mirror of https://github.com/infosecn1nja/HELK.git
Use the custom Logstash image; fixes some more issues with plugins. Additionally, monitoring is no longer limited to X-Pack. Also uses the same logstash.yml now too :)
parent
9955e13b3c
commit
ce102c8328
@ -34,7 +34,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
image: docker.elastic.co/logstash/logstash:7.5.2
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -46,10 +46,13 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
|
||||
- "5044:5044"
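Review bot: `image: otrf/helk-logstash:7.5.2` swaps the vendor image for a prebuilt third-party image from Docker Hub addressed by a mutable tag, so the Logstash bits this compose file runs can change with no change to the file; pin the published digest, e.g. `image: otrf/helk-logstash:7.5.2@sha256:<digest>`, or point this file at the `build:` variant. The `xpack.monitoring.enabled` and `xpack.monitoring.elasticsearch.hosts` entries under `environment` duplicate values that this same commit bakes into the image's `config/logstash.yml`; whether the env copy still takes effect depends on `logstash-entrypoint.sh`, which is not in view, so one of the two should go to keep a single source of truth. The monitoring target is plain `http://`, which is only acceptable while Elasticsearch security is disabled on this network.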
|
||||
|
|
|
@ -35,7 +35,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
build: helk-logstash/
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -47,12 +47,15 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.elasticsearch.username=logstash_system
|
||||
- xpack.monitoring.elasticsearch.password=logstashpassword
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
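Review bot: `xpack.monitoring.elasticsearch.password=logstashpassword` commits a literal credential for the built-in `logstash_system` user to this compose file, while `ELASTIC_PASSWORD=${ELASTIC_PASSWORD}` three lines below already shows the file's pattern for taking secrets from the environment; follow it, e.g. `- xpack.monitoring.elasticsearch.password=${LOGSTASH_SYSTEM_PASSWORD}`, and document the new variable next to ELASTIC_PASSWORD. If `logstash-entrypoint.sh` (outside this hunk) sets the `logstash_system` password itself, this value is dead and should be removed rather than left as a guessable default. The monitoring endpoint is `http://`, so the credential travels in clear on the docker network; acceptable for a lab, but worth a comment saying so.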
|
||||
|
|
|
@ -34,17 +34,20 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
image: docker.elastic.co/logstash/logstash:7.5.2
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
volumes:
|
||||
- ./helk-logstash/pipeline:/usr/share/logstash/pipeline
|
||||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
|
||||
- "5044:5044"
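Review bot: `image: otrf/helk-logstash:7.5.2` is a mutable tag on a third-party Docker Hub image, so the container this file starts is no longer fixed by the file's contents the way the previous `docker.elastic.co` reference plus its own config was; pin the digest once the image is pushed, e.g. `image: otrf/helk-logstash:7.5.2@sha256:<digest>`. The `xpack.monitoring.*` lines under `environment` restate settings the new image already carries in `config/logstash.yml`; since the custom entrypoint that decides which copy wins is outside this hunk, drop one copy so the effective value is unambiguous. The monitoring URL is plain `http://` and carries no credentials here, which is only correct while Elasticsearch runs without security on the `helk` network.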
|
||||
|
|
|
@ -35,7 +35,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
build: helk-logstash/
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -47,12 +47,15 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.elasticsearch.username=logstash_system
|
||||
- xpack.monitoring.elasticsearch.password=logstashpassword
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
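Review bot: `xpack.monitoring.elasticsearch.password=logstashpassword` hardcodes the `logstash_system` password in version control, inconsistent with `ELASTIC_PASSWORD=${ELASTIC_PASSWORD}` in the same block, which is read from the environment; change it to `- xpack.monitoring.elasticsearch.password=${LOGSTASH_SYSTEM_PASSWORD}` and document the variable wherever ELASTIC_PASSWORD is documented. If `logstash-entrypoint.sh` already derives or resets this password (the script is not in view), the literal is dead configuration and should be deleted instead of shipping as a well-known default. Because the hosts entry is `http://`, the credential is also sent unencrypted between containers; add a comment stating that assumption.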
|
||||
|
|
|
@ -34,7 +34,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
image: docker.elastic.co/logstash/logstash:7.5.2
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -46,10 +46,13 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
|
||||
- "5044:5044"
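Review bot: `image: otrf/helk-logstash:7.5.2` references a prebuilt image from a third-party registry namespace by tag only, so what runs can silently change; pin by digest, e.g. `image: otrf/helk-logstash:7.5.2@sha256:<digest>`, or reference the `build:` variant for this deployment. The `xpack.monitoring.enabled` and `xpack.monitoring.elasticsearch.hosts` env entries are now also set inside the image's `config/logstash.yml` by this commit; with the custom entrypoint outside this hunk, it is unclear which copy is effective, so keep only one. `http://helk-elasticsearch:9200` is unauthenticated cleartext, acceptable only for the no-security variant this file appears to be.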
|
||||
|
|
|
@ -35,7 +35,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
build: helk-logstash/
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -47,12 +47,15 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.elasticsearch.username=logstash_system
|
||||
- xpack.monitoring.elasticsearch.password=logstashpassword
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
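Review bot: `xpack.monitoring.elasticsearch.password=logstashpassword` is a plaintext credential committed to the repository for the `logstash_system` account, whereas `ELASTIC_PASSWORD=${ELASTIC_PASSWORD}` in the same `environment` list shows secrets are meant to come from the environment; use `- xpack.monitoring.elasticsearch.password=${LOGSTASH_SYSTEM_PASSWORD}` and document it alongside ELASTIC_PASSWORD. Should `logstash-entrypoint.sh` (not in this hunk) manage that password itself, remove the literal rather than leave a guessable default. Note also that the hosts entry is `http://`, so this credential is sent in clear on the docker network.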
|
||||
|
|
|
@ -34,7 +34,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
image: docker.elastic.co/logstash/logstash:7.5.2
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -46,10 +46,13 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
|
||||
- "5044:5044"
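Review bot: `image: otrf/helk-logstash:7.5.2` pulls a third-party prebuilt image by mutable tag, so the running Logstash can change without any edit to this file; pin the image digest, e.g. `image: otrf/helk-logstash:7.5.2@sha256:<digest>`, or use the `build:` variant. The `xpack.monitoring.*` values under `environment` duplicate settings this commit adds to the image's `config/logstash.yml`; the custom `logstash-entrypoint.sh` that decides precedence is outside this hunk, so remove one copy to avoid drift. The monitoring endpoint is cleartext `http://` with no credentials, which holds only while Elasticsearch security is off.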
|
||||
|
|
|
@ -35,7 +35,7 @@ services:
|
|||
networks:
|
||||
helk:
|
||||
helk-logstash:
|
||||
build: helk-logstash/
|
||||
image: otrf/helk-logstash:7.5.2
|
||||
container_name: helk-logstash
|
||||
logging:
|
||||
driver: "json-file"
|
||||
|
@ -47,12 +47,15 @@ services:
|
|||
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
||||
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
||||
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
||||
- ./helk-logstash/config:/usr/share/logstash/config
|
||||
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
||||
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
||||
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
||||
environment:
|
||||
- xpack.monitoring.elasticsearch.username=logstash_system
|
||||
- xpack.monitoring.elasticsearch.password=logstashpassword
|
||||
- xpack.monitoring.enabled=true
|
||||
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
||||
- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
|
||||
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
||||
ports:
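Review bot: `xpack.monitoring.elasticsearch.password=logstashpassword` embeds the `logstash_system` credential directly in the compose file while `ELASTIC_PASSWORD=${ELASTIC_PASSWORD}` a few lines down already uses environment substitution; make them consistent with `- xpack.monitoring.elasticsearch.password=${LOGSTASH_SYSTEM_PASSWORD}` and document the variable next to ELASTIC_PASSWORD. If `logstash-entrypoint.sh` (outside this hunk) sets the password from another source, this literal is dead and should be dropped rather than shipped as a default anyone can look up. The connection is `http://`, so the password also crosses the docker network unencrypted; a one-line comment acknowledging that trade-off would help operators who expose this network.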
|
||||
|
|
|
@ -10,8 +10,17 @@ FROM docker.elastic.co/logstash/logstash:7.5.2
|
|||
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
|
||||
LABEL description="Dockerfile base for the HELK Logstash."
|
||||
|
||||
RUN mv /usr/share/logstash/config/logstash.yml /usr/share/logstash/config/logstash.yml.backup
|
||||
RUN mv /usr/share/logstash/config/pipelines.yml /usr/share/logstash/config/pipelines.yml.backup
|
||||
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
|
||||
|
||||
COPY --chown=logstash:logstash config/logstash.yml /usr/share/logstash/config/logstash.yml
|
||||
COPY --chown=logstash:logstash config/pipelines.yml /usr/share/logstash/config/pipelines.yml
|
||||
# Build with plugins baked in
|
||||
ENV plugins_time_file="/usr/share/logstash/helk-plugins-updated-timestamp.txt"
|
||||
RUN printf "%s" "$(date +"%Y-%m-%d %T")" > "${plugins_time_file}"
|
||||
RUN chown logstash:logstash "${plugins_time_file}"
|
||||
#RUN echo"$(date +"%Y-%m-%d %T")" > "${plugins_time_file}"
|
||||
COPY --chown=logstash:logstash plugins/helk-offline-logstash-codec_and_filter_plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip
|
||||
COPY --chown=logstash:logstash plugins/helk-offline-logstash-input_and_output-plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip
|
||||
RUN logstash-plugin update
|
||||
RUN logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip
|
||||
RUN logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip
|
||||
RUN rm /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip
|
||||
RUN rm /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip
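Review bot: `RUN logstash-plugin update` fetches the newest version of every installed plugin from RubyGems at build time with no version pin or checksum, which makes the image non-reproducible and widens the supply-chain surface, and it runs before the two offline packs are installed, so whatever it fetched may be superseded anyway; drop that line and rely on the pinned offline zips, or pin versions explicitly. The offline zips are installed without an integrity check; a `sha256sum -c` against a committed checksum file before each `logstash-plugin install` would catch a tampered or truncated archive. The commented-out `#RUN echo"$(date ...)"` line is dead and should be removed. Each `RUN rm` only hides the zips in a later layer; fold the copy/install/rm sequence into a single `RUN`, or use a multi-stage build, if the archives should not remain in image history.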
|
|
@ -1,10 +1,10 @@
|
|||
# HELK Custom
|
||||
# pipeline.workers: 2
|
||||
# node.name: test
|
||||
pipeline.batch.size: 1000
|
||||
config.reload.automatic: true
|
||||
config.reload.interval: 60s
|
||||
log.level: warn
|
||||
http.host: "0.0.0.0"
|
||||
xpack.monitoring.elasticsearch.hosts: http://helk-elasticsearch:9200
|
||||
xpack.monitoring.enabled: true
|
||||
# Following variables and values be set at docker runtime
|
||||
#pipeline.workers: 2
|
||||
#xpack.monitoring.elasticsearch.hosts: http://helk-elasticsearch:9200
|
||||
#log.level: warn
|
||||
#http.host: "0.0.0.0"
|
||||
#xpack.monitoring.enabled: true
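Review bot: `http.host: "0.0.0.0"` binds the Logstash monitoring/management API (port 9600 by default) to every container interface; none of the compose hunks in this commit publish 9600, so it stays on the docker network, but that assumption should be written down so a later `ports:` entry does not expose an unauthenticated API, e.g. `# API reachable from other HELK containers only; never publish 9600 on the host`. `xpack.monitoring.elasticsearch.hosts: http://helk-elasticsearch:9200` is now fixed in the image while the compose files still pass the same value through `environment`; if the `# Following variables and values be set at docker runtime` block survives on the new side, it is stale for the settings that moved above it and should be deleted or reworded. With `config.reload.automatic: true` and a 60s interval, anything written to the bind-mounted pipeline directory on the host is hot-loaded into the container, which is a useful property worth a short comment so operators protect that directory.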
|