mirror of https://github.com/infosecn1nja/HELK.git
281 lines
7.2 KiB
YAML
281 lines
7.2 KiB
YAML
version: '3.5'
|
|
|
|
services:
|
|
helk-elasticsearch:
|
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2
|
|
container_name: helk-elasticsearch
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "9"
|
|
max-size: "6m"
|
|
secrets:
|
|
- source: elasticsearch.yml
|
|
target: /usr/share/elasticsearch/config/elasticsearch.yml
|
|
volumes:
|
|
- esdata:/usr/share/elasticsearch/data
|
|
- ./helk-elasticsearch/scripts:/usr/share/elasticsearch/scripts
|
|
- ./helk-elasticsearch/config/jvm.options:/usr/share/elasticsearch/config/jvm.options
|
|
entrypoint: /usr/share/elasticsearch/scripts/elasticsearch-entrypoint.sh
|
|
environment:
|
|
- cluster.name=helk-cluster
|
|
- node.name=helk-1
|
|
- xpack.license.self_generated.type=trial
|
|
- xpack.security.enabled=true
|
|
- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
|
|
ulimits:
|
|
memlock:
|
|
soft: -1
|
|
hard: -1
|
|
nproc: 20480
|
|
nofile:
|
|
soft: 160000
|
|
hard: 160000
|
|
restart: always
|
|
networks:
|
|
helk:
|
|
helk-logstash:
|
|
image: otrf/helk-logstash:7.5.2.2
|
|
container_name: helk-logstash
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "9"
|
|
max-size: "6m"
|
|
volumes:
|
|
- ./helk-logstash/pipeline:/usr/share/logstash/pipeline
|
|
- ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
|
|
- ./helk-logstash/output_templates:/usr/share/logstash/output_templates
|
|
- ./helk-logstash/plugins:/usr/share/logstash/plugins
|
|
- ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
|
|
- ./helk-logstash/scripts:/usr/share/logstash/scripts
|
|
entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
|
|
environment:
|
|
- xpack.monitoring.elasticsearch.username=logstash_system
|
|
- xpack.monitoring.elasticsearch.password=logstashpassword
|
|
- xpack.monitoring.enabled=true
|
|
- xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
|
|
- log.level=warn
|
|
- "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}"
|
|
- "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
|
|
ports:
|
|
- "5044:5044"
|
|
- "8531:8531"
|
|
- "3515:3515"
|
|
restart: always
|
|
depends_on:
|
|
- helk-kibana
|
|
networks:
|
|
helk:
|
|
helk-kibana:
|
|
image: docker.elastic.co/kibana/kibana:7.5.2
|
|
container_name: helk-kibana
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "9"
|
|
max-size: "6m"
|
|
secrets:
|
|
- source: kibana.yml
|
|
target: /usr/share/kibana/config/kibana.yml
|
|
volumes:
|
|
- ./helk-kibana/objects:/usr/share/kibana/objects
|
|
- ./helk-kibana/scripts:/usr/share/kibana/scripts
|
|
entrypoint: /usr/share/kibana/scripts/kibana-entrypoint.sh
|
|
environment:
|
|
KIBANA_UI_PASSWORD: ${KIBANA_UI_PASSWORD}
|
|
ELASTICSEARCH_PASSWORD: ${ELASTIC_PASSWORD}
|
|
restart: always
|
|
depends_on:
|
|
- helk-elasticsearch
|
|
networks:
|
|
helk:
|
|
helk-nginx:
|
|
image: otrf/helk-nginx:0.0.8
|
|
container_name: helk-nginx
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "9"
|
|
max-size: "6m"
|
|
volumes:
|
|
- ./helk-nginx/config/trial-helk:/etc/nginx/sites-available/default
|
|
- ./helk-nginx/scripts/:/opt/helk/scripts/
|
|
entrypoint: /opt/helk/scripts/nginx-entrypoint.sh
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
restart: always
|
|
depends_on:
|
|
- helk-kibana
|
|
- helk-jupyter
|
|
networks:
|
|
helk:
|
|
helk-zookeeper:
|
|
image: otrf/helk-zookeeper:2.3.0
|
|
container_name: helk-zookeeper
