commit 549a273141708f1ebee23b6c9bdbeb52ba8141c1 Author: Knut Ahlers Date: Sat Jan 13 18:08:48 2018 +0100 Initial version Signed-off-by: Knut Ahlers
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a8f6328
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,32 @@
+FROM golang:alpine
+
+ENV FILEBEAT_VERSION=v6.1.1
+
+RUN set -ex \
+ && apk --no-cache add build-base git ca-certificates \
+ && mkdir -p /go/src/github.com/elastic \
+ && git clone https://github.com/elastic/beats.git /go/src/github.com/elastic/beats \
+ && git -C /go/src/github.com/elastic/beats fetch origin --tags \
+ && git -C /go/src/github.com/elastic/beats reset --hard ${FILEBEAT_VERSION} \
+ && go install -v github.com/elastic/beats/filebeat
+
+
+FROM alpine
+
+LABEL maintainer Knut Ahlers
+
+RUN set -ex \
+ && apk --no-cache add ca-certificates
+
+COPY --from=0 /go/bin/filebeat /opt/filebeat/filebeat
+
+ADD fields.yml /opt/filebeat/
+ADD filebeat.yml /opt/filebeat/
+ADD start.sh /opt/filebeat/
+
+WORKDIR /opt/filebeat
+
+VOLUME ["/var/log/vault", "/config"]
+
+ENTRYPOINT ["sh", "/opt/filebeat/start.sh"]
+CMD ["--"]
diff --git a/fields.yml b/fields.yml
new file mode 100644
index 0000000..40f799c
--- /dev/null
+++ b/fields.yml
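Review bot: The runtime stage never switches away from root, so filebeat — which only needs to read `/var/log/vault` and read/write `/opt/filebeat` — runs with full privileges, and on top of that both `FROM golang:alpine` and `FROM alpine` float on the `latest` tag while `git reset --hard ${FILEBEAT_VERSION}` resolves a mutable tag rather than a commit, so neither build nor runtime image is reproducible. Pin the base images (e.g. `golang:1.9-alpine` and `alpine:3.7`, or better a digest), create an unprivileged user in the final stage, give it ownership of `/opt/filebeat` (start.sh copies and chmods the config there at startup) and switch to it before `ENTRYPOINT`; the three `ADD` lines of plain local files should be `COPY`. The bind-mounted audit log then has to be readable by that UID/GID, which the operator must align with the permissions Vault writes the file with — worth a comment next to the `VOLUME` line.
```dockerfile
FROM alpine:3.7

# … unchanged: LABEL, ca-certificates install …

RUN addgroup -S filebeat && adduser -S -G filebeat -H filebeat

COPY --from=0 /go/bin/filebeat /opt/filebeat/filebeat
COPY fields.yml filebeat.yml start.sh /opt/filebeat/
RUN chown -R filebeat:filebeat /opt/filebeat

WORKDIR /opt/filebeat
USER filebeat
# … unchanged: VOLUME, ENTRYPOINT, CMD …
```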
@@ -0,0 +1,71 @@
+---
+
+- key: vault-audit
+ title: "vault-audit"
+ fields:
+ - name: "@timestamp"
+ type: date
+ - name: auth
+ type: group
+ fields:
+ - name: accessor
+ type: keyword
+ - name: client_token
+ type: keyword
+ - name: display_name
+ type: keyword
+ - name: entity_id
+ type: keyword
+ - name: metadata
+ type: object
+ - name: policies
+ type: keyword
+ - name: beat
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ - name: name
+ type: keyword
+ - name: version
+ type: keyword
+ - name: error
+ type: text
+ - name: offset
+ type: long
+ - name: request
+ type: group
+ fields:
+ - name: client_token
+ type: keyword
+ - name: client_token_accessor
+ type: keyword
+ - name: data
+ type: object
+ - name: headers
+ type: object
+ - name: id
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: path
+ type: keyword
+ - name: policy_override
+ type: boolean
+ - name: remote_address
+ type: keyword
+ - name: wrap_ttl
+ type: long
+ - name: response
+ type: group
+ fields:
+ - name: auth
+ type: object
+ - name: data
+ type: object
+ - name: secret
+ type: object
+ - name: time
+ type: date
+
+...
diff --git a/filebeat.yml b/filebeat.yml
new file mode 100644
index 0000000..398af52
--- /dev/null
+++ b/filebeat.yml
@@ -0,0 +1,28 @@
+---
+
+filebeat.prospectors:
+- type: log
+ enabled: true
+ paths:
+ - /var/log/vault/*.log
+ json.keys_under_root: true
+ json.overwrite_keys: true
+
+output.elasticsearch:
+ hosts:
+ - ${HOST}
+
+ protocol: ${PROTOCOL:http}
+ username: ${USERNAME:}
+ password: ${PASSWORD:}
+
+ index: "vault-audit-%{+yyyy.MM.dd}"
+
+path.home: /opt/filebeat
+
+setup.template.enabled: true
+setup.template.name: "vault-audit"
+setup.template.pattern: "vault-audit-*"
+setup.template.overwrite: true
+
+...
diff --git a/start.sh b/start.sh
new file mode 100644
index 0000000..a1c10cd
--- /dev/null
+++ b/start.sh
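Review bot: The mapping indexes `auth.client_token`, `request.client_token`, `response.auth` and `response.secret` as first-class fields, and nothing in the file records that these are only safe to ship to Elasticsearch because (as far as I recall) Vault's audit device HMACs token and secret values by default — an operator who enables raw logging on the device would start indexing live tokens under these names. A header comment such as `# Token/secret fields are HMAC-SHA256 digests in Vault's default audit output; do not enable log_raw on the device feeding this index` makes the assumption explicit to whoever later tunes the audit backend. `request.data`, `response.data` and `response.secret` are typed `object`, so every key inside them is dynamically mapped; a one-line note on whether that is intended (mapping growth, type conflicts between paths) would also help the next maintainer.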
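Review bot: `protocol: ${PROTOCOL:http}` makes plaintext the default transport and `username`/`password` default to empty, so an operator who only sets `HOST` ships Vault audit records — token accessors, request paths, client addresses — unauthenticated over cleartext. Changing the default to `protocol: ${PROTOCOL:https}` turns the insecure mode into an explicit opt-in, and a comment beside the credentials (`# USERNAME/PASSWORD are expected to be set; leave empty only for a cluster reachable solely over a trusted network`) documents the expectation. `json.overwrite_keys: true` lets keys in a log line replace the fields filebeat itself adds, which is presumably intended for Vault's JSON output but deserves a one-line comment saying so.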
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+[ -e /config/filebeat.yml ] && cp /config/filebeat.yml /opt/filebeat/filebeat.yml
+
+# filebeat refuses to work if config is writable for others than owner
+chmod 644 /opt/filebeat/filebeat.yml
+
+exec /opt/filebeat/filebeat "$@"
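Review bot: `chmod 644` leaves the config world-readable even though a user-supplied `/config/filebeat.yml` may carry a literal Elasticsearch password in place of the `${PASSWORD:}` placeholder; the check the comment describes rejects group/other write bits, so `chmod 600 /opt/filebeat/filebeat.yml` should satisfy filebeat while limiting read access to the owner. The script also runs without `set -e`, so a failed `cp` (unreadable file, or `/config/filebeat.yml` mounted as a directory) is ignored and filebeat silently starts with the image's built-in config; adding `set -e` after the shebang keeps the `[ -e … ] &&` guard working — a false test in an AND-list does not abort — while a failed copy does. Those two lines are the only change I would make.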