tpotce/docker/elk/README.md

# dockerized elk stack


[elk](http://www.elasticsearch.org/overview/) is a stack combining elasticsearch, logstash and the kibana dashboard. It is used to structure and vizualize data in realtime.

This repository contains the necessary files to create a *dockerized* version of the elk stack.

This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.

The `Dockerfile` contains the blueprint for the dockerized elk stack and will be used to setup the docker image.  

Further, `elasticsearch.yml`, `logstash.conf`, `elkbase.tar.gz`, `elk.ico` and `kibana.svg`,  are all tailored to fit the T-Pot environment.

The `supervisord.conf` is used to start elk under supervision of supervisord.

Using systemd, copy the `systemd/elk.service` to `/etc/systemd/system/elk.service` and start using

```
systemctl enable elk
systemctl start elk
```

This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot.

Starting with T-Pot 16.10 you can simply access the kibana dashboard by browsing to ``https://<your.ip>:64297`` and enter your web user credentials.

Note: The kibana dashboard can be customized to fit your needs.

By default all data will be persistently stored in `/data/elk/`. Indexed events older than 90 days will be deleted. You can adjust this behavior in `/etc/crontab` to fit your needs, but be advised to provide enough RAM and free disk-space if you wish to do so.

# T-Pot Dashboard

![T-Pot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/elk/master/doc/dashboard.png)
include docker repos ... skip emobility since it is a dev repo 2017-10-13 18:58:14 +00:00			`# dockerized elk stack`


			`[elk](http://www.elasticsearch.org/overview/) is a stack combining elasticsearch, logstash and the kibana dashboard. It is used to structure and vizualize data in realtime.`

			`This repository contains the necessary files to create a dockerized version of the elk stack.`

			`This dockerized version is part of the [T-Pot community honeypot](http://dtag-dev-sec.github.io/) of Deutsche Telekom AG.`

			The `Dockerfile` contains the blueprint for the dockerized elk stack and will be used to setup the docker image.

			Further, `elasticsearch.yml`, `logstash.conf`, `elkbase.tar.gz`, `elk.ico` and `kibana.svg`, are all tailored to fit the T-Pot environment.

			The `supervisord.conf` is used to start elk under supervision of supervisord.

			Using systemd, copy the `systemd/elk.service` to `/etc/systemd/system/elk.service` and start using

			```
			`systemctl enable elk`
			`systemctl start elk`
			```

			`This will make sure that the docker container is started with the appropriate permissions and port mappings. Further, it autostarts during boot.`

			Starting with T-Pot 16.10 you can simply access the kibana dashboard by browsing to ``https://<your.ip>:64297`` and enter your web user credentials.

			`Note: The kibana dashboard can be customized to fit your needs.`

			By default all data will be persistently stored in `/data/elk/`. Indexed events older than 90 days will be deleted. You can adjust this behavior in `/etc/crontab` to fit your needs, but be advised to provide enough RAM and free disk-space if you wish to do so.

			`# T-Pot Dashboard`

			`![T-Pot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/elk/master/doc/dashboard.png)`