Update all container files for ELK

elk-docker/docker-compose.yml

@@ -1,6 +1,6 @@
 #Need to increase vm.max_map_count
 
-#echo vm.max_map_count=262144 >> /etc/sysctl.conf 
+#echo vm.max_map_count=262144 >> /etc/sysctl.conf
 #sudo sysctl -p
 
 version: "3.5"
@@ -10,7 +10,7 @@ services:
     image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
     container_name: setup # Set the container name to "setup"
     volumes:
-      - certs:/usr/share/elasticsearch/config/certs # Map the "certs" volume to the Elasticsearch certs directory
+      - ./certs:/usr/share/elasticsearch/config/certs # Map the "certs" volume to the Elasticsearch certs directory
     user: "0" # Run the container as root (user ID 0)
     command: > # Define a multi-line command to run in the container
       bash -c '
@@ -49,7 +49,7 @@ services:
         echo "Setting ${KIBANA_USERNAME} password";
         until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://es01:9200/_security/user/${KIBANA_USERNAME}/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
         echo "All done!";
-      '            
+      '
     healthcheck:
       # Healthcheck configuration for the setup service
       test: [ "CMD-SHELL", "[ -f config/certs/es01/es01.crt ]" ]
@@ -66,9 +66,49 @@ services:
         condition: service_healthy # Start only when the setup service is healthy (certificates and user passwords are created)
     image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} # Elasticsearch image to use
     container_name: es01 # Name for the container
+#    build:
+#      context: .
+#      dockerfile: Dockerfile
     volumes:
-      - certs:/usr/share/elasticsearch/config/certs # Mount the certificates directory
-      - esdata01:/usr/share/elasticsearch/data # Mount the data directory for Elasticsearch
+      - ./certs:/usr/share/elasticsearch/config/certs # Mount the certificates directory
+      - ./esdata01:/usr/share/elasticsearch/data # Mount the data directory for Elasticsearch
+#    user: "0"
+#    command: >
+#        bash -c '
+#          if [ x${ELASTIC_PASSWORD} == x ]; then
+#            echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
+#            exit 1;
+#          elif [ x${KIBANA_PASSWORD} == x ]; then
+#            echo "Set the KIBANA_PASSWORD environment variable in the .env file";
+#            exit 1;
+#          fi;
+#          if [ ! -f /usr/share/elasticsearch/config/certs/ca.zip ]; then
+#            echo "Creating CA";
+#            bin/elasticsearch-certutil ca --silent --pem -out /usr/share/elasticsearch/config/certs/ca.zip;
+#            unzip /usr/share/elasticsearch/config/certs/ca.zip -d /usr/share/elasticsearch/config/certs;
+#          fi;
+#          if [ ! -f /usr/share/elasticsearch/config/certs/certs.zip ]; then
+#            echo "Creating certs";
+#            echo -ne \
+#            "instances:\n"\
+#            "  - name: es01\n"\
+#            "    ip:\n"\
+#            "      - 10.0.2.109\n"\
+#
+#            > /usr/share/elasticsearch/config/certs/instances.yml;
+#            bin/elasticsearch-certutil cert --silent --pem -out /usr/share/elasticsearch/config/certs/certs.zip --in /usr/share/elasticsearch/config/certs/instances.yml --ca-cert /usr/share/elasticsearch/config/certs/ca/ca.crt --ca-key /usr/share/elasticsearch/config/certs/ca/ca.key;
+#            unzip /usr/share/elasticsearch/config/certs/certs.zip -d /usr/share/elasticsearch/config/certs;
+#          fi;
+#          echo "Setting file permissions"
+#          chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/config/certs;
+#          find /usr/share/elasticsearch/config/certs -type d -exec chmod 750 \{\} \;;
+#          find /usr/share/elasticsearch/config/certs -type f -exec chmod 640 \{\} \;;
+#          echo "Waiting for Elasticsearch availability";
+#          # until curl -s --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
+#          echo "Setting kibana_system password";
+#          # until curl -s -X POST --cacert /usr/share/elasticsearch/config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
+#          echo "All done!";
+#        '
     ports:
       - ${ES_PORT}:${ES_PORT} # Expose Elasticsearch's HTTP API
     environment:
@@ -81,15 +121,16 @@ services:
       - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} # Set the password for the "elastic" user
       - bootstrap.memory_lock=true # Lock the process address space into RAM to prevent swapping
       - xpack.security.enabled=true # Enable X-Pack security features
+      - xpack.security.authc.api_key.enabled=true
       - xpack.security.http.ssl.enabled=true # Enable SSL for the HTTP API
-      - xpack.security.http.ssl.key=certs/es01/es01.key # Set the SSL key file
-      - xpack.security.http.ssl.certificate=certs/es01/es01.crt # Set the SSL certificate file
-      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt # Set the SSL certificate authority
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/es01/es01.key # Set the SSL key file
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/es01/es01.crt # Set the SSL certificate file
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt # Set the SSL certificate authority
       - xpack.security.http.ssl.verification_mode=certificate # Set the SSL verification mode
