Elastic does not provide a dockerized solution with Logstash integrated. This repository is based on Elastic's dockerized setup and Logstash has been integrated into a compose file. All communication between containers are performed using TLS with self-signed certificates. Validation of certificates is disabled.

If you choose to use this solution, follow the steps below and add your filters to Logstash, or eventually use Auditbeat.

Before proceeding, ensure that vm.max_map_count is set to a sufficient value, otherwise ELK might not be able to start.

sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf

Step 1 Define versions and instances.

cp ~/elk/env.example ~/elk/.env
cp ~/elk/setup/instances.example.yml ~/elk/instances.yml

Step 2 Create certificates

sudo docker-compose -f ~/elk/create-certs.yml run --rm create_certs

Step 3 Start containers

sudo docker-compose -f ~/elk/elastic-docker-tls.yml up -d

Step 4 Generate passwords

sudo docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch --url https://es01:9200" | tee -a passwords.txt

Step 5 Update .env with elastic username and password. Credentials for Kibana and Logstash in the elastic-docker-tls.yml and logstash/pipeline/9-output.conf are set automatically from .env file.

Step 6 Restart containers. Kibana might need 5-10 minutes to be ready at https://SERVERIP:5601 depending on your hardware.

sudo docker-compose stop && sudo docker-compose -f ~/elk/elastic-docker-tls.yml up -d