Public | Automated Build

Last pushed: a year ago
FILEBEAT

Sends a flat log file to logstash (ELK). Here the file is the SSH authentication log, /var/log/auth.log.

Setup

git clone https://bitbucket.org/sbex/filebeat && cd filebeat
nano filebeat.yml   (set the logstash host:port and the path of the log file as seen inside the container)

docker build -t filebeat .

Run

On the target host the flat log file is bind-mounted read-only into the container with "-v".
Open 5001/TCP on the logstash host's firewall so the beat can connect.

Prepare logstash.conf to receive the log (the beats listener goes inside an input block):
input {
  beats {
    port => 5001
    type => "auth"
  }
}

Then run the image you built, or the sbex/filebeat one (the config and the log file are both mounted read-only):

docker run -d --name filebeat -v /root/filebeat/filebeat.yml:/filebeat/filebeat.yml:ro -v /var/log/auth.log:/mnt/var/log/auth.log:ro --restart=on-failure:5 --security-opt="no-new-privileges" filebeat
docker run -d --name filebeat -v /root/filebeat/filebeat.yml:/filebeat/filebeat.yml:ro -v /var/log/auth.log:/mnt/var/log/auth.log:ro --restart=on-failure:5 --security-opt="no-new-privileges" sbex/filebeat

Security to improve

docker run -d --name filebeat -v /root/filebeat/filebeat.yml:/filebeat/filebeat.yml:ro -v /var/log/auth.log:/mnt/var/log/auth.log:ro --restart=on-failure:5 --read-only --security-opt="no-new-privileges" filebeat
docker logs filebeat


2016/05/23 23:45:16.042884 registrar.go:151: ERR Failed to create tempfile (/filebeat/.filebeat.new) for writing: open /filebeat/.filebeat.new: read-only file system
2016/05/23 23:45:16.043477 registrar.go:109: ERR Writing of registry returned error: open /filebeat/.filebeat.new: read-only file system. Continuing..
  • Problem with write access to the /filebeat folder. But I can't use --tmpfs /filebeat because the folder ends up empty... Wait for fix.
  • Same problem with running the container as a user: can't mount the folder (-v) and give the local user read access...
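Added example, not code from the sbex/filebeat README, serving two spots on this page: the Setup step that asks you to fill in filebeat.yml, and the read-only and non-root problems recorded under "Security to improve". The registry error comes from Filebeat writing its registry next to its binary (/filebeat/.filebeat), and a tmpfs on /filebeat shadows everything the image put there, which is why that folder looked empty. The script below moves the registry to a separate writable mount and runs the container read-only, capability-less and as an unprivileged user. Assumptions not taken from the page: the image's Filebeat accepts the 1.x-style keys (filebeat.prospectors, document_type, registry_file, as suggested by the 2016 registrar.go messages and the .filebeat default), Logstash listens at 10.0.0.5:5001, auth.log is root:adm with gid 4 as on Debian/Ubuntu, the container uid:gid is 1000:1000, the registry lives in /var/lib/filebeat on the host, and the local image tag is "filebeat".

```shell
#!/bin/sh
# Added example, not part of the sbex/filebeat README: generate filebeat.yml in the
# Filebeat 1.x layout this container uses and launch it read-only and non-root.
# Assumptions (not from the page): Logstash at 10.0.0.5:5001, registry kept in a
# host directory bind-mounted at /data, auth.log owned by root:adm (gid 4 on
# Debian/Ubuntu), container uid:gid 1000:1000, local image tag "filebeat".
set -eu

CONF="${CONF:-$PWD/filebeat.yml}"          # host path of the generated config
REGDIR="${REGDIR:-/var/lib/filebeat}"      # host dir for the registry (writable)

# Print a filebeat.yml. $1 = Logstash host:port, $2 = log path inside the container.
# registry_file is moved off the image filesystem so --read-only no longer breaks
# the registrar; /data is a separate mount, so nothing under /filebeat is shadowed.
write_filebeat_yml() {
  cat <<EOF
filebeat:
  prospectors:
    - paths:
        - $2
      input_type: log
      document_type: auth
  registry_file: /data/registry
output:
  logstash:
    hosts: ["$1"]
EOF
}

# Dry run by default: print the docker argv one element per line for review.
# Set FILEBEAT_EXEC=1 to really invoke docker.
docker_cmd() {
  if [ "${FILEBEAT_EXEC:-0}" = 1 ]; then docker "$@"; else printf '%s\n' "$@"; fi
}

# $1 = host log file, $2 = uid:gid to run as, $3 = supplementary gid that can read
# $1 on the host, $4 = image. --group-add gives the unprivileged container user
# read access to the bind-mounted log without making it world-readable on the host.
start_filebeat() {
  docker_cmd run -d --name filebeat \
    --read-only \
    --user "$2" --group-add "$3" \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --restart on-failure:5 \
    -v "$CONF:/filebeat/filebeat.yml:ro" \
    -v "$1:/mnt/var/log/auth.log:ro" \
    -v "$REGDIR:/data" \
    "$4"
}

if [ "${FILEBEAT_EXEC:-0}" = 1 ]; then
  write_filebeat_yml 10.0.0.5:5001 /mnt/var/log/auth.log > "$CONF"
  mkdir -p "$REGDIR" && chown 1000:1000 "$REGDIR"   # registry dir must be writable by the container uid
  start_filebeat /var/log/auth.log 1000:1000 4 filebeat
fi
```

Run it once without FILEBEAT_EXEC to review the composed command, then with FILEBEAT_EXEC=1 to start the container. The registry is kept on a host directory rather than a tmpfs so read offsets survive a container restart; with a tmpfs the whole of auth.log would be shipped again after each restart. The image must leave /filebeat/filebeat readable and executable by the chosen uid. Note that logs travel to port 5001 in clear text unless the Logstash output's TLS options for your Filebeat version are set, so keep the path between the two hosts trusted or enable TLS first.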
Owner: sbex