[ABANDONED] A Docker container running Suricata and the ELK stack.
Clone or download
jasonish Update README.md
Point users to Amsterdam.
Latest commit 121e85f Jan 27, 2016
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
image Move back to Suricata stable now that 3.0 is out. Jan 27, 2016
.gitignore Initial docker image of ELK+Suricata. Sep 12, 2014
README.md Update README.md Jan 27, 2016
launcher More launcher script cleanup. Jul 9, 2015

README.md

About

NOTE: I have stopped maintaining this Docker image. For Suricata + ELK check out the Amsterdam project which uses more recent versions of Elastic Search and Kibana, as well as docker-compose, a better way to run multiple related apps in containers.

A Docker image with Suricata and the ELK (Elastic Search, Logstash, Kibana).

NOTE

Unlike most Docker containers, this one uses host networking. At this time it will attempt to bind the following ports:

  • 7777: The web interface to expose Kibana and EveBox
  • 9200: Elastic Search

This is to allow Suricata access to your physical interfaces while running inside the Docker container. A more "Docker" approach would probably be to break this one container into two, one for Suricata, and one for ELK.

Running

As this is a Docker container you need to be running Docker on Linux. Please refer to the Docker documentation at https://docs.docker.com/ for installation help. Note that if running in a virtual machine you should allocate at least 2GB of memory.

Then assuming your running on your localhost, point your browser at http://localhost:7200.

The container is completely stateless with all persistent data stored in ./data. This includes the Elastic Search database and all log files.

To get a shell into the running container (may require sudo):

  • ./launcher enter

Building

If you wish to rebuild the image yourself simply run:

  • ./launcher build