }
}
}
# Detect sandbox/analysis environment
if [user_agent] =~ /Cuckoo|Hybrid|VirusTotal/ {
mutate {
add_tag => ["sandbox_detection"]
}
}
}Kibana Dashboards
Seção intitulada “Kibana Dashboards”Accessing Pre-built Dashboards
Seção intitulada “Accessing Pre-built Dashboards”# Navigate in Kibana UI
# Analytics > Dashboards > Search for "redelk"
# Available dashboards:
# - RedELK Overview
# - Beacon Activity
# - IOC Tracking
# - Redirector Traffic
# - Phishing Campaign
# - Geographic Distribution
# - Detection AlertsBeacon Activity Dashboard
Seção intitulada “Beacon Activity Dashboard”# Create custom visualization
# Kibana > Visualize > Create > Area Chart
# X-axis: timestamp
# Y-axis: count of beacons
# Bucket: Split series by beacon_id
# Saved search filter
log_source: cobalt_strike AND action: beacon_callbackIOC Overview Dashboard
Seção intitulada “IOC Overview Dashboard”# Create IOC dashboard
# Kibana > Visualize > Create > Data Table
# Columns: ip_address, domain, username, hostname
# Filter by log_source and event_type
# Markdown widget for IOC export
Indicators of Compromise detected in last 24 hoursCampaign Timeline Visualization
Seção intitulada “Campaign Timeline Visualization”# Timeline chart in Kibana
# Visualize > Line Chart
# X-axis: @timestamp
# Y-axis: count
# Split by: campaign
# Create search query
campaign: operation_* AND event_type: (beacon OR phishing)Geographic Visualization
Seção intitulada “Geographic Visualization”# Map visualization
# Kibana > Visualize > Maps
# Location field: geoip.location
# Data: client_ip
# Filter: redirector logs
# Heatmap of traffic by countryAlarm Rules
Seção intitulada “Alarm Rules”Automated Alerting Setup
Seção intitulada “Automated Alerting Setup”# Enable Alerting in Kibana
# Stack Management > Rules and Connectors > Create Rule
# Webhook connector for alerting
# Webhook URL: https://hooks.slack.com/services/YOUR/WEBHOOKBlue Team Detection Rule
Seção intitulada “Blue Team Detection Rule”# Rule: Detect blue team scanning activity
# Condition: user_agent contains (nmap OR masscan OR nessus)
# Timeframe: last 5 minutes
# Action: Alert with Slack notificationSandbox Detection Rule
Seção intitulada “Sandbox Detection Rule”# Rule: Detect sandbox/analysis environment
# Condition: user_agent matches (cuckoo OR hybrid OR virustotal)
# Action: Create alert, tag logs with sandbox_detectionKnown-Bad IP Alerting
Seção intitulada “Known-Bad IP Alerting”# Enrichment: Import threat intel feeds
# Rule: client_ip in [bad_ip_list]
# Action: Create high-priority alert, block in redirectorBeacon Check-in Rule
Seção intitulada “Beacon Check-in Rule”# Rule: Track beacon check-ins
# Condition: action == "beacon_callback"
# Visualization: Count of unique beacons over time
# Alert threshold: No check-ins for 10+ minutesIOC Management
Seção intitulada “IOC Management”Tracking Indicators
Seção intitulada “Tracking Indicators”# Create IOC index
PUT /ioc-tracking
{
"mappings": {
"properties": {
"indicator": { "type": "keyword" },
"indicator_type": { "type": "keyword" },
"source": { "type": "keyword" },
"campaign": { "type": "keyword" },
"timestamp": { "type": "date" }
}
}
}
# Add IOCs from logs
POST /ioc-tracking/_doc
{
"indicator": "192.168.1.100",
"indicator_type": "ip",
"source": "cobalt_strike",
"campaign": "operation_alpha",
"timestamp": "2026-04-17T10:00:00Z"
}Exporting IOC Lists
Seção intitulada “Exporting IOC Lists”# Export IOCs via Kibana
