Skip to content

KOFE (Kibana, OSSEC, Filebeat, and Elasticsearch) using Docker

Notifications You must be signed in to change notification settings

ossec/kofe-docker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Elastic stack (ELK) on Docker

Elastic Stack version Build Status Join the chat at https://gitter.im/deviantony/docker-elk

Run the latest version of the Elastic stack with Docker and Docker Compose.

It gives you the ability to analyze any data set by using the searching/aggregation capabilities of Elasticsearch and the visualization power of Kibana.

ℹ️ The Docker images backing this stack include X-Pack with paid features enabled by default (see How to disable paid features to disable them). The trial license is valid for 30 days. After this license expires, you can continue using the free features seamlessly, without losing any data.

Based on the official Docker images from Elastic:


Philosophy

KOFE (Kibana, OSSEC, Filebeat, and Elasticsearch) project's sole purpose is to provide a simple solution into the implementation of OSSEC while providing visualization of OSSEC alerts via Kibana.

Contents

  1. Requirements
  2. Usage
  3. Configuration
  4. JVM tuning

Requirements

Host setup

ℹ️ Especially on Linux, make sure your user has the [required permissions][linux-postinstall] to interact with the Docker daemon.

By default, the stack exposes the following ports:

  • 9200: Elasticsearch HTTP
  • 9300: Elasticsearch TCP transport
  • 5601: Kibana
  • 1515: OSSEC Authd Registration port
  • 1514: OSSEC Remoted Communications port

SELinux

On distributions which have SELinux enabled out-of-the-box you will need to either re-context the files or set SELinux into Permissive mode in order for docker-elk to start properly. For example on Redhat and CentOS, the following will apply the proper context:

$ chcon -R system_u:object_r:admin_home_t:s0 docker-elk/

Docker for Desktop

Windows

Ensure the [Shared Drives][win-shareddrives] feature is enabled for the C: drive.

macOS

The default Docker for Mac configuration allows mounting files from /Users/, /Volumes/, /private/, and /tmp exclusively. Make sure the repository is cloned in one of those locations or follow the instructions from the [documentation][mac-mounts] to add more locations.

Usage

Version selection

This repository tries to stay aligned with the latest version of the Elastic stack. The main branch tracks the current major version (7.x).

To use a different version of the core Elastic components, simply change the version number inside the .env file. If you are upgrading an existing stack, please carefully read the note in the next section.

⚠️ Always pay attention to the [official upgrade instructions][upgrade] for each individual component before performing a stack upgrade.

Older major versions are also supported on separate branches:

Bringing up the stack

Clone this repository onto the Docker host that will run the stack, then start services locally using Docker Compose:

$ make create

You can also run all services in the background (detached mode) by adding the -d flag to the above command.

⚠️ You must rebuild the stack images with docker-compose build whenever you switch branch or update the version of an already existing stack.

If you are starting the stack for the very first time, please read the section below attentively.

Cleanup

Elasticsearch data is persisted inside a volume by default.

In order to entirely shutdown the stack and remove all persisted data, use the following Docker Compose command:

$ make destroy

Initial setup

Setting up user authentication

ℹ️ Refer to How to disable paid features to disable authentication.

The stack is pre-configured with the following privileged bootstrap user:

  • user: elastic
  • password: changeme

Although all stack components work out-of-the-box with this user, we strongly recommend using the unprivileged [built-in users][builtin-users] instead for increased security.

  1. Initialize passwords for built-in users

     ```console
     $ docker-compose exec -T elasticsearch bin/elasticsearch-setup-passwords auto --batch
     ```
    
     Passwords for all 6 built-in users will be randomly generated. Take note of them.
    
  2. Unset the bootstrap password (optional)

     Remove the `ELASTIC_PASSWORD` environment variable from the `elasticsearch` service inside the Compose file
     (`docker-compose.yml`). It is only used to initialize the keystore during the initial startup of Elasticsearch.
    
  3. Replace usernames and passwords in configuration files

     Use the `kibana_system` user (`kibana` for releases <7.8.0) inside the Kibana configuration file
     (`kibana/config/kibana.yml`) and the `logstash_system` user inside the Logstash configuration file
     (`logstash/config/logstash.yml`) in place of the existing `elastic` user.
    
     Replace the password for the `elastic` user inside the Logstash pipeline file (`logstash/pipeline/logstash.conf`).
    
     *:information_source: Do not use the `logstash_system` user inside the Logstash **pipeline** file, it does not have
     sufficient permissions to create indices. Follow the instructions at [Configuring Security in Logstash][ls-security]
     to create a user with suitable roles.*
    
     See also the [Configuration](#configuration) section below.
    
