version: '3.5'

services:
  helk-elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2
    container_name: helk-elasticsearch
    logging:
      driver: "json-file"
      options:
        max-file: "9"
        max-size: "6m"
    secrets:
      - source: elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
    volumes:
      - esdata:/usr/share/elasticsearch/data
      - ./helk-elasticsearch/scripts:/usr/share/elasticsearch/scripts
      - ./helk-elasticsearch/config/jvm.options:/usr/share/elasticsearch/config/jvm.options
    entrypoint: /usr/share/elasticsearch/scripts/elasticsearch-entrypoint.sh
    environment:
      - cluster.name=helk-cluster
      - node.name=helk-1
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=false
      #- "HELK_ES_MEMORY=-Xms$2g -Xmx2g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nproc: 20480
      nofile:
        soft: 160000
        hard: 160000
    restart: always
    networks:
      helk:
  helk-logstash:
    image: otrf/helk-logstash:7.6.2.1
    container_name: helk-logstash
    logging:
      driver: "json-file"
      options:
        max-file: "9"
        max-size: "6m"
    volumes:
      - ./helk-logstash/pipeline:/usr/share/logstash/pipeline
      - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
      - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
      - ./helk-logstash/plugins:/usr/share/logstash/plugins
      - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
      - ./helk-logstash/scripts:/usr/share/logstash/scripts
    entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
    environment:
      - xpack.monitoring.enabled=true
      - xpack.monitoring.elasticsearch.hosts=http://helk-elasticsearch:9200
      - log.level=warn
      - "HELK_LOGSTASH_JAVA_OPTS=-XX:-UseConcMarkSweepGC -XX:-UseCMSInitiatingOccupancyOnly -XX:+UseG1GC"
    ports:
      - "5044:5044"
      - "8531:8531"
      - "3515:3515"
      - "5514:5514"
      - "8515:8515"
      - "8516:8516"
      - "5514:5514/udp"
      - "8515:8515/udp"
      - "8516:8516/udp"
      - "9200:9200"
    restart: always
    depends_on:
      - helk-kibana
    networks:
      helk:
  helk-kibana:
    image: docker.elastic.co/kibana/kibana:7.6.2
    container_name: helk-kibana
    logging:
      driver: "json-file"
      options:
        max-file: "9"
        max-size: "6m"
    secrets:
      - source: kibana.yml
        target: /usr/share/kibana/config/kibana.yml
    volumes:
      - ./helk-kibana/objects:/usr/share/kibana/objects
      - ./helk-kibana/scripts:/usr/share/kibana/scripts
      - ./helk-kibana/custom:/usr/share/kibana/custom
    entrypoint: /usr/share/kibana/scripts/kibana-entrypoint.sh
    restart: always
    depends_on:
      - helk-elasticsearch
    networks:
      helk:
  helk-nginx:
    image: otrf/helk-nginx:0.3.0
    container_name: helk-nginx
    logging:
      driver: "json-file"
      options:
        max-file: "9"
        max-size: "6m"
    secrets:
      - source: htpasswd.users
        target: /etc/nginx/htpasswd.users
    volumes:
      - ./helk-nginx/config/basic-elk:/etc/nginx/conf.d/default.conf
      - ./helk-nginx/scripts/:/opt/helk/scripts/
    entrypoint: /opt/helk/scripts/nginx-entrypoint.sh
    ports:
      - "80:80"
      - "443:443"
    restart: always
    depends_on:
      - helk-kibana
    networks:
      helk:
  helk-zookeeper:
    image: otrf/helk-zookeeper:2.4.0
    container_name: helk-zookeeper
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "1m"
    restart: always
    depends_on:
      - helk-logstash
    networks:
      helk:
  helk-kafka-broker:
    image: otrf/helk-kafka-broker:2.4.0
    container_name: helk-kafka-broker
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "1m"
    restart: always
    depends_on:
      - helk-zookeeper
    environment:
      KAFKA_BROKER_NAME: helk-kafka-broker
      KAFKA_BROKER_ID: 1
      KAFKA_BROKER_PORT: 9092
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
      KAFKA_CREATE_TOPICS: winlogbeat, winevent, SYSMON_JOIN, filebeat, zeek
      KAFKA_HEAP_OPTS: -Xmx1G -Xms256M
      LOG_RETENTION_HOURS: 4
    ports:
      - "9092:9092"
    networks:
      helk:
  helk-ksql-server:
    image: confluentinc/cp-ksql-server:5.1.3
    container_name: helk-ksql-server
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "1m"
    restart: always
    depends_on:
      - helk-kafka-broker
    environment:
      KSQL_BOOTSTRAP_SERVERS: helk-kafka-broker:9092
      KSQL_LISTENERS: http://0.0.0.0:8088
      KSQL_KSQL_SERVICE_ID: wardog
      KSQL_CUB_KAFKA_TIMEOUT: 300
      KSQL_KSQL_COMMIT_INTERVAL_MS: 2000
      KSQL_KSQL_CACHE_MAX_BYTES_BUFFERING: 10000000
      KSQL_KSQL_STREAMS_AUTO_OFFSET_RESET: earliest
      KSQL_HEAP_OPTS: -Xmx1g
      KSQL_OPTS: "-Dconfluent.support.metrics.enable=false"
    ports:
      - 8088:8088
    networks:
      helk:
  helk-ksql-cli:
    image: confluentinc/cp-ksql-cli:5.1.3
    container_name: helk-ksql-cli
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "1m"
    depends_on:
      - helk-ksql-server
    environment:
        KSQL_HEAP_OPTS: -Xmx1g
    entrypoint: /bin/sh
    tty: true
    networks:
      helk:

networks:
  helk:
    driver: bridge

volumes:
  esdata:
    driver: local

secrets:
  elasticsearch.yml:
    file: ./helk-elasticsearch/config/elasticsearch.yml
  kibana.yml:
    file: ./helk-kibana/config/kibana.yml
  htpasswd.users:
    file: ./helk-nginx/htpasswd.users