# Discover > Filter by indicator_type
# Export to CSV/JSON
# Create saved search for quick export
# Name: "Active IOCs"
# Query: campaign: operation_* AND timestamp: > now-24hIOC Aggregation Dashboard
Seção intitulada “IOC Aggregation Dashboard”# Kibana visualization
# Data Table showing:
# - IP addresses with beacon count
# - Domains with traffic volume
# - Hostnames with first seen date
# - Usernames with activity countTroubleshooting
Seção intitulada “Troubleshooting”Elasticsearch Connection Issues
Seção intitulada “Elasticsearch Connection Issues”# Check Elasticsearch connectivity
curl -u elastic:password http://localhost:9200/
# Verify Logstash can reach Elasticsearch
docker logs redelk-logstash | grep -i error
# Check firewall rules
netstat -tlnp | grep 9200Missing Logs in Kibana
Seção intitulada “Missing Logs in Kibana”# Verify Filebeat is running
systemctl status filebeat
# Check Filebeat logs
tail -f /var/log/filebeat/filebeat
# Verify data is reaching Logstash
tcpdump -i lo port 5044
# Check Elasticsearch indices
curl -u elastic:password http://localhost:9200/_cat/indices?vHigh Memory Usage
Seção intitulada “High Memory Usage”# Increase JVM heap (Elasticsearch/Logstash)
# export ES_JAVA_OPTS="-Xms2g -Xmx2g"
# In docker-compose.yml
environment:
- "ES_JAVA_OPTS=-Xms4g -Xmx4g"
# Restart services
docker-compose restartLogstash Filter Debugging
Seção intitulada “Logstash Filter Debugging”# Add debug output to Logstash config
output {
stdout { codec => rubydebug }
elasticsearch { ... }
}
# Check Logstash logs
docker logs redelk-logstash --tail 100Best Practices
Seção intitulada “Best Practices”| Practice | Benefit |
|---|---|
| Separate indices by log source | Easier querying and retention policies |
| Add custom fields at Filebeat | Enriches logs before indexing |
| Use field_under_root: false | Keeps Filebeat metadata organized |
| Implement log rotation | Prevents disk space exhaustion |
| Regular backups of Elasticsearch | Recovery from data loss |
| Monitor cluster health | Catches issues early |
| Use index lifecycle policies | Auto-archive old logs |
| Enable TLS/SSL | Protects data in transit |
| Restrict Kibana access | Limits exposure of sensitive logs |
| Document custom parsers | Aids team handoff and debugging |
Security Hardening
Seção intitulada “Security Hardening”# Enable X-Pack security in elasticsearch.yml
xpack.security.enabled: true
xpack.security.authc:
realms:
native:
type: native
order: 0
# Create API keys for Filebeat instead of passwords
POST /_security/api_key
{
"name": "filebeat-key",
"role_descriptors": {
"filebeat_role": {
"cluster": ["monitor"],
"index": [{"names": ["redelk-*"], "privileges": ["write", "index", "manage"]}]
}
}
}Retention Policies
Seção intitulada “Retention Policies”# Create Index Lifecycle Policy
PUT _ilm/policy/redelk-policy
{
"policy": {
"phases": {
"hot": {
"min_age": "0d",
"actions": {}
},
"warm": {
"min_age": "30d",
"actions": {
"set_priority": { "priority": 50 }
}
},
"cold": {
"min_age": "90d",
"actions": {
"set_priority": { "priority": 0 }
}
},
"delete": {
"min_age": "180d",
"actions": {
"delete": {}
}
}
}
}
}Related Tools
Seção intitulada “Related Tools”| Tool | Purpose | Integration |
|---|---|---|
| Mythic C2 | Alternative C2 framework | Logstash filter for Mythic logs |
| Sliver | Command & control framework | Native Logstash output |
| ELK Stack | Open-source SIEM foundation | RedELK built on ELK |
| VECTR | Detection framework correlation | Export RedELK IOCs to VECTR |
| Splunk | Enterprise SIEM alternative | Similar parsing/visualization |
| Wazuh | Host-based monitoring | Complement with endpoint data |