elk-cloudtrail

ELK v5 stack for CloudTrail logs (Amazon Web Services API calls)

Docker images:

Kibana: 		latest version, Official
Elasticsearch: 		latest version, Official + Data on EFS
Logstash:		Modified version, cloudtrail codec plugin installed, create new image (Logstash)

Installation:

1. git clone https://github.com/prasenforu/elk-cloudtrail.git

2. Goto folder "elk-cloudtrail/logstash/" and edit "logstash.conf" file following section as per your configuration

   bucket => "CLOUD_TRAIL_BUCKET_NAME"

   access_key_id => "ACCESS_KEY"

   secret_access_key => "SECRET_ACCESS_KEY"

   prefix => "AWSLogs/AMAZON_ACCOUNT_ID/CloudTrail/"

3. Make executable docker-entrypoint.sh

   chmod 755 docker-entrypoint.sh

4. Build docker container

   docker build -t logstash5 .

5. Run Docker Compose form elk_v_5 folder

   docker-compose up -d

6. View Kibana at http://localhost:5601

   Use the **index pattern** as `logtash-*` and select the **time field** as `@timestamp`
   

For Stop, shutdown and restart

1. sudo docker-compose stop to shutdown all the docker containers.

2. sudo docker-compose down to shutdown and remove all the files from docker.

3. sudo docker-compose restart to restart docker container.