Log file location

[weev3]

Hi @Cyb3rWard0g , it is possible to change logs storage location in new mount folder?. I think default HELK log files are in /var/lib/docker/overlay2. In my case, new mount folder in /mnt/nfs_share, how to change log storage location to that folder?. Can you help me?. I followed HELK docker installation instruction for enterprise usage. Our company has 300-400 computers, so log files need to stored in that location.

[Cyb3rWard0g]

Hey @weev3 ! sorry for the late response. I have been a little busy lately. Regarding the logs storage location in a new mount folder, I have not dealt with it yet. I will have to do some research on how it can be done.

[weev3]

@cyb3rWard0g Thank you. I tried too many answers on Google but all didn't fits for me. I used 24GB of RAM and 100GB storage for production use, our company can't provide more than 100GB for physical storage so I need to find a way to store only logs file to /mnt/share folder. Thanks for creating this HELK. Attackers can't hide when they doing Lateral movement.

[neu5ron]

You can create a snapshot of the ELK indexes and then restore them into your new desired location.

You can then change the path of where your indexes are in the elasticsearch.yml (the configuration file for elasticsearch) by altering: the path.data: line. probably better option is to edit the docker compose file and the definitions under the "volumes" line: https://github.com/Cyb3rWard0g/HELK/blob/5f303c83ae09707ba3d0bc987fe81d874e570e76/docker/helk-kibana-analysis-basic.yml#L10 and the re-run through the docker compose after modifying.

[weev3]

YES @neu5ron , I already tried this way. I changed path.data location and also add a volume in dockercompose file. But, I didn't received any logs. Mounted NTFS have read and write permission. I will try again. Thanks for your reply.

[neu5ron]

@weev3 fixed, wonder so we can close

[Cyb3rWard0g]

Closing the issue. Happy to reopen it if this is something that can be done from a HELK's perspective. Unfortunately, I cannot control the environment provided for HELK that is not recommended for the current version of the project. If this is fixed, please let me know how and I can add that as an option for the project.