Added certs folder containing helper scripts for creating SSL .key, .crt and truststore.jks files. Changed logstash and kibana configuration to make use of SSL. No longer exposing elasticsearch on localhost. Updated readme.
This commit is contained in:
parent
0ce815ebe8
commit
03ebac1b33
|
@ -0,0 +1,3 @@
|
|||
domain.crt
|
||||
domain.key
|
||||
*.jks
|
13
README.md
13
README.md
|
@ -1,4 +1,15 @@
|
|||
# Docker ELK stack
|
||||
|
||||
# SSL-ifyed Docker ELK stack
|
||||
|
||||
- Added `certs/` folder with helper scripts for creating self-signed certs.
|
||||
- Configured docker-compose, logstash and kibana to use SSL.
|
||||
- No longer exposing Elasticsearch ports on localhost.
|
||||
|
||||
Things to think about
|
||||
|
||||
- [Logstash is finicky about IP SAN](https://github.com/elastic/logstash-forwarder#important-tlsssl-certificate-notes).
|
||||
|
||||
## Docker ELK stack
|
||||
|
||||
[![Join the chat at https://gitter.im/deviantony/fig-elk](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/deviantony/fig-elk?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
|
||||
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
#!/usr/bin/env bash
|
||||
openssl req \
|
||||
-newkey rsa:2048 -nodes -keyout domain.key \
|
||||
-x509 -sha256 -days 365 -out domain.crt
|
|
@ -0,0 +1,3 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
keytool -import -alias selfsigned -file domain.crt -keystore truststore.jks
|
|
@ -1,14 +1,12 @@
|
|||
elasticsearch:
|
||||
image: elasticsearch:latest
|
||||
command: elasticsearch -Des.network.host=0.0.0.0
|
||||
ports:
|
||||
- "9200:9200"
|
||||
- "9300:9300"
|
||||
logstash:
|
||||
image: logstash:latest
|
||||
command: logstash -f /etc/logstash/conf.d/logstash.conf
|
||||
volumes:
|
||||
- ./logstash/config:/etc/logstash/conf.d
|
||||
- ./certs:/etc/certs
|
||||
ports:
|
||||
- "5000:5000"
|
||||
links:
|
||||
|
@ -17,6 +15,7 @@ kibana:
|
|||
build: kibana/
|
||||
volumes:
|
||||
- ./kibana/config/kibana.yml:/opt/kibana/config/kibana.yml
|
||||
- ./certs:/etc/certs
|
||||
ports:
|
||||
- "5601:5601"
|
||||
links:
|
||||
|
|
|
@ -53,8 +53,8 @@ shard_timeout: 0
|
|||
verify_ssl: true
|
||||
|
||||
# SSL for outgoing requests from the Kibana Server (PEM formatted)
|
||||
# ssl_key_file: /path/to/your/server.key
|
||||
# ssl_cert_file: /path/to/your/server.crt
|
||||
ssl_key_file: /etc/certs/domain.key
|
||||
ssl_cert_file: /etc/certs/domain.crt
|
||||
|
||||
# Set the path to where you would like the process id file to be created.
|
||||
# pid_file: /var/run/kibana.pid
|
||||
|
|
|
@ -1,11 +1,18 @@
|
|||
input {
|
||||
tcp {
|
||||
port => 5000
|
||||
codec => json_lines
|
||||
ssl_key => "/etc/certs/domain.key"
|
||||
ssl_cert => "/etc/certs/domain.crt"
|
||||
ssl_enable => true
|
||||
|
||||
# FIXME turn certificate validation
|
||||
# if client certificate does not have a correct IP SAN value
|
||||
# source: https://github.com/elastic/logstash-forwarder#important-tlsssl-certificate-notes
|
||||
ssl_verify => false
|
||||
}
|
||||
}
|
||||
|
||||
## Add your filters here
|
||||
|
||||
output {
|
||||
elasticsearch {
|
||||
hosts => "elasticsearch:9200"
|
||||
|
|
Loading…
Reference in New Issue