ELK stack in Docker, with documentation issues fixed.
This is a lab env setup with insecure configs / hardcoded keys. Don't use this anywhere important
This repo adds nothing different other than having a working example of the docker-compose setup described here, the way I wanted it.
Setup the Linux host
sysctl -w vm.max_map_count=262144After cloning, run these in the elk-docker dir:
docker-compose -f create-certs.yml run --rm create_certs
docker-compose up -dGive the stack ~60 seconds to do whatever it does.
Now, get passwords to use it:
docker-compose exec es-node01 /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch --url https://es-node01:9200" > credentials.txtShould result in a file with output something along these lines
Changed password for user apm_system
PASSWORD apm_system = IAniMOR30oTYLzXgiUTG
Changed password for user kibana_system
PASSWORD kibana_system = JcQqrfzgNV252iTVNfct
Changed password for user kibana
PASSWORD kibana = JcQqrfzgNV252iTVNfct
Changed password for user logstash_system
PASSWORD logstash_system = YCdnOaJiyPI42CpHOwhA
Changed password for user beats_system
PASSWORD beats_system = O13EDZcQeOfVLTthkvtC
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = spxKa5yy1WwUy3CW1pZa
Changed password for user elastic
PASSWORD elastic = 7ivx2Jp17QFQCuZK1vEP
Now, replace the password in the environment file (.env) for KIBANA_SYSTEM_PASSWORD with the newly generated one. This one liner should do it:
sed -i "s/KIBANA_SYSTEM_PASSWORD=CHANGEME/KIBANA_SYSTEM_PASSWORD=$(cat credentials.txt | grep 'kibana_system =' | awk '{ print $4 }')/g" .envBring the stack down and back up and you should be golden.
docker-compose stop
docker-compose up -dYour login URL will be something like https://192.168.241.30:5601/, using elastic:7ivx2Jp17QFQCuZK1vEP as the credentials (generated in the previous step)
Setup the fleet server on the same host that has the stack. We install it on the bare metal here as it's also an agent.
Navigate to Management -> Fleet. Download the latest agent and install it. dpkg -i should do it.
Step 3 deployment mode is quick start (this is a lab), https://127.0.0.1:8220 is your fleet server (will be the same host as the docker stack) (note the https), note your service token (dunno where else we use this yet).
Before we run the command, go to "Fleet Settings" at the top right, and flip the "Elasticsearch Host" from http://localhost:9200 to https://localhost:9200 (note the https there).
Finally, copy the "Start Fleet Server" command. We're going to edit it before we run it. The default command will not have you set the CA generated in the create_certificates step, so we need to add that. In my case, the docker stack lives in /root/elk-docker. If its different, update to the path to ca.crt.
elastic-agent enroll -f \
--fleet-server-es=https://localhost:9200 \
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2Mzg2MzE0MzQ1MTQ6VWY1UEpmdUdRbGV6a25SOGdWM0ZFUQ \
--fleet-server-policy=8c764c80-5515-11ec-97db-6dfa850f060a \
--fleet-server-es-ca=/root/elk-docker/certs/ca/ca.crtOnce done, enable and start the agent service.
systemctl start elastic-agent.service
systemctl enable elastic-agent.serviceBack in the WebUI you should see the "Fleet Server Connected!" message.
Because we used the "quick setup" mode for Fleet, remember to add the --insecure flag when you install the agent on hosts. Also, take note of the server URL. It is not localhost like Kibana will tell you.