Stand up a 100% containerized Elastic stack, TLS secured, with Elasticsearch, Kibana, Fleet, and the Detection Engine all pre-configured, enabled and ready to use, within minutes.
- `git clone` this repo
- Install prerequisites
- Change into the `elastic-container/` folder
- Execute the `elastic-container.sh` shell script with the start argument: `./elastic-container.sh start`
- Wait for the prompt to tell you to browse to https://localhost:5601
- Linux or MacOS
- docker, docker-compose, jq, curl, and git.

You can use the links above, the Linux package install commands below, or Homebrew if you're on MacOS.

MacOS:

```
brew install jq git curl
brew install --cask docker
```

Debian or Ubuntu:

```
apt install docker jq git curl docker-compose
```

Fedora or CentOS:

```
dnf install docker jq git curl docker-compose
```
This uses default creds of `elastic:changeme` and is intended purely for security research on a local Elastic stack. Change these credentials in the `.env` file.

This should not be Internet exposed or used in a production environment.

If you have not changed the default credentials in the `.env` file, the script will exit.
Starting will:

- create a network called `elastic`
- download the Elasticsearch, Kibana, and Elastic-Agent Docker images defined in the script
- start Elasticsearch, Kibana, and the Elastic-Agent configured as a Fleet Server w/all settings needed for Fleet and the Detection Engine

```
$ ./elastic-container.sh start
...
⠿ Container elasticsearch-security-setup Healthy 7.3s
⠿ Container elasticsearch Healthy 39.3s
⠿ Container kibana Healthy 59.3s
⠿ Container elastic-agent Started 59.7s
Attempting to enable the Detection Engine and Prebuilt-Detection Rules
Kibana is up. Proceeding
Detection engine enabled. Installing prepackaged rules.
Prepackaged rules installed!
Waiting 40 seconds for Fleet Server setup
Populating Fleet Settings
READY SET GO!
Browse to https://localhost:5601
Username: elastic
Passphrase: not-the-default!
```
After a few minutes, when prompted, browse to https://localhost:5601 and log in with your configured credentials.
Destroying will:

- stop the Elasticsearch and Kibana containers
- delete the Elasticsearch and Kibana containers
- delete the `elastic` container network
- delete the created volumes

```
$ ./elastic-container.sh destroy
fleet-server
kibana
elasticsearch
elastic
```
Stopping will:

- stop the Elasticsearch and Kibana containers without deleting them

```
$ ./elastic-container.sh stop
fleet-server
kibana
elasticsearch
elastic
```
Restarting will:

- restart all the containers

```
$ ./elastic-container.sh restart
elasticsearch
kibana
fleet-server
```
Requesting the status will:

- return the current status of the running containers

```
$ ./elastic-container.sh status
NAMES: STATUS
fleet-server: Up 6 minutes
kibana: Up 6 minutes
elasticsearch: Up 6 minutes
```
Staging the container images will:

- download all container images to your local system, but will not start them

```
$ ./elastic-container.sh stage
8.4.0: Pulling from elasticsearch/elasticsearch
e7bd69ff4774: Pull complete
d0a0f12aaf30: Pull complete
...
```
The variables are defined in `.env`; any of them can be changed, but you must change the default credentials.

```
ELASTIC_PASSWORD="changeme"
KIBANA_PASSWORD="changeme"
STACK_VERSION="8.4.0"
```
If you want to change the default values, simply replace whatever is appropriate in the variable declaration.
If you want to use different Elastic Stack versions, you can change those as well. Optional values are on Elastic's Docker hub:
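As an added pre-flight check in the spirit of the script's own refusal to start on default credentials (this is example code, not the project's `elastic-container.sh`), the following reads the `KEY="value"` layout shown above and blocks while either password in `.env` is unset or still `changeme`:

```shell
#!/usr/bin/env bash
# Added example, not the elastic-container project's own code.
# Reads KEY="value" lines from a .env file (the layout shown in this README)
# and fails if ELASTIC_PASSWORD or KIBANA_PASSWORD is unset or still "changeme".

# Print the value of key $2 from env file $1: last definition wins, quotes stripped.
env_value() {
  local file="$1" key="$2"
  sed -n "s/^${key}=//p" "$file" | tail -n 1 | sed -e 's/^"//' -e 's/"$//'
}

# Return 0 when both passwords have been changed, 1 otherwise (reason on stderr).
check_env_creds() {
  local file="$1" rc=0 key val
  for key in ELASTIC_PASSWORD KIBANA_PASSWORD; do
    val="$(env_value "$file" "$key")"
    if [ -z "$val" ]; then
      echo "$key is not set in $file; refusing to start" >&2
      rc=1
    elif [ "$val" = "changeme" ]; then
      echo "$key in $file is still the default 'changeme'; refusing to start" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Self-demo on a constructed .env (a temp file, not the repo's real .env).
demo_env="$(mktemp)"
printf 'ELASTIC_PASSWORD="changeme"\nKIBANA_PASSWORD="changeme"\nSTACK_VERSION="8.4.0"\n' > "$demo_env"
if check_env_creds "$demo_env"; then
  echo "ok: would start stack version $(env_value "$demo_env" STACK_VERSION)"
else
  echo "blocked: edit .env before running ./elastic-container.sh start"
fi
rm -f "$demo_env"
```

Run it against the real `.env` with `check_env_creds .env` before `./elastic-container.sh start` to get the same refusal the script applies, with the offending variable named.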