
ELK

Overview

The following steps describe how to ship the logs of an onboarded cluster to the AccuKnox SaaS ELK stack. The feeder-service chart normally installs its own Elasticsearch and Kibana; here those sub-charts are disabled and the feeder-service is pointed at your external ELK endpoint instead.

Step 1: Edit Feeder-service chart

helm pull accuknox-agents/feeder-service --untar
ls feeder-service


Follow the steps below to update the ELK endpoint:

1.1 Open feeder-service/values.yaml

1.2 Search for the keyword ELASTICSEARCH_HOST

1.3 Set it to your ELK endpoint, either an address reachable from the cluster or the in-cluster service DNS name (look it up with kubectl get svc -n <namespace>, using the namespace in which Elasticsearch runs). The feeder-service pod must be able to reach this host; an unreachable endpoint is the most common reason for logs never arriving in ELK.


Step 2: Helm Upgrade Feeder-service

helm upgrade --install feeder-service feeder-service  --set elastic.enabled=false --set kibana.enabled=false  -n accuknox-agents

Note: the two --set flags disable the Elasticsearch and Kibana sub-charts bundled with the feeder-service chart, so only the feeder-service (with its Filebeat sidecar) is installed and all logs are sent to the external ELK endpoint configured in Step 1.
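The two steps above, as one script. This is an added example and not AccuKnox's own tooling; it assumes that values.yaml carries ELASTICSEARCH_HOST either as a plain key (ELASTICSEARCH_HOST: host) or as an env-style list entry (- name: ELASTICSEARCH_HOST followed by a value: line), and the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the AccuKnox feeder-service chart): point the pulled
# chart at an external ELK endpoint and upgrade the release with the bundled
# Elasticsearch/Kibana sub-charts disabled.
#
# Usage: ./ship-to-elk.sh <elk-host:port> [chart-dir] [namespace]
#   chart-dir defaults to ./feeder-service (from `helm pull ... --untar`)
#   namespace defaults to accuknox-agents

# Rewrite ELASTICSEARCH_HOST in a values.yaml. Two layouts are handled (both
# assumed, since the chart's exact layout is not shown on the page):
#   ELASTICSEARCH_HOST: old-host            (plain key)
#   - name: ELASTICSEARCH_HOST              (env-style list entry, value on the
#     value: old-host                        following line)
# The file is rewritten atomically via a temp file next to it.
set_es_host() {
  local values_file="$1" new_host="$2"
  awk -v host="$new_host" '
    /^[[:space:]]*ELASTICSEARCH_HOST:/ {
      sub(/:.*/, ": \"" host "\""); print; next
    }
    /name:[[:space:]]*ELASTICSEARCH_HOST[[:space:]]*$/ { pending = 1; print; next }
    pending && /^[[:space:]]*value:/ {
      sub(/value:.*/, "value: \"" host "\""); pending = 0; print; next
    }
    { print }
  ' "$values_file" > "$values_file.tmp" && mv "$values_file.tmp" "$values_file"
}

# Print the currently configured ELASTICSEARCH_HOST (quotes stripped), so the
# change can be verified before running helm.
get_es_host() {
  awk '
    /^[[:space:]]*ELASTICSEARCH_HOST:/ {
      sub(/^[^:]*:[[:space:]]*/, ""); gsub(/"/, ""); print; exit
    }
    /name:[[:space:]]*ELASTICSEARCH_HOST[[:space:]]*$/ { pending = 1; next }
    pending && /^[[:space:]]*value:/ {
      sub(/^[[:space:]]*value:[[:space:]]*/, ""); gsub(/"/, ""); print; exit
    }
  ' "$1"
}

# Step 2 from the page: install/upgrade the release without the Elasticsearch
# and Kibana sub-charts. Extra arguments (e.g. --dry-run) are passed to helm.
upgrade_feeder() {
  local chart_dir="$1" ns="$2"
  shift 2
  helm upgrade --install feeder-service "$chart_dir" \
    --set elastic.enabled=false \
    --set kibana.enabled=false \
    -n "$ns" "$@"
}

# Only act when invoked with an ELK host; sourcing the file defines the functions.
if [ "$#" -ge 1 ]; then
  chart_dir="${2:-feeder-service}"
  ns="${3:-accuknox-agents}"
  set_es_host "$chart_dir/values.yaml" "$1"
  echo "ELASTICSEARCH_HOST is now: $(get_es_host "$chart_dir/values.yaml")"
  upgrade_feeder "$chart_dir" "$ns"
fi
```

Run it once with a trailing `--dry-run` on the helm line (or call `upgrade_feeder feeder-service accuknox-agents --dry-run` after sourcing the file) to see the rendered manifests before touching the cluster, and check the echoed host is the one you expect; a typo here produces a healthy-looking deployment that silently ships nothing.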


Step 3: Log in to the Kibana dashboard and confirm that alerts arrive

1. Apply the policy

Create the policy file (nano nginx-kubearmor-policy.yaml) with the following content. It blocks the system-owner discovery binaries (MITRE T1082) in every pod carrying the label app: nginx:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy
  # namespace: accuknox-agents   # uncomment and set the namespace of the target workload;
                                 # without it the policy lands in your current kubectl namespace
spec:
  tags: ["MITRE", "T1082"]
  message: "System owner discovery command is blocked"
  selector:
    matchLabels:
      app: nginx   # must match the labels of the pods you want to protect
  process:
    severity: 3
    matchPaths:
      - path: /usr/bin/who
      - path: /usr/bin/w
      - path: /usr/bin/id
      - path: /usr/bin/whoami
  action: Block

Then apply it:

kubectl apply -f nginx-kubearmor-policy.yaml


2. Violate the policy

Open a shell in one of the nginx pods (the pod name below is the page's example; substitute your own) and run one of the blocked binaries, for example whoami or id. With the policy in place the execution is denied and KubeArmor emits an alert:

kubectl exec -it nginx-766b69bd4b-wqnpj -- bash


To confirm the alert is generated before looking for it in ELK, stream it locally with karmor. The port-forward exposes the KubeArmor gRPC service on 32767, the endpoint karmor log uses by default:

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767
karmor log


3. Verify the logs in the Kibana dashboard

  • Search for the keyword "kubearmor" in Kibana; the alert for the blocked command should appear, carrying the policy name nginx-kubearmor-policy and the message "System owner discovery command is blocked". If karmor log showed the alert but Kibana does not, the problem lies between the feeder-service and ELK (see the note below).


Note:

If logs are not showing up in ELK, check that the Filebeat sidecar in the feeder-service pod is actually running and can reach the ELK endpoint:

1. Exec into the filebeat-sidecar container of the feeder-service pod (the pod name below is the page's example; use kubectl get pods -n accuknox-agents to find yours)

kubectl exec -it feeder-service-7c9f847c76-fwtqj -c filebeat-sidecar -n accuknox-agents -- bash

2. Start Filebeat in the foreground with logging to stderr (-e) and all debug selectors enabled (-d "*"), so connection errors to the ELASTICSEARCH_HOST set in Step 1 are printed directly in the terminal

filebeat run -e -d "*"

