HELK VS docker-elk

Utilizing that api and juniper notebooks is exactly why Hunting Elk is the way it from my understanding.

So you can actual do both defensive while practicing offensive. If you can set up a lab system with an attacker, for ease using kali, and defensive systems like a single windows box, or you can go balls to the wall if you have the resources and set up an AD environment and then ship all the logs to a SIEM system like Splunk or HELK (https://github.com/Cyb3rWard0g/HELK). Building off the environment you can also include Mordor (https://github.com/UraSecTeam/mordor)

HELK + Mordor combo https://github.com/Cyb3rWard0g/HELK

On a side note - I somehow have the feeling that you are trying to recreate https://github.com/Cyb3rWard0g/HELK

You can find tools that leverage ELK that aren't necessarily plugins. SIEM looks like it has some free component to it, too: https://github.com/Cyb3rWard0g/HELK https://www.elastic.co/blog/elastic-siem-free-open

HELK can help for the SIEM and detection part

MISP is a Threat Intelligence Platform (TIP), not a hunting platform. That would be something like HELK

Hello everyone! I am trying to get started with ELK and I am facing a very frustrating situation. I am trying to use the stack with Docker Compose. I have tried 2 versions: https://github.com/deviantony/docker-elk and also https://www.elastic.co/blog/getting-started-with-the-elastic-stack-and-docker-compose but they both have the same problem. I inspected the Docker container logs and I get some weird errors:

The waters are further muddied since I started out trying to spin up a docker instance https://github.com/deviantony/docker-elk but I found the config for docker is setup with a different layout, for example with logstash there is no conf.d directory, and pipelines are layed out differently, making it more challenging to use web examples. Overall I've tried many config examples and all have failed.

This is the github project conainer I'm trying to create a stack with: https://github.com/deviantony/docker-elk

Here's a quick way to get your hands into an elasticstack using docker-compose: https://github.com/deviantony/docker-elk

Essentially I've got 2 sets of standard JSON files that I'm trying to ingest into a dockerized ELK stack. The first set was downloaded cloudflare logs, standard line separated JSON data, tried to use Filebeat to ingest and it kept prefixing the JSON data with some dumb ECS event data, basically exactly what this post describes if its easier to see in pics. All of the cloudflare data was nested within the event.original field and would not get mapped. But once I tried to use just logstash directly, it was fine and mapped correctly and no more event data.

i use the elk into the docker,using the docker-elk compose , the logstash logs shows that it is reciving the logs:

It depends on what you want to get out of visualizing your logs. I use the combination of Elastic + Logstash + Kibana (ELK Stack) on docker to visualize things like

I did end up kinda Frankensteining this project and docker-elk. Basically took out the entire etc/pfelk directory from pfelk project and added the pipelines/dashboard/groks etc to docker-elk. This works really will for me since I have several other devices that aren’t OPNSense that I wanted ingested to ELK.