docker-compose 安装:
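# Fetch the pinned docker-compose 1.24.1 release binary for this OS/arch
# straight into /usr/local/bin. -f makes curl fail on an HTTP error instead of
# saving the error page as the "binary" (the later chmod would otherwise make
# that garbage executable and --version would fail confusingly).
# NOTE(review): nothing here checks what was downloaded; compare the file's
# sha256 with the checksum published alongside the release asset before
# running it.
sudo curl -fL "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose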
赋予可执行权限:
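# Make the binary executable for every user. A bare "+x" is filtered through
# the current umask, so under a restrictive umask only the owner would get the
# bit; "a+x" sets it for owner, group and others regardless of umask.
sudo chmod a+x /usr/local/bin/docker-compose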
创建软连接:
# Optional: also expose the binary under /usr/bin, for shells or sudo
# configurations whose PATH does not include /usr/local/bin. ln -s refuses to
# overwrite an existing /usr/bin/docker-compose (e.g. one from a distro
# package), which is the safe outcome.
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
查看是否安装成功:
# Verify the install; the expected output is shown on the next line.
docker-compose --version
docker-compose version 1.24.1, build 4667896b
需要创建config,conf.d目录
logstash.yml
---
# logstash.yml — bind mounted into the logstash container at
# /usr/share/logstash/config/logstash.yml (see docker-compose.yml); pipeline
# definitions come from the ./conf.d bind mount. The glob is a plain string to
# Logstash, so it is quoted to keep it from ever being read as anything else.
path.config: '/usr/share/logstash/conf.d/*.conf'
path.logs: '/var/log/logstash'
elasticsearch.yml
---
# elasticsearch.yml — bind mounted into the elasticsearch container
# (docker-compose.yml). Single-node mode is selected there through the
# discovery.type=single-node environment variable, not in this file.
cluster.name: 'docker-cluster'

# Listen on every interface inside the container; together with the published
# 9200/9300 ports this makes the node reachable from the network. This file
# configures no authentication, so anyone who can reach port 9200 can read and
# write the data — keep the published port on a trusted network or put an
# authenticating proxy in front of it.
network.host: '0.0.0.0'

# CORS is opened for every browser origin so the elasticsearch-head UI (served
# on :9100) can call the API from the browser. "*" also lets any other web page
# a user visits call the API from that user's network position; narrowing this
# to the head UI's own origin keeps the UI working with less exposure.
http.cors.allow-origin: '*'
http.cors.enabled: true
kibana.yml
---
# kibana.yml — bind mounted into the kibana container (docker-compose.yml).
server.name: 'kibana'

# Effectively "listen on all container interfaces"; the published 5601 port
# then exposes the UI to the network. Nothing in this file adds authentication
# in front of it.
server.host: '0'

# Reached over the compose network by service name, plain HTTP.
elasticsearch.hosts:
  - 'http://elasticsearch:9200'
monitoring.ui.container.elasticsearch.enabled: true

# UI language.
i18n.locale: 'zh-CN'
docker-compose.yml
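---
# Single-node Elasticsearch/Logstash/Kibana stack plus the elasticsearch-head
# UI. Config files are bind mounted from ./config (elasticsearch.yml,
# logstash.yml, kibana.yml) and the Logstash pipelines from ./conf.d; both
# directories must exist before `docker-compose up -d`.
version: '3'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.9.1
    container_name: elasticsearch
    restart: always
    volumes:
      - ./config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    environment:
      - discovery.type=single-node
    # Both ports are published on every host interface, and elasticsearch.yml
    # sets no authentication, so anything that can reach the host can read and
    # write the indices. Publish on the loopback interface only
    # ("127.0.0.1:9200:9200") unless remote clients really need it. 9300 is
    # the node-to-node transport port and is not needed for a single node.
    ports:
      - "9200:9200"
      - "9300:9300"

  # Service name corrected from the original "elastc-head"; no other entry
  # referenced the misspelled name.
  elastic-head:
    image: mobz/elasticsearch-head:5
    container_name: elasticsearch-head
    restart: always
    ports:
      - "9100:9100"

  logstash:
    image: docker.elastic.co/logstash/logstash:7.9.1
    container_name: logstash
    restart: always
    volumes:
      - ./config/logstash.yml:/usr/share/logstash/config/logstash.yml
      - ./conf.d:/usr/share/logstash/conf.d/
    # Beats input port.
    ports:
      - "5044:5044"
    depends_on:
      - elasticsearch

  kibana:
    image: docker.elastic.co/kibana/kibana:7.9.1
    container_name: kibana
    restart: always
    volumes:
      - ./config/kibana.yml:/usr/share/kibana/config/kibana.yml
    depends_on:
      - elasticsearch
    # Kibana UI, plain HTTP, no authentication configured in kibana.yml.
    ports:
      - "5601:5601"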
启动命令:
# Start the stack in the background. Run from the directory that holds
# docker-compose.yml together with the config/ and conf.d/ directories it
# bind mounts.
docker-compose up -d
启动metricbeat
# Runs a locally tagged metricbeat:v1 image (not the docker.elastic.co image
# the other Beats use; where it was built is not shown here) with the config
# bind mounted read-only from the host.
# NOTE(review): metricbeat.yml enables add_docker_metadata, but nothing here
# mounts the Docker API socket into the container, so that processor has no
# way to reach the daemon — confirm whether Docker enrichment is expected.
docker run -d \
  --user root \
  --name metricbeat \
  -v /home/dnxx/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro \
  metricbeat:v1
metricbeat.yml
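---
# metricbeat.yml — bind mounted read-only into the metricbeat container (see
# the docker run command above). Nesting restored: path/reload.enabled belong
# under metricbeat.config.modules, host under setup.kibana, and hosts/topic
# under output.kafka.
metricbeat.config.modules:
  # Per-module configs are read from modules.d; ${path.config} is expanded by
  # the Beat itself.
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

processors:
  - add_cloud_metadata: ~
  # NOTE(review): add_docker_metadata needs the Docker API socket; the run
  # command above mounts only metricbeat.yml, so confirm the processor can
  # actually reach the daemon.
  - add_docker_metadata: ~

# Dashboards are pushed to Kibana through setup.kibana on start-up.
# NOTE(review): with Kafka as the output the Beat does not load its index
# template into Elasticsearch (that only happens through the Elasticsearch
# output); run `metricbeat setup` against Elasticsearch separately — confirm.
setup.dashboards.enabled: true
# setup.dashboards.url: "http://192.168.30.51:5601"
setup.kibana:
  host: "http://192.168.30.51:5601"

# Metrics leave the host in cleartext: no ssl.* or SASL settings are set for
# the broker, so the producer is unauthenticated and the stream is readable on
# the wire. The Elasticsearch output is kept commented out for reference.
output.kafka:
  hosts: ["192.168.30.51:9092"]
  topic: "system_metric"
# output.elasticsearch:
#   hosts: ["192.168.30.51:9200"]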
启动auditbeat
# Runs Auditbeat 7.9.1 in the host pid namespace with the two capabilities it
# needs (AUDIT_CONTROL to install rules, AUDIT_READ to read the kernel audit
# stream); the config is bind mounted read-only from the host and -e sends
# the Beat's own log to stderr.
# NOTE(review): --strict.perms=false disables the Beat's ownership/permission
# check on auditbeat.yml — presumably because the host copy is not owned by
# root. The Beat will then accept a group- or world-writable config, so keep
# the host file writable only by its owner.
docker run -d \
  --name auditbeat \
  --user root \
  --cap-add AUDIT_CONTROL \
  --cap-add AUDIT_READ \
  --pid host \
  -v /home/dnxx/myproject/config/auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro \
  docker.elastic.co/beats/auditbeat:7.9.1 \
  -e --strict.perms=false
auditbeat.yml
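---
# auditbeat.yml — bind mounted read-only into the auditbeat container, which
# runs in the host pid namespace with the audit capabilities (see the docker
# run command above). Nesting restored: the rules are a block scalar under
# audit_rules, paths belong to the file_integrity module, hosts/topic under
# output.kafka.
auditbeat.modules:
  - module: auditd
    # The block below goes to the kernel audit subsystem as written; the '#'
    # lines inside it are rule-file comments, kept in their original wording.
    # In order: exclude one pid from all syscall auditing, record every 32-bit
    # syscall, 64-bit execve/execveat, 64-bit connect/accept/bind, writes and
    # attribute changes to /etc/group, /etc/passwd and /etc/gshadow, and
    # 64-bit open-style calls that failed with EACCES or EPERM.
    # NOTE(review): the pid exclusion is hard-coded to 19714. A pid belongs to
    # one process lifetime, so after any restart this rule silences whichever
    # process reuses 19714 rather than Auditbeat. The rule's own comment says
    # it was derived from the running Beat's pid — if the Beat adds that
    # exclusion itself at runtime, drop the static copy; otherwise it must be
    # regenerated per start. Confirm which applies before relying on the set.
    audit_rules: |
      #不记录pid为19714的所有系统调用事件,备注:自动根据auditbeat PID定义此规则
      -a never,exit -S all -F pid=19714
      #记录CPU为32位所有系统调用事件
      -a always,exit -F arch=b32 -S all -F key=32bit-abi
      #记录CPU为64位"程序执行"相关系统调用事件
      -a always,exit -F arch=b64 -S execve,execveat -F key=exec
      #记录CPU为64位"远程连接"相关系统调用事件
      -a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
      #对/etc/group、/etc/passwd、/etc/gshadow文件做审计,记录用户身份验证的变化
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      #记录文件打开、修改等因没有权限或不被允许的事件
      -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
      -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access

  - module: file_integrity
    # NOTE(review): these paths are resolved inside the container. The run
    # command mounts only auditbeat.yml, so this hashes the image's own
    # binaries rather than the host's; to monitor the host, bind mount its
    # directories read-only and point paths at the mount points.
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      # - /etc

processors:
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Audit events leave the host in cleartext: no ssl.* or SASL settings are set
# for the broker, so the producer is unauthenticated and the stream is readable
# on the wire. The Elasticsearch output is kept commented out for reference.
output.kafka:
  hosts: ["192.168.30.51:9092"]
  topic: "audit_metric"
# output.elasticsearch:
#   hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
#   username: '${ELASTICSEARCH_USERNAME:}'
#   password: '${ELASTICSEARCH_PASSWORD:}'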
安装filebeat
# Runs filebeat:v1 from the private registry at 192.168.30.53:5000 with the
# config bind mounted read-only; -e logs to stderr and -strict.perms=false
# skips the config ownership/permission check, so keep the host file writable
# only by its owner.
# NOTE(review): Docker pulls from a bare host:port registry over plain HTTP
# only when the daemon lists it as an insecure registry — confirm the registry
# serves TLS, otherwise the image arrives unauthenticated.
docker run -d \
  --name filebeat \
  --user root \
  -v /home/dnxx/myproject/config/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro \
  192.168.30.53:5000/filebeat:v1 \
  filebeat -e -strict.perms=false