Install ELK (Elasticsearch Logstash Kibana) - khoanase62625/Snort-Capstone GitHub Wiki
Create a separate Docker network for ELK so the three services can talk to each other by name. Docker also isolates the ELK services from other services running on the same host.
sudo docker network create elasticstack
- docker network: interact with Docker's network service
- elasticstack: network name (change it to whatever suits you)
Version: 7.1.1
sudo docker run -d --name elasticsearch \
--net elasticstack \
-p 9200:9200 \
-p 9300:9300 \
-e "discovery.type=single-node" \
docker.elastic.co/elasticsearch/elasticsearch:7.1.1
- -d: run the container in the background
- --name: container name (pick a memorable name; other containers on the same network can reach this one by that name)
- --net: the network created in step 1
- -p host:container: map a host port to a container port
- -e: set a container environment variable (note: each image reads different variables); "discovery.type=single-node" runs Elasticsearch as a single node (development mode)
- docker.elastic.co/elasticsearch/elasticsearch:7.1.1: image to run the container from
Version: 7.1.1
vim ~/snort_json.yml
Paste these lines:
input {
  beats {
    port => 5044
  }
}
filter {
  json {
    source => "message"
  }
  mutate {
    convert => {
      "pkt_num" => "integer"
      "pkt_len" => "integer"
      "src_port" => "integer"
      "dst_port" => "integer"
      "priority" => "integer"
    }
    gsub => ["timestamp", "\d{3}$", ""]
  }
  date {
    match => [ "timestamp", "yy/MM/dd-HH:mm:ss.SSS" ]
  }
  geoip { source => "src_addr" }
}
output {
  elasticsearch {
    hosts => "http://elasticsearch:9200"
    index => "logstash-snort3j"
  }
  stdout { }
}
snort_json.yml breakdown: This file uses YAML format
- input: Logstash receives events on port 5044 using the Beats protocol
- filter: Logstash parses the "message" field (from the input) as JSON and converts (mutate) "pkt_num", "pkt_len", "src_port", "dst_port" and "priority" to integers. After that it normalises the timestamp (gsub drops the last three digits so the value matches the date pattern, and date parses it into @timestamp) and adds geographical data looked up from "src_addr".
- output: Logstash pushes events to Elasticsearch at "http://<elasticsearch_container>:9200"; the index name keeps this data separate from other data in Elasticsearch.
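To see what the filter block above does to an alert before it reaches Elasticsearch, here is an added Python model of the json, mutate (convert and gsub) and date stages. It is example code written for this page, not part of the wiki or the Snort-Capstone project. The field names, the gsub pattern and the date pattern are taken from snort_json.yml; the alert lines are constructed samples, the geoip stage is left out because it needs the MaxMind database, and the timezone is assumed to be UTC (the date filter uses the Logstash host's zone when none is configured).

```python
import json
import re
from datetime import datetime, timezone

# Fields the mutate { convert } stage turns into integers (names from snort_json.yml).
INT_FIELDS = ("pkt_num", "pkt_len", "src_port", "dst_port", "priority")
# Logstash pattern "yy/MM/dd-HH:mm:ss.SSS" expressed for strptime (%f accepts 1-6 digits).
TIMESTAMP_FORMAT = "%y/%m/%d-%H:%M:%S.%f"

# Constructed sample lines, not real Snort output. The first mimics a Snort 3
# alert_json record with a microsecond timestamp and string-typed numbers.
SAMPLE_ALERT = json.dumps({
    "timestamp": "19/06/10-14:30:22.123456",
    "pkt_num": "17", "pkt_len": "60",
    "src_addr": "203.0.113.7", "src_port": "44321",
    "dst_addr": "192.0.2.10", "dst_port": "22",
    "priority": "2", "msg": "constructed test alert",
})
SAMPLE_NOT_JSON = "this line is not JSON"
SAMPLE_BAD_TIMESTAMP = json.dumps({"timestamp": "2019-06-10 14:30:22", "pkt_len": "60"})


def apply_filter(event):
    """Run one Beats event (a dict with a "message" field) through a model of
    the filter { } block: json -> mutate convert -> mutate gsub -> date.
    The geoip stage is omitted because it needs the MaxMind database."""
    event = dict(event)
    tags = list(event.get("tags", []))

    # json { source => "message" }: merge the parsed keys into the event.
    # On failure Logstash tags the event and lets it continue down the pipeline.
    try:
        event.update(json.loads(event["message"]))
    except (KeyError, TypeError, ValueError):
        tags.append("_jsonparsefailure")

    # mutate { convert => {...} }: only fields that exist are touched.
    for name in INT_FIELDS:
        if name in event:
            try:
                event[name] = int(str(event[name]).strip())
            except ValueError:
                pass  # this model leaves unconvertible values as-is (the example's own choice)

    # mutate { gsub => ["timestamp", "\d{3}$", ""] }: drop the last three digits so
    # the 6-digit microseconds become the 3-digit milliseconds the date pattern expects.
    if isinstance(event.get("timestamp"), str):
        event["timestamp"] = re.sub(r"\d{3}$", "", event["timestamp"])

    # date { match => ["timestamp", "yy/MM/dd-HH:mm:ss.SSS"] }: parse into @timestamp.
    # A missing field is skipped silently; an unparseable one is tagged.
    # Timezone assumed UTC here (no timezone => option is set in the config).
    if "timestamp" in event:
        try:
            parsed = datetime.strptime(event["timestamp"], TIMESTAMP_FORMAT)
            event["@timestamp"] = parsed.replace(tzinfo=timezone.utc).isoformat()
        except (TypeError, ValueError):
            tags.append("_dateparsefailure")

    if tags:
        event["tags"] = tags
    return event


if __name__ == "__main__":
    for line in (SAMPLE_ALERT, SAMPLE_NOT_JSON, SAMPLE_BAD_TIMESTAMP):
        print(json.dumps(apply_filter({"message": line}), indent=2))
```

Running it shows the three outcomes you will meet in Kibana: a clean event with integer ports and a parsed @timestamp, an event tagged _jsonparsefailure (the raw line stays in "message"), and an event tagged _dateparsefailure because its timestamp did not match the pattern. Filtering on the tags field in Kibana is the quickest way to spot Snort output that the pipeline is not parsing.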
vim ~/pipelines.yml
Paste these lines:
- pipeline.id: snort
  path.config: "/usr/share/logstash/snort_json.yml"
pipelines.yml breakdown: This file uses YAML format
- pipeline.id: a pipeline ID that must be unique among all pipeline.id values
- path.config: path (inside the container) to the Logstash config created in step 1
docker run -d --name logstash --net elasticstack \
-p 5044:5044 \
-v ~/snort_json.yml:/usr/share/logstash/snort_json.yml \
-v ~/pipelines.yml:/usr/share/logstash/config/pipelines.yml \
docker.elastic.co/logstash/logstash:7.1.1
- -d: run the container in the background
- --name: container name (pick a memorable name; other containers on the same network can reach this one by that name)
- --net: the network created in step 1
- -p host:container: map a host port to a container port
- -v host_path:container_path: bind-mount a file or directory from the host into the container
- docker.elastic.co/logstash/logstash:7.1.1: image to run the container from
Version: 7.1.1
docker run -d --name kibana \
--net elasticstack \
-e ELASTICSEARCH_HOSTS=http://elasticsearch:9200 \
-p 5601:5601 \
docker.elastic.co/kibana/kibana:7.1.1
- -d: run the container in the background
- --name: container name (pick a memorable name; other containers on the same network can reach this one by that name)
- --net: the network created in step 1
- -e: set a container environment variable (note: each image reads different variables); ELASTICSEARCH_HOSTS: URL of Elasticsearch (Kibana 7.x reads elasticsearch.hosts; the older ELASTICSEARCH_URL / elasticsearch.url setting was removed in 7.0)
- docker.elastic.co/kibana/kibana:7.1.1: image to run the container from
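Once the three containers are up, a quick check that the stack is wired together correctly saves time before pointing Snort at it. This is an added Python example written for this page (not part of the wiki or the Snort-Capstone project); it assumes the host ports published by the docker run commands above (9200 and 5601), the index name from snort_json.yml, and the standard Elasticsearch _cluster/health and _cat/indices endpoints and Kibana's /api/status endpoint. The parsing is kept in small functions so it can be exercised with constructed responses.

```python
import json
import sys
import urllib.request
from urllib.error import URLError

# Endpoints as published by the docker run commands on this page (host ports 9200 and 5601).
ES_URL = "http://localhost:9200"
KIBANA_URL = "http://localhost:5601"
SNORT_INDEX = "logstash-snort3j"  # index name from snort_json.yml


def es_health_ok(health):
    """Parsed GET /_cluster/health. A single-node cluster normally reports
    'yellow' because indices default to one replica that can never be allocated."""
    return health.get("status") in ("green", "yellow")


def index_present(cat_indices, name):
    """Parsed GET /_cat/indices?format=json: true when the Snort index exists.
    It only appears after Logstash has shipped at least one event."""
    return any(row.get("index") == name for row in cat_indices)


def kibana_ready(status):
    """Parsed GET /api/status: overall state is 'green' once Kibana has
    connected to Elasticsearch and finished its migrations."""
    return status.get("status", {}).get("overall", {}).get("state") == "green"


def fetch_json(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def check_stack():
    """Query the live stack and return a dict of check name -> bool."""
    try:
        health = fetch_json(f"{ES_URL}/_cluster/health")
        indices = fetch_json(f"{ES_URL}/_cat/indices?format=json")
        kibana = fetch_json(f"{KIBANA_URL}/api/status")
    except URLError as exc:
        print(f"stack not reachable: {exc}")
        return {}
    return {
        "elasticsearch_healthy": es_health_ok(health),
        "snort_index_present": index_present(indices, SNORT_INDEX),
        "kibana_ready": kibana_ready(kibana),
    }


if __name__ == "__main__":
    results = check_stack()
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
    sys.exit(0 if results and all(results.values()) else 1)
```

Note that with the commands above, ports 9200 and 5601 are published on every interface of the host, and Elasticsearch 7.1.1 ships with its security features disabled, so anything that can reach the host can read and write the indices. If the stack only needs to be reached from the host itself, bind the published ports to loopback instead (for example `-p 127.0.0.1:9200:9200` and `-p 127.0.0.1:5601:5601`); Logstash and Kibana still reach Elasticsearch over the elasticstack network by container name, so nothing else changes.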