DevSecOps Workshop in Azure > Class1 - Learn DevSecOps in Azure with Terraform and GitHub > Module 1 - Prepare your environment Source |

Lab 3 - Deploy an ECK with Logstash in your AKS¶

In order to visualize your security events, you can deploy an ECK (Elastic Cloud Kibanba) in your AKS - this is an optional lab but it will be very useful for your next POC/demo … We will deploy logstash aslo to parse the syslog messages.

Deploy ECK with Logstash¶

The current deployment is done manually but we have been working on an Helm chart to deploy it quickly.

Go to k8s-deployment/ECK directory and execute all the commands and manifests below:

kubectl create -f https://download.elastic.co/downloads/eck/2.1.0/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/2.1.0/operator.yaml
kubectl create secret generic kibana-saved-objects-encrypted-key --from-literal=xpack.encryptedSavedObjects.encryptionKey=12345678901234567890123456789012
kubectl apply -f kibana.yaml
kubectl apply -f logstash-cm.yaml
kubectl apply -f logstash.yaml
kubectl apply -f logstash-service.yaml

Retrieve your ECK password, and save it somewhere

echo $(kubectl get secret elasticsearch-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')

Find your Logstash-lb public IP address

❯ kubectl get services
 NAME                         TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                          AGE
 elasticsearch-es-default     ClusterIP      None           <none>           <none>                           107m
 elasticsearch-es-http        LoadBalancer   10.0.28.236    20.223.17.201    9200:31190/TCP                   107m
 elasticsearch-es-transport   ClusterIP      None           <none>           9300/TCP                         107m
 kibana-kb-http               LoadBalancer   10.0.253.12    20.223.250.186   443:31235/TCP                    104m
 kubernetes                   ClusterIP      10.0.0.1       <none>           443/TCP                          391d
 logstash                     ClusterIP      10.0.151.251   <none>           25826/TCP,5044/TCP               89m
 logstash-lb                  LoadBalancer   10.0.76.75     20.123.125.224   25826:32099/TCP,5044:31063/TCP   78m

Push the NAP Dashboard into ECK (change the password value with your password and the IP address with the Logstash LB IP)

KIBANA_URL=https://<your-public-ip-kibana-lb>
jq -s . overview-dashboard-bot.ndjson | jq '{"objects": . }' | \
   curl -k --location --user elastic:<your-password> --request POST "$KIBANA_URL/api/kibana/dashboards/import" \
   --header 'kbn-xsrf: true' \
   --header 'Content-Type: text/plain' -d @- \
   | jq

Connect to your ECK https://<kibana-kb-http IP address>
Login is elastic and the password is the one from the steps above
In Dashboard, select the Overview dashboard

Previous Next