forked from shazChaudhry/docker-elastic
-
Notifications
You must be signed in to change notification settings - Fork 0
/
auditbeat-docker-compose.yml
49 lines (43 loc) · 1.64 KB
/
auditbeat-docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
version: "3.8"
# https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html
# Does not look like Auditd is supported in Alpine linux: https://github.com/linuxkit/linuxkit/issues/52
services:
auditbeat:
image: docker.elastic.co/beats/auditbeat:${ELASTIC_VERSION:-7.9.1}
# https://github.com/docker/swarmkit/issues/1951
hostname: "{{.Node.Hostname}}-auditbeat"
# Need to override user so we can access the log files, and docker.sock
user: root
# https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html#_special_requirements
# PID and CAP_ADD options are ignored as they are Not yet available in swarm mode at the moment.
# Eagerly waiting for Docker 19.06 release which will bring --privileged flag to Docker
# Swarm Mode https://github.com/moby/moby/issues/24862#issuecomment-451594187
# support for capabilities https://github.com/moby/moby/pull/38380
pid: host
cap_add:
- AUDIT_CONTROL
- AUDIT_READ
networks:
- elastic
configs:
- source: ab_config
target: /usr/share/auditbeat/auditbeat.yml
volumes:
- auditbeat:/usr/share/auditbeat/data
- /var/log:/var/log:ro
environment:
- ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST:-node1}
- KIBANA_HOST=${KIBANA_HOST:-node1}
- ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME:-elastic}
- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD:-changeme}
command: ["--strict.perms=false"]
deploy:
mode: global
networks:
elastic:
external: true
volumes:
auditbeat:
configs:
ab_config:
file: $PWD/elk/beats/auditbeat/config/auditbeat.yml