Stand up a 100% containerized Elastic stack, TLS secured, with Elasticsearch, Kibana, Fleet, and the Detection Engine all pre-configured, enabled and ready to use, within minutes.
If you're interested in more details regarding this project and what to do once you have it running, check out our blog post on the Elastic Security Labs site.
Git clone
this repo- Install prerequisites (see below)
- Change into the
elastic-container/
folder - Change the default password of
changeme
in the.env
file (don't change theelastic
username, it's a required built-in user) - Bulk enable pre-built detection rules by OS in the
.env
file (not required, see usage below) - Make the
elastic-container.sh
shell script executable by runningchmod +x elastic-container.sh
- Execute the
elastic-container.sh
shell script with the start argument./elastic-container start
- Wait for the prompt to tell you to browse to https://localhost:5601
(You may be presented a browser warning due to the self-signed certificates. You can typethisisnotsafe
or click to proceed after which you will be directed to the Elastic log in screen)
- Linux or MacOS
- Docker suite, jq, curl, and git.
You can use the links above, the Linux package install commands below, or Homebrew if your'e on MacOS
MacOS:
brew install jq git curl docker-compose
brew install --cask docker
Once we have Docker installed we need to provide it with privileged access for it to function. Run the following command to open the Docker app and follow the proceeding steps.
open /Applications/Docker.app
- Confirm you would like to open the app
- Select ok when prompted to provide Docker with privileged access
- Enter your password
- Close or minimize the Docker app
Ubuntu:
Please follow the Docker installation instructions. Of specific note, you must install the docker-compose-plugin
, which is different than docker-compose
.
apt-get install jq git curl
CentOS/Fedora:
Please follow the Docker installation instructions. Of specific note, you must install the docker-compose-plugin
, which is different than docker-compose
.
dnf install jq git curl
Other Linux distributions:
Please follow the Docker installation instructions. Of specific note, you must install the docker-compose-plugin
, which is different than docker-compose
.
Arch Linux users should install inetutils
and change the shell script from hostname -I
to hostname -i
.
Windows 10/11 with WSL 2 (Ubuntu 20.04):
Make sure you are using WSL version 2. You can check the version using wsl -l -v
in PowerShell. If the version is wrong you can change it with wsl --set-version Ubuntu-20.04 2
apt-get update
apt-get install jq git curl
Please follow the Docker installation instructions. Of specific note, you must install the docker-compose-plugin
, which is different than docker-compose
.
Once the Docker suite is installed run sudo service docker start
to start it.
This uses default creds of elastic:changeme
and is intended purely for security research on a local Elastic stack. Change the password in the .env
file. Don't change the elastic
username, it's a required built-in user
This should not be Internet exposed or used in a production environment.
If you want to bulk enable Elastic's pre-built detection rules by OS, on startup, you can change the value of the chosen OS in the .env
file from 0 to 1.
# Bulk Enable Detection Rules by OS
LinuxDR=0
WindowsDR=1
MacOSDR=0
If you have not changed the default passwords in the .env
file, the script will exit.
Starting will:
- create a network called
elastic
- download the Elasticsearch, Kibana, and Elastic-Agent Docker images defined in the script
- start Elasticsearch, Kibana, and the Elastic-Agent configured as a Fleet Server w/all settings needed for Fleet and the Detection Engine
$ ./elastic-container.sh start
...
⠿ Container elasticsearch-security-setup Healthy 7.3s
⠿ Container elasticsearch Healthy 39.3s
⠿ Container kibana Healthy 59.3s
⠿ Container elastic-agent Started 59.7s
Attempting to enable the Detection Engine and Prebuilt-Detection Rules
Kibana is up. Proceeding
Detection engine enabled. Installing prepackaged rules.
Prepackaged rules installed!
Waiting 40 seconds for Fleet Server setup
Populating Fleet Settings
READY SET GO!
Browse to https://localhost:5601
Username: elastic
Passphrase: not-the-default!
After a few minutes, when prompted, browse to https://localhost:5601 and log in with your configured credentials.
Destroying will:
- stop the Elasticsearch and Kibana containers
- delete the Elasticsearch and Kibana containers
- delete the
elastic
container network - delete the created volumes
$ ./elastic-container.sh destroy
fleet-server
kibana
elasticsearch
elastic
Stopping will:
- stop the Elasticsearch and Kibana containers without deleting them
$ ./elastic-container.sh stop
fleet-server
kibana
elasticsearch
elastic
Restarting will:
- restart all the containers
$ ./elastic-container.sh restart
elasticsearch
kibana
fleet-server
Requesting the status will:
- return the current status of the running containers
$ ./elastic-container.sh status
NAMES: STATUS
fleet-server: Up 6 minutes
kibana: Up 6 minutes
elasticsearch: Up 6 minutes
Clearing will :
- clear all documents in logs and metrics indices
$ ./elastic-container.sh clear
Successfully cleared logs data stream
Successfully cleared metrics data stream
Staging the container images will:
- download all container images to your local system, but will not start them
$ ./elastic-container.sh stage
8.6.0: Pulling from elasticsearch/elasticsearch
e7bd69ff4774: Pull complete
d0a0f12aaf30: Pull complete
...
In .env
, the variables are defined, below are the variables that can be changed. You must change the default passwords.
ELASTIC_PASSWORD="changeme"
KIBANA_PASSWORD="changeme"
STACK_VERSION="8.11.2"
If you want to change the default values, simply replace whatever is appropriate in the variable declaration.
If you want to use different Elastic Stack versions, you can change those as well. Optional values are on Elastic's Docker hub: