# ELK

## Deploy using Docker

### Elasticsearch

The vm.max\_map\_count kernel setting needs to be set to at least 262144 for production use

```bash
sysctl -w vm.max_map_count=262144
```

Deploy elasticsearch:

```
docker run \
  -tid \
  --name elasticsearch \
  -p 9200:9200 \
  -p 9300:9300 \
  docker.elastic.co/elasticsearch/elasticsearch:6.7.0
```

### Kibana

```
docker run \
  -tid \
  --name kibana \
  --net=host \
  -p 5601:5601 \
  docker.elastic.co/kibana/kibana:6.7.0
```

{% hint style="info" %}
If you want to mount the config file, use:

\--volume="/your-path/kibana.yml:/usr/share/kibana/config/kibana.yml:ro" \\
{% endhint %}

## Deploy using docker-compose

Run:

```bash
git clone https://github.com/deviantony/docker-elk.git
cd docker-elk
docker-compose up
```

## Deploy Filebeat

Create the config file:

```bash
sudo nano filebeat.docker.yml
```

Paste

```
filebeat:
  config:
    modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
    
  autodiscover:
    providers:
      - type: docker
        hints.enabled: true

  prospectors:  
  - input_type: log
    paths:
      - /var/log/*.log

output.logstash:
  hosts: ["localhost:5044"]
  
#output.elasticsearch:
#  hosts: ["http://<HOST>:<IP>"]

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
```

Run the container:

```bash
docker run -tid \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  docker.elastic.co/beats/filebeat:6.7.0 filebeat
```

Access Kibana: <http://localhost:5601>

Go to Management -> Index Patterns and create your index.