elasticsearch_kibana

An inventory management example consists of elasticsearch/kibana + filebeat + osquery

Architecture


This example includes just one test Docker container with osquery preinstalled. The other Docker containers serve unrelated purposes.

Usage:

Prepare

  1. Install Docker

  2. If you are using Docker for Mac or Windows, allocate enough memory (2GB?) to it, because elasticsearch/kibana use quite a lot of memory.

  3. Download docker-compose.yml and the related files from https://github.com/jjqq2013/misc/tree/master/elasticsearch6.2.2

    git clone https://github.com/jjqq2013/misc
    cd misc/elasticsearch6.2.2
    

    or if you do not want to clone unrelated files, you can use:

    svn export https://github.com/jjqq2013/misc/trunk/elasticsearch6.2.2
    cd elasticsearch6.2.2
    

Run

docker-compose up

Then you can use kibana at http://localhost:5601 to browse the data in elasticsearch.

The cool things about osquery

osquery can be scheduled to periodically output only changed information, such as newly installed packages (it can of course send the complete result set instead).
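As an added example (not code from this repo), here is a small Python reader for the osquery results log that filebeat tails in this setup. It separates the differential "added"/"removed" rows from snapshot rows, skips corrupt lines, and reports package changes; the sample log lines and the query names are constructed, not taken from the repo.

```python
import json

# Constructed sample of osquery's results log (one JSON object per line), which is what
# filebeat ships to elasticsearch here. Differential queries emit one line per changed row
# with "action" added/removed; snapshot queries emit the whole result set under "snapshot".
SAMPLE_RESULTS_LOG = """\
{"name":"deb_packages","hostIdentifier":"test-host","unixTime":1520000000,"action":"added","columns":{"name":"curl","version":"7.58.0-2ubuntu3"}}
{"name":"deb_packages","hostIdentifier":"test-host","unixTime":1520000000,"action":"removed","columns":{"name":"wget","version":"1.19.4-1ubuntu2"}}
{"name":"listening_ports","hostIdentifier":"test-host","unixTime":1520000060,"action":"snapshot","snapshot":[{"port":"22","pid":"1"},{"port":"9200","pid":"2"}]}
not json at all
"""


def parse_results_log(text):
    """Yield (host, query_name, action, row) tuples, flattening snapshot rows."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A truncated or corrupt line must not abort ingestion of the rest of the file.
            continue
        host = event.get("hostIdentifier", "?")
        name = event.get("name", "?")
        action = event.get("action")
        if action == "snapshot":
            for row in event.get("snapshot", []):
                yield host, name, "snapshot", row
        elif action in ("added", "removed"):
            yield host, name, action, event.get("columns", {})


def package_changes(text, query_name="deb_packages"):
    """Return {"added": [...], "removed": [...]} as 'name version' strings for one differential query."""
    changes = {"added": [], "removed": []}
    for _host, name, action, row in parse_results_log(text):
        if name == query_name and action in changes:
            changes[action].append(f"{row.get('name')} {row.get('version')}")
    return changes


if __name__ == "__main__":
    print(package_changes(SAMPLE_RESULTS_LOG))
```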

The cool things about elasticsearch/kibana 6.2.2

  • All available search keys and values are automatically listed in filter input dialog.
  • All available search keys and top 5 values are automatically listed in panel.

So normally you no longer need to type the query language yourself.

Here are some screenshots:
