# R001 Investigating with ELK 101

## Introduction

The ELK Stack is a set of open-source tools bound together to provide a log analytics solution. There are four main components in ELK:

### Components

1. Beats - an agent that ships data from endpoints to the ELK stack
2. Logstash - the component that takes input, filters it and sends the output to other components of the ELK stack. Each input, filter and output stage has its own plugins, chosen according to the data being processed.
3. Elasticsearch - the component that indexes and stores the processed data
4. Kibana - the component used to analyze and visualize the data

<figure><img src="/files/kmkwxFWCb7zy6tXyf05Y" alt=""><figcaption><p>Components of ELK Stack</p></figcaption></figure>

In this room, we focus mainly on Kibana, the visualization component of ELK. It is used to discover patterns, investigate incidents and build dashboards for trends, anomalies and visualizations.

When you analyze data within Kibana, the GUI looks as shown below and lets you perform actions such as drilling down, selecting a particular field, and filtering values in or out.

<figure><img src="/files/IjWR4LnvmAyinOyFrDNm" alt=""><figcaption><p>Kibana Discover screen</p></figcaption></figure>

Kibana uses KQL (Kibana Query Language), a simple text-based query language. It does not aggregate, transform or sort data; it uses filters, boolean operators and wildcards to fetch matching documents.

We can also use the Lucene query language to analyze the data.

## THM Questions

Q1. Select the index **vpn\_connections** and filter from 31st December 2021 to 2nd Feb 2022. How many hits are returned?

2861

Q2. Which IP address has the max number of connections?

238.163.231.224

Q3. Which user is responsible for max traffic?

James

Q4. Create a table with the fields IP, UserName, Source\_Country and save.

<figure><img src="/files/1L9EvVA7bU3uXoWa36AF" alt=""><figcaption><p>Save the search in Kibana</p></figcaption></figure>

Q5. Apply Filter on UserName Emanda; which SourceIP has max hits?

107.14.1.247

Q6. On 11th Jan, which IP caused the spike observed in the time chart?

172.201.60.191

Q7. How many connections were observed from IP **238.163.231.224**, excluding the **New York** state?

48

Q8. Create a search query to filter out the logs from Source\_Country as the **United States** and show logs from User James or Albert. How many records were returned?

161 (Source\_Country : "United States" and UserName : "Albert" or "James")

Q9. As User **Johny Brown** was terminated on 1st January 2022, create a search query to determine how many times a VPN connection was observed after his termination.

1

Q10. Which user was observed with the greatest number of failed attempts?

Simon

Q11. How many wrong VPN connection attempts were observed in January?

274
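The queries behind Q8 and Q9, as an added example that is not part of the room or of Elastic's code: Kibana turns a KQL expression into an Elasticsearch bool query, and this small in-memory evaluator runs such queries over constructed records. It assumes an `@timestamp` field and invented sample values; only the field names `UserName` and `Source_Country` come from the room.

```python
# Added example (not from the room or the Elastic project): a tiny in-memory
# evaluator for the Elasticsearch query DSL that Kibana derives from KQL.
# Field names UserName and Source_Country come from the room; @timestamp and
# the record values below are constructed assumptions, not real index data.
DOCS = [
    {"UserName": "James", "Source_Country": "United States", "@timestamp": "2022-01-03"},
    {"UserName": "Albert", "Source_Country": "United States", "@timestamp": "2021-12-31"},
    {"UserName": "James", "Source_Country": "Germany", "@timestamp": "2022-01-05"},
    {"UserName": "Johny Brown", "Source_Country": "United States", "@timestamp": "2021-12-30"},
    {"UserName": "Johny Brown", "Source_Country": "United States", "@timestamp": "2022-01-04"},
]

def matches(doc, q):
    """Evaluate a subset of query DSL: match, multi_match, range and bool."""
    if "match" in q:                       # field : "value"
        (field, value), = q["match"].items()
        return doc.get(field) == value
    if "multi_match" in q:                 # bare term: any field may match
        return q["multi_match"]["query"] in doc.values()
    if "range" in q:                       # field >= "value" (ISO dates sort as text)
        (field, bounds), = q["range"].items()
        v = doc.get(field)
        ops = {"gte": lambda a, b: a >= b, "gt": lambda a, b: a > b,
               "lte": lambda a, b: a <= b, "lt": lambda a, b: a < b}
        return v is not None and all(ops[op](v, lim) for op, lim in bounds.items())
    b = q["bool"]                          # must = and, should = or
    return (all(matches(doc, c) for c in b.get("must", []))
            and (not b.get("should") or any(matches(doc, c) for c in b["should"])))

def search(q):
    """Return the sample records that satisfy the query (Kibana's 'hits')."""
    return [d for d in DOCS if matches(d, q)]

# Q8 with explicit grouping: Source_Country : "United States" and UserName : ("Albert" or "James")
Q8_GROUPED = {"bool": {"must": [
    {"match": {"Source_Country": "United States"}},
    {"bool": {"should": [{"match": {"UserName": "Albert"}},
                         {"match": {"UserName": "James"}}]}}]}}

# Same text without parentheses: 'and' binds tighter than 'or', so the trailing
# "James" becomes a free-text term that is OR-ed with the whole first clause.
Q8_UNGROUPED = {"bool": {"should": [
    {"bool": {"must": [{"match": {"Source_Country": "United States"}},
                       {"match": {"UserName": "Albert"}}]}},
    {"multi_match": {"query": "James"}}]}}
# Q9: connections by the terminated user on or after 1 January 2022.
Q9 = {"bool": {"must": [
    {"match": {"UserName": "Johny Brown"}},
    {"range": {"@timestamp": {"gte": "2022-01-01"}}}]}}
```

On the sample records the grouped Q8 query returns 2 hits while the ungrouped form returns 3, which is why an over-matching KQL filter can silently inflate a count during an investigation.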
