Initial

GDR! · GDR! · commit 3815364e1744 · 2018-07-13T19:40:33.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,13 @@
+FROM sebp/elk
+
+ENV ES_HOME /opt/elasticsearch
+WORKDIR ${ES_HOME}
+
+RUN CONF_DIR=/etc/elasticsearch gosu elasticsearch bin/elasticsearch-plugin \
+    install -b ingest-geoip
+
+WORKDIR ${LOGSTASH_HOME}
+RUN gosu logstash bin/logstash-plugin install logstash-codec-netflow
+
+ADD logstash-30-netflow.conf /etc/logstash/conf.d/30-netflow.conf
+ADD elk-post-hooks.sh /usr/local/bin/elk-post-hooks.sh
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,7 @@
+elk:
+  image: sebp/elk
+  ports:
+    - "5601:5601"
+    - "9200:9200"
+    - "5044:5044"
+    - "9995:9995/udp"
diff --git a/elk-post-hooks.sh b/elk-post-hooks.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ -f /setup_complete ]; then
+	exit 0
+fi
+
+echo "Running first-run setup hooks"
+
+touch /setup_complete
+
+cd /opt/logstash
+bin/logstash --modules netflow --setup
+echo "Netflow module setup complete"
diff --git a/logstash-30-netflow.conf b/logstash-30-netflow.conf
@@ -0,0 +1,21 @@
+input {
+        udp {
+                 port => 9995
+                 type => "netflow"
+                 codec => "netflow"
+        }
+}
+
+filter {
+        if [type] == "netflow" {
+                geoip {
+                        source => "netflow.ipv4_src_addr"
+                        target => "netflow.src_geo"
+                }
+                geoip {
+                        source => "netflow.ipv4_dst_addr"
+                        target => "netflow.dst_geo"
+                }
+        }
+}
+
