Install ELK (Elasticsearch Logstash Kibana) - khoanase62625/Snort-Capstone GitHub Wiki

1. Create ELK network

Create a separate Docker network for ELK so the containers can reach each other by name. Docker also isolates the ELK services from other services running on the same host.

sudo docker network create elasticstack
  • docker network: interact with Docker's network service
  • elasticstack: network name (change it to whatever suits you)

2. Deploy Elasticsearch

Version: 7.1.1

sudo docker run -d --name elasticsearch \
--net elasticstack \
-p 9200:9200 \
-p 9300:9300 \
-e "discovery.type=single-node" \
docker.elastic.co/elasticsearch/elasticsearch:7.1.1
  • -d: run the container in the background
  • --name: container name (a memorable name lets other containers on the same network reach this one by that name)
  • --net: the network created in step 1
  • -p host:container: map a host port to a container port
  • -e: set a container environment variable (note: each container uses different variables); "discovery.type=single-node" runs Elasticsearch in single-node Development Mode
  • docker.elastic.co/elasticsearch/elasticsearch:7.1.1: image the container is run from

3. Deploy Logstash

Version: 7.1.1

1. Create Logstash config

Run vim ~/snort_json.yml and paste these lines:

input {
    beats {
      port => 5044
    }
}

filter {
    json {
        source => "message"
    }
    mutate {
        convert => { 
            "pkt_num" => "integer"
            "pkt_len" => "integer"
            "src_port" => "integer"
            "dst_port" => "integer"
            "priority" => "integer"
        }
        gsub => ["timestamp", "\d{3}$", ""]
    }
    date {
        match => [ "timestamp", "yy/MM/dd-HH:mm:ss.SSS" ]
    }
    geoip { source => "src_addr" }
}

output {
    elasticsearch {
        hosts => "http://elasticsearch:9200"
        index => "logstash-snort3j"
    }
    stdout { }
}

snort_json.yml breakdown: This file uses YAML format

  • input: Logstash receives data on port 5044 in the Beats protocol
  • filter: Logstash parses JSON from the "message" field (the input) and converts (mutate) "pkt_num", "pkt_len", "src_port", "dst_port" and "priority" to integers. After that it normalises the timestamp (gsub drops the trailing three digits so the value matches the date pattern) and adds geographical data looked up from "src_addr".
  • output: Logstash pushes the data to Elasticsearch, whose host is "http://<elasticsearch_container>:9200"; the index name keeps this data separate from other data in Elasticsearch.
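As an added example (not code from the wiki or from Logstash itself), the following Python script reproduces what the filter section of snort_json.yml does to a single alert: the json parse, the integer conversions, the gsub that trims the timestamp, and the date parse into @timestamp. It runs on a constructed Snort 3 alert_json record; the field names are the ones used in the config, the values are made up. The geoip step is not simulated because it needs the GeoLite2 database bundled with Logstash.

```python
"""Simulate the snort_json.yml filter chain on one constructed Snort 3 alert.

Added example; it mirrors the json, mutate (convert + gsub) and date filters
so the transformation can be checked without a running Logstash.
"""
import json
import re
from datetime import datetime

# Fields the mutate/convert block turns into integers (as listed in snort_json.yml)
INTEGER_FIELDS = ("pkt_num", "pkt_len", "src_port", "dst_port", "priority")

# Constructed sample in the shape of a Snort 3 alert_json line. Values are made
# up; the timestamp deliberately carries six fractional digits (microseconds).
SAMPLE_LINE = json.dumps({
    "timestamp": "19/05/14-10:23:45.123456",
    "pkt_num": "42",
    "pkt_len": "60",
    "src_addr": "203.0.113.7",
    "src_port": "51234",
    "dst_addr": "192.0.2.10",
    "dst_port": "22",
    "priority": "2",
    "msg": "constructed test alert",
})


def apply_filter(message: str) -> dict:
    """Apply the same steps as the filter {} block, in the same order."""
    # json { source => "message" }: the raw line becomes the event's fields
    event = json.loads(message)

    # mutate { convert => {...} }: int() accepts both quoted and bare numbers,
    # so the conversion is harmless if Snort already emitted integers
    for field in INTEGER_FIELDS:
        if field in event:
            event[field] = int(event[field])

    # mutate { gsub => ["timestamp", "\d{3}$", ""] }: drop the last three
    # digits, reducing microseconds to milliseconds to fit the .SSS pattern
    event["timestamp"] = re.sub(r"\d{3}$", "", event["timestamp"])

    # date { match => [ "timestamp", "yy/MM/dd-HH:mm:ss.SSS" ] }: Logstash
    # writes the parsed value to @timestamp; the strptime pattern below is
    # the Python equivalent of that Joda pattern
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%y/%m/%d-%H:%M:%S.%f")
    return event


if __name__ == "__main__":
    for key, value in apply_filter(SAMPLE_LINE).items():
        print(f"{key:>12}: {value!r}")
```

Running it prints the event as Logstash would hand it to the elasticsearch output: the five listed fields are now integers and @timestamp holds 2019-05-14 10:23:45.123. If a field is missing from an alert, the conversion simply skips it, which is also what the mutate filter does.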

2. Create pipelines.yml

Run vim ~/pipelines.yml and paste these lines:

- pipeline.id: snort
  path.config: "/usr/share/logstash/snort_json.yml"

pipelines.yml breakdown: This file uses YAML format

  • pipeline.id: an ID that is unique among all pipeline.id values
  • path.config: path (inside the container) to the Logstash config created in step 1

3. Deploy Logstash

docker run -d --name logstash --net elasticstack \
-p 5044:5044 \
-v ~/snort_json.yml:/usr/share/logstash/snort_json.yml \
-v ~/pipelines.yml:/usr/share/logstash/config/pipelines.yml \
docker.elastic.co/logstash/logstash:7.1.1
  • -d: run the container in the background
  • --name: container name (a memorable name lets other containers on the same network reach this one by that name)
  • --net: the network created in step 1
  • -p host:container: map a host port to a container port
  • -v <host_volume>:<container_volume>: mount a file or directory from the host into the container
  • docker.elastic.co/logstash/logstash:7.1.1: image the container is run from

4. Deploy Kibana

Version: 7.1.1

docker run -d --name kibana \
--net elasticstack \
-e ELASTICSEARCH_URL=http://elasticsearch:9200 \
-p 5601:5601 \
docker.elastic.co/kibana/kibana:7.1.1
  • -d: run the container in the background
  • --name: container name (a memorable name lets other containers on the same network reach this one by that name)
  • --net: the network created in step 1
  • -e: set a container environment variable (note: each container uses different variables); ELASTICSEARCH_URL is the URL of the Elasticsearch container
  • docker.elastic.co/kibana/kibana:7.1.1: image the container is run from
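Once the three containers are up, the following Python script (an added example, not part of the wiki) checks the stack from the host using only the standard library. It assumes the port mappings used in the commands above (9200 for Elasticsearch, 5601 for Kibana) and the index name "logstash-snort3j" from snort_json.yml; the hostname localhost is an assumption that holds when the script runs on the Docker host. The helper functions that interpret the responses are pure, so they can be exercised with constructed responses; main() performs the live requests.

```python
"""Post-deployment check for the ELK containers started in steps 1 to 4.

Added example. Uses the Elasticsearch _cluster/health and _cat/indices APIs
and Kibana's /api/status endpoint (its 7.x response shape).
"""
import json
import sys
import urllib.request

ES_URL = "http://localhost:9200"       # from -p 9200:9200 (assumed host)
KIBANA_URL = "http://localhost:5601"   # from -p 5601:5601 (assumed host)
INDEX_NAME = "logstash-snort3j"        # index => "logstash-snort3j"


def fetch_json(url: str, timeout: float = 5.0):
    """GET a JSON document; return None instead of raising on any failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except (OSError, ValueError):
        return None


def cluster_ready(health) -> bool:
    """Interpret _cluster/health. A single-node cluster cannot allocate
    replica shards, so it settles at 'yellow'; treat that as healthy."""
    return bool(health) and health.get("status") in ("green", "yellow")


def index_present(indices, name: str) -> bool:
    """Interpret _cat/indices?format=json: one dict per index, key 'index'.
    The index only appears after Logstash has written its first alert."""
    return any(entry.get("index") == name for entry in indices or [])


def kibana_ready(status) -> bool:
    """Interpret Kibana 7.x /api/status: overall state is 'green' once
    Kibana has connected to Elasticsearch."""
    try:
        return status["status"]["overall"]["state"] == "green"
    except (KeyError, TypeError):
        return False


def run_checks() -> list:
    """Perform the live requests; returns (label, ok) pairs."""
    return [
        ("elasticsearch cluster healthy",
         cluster_ready(fetch_json(f"{ES_URL}/_cluster/health"))),
        (f"index {INDEX_NAME} present",
         index_present(fetch_json(f"{ES_URL}/_cat/indices?format=json"), INDEX_NAME)),
        ("kibana connected to elasticsearch",
         kibana_ready(fetch_json(f"{KIBANA_URL}/api/status"))),
    ]


def main() -> int:
    failed = 0
    for label, ok in run_checks():
        print(f"[{'OK' if ok else 'FAIL'}] {label}")
        failed += not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

A failing index check right after deployment is expected until Filebeat has shipped the first alert through the Beats input on 5044. Note that with the commands above, Elasticsearch 7.1.1 runs without authentication and -p 9200:9200 publishes that port on every host interface; if only local tools need to reach it, -p 127.0.0.1:9200:9200 (and likewise for 5601) keeps the exposure to the loopback interface.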