Elastic - SIEM - Docker - Deploy
MVladislavabout
this repo is used to deploy elasticsearch with kibana as SIEM
with swarm and traefik support
-
then deploy
- elastic-agent for handle device integration to collect logs
- winlog-beats with sysmon on windows clients
- opnsense with zenarmor and syslog
-
+ deploy logstash from pfelk
-
+ deploy logstash with helk
some files copied from this repo
info to run all
cd into every folder (you need to run) and run following command in correct folder.
do not foget to create
.envfiles andcpconf templates (described in READMEs).
$docker-swarm-compose elasticsearch
$docker-swarm-compose kibana
$docker-swarm-compose logstash
$docker-swarm-compose elastic-agent
$docker-swarm-compose apm
$docker-swarm-compose filebeatother
best practice start-up
use docker-swarm to manage and start containers.
for that is in each service following defined:
services:
...:
...
deploy:
mode: replicated
replicas: 1
placement:
max_replicas_per_node: 1
constraints:
# - "node.id==${NODE_ID}"
- "node.role==${NODE_ROLE}"
restart_policy:
condition: on-failure
...
ports:
- target: ...
published: ...
mode: hostto start this configuration with all supportings between docker-stack and docker-composer run it with following commando:
$docker-compose config | docker stack deploy --compose-file - <STACK_NAME>or create directly an alias for it:
$alias docker-swarm-compose="docker-compose config | docker stack deploy --compose-file -"and run:
$docker-swarm-compose <STACK_NAME>production
run following on the host system:
$sysctl -w vm.max_map_count=262144☕ COFFEE is a HUG in a MUG ☕