ELK

Elastichsearch, Logstash and Kibana

Deploy using Docker

Elasticsearch

The vm.max_map_count kernel setting needs to be set to at least 262144 for production use

sysctl -w vm.max_map_count=262144

Deploy elasticsearch:

docker run \
  -tid \
  --name elasticsearch \
  -p 9200:9200 \
  -p 9300:9300 \
  docker.elastic.co/elasticsearch/elasticsearch:6.7.0

Kibana

docker run \
  -tid \
  --name kibana \
  --net=host \
  -p 5601:5601 \
  docker.elastic.co/kibana/kibana:6.7.0

If you want to mount the config file, use:

--volume="/your-path/kibana.yml:/usr/share/kibana/config/kibana.yml:ro" \

Deploy using docker-compose

Run:

git clone https://github.com/deviantony/docker-elk.git
cd docker-elk
docker-compose up

Deploy Filebeat

Create the config file:

sudo nano filebeat.docker.yml

Paste

filebeat:
  config:
    modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
    
  autodiscover:
    providers:
      - type: docker
        hints.enabled: true

  prospectors:  
  - input_type: log
    paths:
      - /var/log/*.log

output.logstash:
  hosts: ["localhost:5044"]
  
#output.elasticsearch:
#  hosts: ["http://<HOST>:<IP>"]

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB

Run the container:

docker run -tid \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  docker.elastic.co/beats/filebeat:6.7.0 filebeat

Access Kibana: http://localhost:5601

Go to Management -> Index Patterns and create your index.

PreviousCheat Sheet NextUbuntu NoVNC

Last updated 5 years ago