Reconfigure logstash.conf
Marco Ochse edited this page Apr 23, 2024
# Interactive session, not a script: the next three commands run inside the
# logstash container's shell, and `exit` returns to the host.
docker exec -it logstash bash
# Copy the currently active pipeline config onto the shared /data volume so it
# can be edited from the host and later bind-mounted back in.
cd /etc/logstash/
cp logstash.conf /data/elk/logstash.conf
exit
# Back on the host: stop T-Pot before editing the copy.
systemctl stop tpot
# Presumably TPOT_DATA_PATH is $HOME/tpotce/data here (the /data mount) — confirm
# against the volumes: section of docker-compose.yml.
vi $HOME/tpotce/data/elk/logstash.conf
[...]
# Output section
output {
  # Index into the elasticsearch service (reached by its compose service name).
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    # document_type => "doc"
  }
  # Suricata events are additionally written to a flat file on the /data volume.
  # 0760: owner read/write/execute, group read/write, no access for others.
  if [type] == "Suricata" {
    file {
      file_mode => 0760
      path => "/data/suricata/log/suricata_ews.log"
    }
  }
  # Debug output: uncomment to dump events of one type to the container's stdout.
  #if [type] == "XYZ" {
  #  stdout {
  #    codec => rubydebug
  #  }
  #}
  # Debug output: uncomment to dump every event to the container's stdout.
  #stdout {
  #  codec => rubydebug
  #}
}
[...]
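# Runs on the host. Restore the ownership and mode the container side expects
# on the edited copy; 760 = owner rwx, group rw, no access for others.
# Expansions are quoted so a $HOME containing spaces cannot split the path.
chmod 760 "$HOME/tpotce/data/elk/logstash.conf"
chown tpot:tpot "$HOME/tpotce/data/elk/logstash.conf"
# Add the bind mount of the edited file to the logstash service (volumes:).
vi "$HOME/tpotce/docker-compose.yml"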
[...]
## Logstash service
logstash:
  container_name: logstash
  restart: always
  # Start only after the elasticsearch service reports healthy, not merely running.
  depends_on:
    elasticsearch:
      condition: service_healthy
  environment:
    # Fixed 1 GiB JVM heap; stays below mem_limit so non-heap memory has headroom.
    - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
    # Defaults to HIVE when TPOT_TYPE is unset or empty.
    - TPOT_TYPE=${TPOT_TYPE:-HIVE}
    - TPOT_HIVE_USER=${TPOT_HIVE_USER}
    - TPOT_HIVE_IP=${TPOT_HIVE_IP}
  # Published on loopback only: 64305 is not reachable from other hosts.
  ports:
    - "127.0.0.1:64305:64305"
  mem_limit: 2g
  image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
  pull_policy: ${TPOT_PULL_POLICY}
  volumes:
    - ${TPOT_DATA_PATH}:/data
    # The edited copy is bind-mounted over the image's default pipeline config.
    - ${TPOT_DATA_PATH}/elk/logstash.conf:/etc/logstash/logstash.conf
[...]
# Start T-Pot again; logstash now comes up with the edited config bind-mounted in.
systemctl start tpot