# ELK

## Deploy using Docker

### Elasticsearch

The vm.max\_map\_count kernel setting needs to be set to at least 262144 for production use

```bash
sysctl -w vm.max_map_count=262144
```

Deploy elasticsearch:

```
docker run \
  -tid \
  --name elasticsearch \
  -p 9200:9200 \
  -p 9300:9300 \
  docker.elastic.co/elasticsearch/elasticsearch:6.7.0
```

### Kibana

```
docker run \
  -tid \
  --name kibana \
  --net=host \
  -p 5601:5601 \
  docker.elastic.co/kibana/kibana:6.7.0
```

{% hint style="info" %}
If you want to mount the config file, use:

\--volume="/your-path/kibana.yml:/usr/share/kibana/config/kibana.yml:ro" \\
{% endhint %}

## Deploy using docker-compose

Run:

```bash
git clone https://github.com/deviantony/docker-elk.git
cd docker-elk
docker-compose up
```

## Deploy Filebeat

Create the config file:

```bash
sudo nano filebeat.docker.yml
```

Paste

```
filebeat:
  config:
    modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
    
  autodiscover:
    providers:
      - type: docker
        hints.enabled: true

  prospectors:  
  - input_type: log
    paths:
      - /var/log/*.log

output.logstash:
  hosts: ["localhost:5044"]
  
#output.elasticsearch:
#  hosts: ["http://<HOST>:<IP>"]

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
```

Run the container:

```bash
docker run -tid \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  docker.elastic.co/beats/filebeat:6.7.0 filebeat
```

Access Kibana: <http://localhost:5601>

Go to Management -> Index Patterns and create your index.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.devops.buzz/public/docker/elk.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.