       - xpack.security.transport.ssl.enabled=true # Enable SSL for the transport layer
-      - xpack.security.transport.ssl.key=certs/es01/es01.key # Set the transport SSL key file
-      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt # Set the transport SSL certificate file
-      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt # Set the transport SSL certificate authority
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/es01/es01.key # Set the transport SSL key file
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/es01/es01.crt # Set the transport SSL certificate file
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca/ca.crt # Set the transport SSL certificate authority
       - xpack.security.transport.ssl.verification_mode=certificate # Set the transport SSL verification mode
       - xpack.license.self_generated.type=${LICENSE} # Set the type of self-generated license
     mem_limit: ${MEM_LIMIT} # Set the memory limit for the container
@@ -120,12 +161,15 @@ services:
     image: docker.elastic.co/kibana/kibana:${STACK_VERSION} # Kibana image to use
     container_name: kibana # Name for the container
     volumes:
-      - certs:/usr/share/kibana/config/certs # Mount the certificates directory
-      - kibanadata:/usr/share/kibana/data # Mount the data directory for Kibana
+      - ./certs:/usr/share/kibana/config/certs # Mount the certificates directory
+      - ./kibanadata:/usr/share/kibana/data # Mount the data directory for Kibana
     ports:
       - ${KIBANA_PORT}:${KIBANA_PORT} # Expose Kibana's HTTP API
     environment:
       # Environment variables for configuring Kibana
+      - xpack.encryptedSavedObjects.encryptionKey=XPACK_SECURITY_ENCRYPTIONKEY
+      - elasticsearch.username=${KIBANA_USERNAME}
+      - elasticsearch.password=${KIBANA_PASSWORD}
       - SERVERNAME=kibana # Set the server name
       - ELASTICSEARCH_HOSTS=https://es01:9200 # Set the Elasticsearch hosts
       - ELASTICSEARCH_USERNAME=${KIBANA_USERNAME} # Set the Elasticsearch username
@@ -137,14 +181,14 @@ services:
       - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${CRYPTO_PASSWORD} # Set the encryption key for encrypted saved objects
       - ES_ENFORCE_BOOTSTRAP_CHECKS=false # Disable enforcement of bootstrap checks
       - XPACK_REPORTING_ENCRYPTIONKEY=${CRYPTO_PASSWORD} # Set the encryption key for reporting
-      - XPACK_FLEET_AGENTS_ELASTICSEARCH_HOSTS:'["https://es01:9200"]'
+      - XPACK_FLEET_AGENTS_ELASTICSEARCH_HOSTS:"['https://es01:9200']"
     mem_limit: ${MEM_LIMIT} # Set the memory limit for the container
     healthcheck:
       # Healthcheck for the Kibana servi
       test:
         [
           "CMD-SHELL",
-          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'"
+          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 200 OK'"
         ]
       interval: 10s # Interval between healthcheck attempts
       timeout: 10s # Timeout for each healthcheck attempt
@@ -166,30 +210,32 @@ services:
       - ./logstash.conf:/usr/share/logstash/config/logstash.conf # Mount the Logstash configuration file
       - ./logs:/usr/share/logstash/logs # Mount the logs directory for Logstash
       - ./logstash.yml:/usr/share/logstash/config/logstash.yml # Mount the Logstash YAML configuration file
-      - certs:/usr/share/logstash/config/certs # Mount the certificates directory
+      - ./certs:/usr/share/logstash/config/certs # Mount the certificates directory
     environment:
       - "LS_JAVA_OPTS=-Xmx512m -Xms512m" # Set the Java options for Logstash (memory settings)
     ports:
       - ${LOGSTASH_PORT}:${LOGSTASH_PORT} # Expose Logstash's listening port
     mem_limit: ${MEM_LIMIT} # Set the memory limit for the container
     networks:
       - elk
-      #metricbeat:
-      ##Curretnly not working on EC2 and may not need to be used in favor of Fleet Agent##
-      # Metricbeat service
-      #image: docker.elastic.co/beats/metricbeat:${STACK_VERSION} # Metricbeat image to use
-      #container_name: metricbeat # Name for the container
-      #volumes:
-      #- ./metricbeat.yml:/usr/share/metricbeat/metricbeat.yml # Mount the Metricbeat configuration file
-      #- /var/run/docker.sock:/var/run/docker.sock # Mount the Docker socket for container metrics
-      #- certs:/usr/share/metricbeat/config/certs
-      #depends_on:
+
+  metricbeat:
+    # Metricbeat service
+    image: docker.elastic.co/beats/metricbeat:${STACK_VERSION} # Metricbeat image to use
+    container_name: metricbeat # Name for the container
+    volumes:
+      - ./metricbeat.yml:/usr/share/metricbeat/metricbeat.yml # Mount the Metricbeat configuration file
+      - ./var/run/docker.sock:/var/run/docker.sock # Mount the Docker socket for container metrics
+      - ./certs:/usr/share/metricbeat/config/certs
+    depends_on:
       # Define dependencies for the service
-      #- logstash
-      #- es01
-      #command: metricbeat -e -strict.perms=false # Start Metricbeat with error logging and disabled strict permission checks
-      #networks:
-      #- elk
+      - logstash
+      - es01
+    command: metricbeat -e -strict.perms=false # Start Metricbeat with error logging and disabled strict permission checks
+    env_file:
+      - .env
+    networks:
+      - elk
 
