Troubleshooting Guide
If the system is too slow, disabled auditbeat in docker-compose. Auditbeat is very consumer.
If you have this error in log elastisearch:
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Edit "/etc/sysctl.conf", add this line:
vm.max_map_count=262144
Do this command for changing the parameter:
sysctl -p
Docker-compose must be installed on the system
The user must be on the group "docker" or you do that:
sudo groupadd docker
sudo usermod -aG docker $USER
Run the following command or Logout and login again and run (that doesn't work you may need to reboot your machine first)
newgrp docker
Check if docker can be run without root
docker ps
If you have this warning:
WARNING: The HOSTNAME variable is not set. Defaulting to a blank string
You must do:
export HOSTNAME
docker-compose up -d
To change your default network driver:
Edit or create config file for docker daemon:
nano /etc/docker/daemon.json
Add lines:
{
"default-address-pools":
[
{"base":"10.10.0.0/16","size":24}
]
}
Restart dockerd:
service docker restart
If you have environment without ipv6 ( ipv6.disable=1 in grub ), you can have errors when you start the solution.
You must edit the docker-compose.yml and change ports:
Example:
Before:
ports:
- "5044:5044"
After:
ports:
- "0.0.0.0:5044:5044"
vi /etc/rsyslog.conf
Add the following line:
$FileCreateMode 0644
Filebeat can read the logs in the "/var/log" with the user rights
