This version of SELKS is based on Docker images and is intended to make deployment and management on Kubernetes easier.
For information on the standard SELKS implementation, see https://github.com/StamusNetworks/SELKS#selks
Minimal hardware requirements:
- 2 cores
- 8 GB of free RAM
- 10 GB of free disk space (actual disk usage will mainly depend on the number of rules and the amount of traffic on the network). 200GB+ SSD grade storage is recommended.

Software requirements:
- git
- curl
- Kubernetes >= 1.21 (tested on k3s 1.22)
- docker or containerd
Clone the SELKS Git repository:

```sh
git clone https://github.com/StamusNetworks/SELKS.git
cd SELKS/kubernetes/
```
Update the PVs and storage class according to your own needs. Replace the username and password in the secret definitions.
Choose between Logstash with Filebeat, or Fluentd with Fluent-bit. Fluentd uses significantly less memory (Logstash uses 1G to 1.5G by default, Fluentd about 100M), but you need to build your own container image with certain plugins and push it to a (self-hosted) private Docker registry in order to get all of the features that Logstash provides by default. We've included some basic Kubernetes logging in the Fluentd/Fluent-bit configuration.
```sh
# Set up storage
mkdir -p /data/arkime/{pcap,logs} /data/suricata/{logrotate,rules,run,logs/fpc} /data/scirius/{data,logs,static} /data/elasticsearch
chown -R 997:995 /data/suricata
chown -R 1000:995 /data/scirius
chown -R 1000:1000 /data/elasticsearch
chown -R 1000:1000 /data/arkime

# Create the NGINX TLS key pair (self-signed, valid 10 years) and generate the secret manifest from it
openssl req -new -nodes -x509 -subj "/C=FR/ST=IDF/L=Paris/O=Stamus/CN=SELKS" -days 3650 -keyout ./tls.key -out tls.crt -extensions v3_ca
# --dry-run=client renders the manifest locally without contacting the cluster (the bare --dry-run form is deprecated)
kubectl create secret tls nginx-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml > nginx/nginx-secret.yaml

# Deploy
chmod +x install.sh
./install.sh

# To load the Kibana dashboards, once Kibana is up and running
kubectl create --save-config -f kibana/alpine.yaml
```
Once the services have been applied, you can get the NodePort using the following command:

```sh
kubectl get svc -n suricata nginx
```

In the example below, 31584 is the NodePort to connect to.

```
NAME    TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
nginx   NodePort   10.43.233.61   <none>        443:31584/TCP,80:30831/TCP   27h
```

Once the deployments are up and running, point your browser to https://your.selks.IP.here:31584/
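As an added example (not part of the SELKS repository), the following Python helper reads the `kubectl get svc` table shown above, maps each service port to its NodePort, and builds the HTTPS URL to open; it refuses services that are not of type NodePort or that expose no NodePort for 443. The sample output is constructed from the lines above and the node address is a placeholder.

```python
"""Resolve the SELKS NodePort from `kubectl get svc -n suricata nginx` output."""
import re

# Constructed sample: the two lines shown above for the nginx service.
SAMPLE_SVC_OUTPUT = """\
NAME    TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
nginx   NodePort   10.43.233.61   <none>        443:31584/TCP,80:30831/TCP   27h
"""

# One PORT(S) entry: '443:31584/TCP' (NodePort) or '443/TCP' (ClusterIP, no NodePort).
PORT_RE = re.compile(r"^(?P<port>\d+)(?::(?P<node_port>\d+))?/(?P<proto>TCP|UDP|SCTP)$")


def parse_ports(ports_field: str) -> dict:
    """Map service port -> NodePort (None when the port has no NodePort)."""
    mapping = {}
    for item in ports_field.split(","):
        m = PORT_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        node_port = m.group("node_port")
        mapping[int(m.group("port"))] = int(node_port) if node_port else None
    return mapping


def node_port_for(svc_output: str, name: str, port: int) -> int:
    """Return the NodePort kubectl reports for `port` on service `name`."""
    lines = svc_output.strip().splitlines()
    col = {h: i for i, h in enumerate(lines[0].split())}  # header -> column index
    for line in lines[1:]:
        fields = line.split()
        if fields[col["NAME"]] != name:
            continue
        if fields[col["TYPE"]] != "NodePort":
            raise ValueError(f"service {name} is {fields[col['TYPE']]}, not NodePort")
        node_port = parse_ports(fields[col["PORT(S)"]]).get(port)
        if node_port is None:
            raise ValueError(f"service {name} exposes no NodePort for port {port}")
        return node_port
    raise ValueError(f"service {name} not found in kubectl output")


def selks_url(svc_output: str, node_ip: str, name: str = "nginx") -> str:
    """Build the HTTPS URL for the browser (service port 443 -> its NodePort)."""
    return f"https://{node_ip}:{node_port_for(svc_output, name, 443)}/"


if __name__ == "__main__":
    print(selks_url(SAMPLE_SVC_OUTPUT, "your.selks.IP.here"))  # https://your.selks.IP.here:31584/
```

On a live cluster, feed it the real output, e.g. `selks_url(subprocess.check_output(["kubectl", "get", "svc", "-n", "suricata", "nginx"]).decode(), node_ip)`.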
Alternatively, you can alter and apply the nginx-ingress YAML definition and access the cluster via FQDN.
In order to access Scirius, you will need the following credentials:
- user: selks-user
- password: selks-user
More info and details can be found on our wiki.
There are many ways to get help, including our live chat: Getting Help
If you've encountered an issue, please let us know: Report Issue