ELK

Elastichsearch, Logstash and Kibana

Deploy using Docker
Elasticsearch
The vm.max_map_count kernel setting needs to be set to at least 262144 for production use
sysctl -w vm.max_map_count=262144
Deploy elasticsearch:
docker run \
  -tid \
  --name elasticsearch \
  -p 9200:9200 \
  -p 9300:9300 \
  docker.elastic.co/elasticsearch/elasticsearch:6.7.0
Kibana
docker run \
  -tid \
  --name kibana \
  --net=host \
  -p 5601:5601 \
  docker.elastic.co/kibana/kibana:6.7.0
If you want to mount the config file, use:
--volume="/your-path/kibana.yml:/usr/share/kibana/config/kibana.yml:ro" \
Deploy using docker-compose
Run:
git clone https://github.com/deviantony/docker-elk.git
cd docker-elk
docker-compose up
Deploy Filebeat
Create the config file:
sudo nano filebeat.docker.yml
Paste
filebeat:
  config:
    modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
    
  autodiscover:
    providers:
      - type: docker
        hints.enabled: true
​
  prospectors:  
  - input_type: log
    paths:
      - /var/log/*.log
​
output.logstash:
  hosts: ["localhost:5044"]
  
#output.elasticsearch:
#  hosts: ["http://<HOST>:<IP>"]
​
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
Run the container:
docker run -tid \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  docker.elastic.co/beats/filebeat:6.7.0 filebeat
Access Kibana: http://localhost:5601​
Go to Management -> Index Patterns and create your index.

Docker - Previous

Cheat Sheet

Next - Docker

Ubuntu NoVNC

Last modified 4yr ago