Send flat log files to logstash (ELK)

Sends a flat log file to Logstash (ELK). In this example the file is the SSH authentication log, /var/log/auth.log.


git clone && cd filebeat
nano filebeat.yml   # set your Logstash IP and the path of the log file to ship

docker build -t filebeat .


On the target host the flat log file is mapped into the container read-only via "-v".
Open 5001/TCP on the firewall so Filebeat can reach Logstash.

Prepare logstash.conf to receive the log (a beats input listening on 5001):

input {
  beats {
    port => "5001"
    type => "auth"
  }
}

And run the image you built, or the sbex/filebeat one:

docker run -d --name filebeat -v /root/filebeat/filebeat.yml:/filebeat/filebeat.yml:ro -v /var/log/auth.log:/mnt/var/log/auth.log:ro --restart=on-failure:5 --security-opt="no-new-privileges" filebeat
docker run -d --name filebeat -v /root/filebeat/filebeat.yml:/filebeat/filebeat.yml:ro -v /var/log/auth.log:/mnt/var/log/auth.log:ro --restart=on-failure:5 --security-opt="no-new-privileges" sbex/filebeat

Security to improve

The next step would be a read-only root filesystem for the container, but Filebeat needs to write its registry under /filebeat, so the container fails:

docker run -d --name filebeat -v /root/filebeat/filebeat.yml:/filebeat/filebeat.yml:ro -v /var/log/auth.log:/mnt/var/log/auth.log:ro --restart=on-failure:5 --read-only=true --security-opt="no-new-privileges" filebeat
docker logs filebeat

2016/05/23 23:45:16.042884 registrar.go:151: ERR Failed to create tempfile (/filebeat/ for writing: open /filebeat/ read-only file system
2016/05/23 23:45:16.043477 registrar.go:109: ERR Writing of registry returned error: open /filebeat/ read-only file system. Continuing..
  • Problem with write access to the /filebeat folder. But I can't use --tmpfs /filebeat because the folder ends up empty... Wait for fix.
  • Same problem with running the container as a user: can't mount the folder (-v) and give the local user read access...
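The following script is an added example and not part of this repository or the sbex/filebeat image. It ties together the two pieces above (the logstash.conf beats input and the hardened docker run) and shows one way around the read-only-root problem: point Filebeat's registry at its own directory and mount a tmpfs there, so --read-only can stay on. It assumes Filebeat 1.x configuration syntax (the filebeat.registry_file key), an image tagged "filebeat" built from this repo, a non-root UID 1000 inside the image, and a host /var/log/auth.log owned by root:adm (GID 4, the Debian/Ubuntu default) so that --group-add 4 gives the container user read access.

```shell
#!/bin/sh
# Added example, not part of the sbex/filebeat image or this README.
# Generates: a filebeat.yml that keeps the registry outside /filebeat, the
# matching logstash.conf beats input, and a hardened `docker run` line that
# uses --read-only plus a tmpfs for the registry directory.
# Assumptions: Filebeat 1.x config syntax (filebeat.registry_file), the image
# tag "filebeat" built from this repo, UID 1000 usable inside the image, and a
# host /var/log/auth.log owned by root:adm (GID 4) as on Debian/Ubuntu.
set -eu

# write_configs DIR LOGSTASH_HOST: writes filebeat.yml and logstash.conf to DIR.
write_configs() {
    dir=$1
    logstash_host=$2
    mkdir -p "$dir"
    cat > "$dir/filebeat.yml" <<EOF
filebeat:
  prospectors:
    -
      paths:
        - /mnt/var/log/auth.log
      input_type: log
      document_type: auth
  # Registry in its own directory: that directory becomes a tmpfs, so the
  # rest of the container filesystem can stay read-only.
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["$logstash_host:5001"]
EOF
    cat > "$dir/logstash.conf" <<EOF
input {
  beats {
    port => "5001"
    type => "auth"
  }
}
EOF
}

# hardened_run_cmd DIR: prints the docker run command for the configs in DIR.
# Root filesystem read-only, registry on a small noexec tmpfs, non-root user
# with the host's adm group, all capabilities dropped, no privilege escalation.
hardened_run_cmd() {
    dir=$1
    printf '%s' "docker run -d --name filebeat" \
        " -v $dir/filebeat.yml:/filebeat/filebeat.yml:ro" \
        " -v /var/log/auth.log:/mnt/var/log/auth.log:ro" \
        " --read-only --tmpfs /var/lib/filebeat:rw,noexec,nosuid,size=16m" \
        " --user 1000:1000 --group-add 4 --cap-drop ALL" \
        " --security-opt=no-new-privileges --restart=on-failure:5 filebeat"
}

# check_hardened CMD: returns 0 only if CMD has a read-only root filesystem,
# no-new-privileges, and every -v bind mount is :ro. Prints the first finding.
check_hardened() {
    cmd=$1
    case "$cmd" in
        *--read-only*) ;;
        *) echo "missing --read-only"; return 1 ;;
    esac
    case "$cmd" in
        *no-new-privileges*) ;;
        *) echo "missing --security-opt=no-new-privileges"; return 1 ;;
    esac
    prev=
    for word in $cmd; do
        if [ "$prev" = "-v" ]; then
            case "$word" in
                *:ro) ;;
                *) echo "writable bind mount: $word"; return 1 ;;
            esac
        fi
        prev=$word
    done
    return 0
}

# Usage: sh harden-filebeat.sh /root/filebeat 10.0.0.5
if [ $# -eq 2 ]; then
    write_configs "$1" "$2"
    cmd=$(hardened_run_cmd "$1")
    check_hardened "$cmd"
    printf '%s\n' "$cmd"
fi
```

The tmpfs is mounted with noexec and nosuid so the only writable path in the container cannot be used to drop and run a binary, and check_hardened is there to lint a run line before it goes into a unit file or a deploy script: it rejects any -v mount that is not :ro and any invocation missing --read-only or no-new-privileges.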