The Council of Europe, based in Strasbourg (France), now covers virtually the entire European continent, with its 46 member countries.
Founded on 5 May 1949 by 10 countries, the Council of Europe seeks to develop throughout Europe common and democratic principles based on the European Convention on Human Rights and other reference texts on the protection of individuals.
In order to improve its detection capabilities, threat analysis, corrective measures, and other forensic investigations, the Council of Europe [CoE] wants to upgrade its Security Information and Event Management (SIEM) system. The current tool in place is the ELK stack (Elasticsearch, Logstash, Kibana) in version 6.5.4, which will have to be upgraded to a stable 8.X.X version.
We are looking for a Senior System Administrator – ELK Stack to join the team on-site in Strasbourg, France, to help with the transition.
Upcoming challenges include:
- Integration of the solution into our environment
- Ingestion of the different log channels in the SIEM
- The capability of executing fast and efficient forensic searches
- Maintaining the current retention policy in the SIEM
- A stable, easily evolvable and monitored configuration
- Alert notifications.
The current ELK version is 6.5.4, running on 11 physical servers using Docker.
As of today, a daily volume of 850G of logs is ingested into ELK. This volume will increase over time.
The current logs ingested are:
- Firewall logs based on Cisco technology
- Remote firewall logs based on Fortinet technology
- Linux system logs (MySQL, SSH and sudo) via syslog-ng
- Proxy and reverse proxy logs based on NGINX and Squid
- Mail journaling based on Postfix
- Windows system logs via Windows Event Forwarding (all servers and PCs are logged)
- Azure logs (O365)
Candidates must cover the following elements:
- ELK migration from version 6 to version 8 via version 7, as recommended by the vendor
- Identification and authentication management
- Role-based access control for the indices
- Retention policy based on the Hot/Warm/Cold/Frozen tier model
- Re-ingestion process management
- Process of integrating a new data source
- Gap analysis study on the existing ingested logs and associated indices
- Migrating the existing configuration (retention, search configuration, alerts …)
- Migration of the existing indices to version 8 of ELK
- Adding new indices, e.g. for Cloudflare or the Cybereason EDR solution
- Guaranteeing service continuity during the migration process
- Reconfiguring the existing alerts
- Provide help in correlating SIEM data with external threat intelligence
- Optional machine learning module
- Adding new features such as URL decoding (for instance base64-encoded POST requests)
- Offering an easy process for integrating new logs or indices
- Creating automation scripts for re-ingesting logs
- Offering a monitoring system for all elements of the ELK stack, with alerting (either a new solution or one based on existing CoE elements such as Nagios)
- Performing stress and performance tests on the new platform
- The contractor may review the current architecture if they think it needs to be optimized
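The "URL decoding" deliverable above (base64 in POST requests) is the kind of enrichment that, once the stack is on version 8, would normally live in an Elasticsearch ingest pipeline or a Logstash filter. The following is an added Python example, not Council of Europe code, that shows the logic on constructed NGINX-style proxy log lines: query parameters that are plausibly base64 (standard or URL-safe alphabet, with or without padding) are decoded into a separate field so that forensic searches can match on the decoded text, while ordinary words and binary payloads are left alone. The log format, field names and sample lines are assumptions.

```python
"""Decode base64-encoded URL query parameters from proxy access logs.

Added example (not Council of Europe code). Shows the enrichment logic that an
ingest pipeline or Logstash filter would apply so the SIEM can search on the
decoded value. Log format and output field names are assumptions.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Constructed NGINX combined-format lines. The base64 value in the first
# line decodes to the harmless test string "hello world".
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jul/2022:10:01:02 +0200] "POST /api/upload?data=aGVsbG8gd29ybGQ HTTP/1.1" 200 12',
    '10.0.0.6 - - [12/Jul/2022:10:01:03 +0200] "GET /search?q=elastic&page=2 HTTP/1.1" 200 512',
]

# Request part of a combined-format line: method, path (with query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"')
# Standard and URL-safe alphabets; '=' only allowed as trailing padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+=*$")
# Short values are too often ordinary words that happen to be valid base64.
MIN_B64_LEN = 8


def try_decode_base64(value: str):
    """Return decoded text if value is plausibly base64, otherwise None.

    Tolerates missing padding and the URL-safe alphabet; rejects anything that
    does not decode to printable UTF-8, so binary payloads never end up in a
    text field (they would need a separate handler).
    """
    if not B64_RE.match(value):
        return None
    stripped = value.rstrip("=")
    if len(stripped) < MIN_B64_LEN:
        return None
    normalized = stripped.replace("-", "+").replace("_", "/")
    padded = normalized + "=" * (-len(normalized) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None  # e.g. length that can never be valid base64
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def split_query(query: str):
    """Yield (name, value) pairs from a raw query string.

    Uses unquote(), not unquote_plus(): '+' is a base64 digit and must not be
    turned into a space before decoding.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, val = pair.partition("=")
        yield unquote(name), unquote(val)


def enrich_request(line: str) -> dict:
    """Parse one access-log line and attach decoded query parameters.

    The returned dict carries the method and path plus a `decoded_params`
    mapping (assumed field name) for every parameter that decoded cleanly.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return {"parse_error": True, "raw": line}
    parts = urlsplit(m.group("path"))
    decoded = {}
    for name, val in split_query(parts.query):
        text = try_decode_base64(val)
        if text is not None:
            decoded[name] = text
    return {
        "method": m.group("method"),
        "url_path": parts.path,
        "query": parts.query,
        "decoded_params": decoded,
    }


def enrich_all(lines):
    """Enrich a batch of log lines; returns one event dict per line."""
    return [enrich_request(line) for line in lines]


if __name__ == "__main__":
    for event in enrich_all(SAMPLE_LOGS):
        print(event)
```

In a real pipeline the `decoded_params` field would be mapped as a keyword or text field in the version 8 index template so that the gap analysis and alert reconfiguration can reference it directly.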
Required experience:
- Experience in the administration of Linux and Windows operating systems
- Experience with the administration and architecture of ELK (Elasticsearch, Logstash, Kibana)
- Experience with syslog, Redis and ElastAlert administration
- Experience with Docker setup
Contract terms:
- Relocation to Strasbourg, France, is a must
- 4-year contract (annual renewals)
- Deadline for applications: 27 July 2022
- Rate: to be discussed based on your experience
- Type: annual freelance contract at €420 / day, all-inclusive daily rate
If interested, please share your CV at email@example.com.