   filebeat:
     # Filebeat Service
@@ -202,9 +248,11 @@ services:
     user: root
     volumes:
       - ./filebeats.yml:/usr/share/filebeat/filebeat.yml # Mount the Filebeats configuration file
-      - certs:/usr/share/filebeat/config/certs # Mount the certificates directory
+      - ./certs:/usr/share/filebeat/config/certs # Mount the certificates directory
       - /var/log:/var/log
-    command: filebeat -e -strict.perms=false # Start Filebeats with error logging and disabled strict permission checks
+    command: /bin/sh -c "echo $$ELASTIC_USERNAME && echo $$ELASTIC_PASSWORD && filebeat -e -strict.perms=false" # Start Filebeats with error logging and disabled strict permission checks
+    env_file:
+      - .env
     networks:
       - elk
 

elk-docker/env.sh

@@ -13,6 +13,10 @@ echo "ELASTIC_PASSWORD=${ELASTIC_PASSWORD}" >> .env
 KIBANA_PASSWORD=$(aws ssm get-parameter --name /ELK-Test/KIBANA_PASSWORD --with-decryption --query 'Parameter.Value' --output text)
 echo "KIBANA_PASSWORD=${KIBANA_PASSWORD}" >> .env
 
+# Get the Kibana IP address parameter, decrypt it, and append it to the .env file.
+KIBANA_IP=$(aws ssm get-parameter --name /ELK-Test/KIBANA_IP --with-decryption --query 'Parameter.Value' --output text)
+echo "KIBANA_IP=${KIBANA_IP}" >> .env
+
 # Get the Cluster Name parameter, decrypt it, and append it to the .env file.
 CLUSTER_NAME=$(aws ssm get-parameter --name /ELK-Test/CLUSTER_NAME --with-decryption --query 'Parameter.Value' --output text)
 echo "CLUSTER_NAME=${CLUSTER_NAME}" >> .env

elk-docker/logstash.conf

@@ -18,7 +18,7 @@ input {
     # ssl_extra_chain_certs => ["/path/to/another-ca-file.ca"] # Uncomment this line if you need to provide an additional CA file for the certificate chain.
   }
 }
-    
+
 # Filter section: This is where you process and enrich the input data.
 filter {
   # Use the grok filter plugin to parse the log message using the COMBINEDAPACHELOG pattern.
@@ -34,7 +34,7 @@ filter {
   mutate {
     add_field => { "client_ip" => "172.16.6.129" }
   }
-  
+
   # Use the geoip filter plugin to add geolocation information to the event based on the client_ip field.
   geoip {
     source => "[client_ip]"
@@ -46,12 +46,12 @@ output {
   elasticsearch {
     hosts => "http://es01:9200/"    # Elasticsearch host URL.
     index => "logs-%{+YYYY.MM.dd}"        # Index pattern for storing the data in Elasticsearch.
-    user => "${ELASTIC_USERNAME}" # or the appropriate user if it's different 
-    password => "${ELASTIC_PASSWORD}"  # replace with your actual password 
-    ssl => true 
+    user => "${ELASTIC_USERNAME}" # or the appropriate user if it's different
+    password => "${ELASTIC_PASSWORD}"  # replace with your actual password
+    ssl => true
     cacert => "/usr/share/logstash/config/certs/es01/es01.crt" # replace with the path to your CA certificate file }
   }
-  
+
   # Output the processed data to the console using the rubydebug codec.
   stdout {
     codec => rubydebug

elk-docker/metricbeat.yml

@@ -14,14 +14,17 @@ metricbeat.modules:
 
 # Configure the output destination for the collected metrics.
 output.elasticsearch:
-  hosts: "es01:9200"
-  protocol: "https"
+  hosts: ["https://es01:9200"]  # Specify the hosts of your Elasticsearch instance.
   username: "${ELASTIC_USERNAME}"             # The username used to connect to Elasticsearch.
   password: "${ELASTIC_PASSWORD}"        # The password used to connect to Elasticsearch.
-  ssl.verification_mode: "true"  # To skip verification. Use with caution.
+  ssl.verification_mode: "full"  # To skip verification. Use with caution.
   # Or, provide the path to the CA certificate.
-  ssl.certificate_authorities: ["/usr/share/metricbeat/config/certs/CA.pem"]
+  ssl.certificate_authorities: [ "/usr/share/metricbeat/config/certs/ca/ca.crt" ]
+  ssl.certificate: "/usr/share/metricbeat/config/certs/ca/ca.crt"
+  ssl.key: "/usr/share/metricbeat/config/certs/ca/ca.key"
 
 # Configure the Kibana settings for index pattern setup and dashboard loading.
 setup.kibana:
   host: "kibana:5601"
+
+