NOTE: This Docker image is based around pre 2.0 Elastic Search and
Kibana 3. It will likely be superseded by a docker-compose setup in
the near future. Until then I highly suggest checking out
Amsterdam as an alternative.
A Docker image with Suricata and the ELK (Elastic Search, Logstash,
Unlike most Docker containers, this one uses host networking. At this
time it will attempt to bind the following ports:
- 7777: The web interface to expose Kibana and EveBox
- 9200: Elastic Search
This is to allow Suricata access to your physical interfaces while
running inside the Docker container. A more "Docker" approach would
probably be to break this one container into two, one for Suricata,
and one for ELK.
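Because the container shares the host's network namespace, anything already listening on 7777 or 9200 on the host will make the corresponding service inside the container (Nginx or Elastic Search) fail to bind, and supervisord will restart it until it gives up. The following preflight script is an added example, not part of this project's launcher: it parses the listener table printed by `ss -ltn` (or `netstat -tln`) and reports which of the required ports are already taken. The function names and the constructed sample output are assumptions for illustration.

```shell
#!/bin/sh
# Preflight check for the suricata-elk container (added example, not part
# of the project's launcher): report host ports the container needs that
# are already bound by another process.

# Ports the container binds through host networking (from the README).
REQUIRED_PORTS="7777 9200"

# Constructed sample of `ss -ltn` output, used for offline testing only.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      128    [::]:7777           [::]:*
LISTEN 0      50     127.0.0.1:3306      0.0.0.0:*'

# Read an ss/netstat style listener table on stdin and print the listening
# TCP port numbers, one per line, sorted numerically and de-duplicated.
# Column 4 is "Local Address:Port" in both tools; the port is whatever
# follows the last ":" (covers 0.0.0.0:80, *:80, [::]:80 and :::80).
# Header lines are dropped because their last field is not numeric.
listening_ports() {
    awk '{ n = split($4, a, ":"); if (a[n] ~ /^[0-9]+$/) print a[n] }' | sort -un
}

# $1: whitespace-separated list of required ports; stdin: listener table.
# Prints each required port that is already in use, one per line.
conflicting_ports() {
    bound=$(listening_ports)
    for want in $1; do
        for have in $bound; do
            [ "$want" = "$have" ] && echo "$want"
        done
    done
}

# $1: required ports; stdin: listener table. Prints one line per conflict
# and returns 1 if any required port is taken, 0 if all are free.
check_ports() {
    conflicts=$(conflicting_ports "$1")
    if [ -n "$conflicts" ]; then
        for p in $conflicts; do
            echo "preflight: port $p is already in use on the host"
        done
        return 1
    fi
    return 0
}

# Live check against this host, using whichever tool is installed.
# Only reports; it never exits, so the file can also be sourced for tests.
if command -v ss >/dev/null 2>&1; then
    listeners="ss -ltn"
elif command -v netstat >/dev/null 2>&1; then
    listeners="netstat -tln"
else
    listeners=""
fi
if [ -n "$listeners" ]; then
    if $listeners | check_ports "$REQUIRED_PORTS"; then
        echo "preflight: ports $REQUIRED_PORTS are free; ./launcher start should bind cleanly"
    else
        echo "preflight: stop the conflicting service first, or nginx/elasticsearch will exit inside the container"
    fi
fi
```

Run it on the host before `./launcher start`; a conflict reported here is the same condition that shows up later as supervisord repeatedly spawning and losing a process inside the container.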
As this is a Docker container you need to be running Docker on Linux.
Please refer to the Docker documentation at https://docs.docker.com/
for installation help. Note that if running in a virtual machine you
should allocate at least 2GB of memory.
- git clone https://github.com/jasonish/docker-suricata-elk.git
- cd docker-suricata-elk
- ./launcher start [-i INTERFACE]
Then, assuming you're running on your localhost, point your browser at
The container is completely stateless with all persistent data stored
in ./data. This includes the Elastic Search database and all log
To get a shell into the running container (may require sudo):
- ./launcher enter
If you wish to rebuild the image yourself simply run:
- ./launcher build
That's odd, Nginx is binding to port 7777 which is unlikely (but not impossible) to conflict with Apache running on your host system.
The issue here is that this container uses host networking to give Suricata access to the host interfaces. The real solution will be to use docker-compose where Suricata can run with host network, Nginx and Elastic Search can be confined to their containers with ports exposed or linked as needed.
My error was due to apache running on the host system. Any way to change that to another port?
When running on my system, I get the below every time, any suggestions?
2015-11-16 17:20:42,684 INFO exited: nginx (exit status 1; not expected)
2015-11-16 17:20:44,687 INFO spawned: 'nginx' with pid 96
2015-11-16 17:20:44,740 INFO exited: nginx (exit status 1; not expected)
2015-11-16 17:20:47,745 INFO spawned: 'nginx' with pid 140
2015-11-16 17:20:47,777 INFO exited: nginx (exit status 1; not expected)
2015-11-16 17:20:48,742 INFO gave up: nginx entered FATAL state, too many start retries too quickly