常用docker-compose配置

elasticsearch、kibana

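version: '3'
networks:
  elasticsearch:
    driver: bridge
services:
  elasticsearch:
    image: elasticsearch:7.17.9
    container_name: elasticsearch
    restart: 'always'
    environment:
      # formatMsgNoLookups is a belt-and-braces Log4Shell mitigation; 7.17.9 already
      # ships a patched log4j, so it is redundant but harmless. Keep -Xms/-Xmx equal
      # and no more than half of the host RAM (the rest is needed for the page cache).
      ES_JAVA_OPTS: '-Dlog4j2.formatMsgNoLookups=true -Xms4g -Xmx4g'
      http.host: '0.0.0.0'
      network.host: '0.0.0.0'
      # Transport is bound to loopback *inside the container*: no other node can
      # join this one and Elasticsearch runs its single-node/development mode.
      transport.host: 'localhost'
      # State the single-node intent explicitly instead of relying on the
      # development-mode auto-bootstrap that transport.host=localhost triggers.
      discovery.type: 'single-node'
      bootstrap.memory_lock: 'true'
      # Compose passes environment values as strings; quote them so YAML does not
      # retype them on the way through.
      indices.query.bool.max_clause_count: '8192'
      search.max_buckets: '250000'
      # Refuse index deletion by wildcard or _all (DELETE /* , DELETE /_all).
      action.destructive_requires_name: 'true'
      # SECURITY: X-Pack security is OFF by default on 7.x, so this node accepts
      # unauthenticated reads, writes and deletes from anything that can reach
      # port 9200. The port mappings below are therefore pinned to loopback.
      # To add authentication, uncomment the two lines below (password supplied
      # via .env), then give Kibana (kibana_system) and the ElastiFlow collector
      # their own credentials -- do not hand them the elastic superuser.
      #xpack.security.enabled: 'true'
      #ELASTIC_PASSWORD: '${ELASTIC_PASSWORD:?ELASTIC_PASSWORD must be set in .env}'

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
      nproc: 8192
      fsize: -1
    volumes:
      # Create the data directory first and hand it to the container's uid (1000):
      #   mkdir -p /opt/elasticsearch && chown -R 1000:1000 /opt/elasticsearch
      - /opt/elasticsearch:/usr/share/elasticsearch/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - elasticsearch
    ports:
      # Loopback only: the ElastiFlow collector (host network) and a local nginx
      # proxy reach 127.0.0.1:9200; nothing else on the LAN needs to.
      - '127.0.0.1:9200:9200'
      # 9300 is deliberately not published: transport.host above binds it to the
      # container's own loopback, so a host mapping would expose a port that
      # nothing answers on.
  # Kibana
  kibana:
    image: kibana:7.17.9
    container_name: kibana
    restart: 'always'
    networks:
      - elasticsearch
    ports:
      # Bound to the host loopback only and fronted by an nginx reverse proxy.
      # Put TLS and authentication on that proxy: Kibana itself has neither here.
      - '127.0.0.1:5601:5601'
    depends_on:
      - elasticsearch
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Reach Elasticsearch by its compose service name on the shared bridge
      # network. 127.0.0.1 from inside this container is Kibana itself, and
      # ELASTICSEARCH_URL is the pre-7.0 setting name (elasticsearch.hosts since 7.0),
      # so the original value was at best ignored in favour of the image default.
      ELASTICSEARCH_HOSTS: 'http://elasticsearch:9200'
      ELASTICSEARCH_REQUESTTIMEOUT: '132000'
      ELASTICSEARCH_SHARDTIMEOUT: '120000'
      # SECURITY: 'none' accepts any server certificate, which makes an HTTPS link
      # trivially MITM-able. It is only tolerable because the link above is plain
      # http on a private bridge network. When Elasticsearch is moved to HTTPS,
      # mount the CA (and client cert/key if required), switch HOSTS to https://
      # and set VERIFICATIONMODE to 'full'.
      #ELASTICSEARCH_SSL_CERTIFICATE: /etc/kibana/certs/node/node.crt
      #ELASTICSEARCH_SSL_KEY: /etc/kibana/certs/node/node.key
      #ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: /etc/kibana/certs/ca/ca.crt
      ELASTICSEARCH_SSL_VERIFICATIONMODE: 'none'
      # Needed once xpack.security is enabled on Elasticsearch; use the built-in
      # kibana_system user, not the elastic superuser.
      #ELASTICSEARCH_USERNAME: 'kibana_system'
      #ELASTICSEARCH_PASSWORD: '${KIBANA_SYSTEM_PASSWORD:?KIBANA_SYSTEM_PASSWORD must be set in .env}'

      KIBANA_AUTOCOMPLETETIMEOUT: '3000'
      KIBANA_AUTOCOMPLETETERMINATEAFTER: '2500000'

      # SECURITY: allows Vega visualizations to load data/scripts from arbitrary
      # URLs, so anyone who can edit a visualization can make every viewer's
      # browser fetch attacker-chosen URLs. Left on because the ElastiFlow
      # dashboards appear to depend on it -- confirm, and disable if they do not.
      VIS_TYPE_VEGA_ENABLEEXTERNALURLS: 'true'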

grafana

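version: '3'

networks:
  grafana:
    driver: bridge

services:
  grafana:
    image: grafana/grafana:10.0.2
    container_name: grafana
    restart: 'always'
    # Runs as an unprivileged uid; the data directory below must be owned by it.
    user: '104'
    volumes:
      # Give the directory to the uid in `user:` instead of making it world-writable
      # (chmod 777 lets any local account read or tamper with the Grafana database):
      #   mkdir -p /opt/grafana && chown 104:104 /opt/grafana && chmod 750 /opt/grafana
      - /opt/grafana:/var/lib/grafana
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # SECURITY: Grafana ships with admin/admin. Require the initial admin
      # password from the environment (.env) so the default can never go live;
      # compose refuses to start when the variable is unset.
      GF_SECURITY_ADMIN_PASSWORD: '${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}'
    ports:
      # Published on every host interface. If Grafana is not meant to be reachable
      # from the LAN, bind it as '127.0.0.1:3000:3000' and front it with a
      # TLS-terminating reverse proxy, as is done for Kibana.
      - '3000:3000'
    networks:
      - grafana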

elastiflow

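# Create the settings tree before first start; the collector expects both
# metadata files to exist even when they are empty:
#   mkdir -p /etc/elastiflow/metadata
#   touch /etc/elastiflow/metadata/netifs.yml
#   touch /etc/elastiflow/metadata/ipaddrs.yml
version: '3'
services:
  # ElastiFlow Unified Flow Collector
  flow-collector:
    image: elastiflow/flow-collector:5.6.1
    container_name: flow-collector
    restart: 'always'
    # Host networking: the collector listens directly on the host's UDP 9995 and
    # reaches Elasticsearch on the host loopback. It also removes the network
    # namespace boundary, so treat this container as if it ran on the host.
    network_mode: 'host'
    volumes:
      # Settings and metadata. The collector only appears to read from this tree;
      # it can probably be mounted :ro -- confirm before doing so.
      - /etc/elastiflow:/etc/elastiflow
    environment:
      # Licence material: supply from .env, never commit it here.
      #EF_FLOW_ACCOUNT_ID: ''
      #EF_FLOW_LICENSE_KEY: ''
      #EF_FLOW_LICENSED_UNITS: 

      #EF_FLOW_LOGGER_LEVEL: 'info'
      #EF_FLOW_LOGGER_ENCODING: 'json'
      #EF_FLOW_LOGGER_FILE_LOG_ENABLE: 'false'
      #EF_FLOW_LOGGER_FILE_LOG_FILENAME: '/var/log/elastiflow/flowcoll/flowcoll.log'
      #EF_FLOW_LOGGER_FILE_LOG_MAX_SIZE: 100
      #EF_FLOW_LOGGER_FILE_LOG_MAX_AGE: ''
      #EF_FLOW_LOGGER_FILE_LOG_MAX_BACKUPS: 4
      #EF_FLOW_LOGGER_FILE_LOG_COMPRESS: 'false'

      # SECURITY: with host networking this listens on every host interface.
      # NetFlow/IPFIX/sFlow is unauthenticated UDP, so restrict the listener to
      # the exporter-facing interface address and/or firewall 9995/udp to the
      # exporters; anything else can inject or spoof flow records.
      EF_FLOW_SERVER_UDP_IP: '0.0.0.0'
      EF_FLOW_SERVER_UDP_PORT: '9995'
      #EF_FLOW_SERVER_UDP_PACKET_STREAM_MAX_SIZE: 
      #EF_FLOW_SERVER_UDP_READ_BUFFER_MAX_SIZE: 134217728

      #EF_FLOW_DECODER_POOL_SIZE: 
      EF_FLOW_DECODER_SETTINGS_PATH: '/etc/elastiflow'

      #EF_FLOW_DECODER_IPFIX_ENABLE: 'true'
      #EF_FLOW_DECODER_NETFLOW1_ENABLE: 'true'
      #EF_FLOW_DECODER_NETFLOW5_ENABLE: 'true'
      #EF_FLOW_DECODER_NETFLOW6_ENABLE: 'true'
      #EF_FLOW_DECODER_NETFLOW7_ENABLE: 'true'
      #EF_FLOW_DECODER_NETFLOW9_ENABLE: 'true'
      #EF_FLOW_DECODER_SFLOW5_ENABLE: 'true'
      #EF_FLOW_DECODER_SFLOW_FLOWS_ENABLE: 'true'
      #EF_FLOW_DECODER_SFLOW_FLOWS_KEEP_SAMPLES: 'false'
      #EF_FLOW_DECODER_SFLOW_COUNTERS_ENABLE: 'true'

      #EF_FLOW_DECODER_TRANSLATE_KEEP_IDS: 'default'

      # Paths are relative to EF_FLOW_DECODER_SETTINGS_PATH.
      EF_FLOW_DECODER_ENRICH_IPADDR_METADATA_ENABLE: 'true'
      EF_FLOW_DECODER_ENRICH_IPADDR_METADATA_USERDEF_PATH: 'metadata/ipaddrs.yml'
      #EF_FLOW_DECODER_ENRICH_IPADDR_METADATA_REFRESH_RATE: 15

      # DNS enrichment is off; if enabled, point it at an internal resolver so
      # every observed IP is not leaked to a public DNS service.
      EF_FLOW_DECODER_ENRICH_DNS_ENABLE: 'false'
      EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP: ''
      EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_TIMEOUT: '3000'
      #EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PRIVATE: 'true'
      #EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PUBLIC: 'true'
      #EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH: 'hostname/user_defined.yml'
      #EF_FLOW_DECODER_ENRICH_DNS_USERDEF_REFRESH_RATE: 15
      #EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_PATH: 'hostname/incl_excl.yml'
      #EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_REFRESH_RATE: 15

      EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_PATH: 'maxmind/GeoLite2-ASN.mmdb'

      EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_PATH: 'maxmind/GeoLite2-City.mmdb'
      #EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_VALUES: 'city,country,country_code,location,timezone'
      #EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_LANG: 'en'
      #EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_PATH: 'maxmind/incl_excl.yml'
      #EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE: 15

      # RiskIQ enrichment is off. If enabled, the API user/key are secrets:
      # reference them from .env rather than writing them into this file.
      EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENDPOINT: 'https://api.passivetotal.org/v2/netflow/as/download'
      #EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_REFRESH_INTERVAL: 1440
      EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENDPOINT: 'https://api.passivetotal.org/v2/netflow/blocklist/download'
      #EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL: 1440
      #EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH: 'riskiq/incl_excl.yml'
      #EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE: 15
      #EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER: ''
      #EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY: ''
      #EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT: 180

      #EF_FLOW_DECODER_ENRICH_ASN_PREF: 'lookup'

      EF_FLOW_DECODER_ENRICH_NETIF_METADATA_ENABLE: 'true'
      EF_FLOW_DECODER_ENRICH_NETIF_METADATA_USERDEF_PATH: 'metadata/netifs.yml'
      EF_FLOW_DECODER_ENRICH_NETIF_METADATA_REFRESH_RATE: '5'

      EF_FLOW_DECODER_ENRICH_NETIF_FLOW_OPTIONS_ENABLE: 'true'

      # SNMP enrichment is off. The community string is a credential: it is read
      # from the environment here (falling back to the vendor default) so that
      # a real community never lands in this file. Prefer SNMPv3 where supported.
      EF_FLOW_DECODER_ENRICH_NETIF_SNMP_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_NETIF_SNMP_PORT: 161
      #EF_FLOW_DECODER_ENRICH_NETIF_SNMP_VERSION: 2
      EF_FLOW_DECODER_ENRICH_NETIF_SNMP_COMMUNITIES: '${EF_SNMP_COMMUNITIES:-public}'
      #EF_FLOW_DECODER_ENRICH_NETIF_SNMP_TIMEOUT: 2
      #EF_FLOW_DECODER_ENRICH_NETIF_SNMP_RETRIES: 1

      #EF_FLOW_DECODER_ENRICH_APP_CACHE_SIZE: 8388608

      #EF_FLOW_DECODER_ENRICH_APP_USERDEF_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_APP_USERDEF_PRIVATE: 'true'
      #EF_FLOW_DECODER_ENRICH_APP_USERDEF_PUBLIC: 'true'
      #EF_FLOW_DECODER_ENRICH_APP_USERDEF_PATH: 'settings/apps_user_defined.yml'

      #EF_FLOW_DECODER_ENRICH_TOTALS_IF_NO_DELTAS: 'false'

      #EF_FLOW_DECODER_ENRICH_SAMPLERATE_CACHE_SIZE: 32768
      #EF_FLOW_DECODER_ENRICH_SAMPLERATE_USERDEF_ENABLE: 'false'
      #EF_FLOW_DECODER_ENRICH_SAMPLERATE_USERDEF_PATH: 'settings/sample_rate.yml'

      #EF_FLOW_DECODER_ENRICH_COMMUNITYID_ENABLE: 'true'
      #EF_FLOW_DECODER_ENRICH_COMMUNITYID_SEED: 0
      #EF_FLOW_DECODER_ENRICH_CONVERSATIONID_ENABLE: 'true'
      #EF_FLOW_DECODER_ENRICH_CONVERSATIONID_SEED: 0

      #EF_FLOW_DECODER_ENRICH_JOIN_ASN: 'true'
      #EF_FLOW_DECODER_ENRICH_JOIN_GEOIP: 'true'
      #EF_FLOW_DECODER_ENRICH_JOIN_SEC: 'true'
      #EF_FLOW_DECODER_ENRICH_JOIN_NETATTR: 'true'
      #EF_FLOW_DECODER_ENRICH_JOIN_SUBNETATTR: 'true'

      #EF_FLOW_DECODER_DURATION_PRECISION: 'ms'
      #EF_FLOW_DECODER_TIMESTAMP_PRECISION: 'ms'
      #EF_FLOW_DECODER_PERCENT_NORM: 100
      #EF_FLOW_DECODER_ENRICH_EXPAND_CLISRV: 'true'
      #EF_FLOW_DECODER_ENRICH_KEEP_CPU_TICKS: 'false'

      #EF_FLOW_DECODER_ENRICH_DROP_FIELDS: ''

      #EF_FLOW_RECORD_STREAM_MAX_SIZE: 

      # stdout
      #EF_FLOW_OUTPUT_STDOUT_ENABLE: 'false'
      #EF_FLOW_OUTPUT_STDOUT_FORMAT: 'json_pretty'

      # monitor
      #EF_FLOW_OUTPUT_MONITOR_ENABLE: 'false'
      #EF_FLOW_OUTPUT_MONITOR_INTERVAL: 300

      # Elasticsearch
      EF_FLOW_OUTPUT_ELASTICSEARCH_ENABLE: 'true'
      EF_FLOW_OUTPUT_ELASTICSEARCH_ECS_ENABLE: 'false'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_BATCH_DEADLINE: 2000
      #EF_FLOW_OUTPUT_ELASTICSEARCH_BATCH_MAX_BYTES: 8388608
      #EF_FLOW_OUTPUT_ELASTICSEARCH_TIMESTAMP_SOURCE: 'end'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_PERIOD: 'daily'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_SUFFIX: ''
      #EF_FLOW_OUTPUT_ELASTICSEARCH_DROP_FIELDS: ''

      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ENABLE: 'true'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_OVERWRITE: 'true'
      # Single-node target: one primary shard and no replicas (a replica could
      # never be allocated and would leave every index yellow).
      EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_SHARDS: '1'
      EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REPLICAS: '0'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_REFRESH_INTERVAL: '10s'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_CODEC: 'best_compression'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_LIFECYCLE: ''
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ILM_ROLLOVER_ALIAS: ''
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_ISM_POLICY: ''
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_PIPELINE_DEFAULT: '_none'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_INDEX_TEMPLATE_PIPELINE_FINAL: '_none'

      # A comma separated list of Elasticsearch nodes to use. DO NOT include "http://" or "https://".
      # 127.0.0.1 is correct here only because of network_mode: host above.
      EF_FLOW_OUTPUT_ELASTICSEARCH_ADDRESSES: '127.0.0.1:9200'
      # SECURITY: the link is plain http with no credentials, so every flow record
      # (and the collector's index-template writes) rides unauthenticated. Once
      # xpack.security is enabled on Elasticsearch, create a dedicated writer
      # user (or API key) with index privileges on elastiflow-* only -- not the
      # elastic superuser -- and reference its secret from .env.
      #EF_FLOW_OUTPUT_ELASTICSEARCH_USERNAME: 'elastiflow'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD: '${ELASTIFLOW_ES_PASSWORD:?ELASTIFLOW_ES_PASSWORD must be set in .env}'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_CLOUD_ID: ''
      #EF_FLOW_OUTPUT_ELASTICSEARCH_API_KEY: ''
      #EF_FLOW_OUTPUT_ELASTICSEARCH_CLIENT_CA_CERT_FILEPATH: 
      #EF_FLOW_OUTPUT_ELASTICSEARCH_CLIENT_CERT_FILEPATH: 
      #EF_FLOW_OUTPUT_ELASTICSEARCH_CLIENT_KEY_FILEPATH: 

      # TLS is off to match the http-only Elasticsearch above. When it is enabled,
      # keep SKIP_VERIFICATION 'false' and supply the CA path (or mount it into
      # /etc/elastiflow) so the server certificate is actually checked.
      EF_FLOW_OUTPUT_ELASTICSEARCH_TLS_ENABLE: 'false'
      EF_FLOW_OUTPUT_ELASTICSEARCH_TLS_SKIP_VERIFICATION: 'false'
      EF_FLOW_OUTPUT_ELASTICSEARCH_TLS_CA_CERT_FILEPATH: ''

      #EF_FLOW_OUTPUT_ELASTICSEARCH_RETRY_ENABLE: 'true'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_RETRY_ON_TIMEOUT_ENABLE: 'true'
      #EF_FLOW_OUTPUT_ELASTICSEARCH_MAX_RETRIES: 3
      #EF_FLOW_OUTPUT_ELASTICSEARCH_RETRY_BACKOFF: 1000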