NOTE: This Docker image is based around pre-2.0 Elasticsearch and
Kibana 3. It will likely be superseded by a docker-compose setup in
the near future. Until then I highly suggest checking out
Amsterdam as an alternative.
A Docker image with Suricata and the ELK (Elastic Search, Logstash,
Unlike most Docker containers, this one uses host networking. At this
time it will attempt to bind the following ports directly on the host:
- 7777: the web interface exposing Kibana and EveBox
- 9200: Elasticsearch
This is to allow Suricata access to your physical interfaces while
running inside the Docker container. A more "Docker" approach would
probably be to break this one container into two, one for Suricata,
and one for ELK.
Because the container shares the host's network namespace, anything
that can reach those two ports on the host can reach Kibana and
Elasticsearch, and neither Kibana 3 nor a pre-2.0 Elasticsearch ships
with authentication. If the host is not on a trusted network, restrict
ports 7777 and 9200 with a host firewall (or bind them to loopback and
reach them over SSH) before starting the container.
As this is a Docker container you need to be running Docker on Linux.
Please refer to the Docker documentation at https://docs.docker.com/
for installation help. Note that if running in a virtual machine you
should allocate at least 2GB of memory.
- git clone https://github.com/jasonish/docker-suricata-elk.git
- cd docker-suricata-elk
- ./launcher start [-i INTERFACE]
Then, assuming you are running on localhost, point your browser at
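The start-up procedure above, wrapped in the checks a practitioner would want around it, as an added example that is not part of the project's launcher: it verifies the README's prerequisites (Docker present, at least 2 GiB of RAM, the capture interface exists), runs `./launcher start -i INTERFACE`, waits for ports 9200 and 7777 to come up, and then warns if either is listening on a wildcard address, since host networking puts them straight onto every host interface. The script assumes `./launcher` is in the current directory and that `ss(8)` and `awk` are available; the `iface_exists` sysfs path and the wildcard-address test are this example's own choices.

```shell
#!/bin/sh
# Added example around "./launcher start" for the docker-suricata-elk
# image; not part of the project. Assumes ./launcher is in the current
# directory and that ss(8) and awk are installed. Port numbers are the
# ones stated in the README.

WEB_PORT=7777          # Kibana / EveBox web interface
ES_PORT=9200           # Elasticsearch
MIN_MEM_KB=2097152     # 2 GiB, the README's recommended minimum

# meminfo_ok: succeeds if the /proc/meminfo-format text on stdin
# reports MemTotal >= MIN_MEM_KB (fails if MemTotal is absent).
meminfo_ok() {
    awk -v min="$MIN_MEM_KB" '
        /^MemTotal:/ { kb = $2 }
        END { if (kb + 0 >= min) exit 0; exit 1 }'
}

# iface_exists NAME [SYSFS_ROOT]: succeeds if the interface exists.
# SYSFS_ROOT defaults to /sys/class/net; overridable for testing.
iface_exists() {
    [ -n "$1" ] && [ -d "${2:-/sys/class/net}/$1" ]
}

# wildcard_ports: reads "ss -ltn" output on stdin and prints, one per
# line, whichever of WEB_PORT / ES_PORT is bound to 0.0.0.0, * or [::],
# i.e. reachable from every host interface rather than loopback only.
wildcard_ports() {
    awk -v web="$WEB_PORT" -v es="$ES_PORT" '
        $1 == "LISTEN" {
            n = split($4, f, ":")
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == web || port == es) &&
                (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
                print port
        }' | sort -un
}

# preflight IFACE: checks that should pass before the container starts.
preflight() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
    meminfo_ok </proc/meminfo || { echo "less than 2 GiB of RAM available" >&2; return 1; }
    iface_exists "$1" || { echo "no such interface: $1" >&2; return 1; }
}

# wait_for_port PORT [TRIES]: poll once a second until something
# listens on PORT, giving up after TRIES attempts (default 30).
wait_for_port() {
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        ss -ltn 2>/dev/null |
            awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }' &&
            return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

main() {
    iface=${1:?usage: $0 INTERFACE}
    preflight "$iface" || exit 1
    ./launcher start -i "$iface" || exit 1
    wait_for_port "$ES_PORT" || { echo "Elasticsearch did not come up on $ES_PORT" >&2; exit 1; }
    wait_for_port "$WEB_PORT" || { echo "web interface did not come up on $WEB_PORT" >&2; exit 1; }
    exposed=$(ss -ltn 2>/dev/null | wildcard_ports)
    if [ -n "$exposed" ]; then
        echo "WARNING: port(s) $(echo "$exposed" | tr '\n' ' ')are bound on all host" \
             "interfaces with no authentication; firewall them or bind to loopback" >&2
    fi
}

# Only run when given an interface, so the functions can be sourced and
# exercised on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-and-start.sh eth0` (the file name is illustrative). The wildcard check is the interesting part: with host networking there is no `-p 127.0.0.1:9200:9200` mapping to fall back on, so whether Elasticsearch is reachable from the network depends entirely on how the daemon inside the image binds, and the only reliable way to know is to look at the host's listening sockets after start-up.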
The container itself is completely stateless; all persistent data is
stored in ./data. This includes the Elasticsearch database and all log
To get a shell into the running container (may require sudo):
- ./launcher enter
If you wish to rebuild the image yourself simply run:
- ./launcher build