An inventory management example consists of elasticsearch/kibana + filebeat + osquery
This example include just one test docker conainer with osquery preinstalled. Other docker containers are for unrelated purpose.
-
Install Docker
-
If you are using Docker for Mac or Windows, please allocate enough memory(2GB?) for it because elasticsearch/kibana cost pretty much memory.
-
Download docker-compose.yml and related files https://github.com/jjqq2013/misc/tree/master/elasticsearch6.2.2
git clone https://github.com/jjqq2013/misc cd misc/elasticsearch6.2.2or if you do not want to clone unrelated files, you can use:
svn export https://github.com/jjqq2013/misc/trunk/elasticsearch6.2.2 cd elasticsearch6.2.2
docker-compose up
Then you can use kibana at http://localhost:5601 to view elasticsearch.
osquery can be set to output only changed info such as new installed packages (of course can send complete info), perioidically.
- All available search keys and values are automatically listed in filter input dialog.
- All available search keys and top 5 values are automatically listed in panel.
So you no longer need to input query language normally.
Here are some snapshots:
