@tulja This seems very good.
I think that it should be better to have less interaction with the dockers; the installation process will be simpler.
Creating a subdirectory for extending the modsecurity container:
```bash
mkdir modsec_elk/waf_filebeat
# The Dockerfile below copies filebeat.yml from this directory
mv modsec_elk/filebeat.yml modsec_elk/waf_filebeat
cat > modsec_elk/waf_filebeat/Dockerfile <<EOF
FROM owasp/modsecurity-crs
...
# RUN steps already execute as root during the build, so sudo is not needed
RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
RUN echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list
RUN apt-get update && apt-get install -y filebeat && rm -rf /var/lib/apt/lists/*
...
COPY filebeat.yml /etc/filebeat/filebeat.yml
...
EOF
```
(other steps for creating a self-contained docker)
Then modify docker-compose like this:
```yaml
...
  modsec_elk:
    links:
      - elk
    build: modsec_elk
```
To build the new, extended container, just use `docker-compose build`.
Links also has the property of defining that name inside the containers, so it will be available for use in the config files (you don't need or care about the IP address, just use `elk:5044`).
I have a couple additional comments, but need to board my flight :)
Thank you @fzipi for feedback. I'm done with the above changes. Please let me know the additional comments as well so I can incorporate those in my next PR.