ELK Stack — Déploiement et configuration

Elasticsearch + Logstash + Kibana + Filebeat en Docker : déploiement, pipelines, index, dashboards

snippetintermediate 2026-05-14 3 min read

elkelasticsearchlogstashkibanafilebeatsiemdockermonitoring

Architecture

Agents  quipements rseau
        
         Filebeat logs fichiers Docker
                 
         Syslog UDP/TCP   Logstash 50445514
                                       pipeline parse enrich geoip
         Beats directs   Elasticsearch 9200
                                         
                                    Kibana 5601

Déploiement Docker

bash

cd monitoring
# Prérequis Linux (Elasticsearch requiert vm.max_map_count élevé)
sudo sysctl -w vmmax_map_count262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
# Copier et adapter le fichier d'environnement
cp env envlocal
nano envlocal   # changer les mots de passe !
# Démarrer le stack ELK
docker compose --profile elk up -d
# Suivre les logs
docker compose logs -f elasticsearch kibana

Post-installation Elasticsearch

bash

# Vérifier l'état du cluster
curl -s http//elasticchangemelocalhost9200/_cluster/health | jq
# Créer le mot de passe Kibana (première fois)
curl -X POST "http://elastic:changeme@localhost:9200/_security/user/kibana_system/_password" 
  -H "Content-Type: application/json" 
  -d '{"password":"changeme_kibana_2024"}'
# Vérifier les index
curl -s http//elasticchangemelocalhost9200/_cat/indicesv
# Vérifier les shards
curl -s http//elasticchangemelocalhost9200/_cat/shardsv

Index Lifecycle Management (ILM)

bash

# Créer une politique ILM pour la rotation des index
curl -X PUT "http://elastic:changeme@localhost:9200/_ilm/policy/logs-policy" 
  -H "Content-Type: application/json" -d 
  "policy" 
    "phases" 
      "hot" 
        "actions" 
          "rollover"  "max_size" "10gb" "max_age" "7d" 
        
      
      "warm" 
        "min_age" "7d"
        "actions"  "shrink"  "number_of_shards" 1  
      
      "delete" 
        "min_age" "90d"
        "actions"  "delete"

Logstash — Pipeline

Le pipeline principal est dans monitoring/logstash/pipeline/logstash.conf.

Sources supportées

| Input | Port | Usage | |---|---|---| | Beats | 5044 TCP | Filebeat, Winlogbeat, Auditbeat | | Syslog UDP | 5514 UDP | Cisco IOS, pfSense, Linux syslog | | Syslog TCP | 5514 TCP | Sources syslog fiables |

Tester le pipeline

bash

# Vérifier la config Logstash
docker exec logstash bin/logstash -t -f /usr/share/logstash/pipeline/
# Envoyer un log test via Netcat
echo "<134>May 14 10:00:00 router01 %SEC-6-IPACCESSLOGP: list ACL-IN denied tcp 192.168.1.5(1234) -> 10.0.0.1(80)" 
  | nc -u localhost 5514
# Vérifier l'arrivée dans Elasticsearch
curl -s "http://elastic:changeme@localhost:9200/logstash-*/_search?q=cisco&size=1" | jq '.hits.hits[0]._source'

Filebeat — Déploiement sur agent distant

bash

# Installer Filebeat sur le serveur à surveiller
curl -L -O https//artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
dpkg -i filebeat-8.12.2-amd64.deb
# Configurer la sortie vers Logstash
cat > /etc/filebeat/filebeat.yml << 'EOF'
filebeatinputs
   type log
    enabled true
    paths /var/log/auth.log /var/log/syslog
outputlogstash
  hosts "<IP_LOGSTASH>:5044"
EOF
systemctl enable --now filebeat
filebeat test output    # tester la connexion

Kibana — Index Patterns et Dashboards

bash

# Créer un index pattern via API
curl -X POST "http://localhost:5601/api/index_patterns/index_pattern" 
  -H "Content-Type: application/json" 
  -H "kbn-xsrf: true" 
  -u "elastic:changeme" 
  -d '{"index_pattern": {"title": "logstash-*", "timeFieldName": "@timestamp"}}'
# Importer les dashboards Filebeat officiels
docker exec filebeat filebeat setup --dashboards 
  -E setupkibanahosthttp//kibana5601 
  -E outputelasticsearchhosts"http://elasticsearch:9200" 
  -E outputelasticsearchusernameelastic 
  -E outputelasticsearchpasswordchangeme

Winlogbeat (Windows)

powershell

# Télécharger et installer
Invoke-WebRequest -Uri "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.12.2-windows-x86_64.zip" -OutFile winlogbeat.zip
Expand-Archive winlogbeat.zip -DestinationPath "C:\Program Files\Winlogbeat"
# Configurer
@"
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 4624   # Logon
          - equals.winlog.event_id: 4625   # Failed logon
          - equals.winlog.event_id: 4648   # Explicit credentials
          - equals.winlog.event_id: 4720   # Account created
          - equals.winlog.event_id: 4728   # Added to privileged group
          - equals.winlog.event_id: 7045   # New service
output.logstash:
  hosts: ["<IP_LOGSTASH>:5044"]
"@ | Set-Content "C:\Program Files\Winlogbeat\winlogbeat.yml"
# Installer et démarrer le service
cd "C:\Program Files\Winlogbeat"
.\install-service-winlogbeat.ps1
Start-Service winlogbeat

⚠ Attention —

Modifier les mots de passe par défaut dans .env avant tout démarrage. Les credentials changeme_* ne sont là que pour l'initialisation.

💡 Tip —

Pour les équipements Cisco, configurer logging host <IP_LOGSTASH> transport udp port 5514 depuis la CLI IOS. Logstash parse automatiquement les messages de type %FACILITY-SEVERITY-MNEMONIC.

Sur cette page

Actions rapides

Exporter MD

OPS·BRAIN v1.05 notes · Monitoringlocal