Apologies, pretty much a newbie to Docker and ELK. I have a Red Hat system that I am trying to monitor on an Ubuntu system using ELK. I have the Ubuntu system running Elasticsearch, Logstash and Kibana 5.6.4 in separate containers and using Docker Compose to bring it up. (Tried v6, but hit a snag that Elastic said they were aware of, so just using 5.6.4 for the time being.)
I was running Linux Audit and Filebeat (6.0.0) on the Red Hat system to send the log files to Logstash on the Ubuntu system, and it was working.
While looking into the User ID being sent across as a number rather than the ID, I came across Auditbeat, which seems to combine Linux Audit and Filebeat and resolve the ID issue.
I also liked the idea of deploying the dashboards from Auditbeat, but that is when I started getting stumped. I had the three containers running Elasticsearch, Logstash and Kibana and talking happily to each other.
I had the impression that you installed the dashboards to Kibana and so installed Auditbeat into the Kibana container (just for the purpose of installing the dashboards, not to run) and, after getting past all the permissions issues in running "auditbeat setup --dashboards", got a message saying that it could not connect to Elasticsearch.
So after all that, the simple question: if you are running Elasticsearch, Logstash and Kibana in separate containers, how do you deploy the Auditbeat sample dashboards?
Should I be doing it in the Elasticsearch container?
Steep learning curve for an assembly language developer.