gkleiman/docker-compose.yml

## docker-compose.yml
version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
    networks:
      - elastic

  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data02:/usr/share/elasticsearch/data
    networks:
      - elastic

  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data03:/usr/share/elasticsearch/data
    networks:
      - elastic

  kib01:
    image: docker.elastic.co/kibana/kibana:7.11.2
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: '["http://es01:9200","http://es02:9200","http://es03:9200"]'
    networks:
      - elastic

volumes:
  data01:
    driver: local
  data02:
    driver: local
  data03:
    driver: local

networks:
  elastic:
    driver: bridge

## filebeat.sh
#!/usr/bin/env bash

docker rm filebeat
docker run -d \
  --name=filebeat \
  --network=k8s-audit_elastic \
  --volume="$(pwd)/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="$(pwd)/new:/data:ro" \
  docker.elastic.co/beats/filebeat:7.11.2 filebeat -e -strict.perms=false \
  -E output.elasticsearch.hosts=["es01:9200"]

## filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - "/data/audit/*.log"
  json.keys_under_root: true
  json.add_error_key: true
output.elasticsearch:
  hosts: ["localhost:9200"]
  pipeline: kube-audit

## k8s-audit-pipeline.json
{
  "description" : "kube audit log",
  "processors" : [
    {
      "date" : {
        "field" : "requestReceivedTimestamp",
        "target_field" : "@timestamp",
        "formats" : ["ISO8601"]
      }
    }
  ]
}
	version: '2.2'
	services:
	es01:
	image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
	container_name: es01
	environment:
	- node.name=es01
	- cluster.name=es-docker-cluster
	- discovery.seed_hosts=es02,es03
	- cluster.initial_master_nodes=es01,es02,es03
	- bootstrap.memory_lock=true
	- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
	ulimits:
	memlock:
	soft: -1
	hard: -1
	volumes:
	- data01:/usr/share/elasticsearch/data
	ports:
	- 9200:9200
	networks:
	- elastic

	es02:
	image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
	container_name: es02
	environment:
	- node.name=es02
	- cluster.name=es-docker-cluster
	- discovery.seed_hosts=es01,es03
	- cluster.initial_master_nodes=es01,es02,es03
	- bootstrap.memory_lock=true
	- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
	ulimits:
	memlock:
	soft: -1
	hard: -1
	volumes:
	- data02:/usr/share/elasticsearch/data
	networks:
	- elastic

	es03:
	image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
	container_name: es03
	environment:
	- node.name=es03
	- cluster.name=es-docker-cluster
	- discovery.seed_hosts=es01,es02
	- cluster.initial_master_nodes=es01,es02,es03
	- bootstrap.memory_lock=true
	- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
	ulimits:
	memlock:
	soft: -1
	hard: -1
	volumes:
	- data03:/usr/share/elasticsearch/data
	networks:
	- elastic

	kib01:
	image: docker.elastic.co/kibana/kibana:7.11.2
	container_name: kib01
	ports:
	- 5601:5601
	environment:
	ELASTICSEARCH_URL: http://es01:9200
	ELASTICSEARCH_HOSTS: '["http://es01:9200","http://es02:9200","http://es03:9200"]'
	networks:
	- elastic

	volumes:
	data01:
	driver: local
	data02:
	driver: local
	data03:
	driver: local

	networks:
	elastic:
	driver: bridge
	#!/usr/bin/env bash

	docker rm filebeat
	docker run -d \
	--name=filebeat \
	--network=k8s-audit_elastic \
	--volume="$(pwd)/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
	--volume="$(pwd)/new:/data:ro" \
	docker.elastic.co/beats/filebeat:7.11.2 filebeat -e -strict.perms=false \
	-E output.elasticsearch.hosts=["es01:9200"]
	filebeat.inputs:
	- type: log
	enabled: true
	paths:
	- "/data/audit/*.log"
	json.keys_under_root: true
	json.add_error_key: true
	output.elasticsearch:
	hosts: ["localhost:9200"]
	pipeline: kube-audit
	{
	"description" : "kube audit log",
	"processors" : [
	{
	"date" : {
	"field" : "requestReceivedTimestamp",
	"target_field" : "@timestamp",
	"formats" : ["ISO8601"]
	}
	}
	]
	}