Setting Up an ELK Stack for Cybersecurity Monitoring Using Docker Compose

The ELK Stack (Elasticsearch, Logstash, and Kibana) is a powerful open-source solution for collecting, analyzing, and visualizing logs in real time. In this guide, we’ll focus on setting up an ELK Stack on Ubuntu using Docker Compose for cybersecurity purposes, with a specific focus on log aggregation and threat monitoring.

Why ELK for Cybersecurity?

In cybersecurity, the ELK Stack serves as a SIEM (Security Information and Event Management) solution. It helps detect threats, monitor network activity, and respond to incidents by visualizing logs from various sources (e.g., firewalls, intrusion detection systems, applications).


Repository Structure

Below is the structure of your ELK stack setup:

repo/
├── docker-compose.yml
└── logstash/
    └── pipeline/
        └── logstash.conf

1. Docker Compose Configuration (docker-compose.yml)

This file defines your ELK services (Elasticsearch, Logstash, Kibana) and their configurations.

docker-compose.yml:
version: '3.7'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false  # Disable security for local testing (enable in production)
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"  # Keep the JVM heap small for a lab box
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata:/usr/share/elasticsearch/data  # Persist indices across container restarts
    ports:
      - "9200:9200"  # REST API
      - "9300:9300"  # Transport (node-to-node); not needed by Kibana or Logstash here
    networks:
      - elk

  logstash:
    image: docker.elastic.co/logstash/logstash:7.14.0
    container_name: logstash
    volumes:
      - ./logstash/pipeline:/usr/share/logstash/pipeline  # Replaces the image's default pipeline
    ports:
      - "6000:6000"  # Beats input (see logstash.conf)
      - "9600:9600"  # Logstash monitoring API
    networks:
      - elk
    depends_on:
      - elasticsearch

  kibana:
    image: docker.elastic.co/kibana/kibana:7.14.0
    container_name: kibana
    environment:
      # Kibana 7.x reads ELASTICSEARCH_HOSTS; the older ELASTICSEARCH_URL is ignored
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    ports:
      - "5601:5601"
    networks:
      - elk
    depends_on:
      - elasticsearch

networks:
  elk:
    driver: bridge

volumes:
  esdata:
    driver: local

2. Logstash Configuration (logstash.conf)

This configuration defines the input, filter, and output for Logstash.

logstash/pipeline/logstash.conf:
input {
  beats {
    port => 6000  # Port for receiving events from Filebeat/Packetbeat (Beats protocol, not raw syslog)
  }
}

filter {
  # Here, you can add grok patterns for parsing logs, enriching data, and applying transformations.
  # Example: Parsing Apache logs. Events that do not match are tagged _grokparsefailure.
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }

  # GeoIP enrichment for IP-based log entries (clientip is populated by COMBINEDAPACHELOG)
  geoip {
    source => "clientip"
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    # One index per Beat and per day, e.g. filebeat-2024.01.12
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }  # Debug output to the container log; remove in production
}

Explanation:

  • Input: Logstash listens on port 6000 for events sent by Beats agents (Filebeat, Packetbeat).

  • Filter: Add security-based parsing (e.g., web server logs, login attempts, or network scans) using grok patterns. The Apache grok shown above only matches web-server lines; other events, such as the syslog and auth.log lines forwarded by Filebeat later in this guide, are tagged _grokparsefailure until you add patterns for them.

  • Output: Logs are forwarded to Elasticsearch for indexing and to stdout for debugging.
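The Filebeat configuration later in this guide forwards /var/log/auth.log, so the pipeline also needs a pattern for sshd login attempts; the filter block below is an added example (not part of the original repository) that extracts the user, source IP and outcome from sshd lines and feeds the same geoip enrichment the Apache branch uses. Field names such as ssh_result, auth_method and event.outcome are choices made here, not required by Logstash; the sample lines in the comment are constructed.

```conf
# Added example: sshd login parsing for auth.log events forwarded by Filebeat.
# Merge this into the filter {} block of logstash.conf alongside the Apache grok.
#
# Constructed sample lines this block is written against:
#   Jan 12 10:00:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
#   Jan 12 10:00:09 bastion sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: RSA SHA256:...
filter {
  # Only apply the sshd pattern to syslog-style lines that came from sshd,
  # so web-server events still go through the COMBINEDAPACHELOG grok.
  if [message] =~ /sshd\[\d+\]/ {
    grok {
      match => {
        "message" => "%{SYSLOGBASE} (?<ssh_result>Failed|Accepted) %{WORD:auth_method} for (?:invalid user )?%{USERNAME:user} from %{IP:clientip} port %{POSINT:src_port} ssh2"
      }
      # add_tag is applied only when the pattern matches
      add_tag => [ "ssh_auth" ]
    }

    if "ssh_auth" in [tags] {
      # Normalise the outcome so a Kibana terms aggregation on event.outcome
      # yields the "failed vs successful login attempts" split directly.
      if [ssh_result] == "Failed" {
        mutate { add_field => { "[event][outcome]" => "failure" } }
      } else {
        mutate { add_field => { "[event][outcome]" => "success" } }
      }

      # Same enrichment the Apache branch applies; populates geoip.location
      # for the geo-location map of scan sources.
      geoip {
        source => "clientip"
      }
    }
  }
}
```

Events that mention sshd but do not match the pattern (for example "Connection closed" lines) keep only the _grokparsefailure tag, which is a useful filter in Discover when tuning the pattern.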


Step-by-Step Guide to Deploy the ELK Stack

Step 1: Clone Your Repository

git clone git@github.com:siddhantbhattarai/ELK-Stack-Docker-Compose.git
cd ELK-Stack-Docker-Compose

Step 2: Launch the ELK Stack

Run the following command to start the ELK services:

docker-compose up -d

  • -d runs the containers in detached mode.

  • Ensure that the ports 9200, 9300, 6000, and 5601 are not blocked by your firewall.

Step 3: Verify the Services

  • Elasticsearch: Visit http://localhost:9200 to verify that Elasticsearch is running (it returns a JSON document with the cluster name and version).

  • Kibana: Visit http://localhost:5601 to access the Kibana dashboard.

  • Logstash: Visit http://localhost:9600 to confirm the Logstash monitoring API is up, which means the pipeline in logstash/pipeline loaded.


Integrating Beats for Log Forwarding

Filebeat and Packetbeat are lightweight agents that forward logs and network data to Logstash.

Step 1: Install Filebeat

  1. Download Filebeat from Elastic's website.

  2. Configure filebeat.yml:

     filebeat.inputs:
       - type: log
         paths:
           - /var/log/syslog
           - /var/log/auth.log

     output.logstash:
       hosts: ["localhost:6000"]

Step 2: Start Filebeat

sudo filebeat -e -c filebeat.yml

Creating a Security Dashboard in Kibana

  1. Load Data: Go to Kibana > Discover and verify that logs from Filebeat or Packetbeat are being ingested.

  2. Create Visualizations:

    • Number of login attempts.

    • Sources of network scans (geo-location map).

    • Failed vs successful login attempts.

  3. Build a Dashboard: Add the visualizations to a custom dashboard for easy monitoring.


Security Tips:

  • Enable xpack.security in production environments to require authentication.

  • Restrict access to Logstash and Elasticsearch ports.

  • Configure alerts in Kibana to detect anomalies.


By following this guide, you’ll have a fully operational ELK stack configured as a SIEM solution to monitor network activity, detect suspicious behavior, and investigate security events in real time. Adjust the log parsing and dashboard metrics based on your cybersecurity use case.