DevSecOps Workshop in Azure > Class1 - Learn DevSecOps in Azure with Terraform and GitHub > Module 1 - Prepare your environment Source |
Lab 3 - Deploy an ECK with Logstash in your AKS¶
In order to visualize your security events, you can deploy an ECK (Elastic Cloud Kibanba) in your AKS - this is an optional lab but it will be very useful for your next POC/demo … We will deploy logstash aslo to parse the syslog messages.
Deploy ECK with Logstash¶
The current deployment is done manually but we have been working on an Helm chart to deploy it quickly.
Go to k8s-deployment/ECK directory and execute all the commands and manifests below:
kubectl create -f https://download.elastic.co/downloads/eck/2.1.0/crds.yaml kubectl apply -f https://download.elastic.co/downloads/eck/2.1.0/operator.yaml kubectl create secret generic kibana-saved-objects-encrypted-key --from-literal=xpack.encryptedSavedObjects.encryptionKey=12345678901234567890123456789012 kubectl apply -f kibana.yaml kubectl apply -f logstash-cm.yaml kubectl apply -f logstash.yaml kubectl apply -f logstash-service.yaml
Retrieve your ECK password, and save it somewhere
echo $(kubectl get secret elasticsearch-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
Find your Logstash-lb public IP address
❯ kubectl get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE elasticsearch-es-default ClusterIP None <none> <none> 107m elasticsearch-es-http LoadBalancer 10.0.28.236 20.223.17.201 9200:31190/TCP 107m elasticsearch-es-transport ClusterIP None <none> 9300/TCP 107m kibana-kb-http LoadBalancer 10.0.253.12 20.223.250.186 443:31235/TCP 104m kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 391d logstash ClusterIP 10.0.151.251 <none> 25826/TCP,5044/TCP 89m logstash-lb LoadBalancer 10.0.76.75 20.123.125.224 25826:32099/TCP,5044:31063/TCP 78m
Push the NAP Dashboard into ECK (change the password value with your password and the IP address with the Logstash LB IP)
KIBANA_URL=https://<your-public-ip-kibana-lb> jq -s . overview-dashboard-bot.ndjson | jq '{"objects": . }' | \ curl -k --location --user elastic:<your-password> --request POST "$KIBANA_URL/api/kibana/dashboards/import" \ --header 'kbn-xsrf: true' \ --header 'Content-Type: text/plain' -d @- \ | jq
Connect to your ECK https://<kibana-kb-http IP address>
Login is
elastic
and the password is the one from the steps aboveIn Dashboard, select the
Overview
dashboard
