Docker ELK Winlogbeat FileBeat

  • Category: Computer-related
  • Last Updated: Sunday, 11 October 2020 12:33
  • Published: Tuesday, 08 September 2020 20:58
  • Written by sam

Quick start ELK in Docker

 

~ docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 --name elk -d sebp/elk
e8785c3afcc2f1a6883324f0e4a80947883f1e20258f7d44fcb3ef00e3d731d7
~ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                                                                        NAMES
e8785c3afcc2        sebp/elk            "/usr/local/bin/star…"   7 seconds ago       Up 5 seconds        0.0.0.0:5044->5044/tcp, 0.0.0.0:5601->5601/tcp, 9300/tcp, 0.0.0.0:9200->9200/tcp, 9600/tcp   elk
~ docker logs -f e87
 * Starting periodic command scheduler cron
   ...done.
 * Starting Elasticsearch Server
   ...done.
waiting for Elasticsearch to be up (1/30)
waiting for Elasticsearch to be up (2/30)
waiting for Elasticsearch to be up (3/30)
waiting for Elasticsearch to be up (4/30)
waiting for Elasticsearch to be up (5/30)

Waiting for Elasticsearch cluster to respond (1/30)
logstash started.
 * Starting Kibana5
   ...done.

Generate Certificate

docker exec -it e87 bash

root@e8785c3afcc2:/etc/pki/tls# vi /etc/ssl/openssl.cnf

Find the [ v3_ca ] section and add a subjectAltName entry with the IP address of your ELK host:

[ v3_ca ]
subjectAltName = IP: 192.168.9.142    # replace with your own IP

Then generate the key and certificate from /etc/pki/tls:

root@e8785c3afcc2:/etc/pki/tls# pwd
/etc/pki/tls
root@e8785c3afcc2:/etc/pki/tls# openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-beats.key -out certs/logstash-beats.crt
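
Beats check the Logstash certificate against the address given in hosts, which is why that IP has to be present as a subjectAltName. The following added example (not part of the original post) shows the difference using two throwaway certificates generated the same way as above. The address 192.0.2.10, the CN and the file names are constructed, and make_cert, cert_covers_ip and san_report are helper names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. The IP and file names are
# constructed; certs are written to a temp dir, not to /etc/pki/tls.

# make_cert PREFIX [IP]: self-signed cert made like the post's, with an IP SAN
# in [ v3_ca ] only when IP is given.
make_cert() {
  san_line=""
  [ -n "$2" ] && san_line="subjectAltName = IP:$2"
  cat > "$1.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = logstash-demo
[ v3_ca ]
basicConstraints = CA:true
$san_line
EOF
  openssl req -config "$1.cnf" -x509 -days 30 -batch -nodes -newkey rsa:2048 \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# cert_covers_ip CERT IP: succeeds only if CERT has an IP SAN equal to IP.
# Matches on the message text rather than relying on the exit status.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# san_report IP: build one cert with the SAN and one without, then print
# "<with>/<without>", each side "ok" or "FAIL" for that IP.
san_report() {
  d=$(mktemp -d) || return 1
  { make_cert "$d/with" "$1" && make_cert "$d/without"; } || { rm -rf "$d"; return 1; }
  r1=FAIL; r2=FAIL
  cert_covers_ip "$d/with.crt" "$1" && r1=ok
  cert_covers_ip "$d/without.crt" "$1" && r2=ok
  rm -rf "$d"
  echo "$r1/$r2"
}

san_report 192.0.2.10   # constructed documentation address; prints ok/FAIL
```

To check the real certificate, run cert_covers_ip certs/logstash-beats.crt 192.168.9.142 inside the container, with your own IP in place of the post's.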
 

Copy the .crt out of the container

docker cp e87:/etc/pki/tls/certs/logstash-beats.crt ./

Copy the .crt to your Winlogbeat and Filebeat machines

Install Winlogbeat

Download Winlogbeat and follow the reference install guide

winlogbeat config

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.9.142:5044"]  # replace with your Logstash host

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["C:/Users/kalsdfi47a/Downloads/filebeat-7.9.1-windows-x86_64/logstash-beats.crt"]  # replace with the path to your copy of the .crt

Install Filebeat

Download Filebeat and follow the reference install guide

filebeat config

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.9.142:5044"]  # replace with your Logstash host

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["C:/Users/kalsdfi47a/Downloads/filebeat-7.9.1-windows-x86_64/logstash-beats.crt"]  # replace with the path to your copy of the .crt

 

On Windows, start both services from services.msc or from PowerShell:

Start-Service winlogbeat
Start-Service filebeat

Open the Kibana web UI (port 5601 on the ELK host) and check that the data is arriving.