PFelk on Existent Docker-elk installation

[arivas5]

Hi!

I have a docker-elk environment ready and I wanted to add pfelk so I can add my firewall logs into Kibana and have them at hand, I want to know if it's possible to implement pfelk on this?

If so, how I can accomplish it? should I pull from your repository or just by changing the docker-compose.yml it could work?

Any advise will be very helpful

I don't want to start all over again :(

Thanks!

[a3ilson]

Multiples options for this:

1. You could view the pfelk/docker repo here
2. I am currently running pfelk w/docker utilizing this (docker-compose.yml)[https://github.com/pfelk/pfelk/blob/main/docker-compose.yml] and the files from this repo which are located at the following:

tree /etc/pfelk/
/etc/pfelk/
├── conf.d
│   ├── 01-inputs.conf
│   ├── 02-types.conf
│   ├── 03-filter.conf
│   ├── 05-apps.conf
│   ├── 20-interfaces.conf
│   ├── 30-geoip.conf
│   ├── 35-rules-desc.conf
│   ├── 36-ports-desc.conf
│   ├── 45-cleanup.conf
│   └── 50-outputs.conf
├── config
│   ├── logstash.yml
│   └── pipelines.yml
├── databases
│   ├── private-hostnames.csv
│   ├── rule-names.csv
│   └── service-names-port-numbers.csv
└── patterns
    ├── openvpn.grok
    └── pfelk.grok

[benisai]

@a3ilson
What would the process be? I also have docker-elk configured and would like to incorporate PF-elk. Would I Copy the conf, csv, grok,yml to the existing location and it will run?

[a3ilson]

@benisai - you would simply copy the required files from above and amend the docker-compose.yml file:

1. Copy pfelk files
2. Amend docker-compose.yml

•     - ./etc/logstash/config/:/usr/share/logstash/config:ro       
      - ./etc/pfelk/conf.d/:/etc/pfelk/conf.d:ro
      - ./etc/pfelk/patterns/:/etc/pfelk/patterns:ro
      - ./etc/pfelk/databases/:/etc/pfelk/databases:ro
  

3. Amend pipelines.yml

• - pipeline.id: pfelk
  path.config: "/etc/pfelk/conf.d/*.pfelk"
  pipeline.ecs_compatibility: v8 #Disable if not running Elastic v8+
  
  

• You should have two pipeline.id's within the pipelines.yml file which should be one file (i.e. merge pfelk and whatever else is being used). This will be as far as we can assist (merging pfelk with another docker instance is beyond the scope of pfelk). Good luck and hope you are able to get it up and running.