tweaking

docker/elk/logstash/Dockerfile

@@ -31,7 +31,9 @@ RUN apk -U --no-cache add \
     # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
     sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
     /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-input-http && \
     /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-output-http && \
     /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
 #
 # Add and move files
@@ -40,6 +42,8 @@ RUN apk -U --no-cache add \
     chmod u+x /usr/bin/update.sh && \
     mkdir -p /etc/logstash/conf.d && \
     cp logstash.conf /etc/logstash/conf.d/ && \
+    cp http.conf /etc/logstash/conf.d/ && \
+    cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
     cp tpot_es_template.json /etc/logstash/ && \
 #
 # Setup user, groups and configs
@@ -60,4 +64,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
 # Start logstash
 #USER logstash:logstash
 #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
-CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution

docker/elk/logstash/dist/http.conf

@@ -0,0 +1,19 @@
+# Input section
+input {
+  http {
+    id => "tpot"
+    host => "0.0.0.0"
+    port => "80"
+  }
+}
+
+# Output section
+output {
+  elasticsearch {
+    hosts => ["elasticsearch:9200"]
+    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
+    index => "logstash-%{+YYYY.MM.dd}"
+    template => "/etc/logstash/tpot_es_template.json"
+  }
+
+}

docker/elk/logstash/dist/pipelines.yml

@@ -0,0 +1,4 @@
+- pipeline.id: logstash
+  path.config: "/etc/logstash/conf.d/logstash.conf"
+- pipeline.id: http
+  path.config: "/etc/logstash/conf.d/http.conf"

docker/elk/logstash/docker-compose.yml

@@ -14,7 +14,10 @@ services:
 #        condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
+    ports:
+     - "127.0.0.1:64305:80"
     image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
+#     - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf