Thursday, November 9, 2017

Docker ELK Stack and the geo ip plugin

https://docs.docker.com/compose/gettingstarted/#step-3-define-services-in-a-compose-file

http://elk-docker.readthedocs.io/#running-with-docker-compose

# https://elk-docker.readthedocs.io/#installation
sudo docker pull sebp/elk
docker images

# https://elk-docker.readthedocs.io/#usage
sudo docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk

# or set up a yml file
# create an entry for the ELK Docker image by adding the following lines to
# your docker-compose.yml file:

elk:
  image: sebp/elk
  ports:
    - "5601:5601"
    - "9200:9200"
    - "5044:5044"

You can then start the ELK container like this:

$ sudo docker-compose up elk


# follow the instructions to inject a log msg into Logstash

# inject the msg

# in a browser view the injected msg

http://192.168.1.155:9200/_search?pretty

http://192.168.1.155:5601/app/kibana#/management/kibana/index?_g=()

# use the container id from the docker ps and stop the container

docker stop fce12628893c

# Let's now build an elk-docker image from a git clone

cd

git clone https://github.com/spujadas/elk-docker

http://elk-docker.readthedocs.io/#building-image

https://stackoverflow.com/questions/36617904/extending-local-dockerfile

# build the cloned docker image
# the trailing "." is the build context (the cloned directory containing the Dockerfile)

~/elk-docker$ docker build -t elk-docker .

# now create the second Dockerfile, which will add the GeoIP plugin

A Dockerfile like the following will extend the base image and install the GeoIP processor plugin (which adds information about the geographical location of IP addresses):

FROM sebp/elk

ENV ES_HOME /opt/elasticsearch
WORKDIR ${ES_HOME}

RUN CONF_DIR=/etc/elasticsearch gosu elasticsearch bin/elasticsearch-plugin \
    install ingest-geoip

You can now build the new image (see the Building the image section above) and run the container in the same way as you did with the base image.
~$ mkdir elk-docker-geoip
~$ cd !$
cd elk-docker-geoip
~/elk-docker-geoip$ vi Dockerfile

FROM sebp/elk

ENV ES_HOME /opt/elasticsearch
WORKDIR ${ES_HOME}

RUN CONF_DIR=/etc/elasticsearch gosu elasticsearch bin/elasticsearch-plugin \
    install ingest-geoip

~/elk-docker-geoip$ docker build -t elk-docker .
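To confirm the rebuilt image really enriches events, here is an added example (mine, not from the original post or the elk-docker project) that asks Elasticsearch to run a geoip ingest pipeline over a couple of constructed events via the _simulate API, without indexing anything. It assumes Elasticsearch answers unauthenticated on the address used in the notes above, and the field names client_ip and geo are my own choice.

```python
"""Check the ingest-geoip plugin in the extended ELK image with _ingest/pipeline/_simulate."""
import json
import urllib.request

# Elasticsearch REST endpoint as used in the notes above (plain HTTP, no auth, as the page's URLs show).
ES_URL = "http://192.168.1.155:9200"

# Constructed sample events, shaped like what Logstash/Beats would ship.
# 8.8.8.8 is a well-known public resolver; 10.0.0.5 is RFC 1918 and has no GeoLite2 entry.
SAMPLE_DOCS = [
    {"_source": {"message": "accepted login", "client_ip": "8.8.8.8"}},
    {"_source": {"message": "internal probe", "client_ip": "10.0.0.5"}},
]


def build_geoip_pipeline(source_field="client_ip", target_field="geo"):
    """Pipeline using the geoip processor that the Dockerfile above installs.
    ignore_missing lets events without the source field pass instead of failing."""
    return {
        "description": "enrich client_ip with GeoLite2 location data",
        "processors": [
            {"geoip": {"field": source_field, "target_field": target_field,
                       "ignore_missing": True}}
        ],
    }


def simulate(pipeline, docs, es_url=ES_URL):
    """POST the pipeline plus docs to _simulate; returns the enriched docs without indexing them."""
    body = json.dumps({"pipeline": pipeline, "docs": docs}).encode()
    req = urllib.request.Request(f"{es_url}/_ingest/pipeline/_simulate", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_geo(simulate_response, target_field="geo"):
    """Return (message, country_iso_code) per doc; country is None when the IP resolved to nothing,
    and both are None when the processor reported an error for that doc."""
    results = []
    for entry in simulate_response["docs"]:
        if "error" in entry:
            results.append((None, None))
            continue
        src = entry["doc"]["_source"]
        geo = src.get(target_field) or {}
        results.append((src["message"], geo.get("country_iso_code")))
    return results


if __name__ == "__main__":
    for message, country in extract_geo(simulate(build_geoip_pipeline(), SAMPLE_DOCS)):
        print(f"{message!r}: {country or 'no location (private or unknown IP)'}")
```

If the plugin is missing, the response carries an error naming the unknown geoip processor type, which is the quickest sign that the new image was not the one started.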
