Works for moving to central elasticsearch database.

docker/elk/logstash/dist/logstash.conf

@@ -690,13 +690,28 @@ if "_jsonparsefailure" in [tags] { drop {} }
 
 # Output section
 output {
-  elasticsearch {
-    hosts => ["elasticsearch:9200"]
-    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
-    index => "logstash-%{+YYYY.MM.dd}"
-    template => "/etc/logstash/tpot_es_template.json"
-#    document_type => "doc"
-  }
+  # TODO: switch by auth config
+  #if "${MY_ELK_COLLECTOR_AUTH}" == "basic" {
+    elasticsearch {
+      hosts => ["${MY_ELK_COLLECTOR_HOST}"]
+      user => "${MY_ELK_COLLECTOR_USER}"
+      password => "${MY_ELK_COLLECTOR_PASSWORD}"
+      ssl => true
+      ssl_certificate_verification => false
+      # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/etc/logstash/tpot_es_template.json"
+      #document_type => "doc"
+    }
+  #} else {
+  #  elasticsearch {
+  #    hosts => ["${MY_ELK_COLLECTOR_HOST}"]
+  #    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
+  #    index => "logstash-%{+YYYY.MM.dd}"
+  #    template => "/etc/logstash/tpot_es_template.json"
+  #    #document_type => "doc"
+  #  }
+  #}
 
   #if [type] == "Suricata" {
   #    file {

docker/elk/logstash/docker-compose.yml

@@ -14,6 +14,7 @@ services:
 #        condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data

etc/compose/collector.yml

@@ -167,6 +167,7 @@ services:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data

etc/compose/elk_collector

@@ -0,0 +1,8 @@
+MY_ELK_COLLECTOR_HOST=elasticsearch:9200
+MY_ELK_COLLECTOR_AUTH=none
+# MY_ELK_COLLECTOR_HOST=https://you_collector_ip:64297/es/
+# MY_ELK_COLLECTOR_AUTH=basic
+# Password have to be created at collector host at file /data/nginx/conf/nginxpasswd
+# MY_ELK_COLLECTOR_USER=username
+# MY_ELK_COLLECTOR_PASSWORD=password
+

etc/compose/industrial.yml

@@ -374,6 +374,7 @@ services:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data

etc/compose/medical.yml

@@ -151,6 +151,7 @@ services:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data

etc/compose/nextgen.yml

@@ -537,6 +537,7 @@ services:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data

etc/compose/sensor.yml

@@ -535,3 +535,19 @@ services:
     volumes:
      - /data:/data
      - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+#    environment:
+#     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
+    image: "dtagdevsec/logstash:2006"
+    volumes:
+     - /data:/data

etc/compose/standard.yml

@@ -550,6 +550,7 @@ services:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+     - /opt/tpot/etc/compose/elk_collector
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data