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
restart: always
|
|
depends_on:
|
|
- helk-logstash
|
|
networks:
|
|
helk:
|
|
helk-kafka-broker:
|
|
image: otrf/helk-kafka-broker:2.3.0
|
|
container_name: helk-kafka-broker
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
restart: always
|
|
depends_on:
|
|
- helk-zookeeper
|
|
environment:
|
|
KAFKA_BROKER_NAME: helk-kafka-broker
|
|
KAFKA_BROKER_ID: 1
|
|
KAFKA_BROKER_PORT: 9092
|
|
REPLICATION_FACTOR: 1
|
|
ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
|
|
ZOOKEEPER_NAME: helk-zookeeper
|
|
KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat
|
|
KAFKA_HEAP_OPTS: -Xmx1g -Xms1g
|
|
LOG_RETENTION_HOURS: 4
|
|
ports:
|
|
- "9092:9092"
|
|
networks:
|
|
helk:
|
|
helk-ksql-server:
|
|
image: confluentinc/cp-ksql-server:5.1.3
|
|
container_name: helk-ksql-server
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
restart: always
|
|
depends_on:
|
|
- helk-kafka-broker
|
|
environment:
|
|
KSQL_BOOTSTRAP_SERVERS: helk-kafka-broker:9092
|
|
KSQL_LISTENERS: http://0.0.0.0:8088
|
|
KSQL_KSQL_SERVICE_ID: wardog
|
|
KSQL_CUB_KAFKA_TIMEOUT: 300
|
|
KSQL_KSQL_COMMIT_INTERVAL_MS: 2000
|
|
KSQL_KSQL_CACHE_MAX_BYTES_BUFFERING: 10000000
|
|
KSQL_KSQL_STREAMS_AUTO_OFFSET_RESET: earliest
|
|
KSQL_HEAP_OPTS: -Xmx500m
|
|
KSQL_OPTS: "-Dconfluent.support.metrics.enable=false"
|
|
ports:
|
|
- 8088:8088
|
|
networks:
|
|
helk:
|
|
helk-ksql-cli:
|
|
image: confluentinc/cp-ksql-cli:5.1.3
|
|
container_name: helk-ksql-cli
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
depends_on:
|
|
- helk-ksql-server
|
|
environment:
|
|
KSQL_HEAP_OPTS: -Xmx500m
|
|
entrypoint: /bin/sh
|
|
tty: true
|
|
networks:
|
|
helk:
|
|
helk-jupyter:
|
|
build: helk-jupyter/
|
|
container_name: helk-jupyter
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
environment:
|
|
JUPYTER_TYPE: notebook
|
|
JUPYTER_BASE_URL: /jupyter
|
|
volumes:
|
|
- notebooks:/opt/helk/jupyter/notebooks
|
|
restart: always
|
|
depends_on:
|
|
- helk-logstash
|
|
networks:
|
|
helk:
|
|
helk-spark-master:
|
|
image: otrf/helk-spark-master:2.4.4
|
|
container_name: helk-spark-master
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
environment:
|
|
SPARK_MASTER_PORT: 7077
|
|
SPARK_MASTER_WEBUI_PORT: 8080
|
|
ports:
|
|
- "8080:8080"
|
|
restart: always
|
|
depends_on:
|
|
- helk-logstash
|
|
networks:
|
|
helk:
|
|
helk-spark-worker:
|
|
image: otrf/helk-spark-worker:2.4.4
|
|
container_name: helk-spark-worker
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "1m"
|
|
environment:
|
|
SPARK_MASTER: spark://helk-spark-master:7077
|
|
SPARK_WORKER_MEMORY: 1g
|
|
SPARK_WORKER_WEBUI_PORT: 8081
|
|
SPARK_WORKER_PORT: 42950
|
|
restart: always
|
|
depends_on:
|
|
- helk-spark-master
|
|
networks:
|
|
helk:
|
|
helk-elastalert:
|
|
image: otrf/helk-elastalert:0.2.6
|
|
container_name: helk-elastalert
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-file: "5"
|
|
max-size: "6m"
|
|
restart: always
|
|
depends_on:
|
|
- helk-logstash
|
|
environment:
|
|
ES_HOST: helk-elasticsearch
|
|
ES_PORT: 9200
|
|
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD}
|
|
networks:
|
|
helk:
|
|
|
|
networks:
|
|
helk:
|
|
driver: bridge
|
|
|
|
volumes:
|
|
esdata:
|
|
driver: local
|
|
notebooks:
|
|
driver: local
|
|
|
|
secrets:
|
|
elasticsearch.yml:
|
|
file: ./helk-elasticsearch/config/elasticsearch.yml
|
|
kibana.yml:
|
|
file: ./helk-kibana/config/kibana.yml
|
|
|