Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the full HELK stack #592

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Update the full HELK stack #592

wants to merge 16 commits into from

Conversation

krapgras
Copy link

@krapgras krapgras commented May 20, 2024
edited

What is this PR for?
I have updated the HELK stack to the newest version of the stack.

What did I do?

  • Make all docker container builds locally, this way people can do upgrades if HELK stays unmaintained.
  • Update ELK (Elastic Search, Logstash, Kibana) stack to version 8.13.4
  • Update syntax of kibana objects and logstash templates/indexes
  • Upgrade to elastalert version 2
  • Upgrade to pysigma/sigma-cli instead of sigmac
  • Build base images but don't run them so save resources
  • Upgrade zookeeper/Kafka to the new kraft setup
  • Update logstash plugins
  • Change which files are loaded in elastalert as sigma HQ repo has changed in the years
  • Update other libs where possible (Python, postgres, Spark, Hadoop, ...)

What did I not do and should still be done?

  • Update the actual indexes / rules / intel (Mitre attack, ...) , I have fixed the syntax but not the actual context
  • Do end to end testing, only checked docker logs and kept running for 10+ hours, I fixed all errors / obvious issues
  • Clean up additional less used files like setup firewall, update, remove containers, ...
  • Update Documentation to reflect the new state

Questions:

Will I continue to maintain this?

  • Maybe partially, but probably not the content part

Do you need to accept this PR?

  • No, i just want to raise the awareness that i did this for people still wanting to use this at some point.

Does this needs documentation?

  • Probably needs a good update

Will there be bugs?

  • I'm sure there will be bugs, feel free to fix/report them if you encounter them.

Feel free to update all code as i know i'm not perfect!

Ignace De Cock added 16 commits May 19, 2024 02:01
Update all dependencies to last version and use local containers
0a2b7f1
Update to elastalert v2
1c0c32e
Update elastic search config
744073e
Update jupyter and add base images to build from local source
88eb3d5 
Also add jupyter to spark master
Switch kafka from zookeeper to new kraft system
83956c8
update kibana config
788aec1
update and fix some kibana issues
95c49db
Update template, plugins and options to new logstash syntax/version
d01b99a
update install file to use new docker compose and build base images l…
4952074 
…ocally before composing
build locally and add base images
732671b
update some docs
c79f4dc
Remove @ sign if owner starts with @ as it breaks parcing + map times…
00c456c 
…tamp field
Remove mapping as it fails to start
4f49e69
Forgot to remove old files after copy from WIP
d9c5808
Fix index elastalert + update rule processing
5ff7c52
Bug Fix: Remove data stream as new kibana tries to make .kibana analy…
4f9c43a 
…tics index

Error cannot create index because it matches with template that creates data streams only
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@krapgras