ELK

Overview

The following steps ship the logs of your onboarded cluster to the AccuKnox SaaS ELK.
Step 1: Edit the Feeder-service chart

```shell
helm pull accuknox-agents/feeder-service --untar
ls feeder-service
```
Follow the steps below to update the ELK endpoint:

1.1 Open values.yaml
1.2 Search for the keyword [ELASTICSEARCH_HOST]
1.3 Update the ELK endpoint or DNS (kubectl get svc -n
Step 2: Helm upgrade Feeder-service

```shell
helm upgrade --install feeder-service feeder-service --set elastic.enabled=false --set kibana.enabled=false -n accuknox-agents
```

Note: `elastic.enabled=false` and `kibana.enabled=false` skip installing the chart's bundled Elasticsearch and Kibana, since the logs are shipped to the AccuKnox SaaS ELK instead.
Step 3: Log in to the Kibana Dashboard

1. Apply the policy

```shell
nano nginx-kubearmor-policy.yaml
```

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy
  # namespace: accuknox-agents # Change your namespace
spec:
  tags: ["MITRE", "T1082"]
  message: "System owner discovery command is blocked"
  selector:
    matchLabels:
      app: nginx # use your own label here
  process:
    severity: 3
    matchPaths:
      - path: /usr/bin/who
      - path: /usr/bin/w
      - path: /usr/bin/id
      - path: /usr/bin/whoami
  action: Block
```

```shell
kubectl apply -f nginx-kubearmor-policy.yaml
```
2. Violate the policy

Open a shell in the nginx pod and run one of the blocked commands (for example `whoami`); it is denied and KubeArmor emits an alert. Forward the KubeArmor service and stream the alerts with `karmor log`:

```shell
kubectl exec -it nginx-766b69bd4b-wqnpj -- bash
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767
karmor log
```
3. Verify the logs in the Kibana dashboard

- Search for the "kubearmor" keyword in the Kibana dashboard
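Before checking Kibana, it helps to confirm that every rule of the policy above actually produced a Block alert on the KubeArmor side, so a missing entry in ELK can be attributed to the pipeline rather than to the policy. The script below is an added example (not part of the AccuKnox docs or tooling): it parses JSON alert lines as emitted by `karmor log --json` (the `--json` flag and the field names `PolicyName`, `ProcessName`, `Action` are assumed from KubeArmor's alert schema; the sample lines are constructed) and reports which of the policy's paths were blocked and which were never exercised.

```python
import json
from collections import Counter

# Paths from the nginx-kubearmor-policy shown above.
POLICY_NAME = "nginx-kubearmor-policy"
BLOCKED_PATHS = ["/usr/bin/who", "/usr/bin/w", "/usr/bin/id", "/usr/bin/whoami"]

# Constructed sample of `karmor log --json` output (field names assumed from
# KubeArmor's alert schema; the values are made up for this example).
SAMPLE_LOG = """
{"PodName":"nginx-766b69bd4b-wqnpj","NamespaceName":"default","PolicyName":"nginx-kubearmor-policy","ProcessName":"/usr/bin/whoami","Operation":"Process","Action":"Block","Result":"Permission denied","Tags":"MITRE,T1082","Message":"System owner discovery command is blocked"}
{"PodName":"nginx-766b69bd4b-wqnpj","NamespaceName":"default","PolicyName":"nginx-kubearmor-policy","ProcessName":"/usr/bin/id","Operation":"Process","Action":"Block","Result":"Permission denied","Tags":"MITRE,T1082","Message":"System owner discovery command is blocked"}
{"PodName":"nginx-766b69bd4b-wqnpj","NamespaceName":"default","ProcessName":"/usr/bin/ls","Operation":"Process","Action":"Audit","Result":"Passed"}
karmor connected to kubearmor (non-JSON status line, ignored)
"""

def parse_alerts(text):
    """Yield parsed alert dicts, skipping any non-JSON lines karmor prints."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize_policy_hits(text, policy_name=POLICY_NAME, paths=BLOCKED_PATHS):
    """Count Block alerts per path for the policy and list paths never hit.

    Returns (hits, missing): hits maps a process path to the number of Block
    alerts attributed to the policy; missing lists the policy's paths with no
    such alert, i.e. rules not yet verified end-to-end before looking in Kibana.
    """
    hits = Counter()
    for alert in parse_alerts(text):
        if alert.get("PolicyName") != policy_name or alert.get("Action") != "Block":
            continue
        if alert.get("ProcessName") in paths:
            hits[alert["ProcessName"]] += 1
    missing = [p for p in paths if p not in hits]
    return dict(hits), missing

if __name__ == "__main__":
    hits, missing = summarize_policy_hits(SAMPLE_LOG)
    print("blocked:", hits)            # {'/usr/bin/whoami': 1, '/usr/bin/id': 1}
    print("not yet exercised:", missing)  # ['/usr/bin/who', '/usr/bin/w']
```

To run it against a live cluster, replace `SAMPLE_LOG` with the captured text of `karmor log --json`; any path listed as not yet exercised should be triggered again from the pod before blaming the feeder-service pipeline.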
Note:

If logs are not showing up in ELK, run the following:

1. Exec into the feeder-service pod

```shell
kubectl exec -it feeder-service-7c9f847c76-fwtqj -c filebeat-sidecar -n accuknox-agents -- bash
```

2. Start the filebeat service

```shell
filebeat run -e "*"
```