Added readme

README.md

@@ -28,4 +28,6 @@ Student project that consists of creating SIEM center using ELK stack.
 
 - [Docker tips and cheatsheet](https://blog.jez.io/2015/07/12/docker-tips-and-cheatsheet/)
 
+- [Github repo for Docker cheatsheets](https://github.com/wsargent/docker-cheat-sheet)
+
 

deployment/elasticsearch/configure.sh → deployment/filebeat/start.sh

@@ -1,16 +1,32 @@
-#!/bin/bash
+#!/bin/sh
+
+./wait.sh -t 300 -h es -p 9200 #wait for elasticsearch
+
+
 #Add role that is configured for logstash indexer named logstash_writer
 curl -k \
    --user elastic:changeme \
    -X POST \
    -H "Content-Type: application/json"\
    -d "{ \"cluster\": [\"manage_index_templates\", \"monitor\"], \"indices\": [{ \"names\": [\"logstash-*\", \"filebeat-*\", \"winlogbeat-*\"], \"privileges\": [\"write\", \"delete\", \"create_index\"]}]}" \
-   https://localhost:9200/_xpack/security/role/logstash_writer
+   https://es:9200/_xpack/security/role/logstash_writer
 
 # Add user with role logstash writer
 curl -k \
    --user elastic:changeme \
    -X POST \
    -H "Content-Type: application/json"\
    -d "{ \"password\" : \"changeme\",\"roles\" : [ \"logstash_writer\"],\"full_name\" : \"Internal Logstash User\"}"\
-   https://localhost:9200/_xpack/security/user/logstash_internal
+   https://es:9200/_xpack/security/user/logstash_internal
+
+curl -k \
+ --user elastic:changeme \
+ -X PUT \
+ 'https://es:9200/_template/filebeat?pretty' \
+ -d@/etc/filebeat/filebeat.template.json
+./wait.sh -t 15 -h logstash -p 5044 # wait for logstash
+/etc/init.d/filebeat start -e
+
+mkdir /var/log/filebeat
+touch /var/log/filebeat/filebeat.log
+tail -f /var/log/filebeat/filebeat.log & wait