  4. Restart Kibana and Logstash to apply changes

     ```console
     $ docker-compose restart kibana logstash
     ```
    
     *:information_source: Learn more about the security of the Elastic stack at [Tutorial: Getting started with
     security][sec-tutorial].*
    

Injecting data

Give Kibana about a minute to initialize, then access the Kibana web UI by opening http://localhost:5601 in a web browser and use the following credentials to log in:

  • user: elastic
  • password: <your generated elastic password>

Now that the stack is running, you can go ahead and inject some log entries. The shipped Logstash configuration allows you to send content via TCP:

# Using BSD netcat (Debian, Ubuntu, MacOS system, ...)
$ cat /path/to/logfile.log | nc -q0 localhost 5000
# Using GNU netcat (CentOS, Fedora, MacOS Homebrew, ...)
$ cat /path/to/logfile.log | nc -c localhost 5000

You can also load the sample data provided by your Kibana installation.

Default Kibana index pattern creation

When Kibana launches for the first time, it is not configured with any index pattern.

Via the Kibana web UI

ℹ️ You need to inject data into Logstash before being able to configure a Logstash index pattern via the Kibana web UI.

Navigate to the Discover view of Kibana from the left sidebar. You will be prompted to create an index pattern. Enter ossec-* to match Logstash indices then, on the next page, select @timestamp as the time filter field. Finally, click Create index pattern and return to the Discover view to inspect your log entries.

Refer to [Connect Kibana with Elasticsearch][connect-kibana] and [Creating an index pattern][index-pattern] for detailed instructions about the index pattern configuration.

On the command line

Generate OSSEC index using Kibana API.

$ make generate-index

Note: There will be a prompt to supply your Elasticsearch Password.

The created pattern will automatically be marked as the default index pattern as soon as the Kibana UI is opened for the first time.

Expected Output

$ make generate-index
$ /root/kofe-docker/scripts/index-manage.sh
$ Enter Elasticsearch Password: [REDACTED]
$ OSSEC index generated!

Configuration

ℹ️ Configuration is not dynamically reloaded, you will need to restart individual components after any configuration change.

How to configure Elasticsearch

The Elasticsearch configuration is stored in [elasticsearch/config/elasticsearch.yml][config-es].

You can also specify the options you want to override by setting environment variables inside the Compose file:

elasticsearch:

	environment:
		network.host: _non_loopback_
		cluster.name: my-cluster

Please refer to the following documentation page for more details about how to configure Elasticsearch inside Docker containers: [Install Elasticsearch with Docker][es-docker].

How to configure Kibana

The Kibana default configuration is stored in [kibana/config/kibana.yml][config-kbn].

It is also possible to map the entire config directory instead of a single file.

Please refer to the following documentation page for more details about how to configure Kibana inside Docker containers: [Install Kibana with Docker][kbn-docker].

How to disable paid features

Switch the value of Elasticsearch's xpack.license.self_generated.type option from trial to basic (see License settings).

How to reset a password programmatically

If for any reason your are unable to use Kibana to change the password of your users (including [built-in users][builtin-users]), you can use the Elasticsearch API instead and achieve the same result.

In the example below, we reset the password of the elastic user (notice "/user/elastic" in the URL):

$ curl -XPOST -D- 'http://localhost:9200/_security/user/elastic/_password' \
		-H 'Content-Type: application/json' \
		-u elastic:<your current elastic password> \
		-d '{"password" : "<your new password>"}'

JVM tuning

How to specify the amount of memory used by a service

By default, Elasticsearch starts with 1/4 of the total host memory allocated to the JVM Heap Size.

The startup script for Elasticsearch can append extra JVM options from the value of an environment variable, allowing the user to adjust the amount of memory that can be used by each component:

Service Environment variable
Elasticsearch ES_JAVA_OPTS

To accomodate environments where memory is scarce (Docker for Mac has only 2 GB available by default), the Heap Size allocation is capped by default to 256MB per service in the docker-compose.yml file. If you want to override the default JVM configuration, edit the matching environment variable(s) in the docker-compose.yml file.

For example, to increase the maximum JVM Heap Size for Logstash:

elasticsearch:

	environment:
		ES_JAVA_OPTS: -Xmx1g -Xms1g

How to enable a remote JMX connection to a service

As for the Java Heap memory (see above), you can specify JVM options to enable JMX and map the JMX port on the Docker host.

Update the {ES,LS}_JAVA_OPTS environment variable with the following content (I've mapped the JMX service on the port 18080, you can change that). Do not forget to update the -Djava.rmi.server.hostname option with the IP address of your Docker host (replace DOCKER_HOST_IP):

elasticsearch:

	environment:
		ES_JAVA_OPTS: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=18080 -Dcom.sun.management.jmxremote.rmi.port=18080 -Djava.rmi.server.hostname=DOCKER_HOST_IP -Dcom.sun.management.jmxremote.local.only=false

Coming Soon!

  • TLS support for Elasticsearch and Kibana

Thanks

Special thanks to:

About

KOFE (Kibana, OSSEC, Filebeat, and Elasticsearch) using Docker

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published