Installing dashboards from Auditbeat to Docker containers


#1

Apologies, pretty much a newbie to Docker and ELK. I have a Redhat system that I am trying to monitor on an Ubuntu system using ELK. I have the Ubuntu system running Elasticsearch, Logstash and Kibana 5.6.4 in separate containers and using Docker Compose to bring it up. (Tried v6, but hit a snag that Elastic said they were aware of, so just using 5.6.4 for the time being.)

I was running Linux Audit and Filebeats (6.0.0) on the RedHat system to send the log files to Logstash on the Ubuntu system and it was working.

While looking into the User ID being sent across as a number rather than the ID, came across Auditbeat which seems to combine Linux Audit and Filebeat and resolve the ID issue.

I also liked the idea of deploying the dashboards from Auditbeat, but that is when I started getting stumped. I had the three containers running Elasticsearch, Logstash and Kibana and talking happily to each other.

I had the impression that you installed the dashboards to Kibana and so installed Auditbeat in to the Kibana container (just for the purpose of installing the dashboards, not to run) and after getting past all the permissions issues in running "auditbeat setup --dashboards" got a message saying that it could not connect to Elasticsearch.

So after all that, the simple question, if you are running Elasticsearch, Logstash and Kibana in separate containers, how do you deploy the Auditbeat sample dashboards?

Should I be doing it in the Elasticsearch container?

Steep learning curve for an assembly language developer :wink:


(Pier-Hugues Pellerin) #2

When you start Audibeat (or any other beats) you don't need to start -setup in the same container. The beats itself need to have network access to both Elasticsearch and Kibana. It need to access Kibana to install the dashboard with the API and Elasticsearch to install the templates require by the beat you are trying to run.

Also should run the 3 products on the same version in this case 6.2.1.


#3

Hi Pier, thanks for the reply. My understanding is that the beats will run with back level ELK. Is this correct or is it just that the templates will not deploy back level?

I have certainly had filebeats v6 working with ELK 5.6.4.

I had tried using v6 on ELK in separate containers, but hit a known bug (cannot remember which one, but stopped them talking to each other) that meant I had to go back a level hence why v6+ for the beats and 5.6.4 for ELK.

So if I did have ELK in separate containers all at v6 and talking to each other and run the auditbeat setup command from within the Kibana container, it should deploy the dashboards successfully?


(Pier-Hugues Pellerin) #4

Yes it should work in that case.


#5

Hi Pier, Thanks. Now I have just one problem, we want to use Sentinl rather than the x-pack and at the moment Sentinel is only at 6.0.0 and won't install on a later version of Kibana. :cry:

So when that hits a version past where the bug is in ELK running in separate containers, I might be able to get it to work! Other than that, guess I will have to create my own dashboards.

Any good documentation you are aware of for creating dashboards? Cheers!


(Pier-Hugues Pellerin) #6

Hello @nlh nhl,

It should not be too hard for Sentinl to update...

Concerning the Dashboard, I think the kibana getting started page is good. I also look at existing dashboards from Metricbeat or Filebeat code base.

I think the most important thing to keep in mind when you design a new dashboard, is to define your actionable data.


#7

Just in case anyone else is looking...... Turned out to be pretty easy, you just need to find the command and the place to run it.

Bring up the Elastic system and from the system with Auditbeat on, run the following:

deploy dashboards
auditbeat setup --dashboards -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["web.address.com:9200"]'

deploy templates
auditbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["web.address.com:9200"]'

Where web.address.com is the address of your server to install it on.