Elasticsearch¶
We got a script!!!! 🎉
FLASI provides an automated script to set up all necessary Elasticsearch components.
Prerequisites¶
- Elasticsearch running (cluster, cloud, or serverless)
- Access to Elasticsearch with appropriate permissions
- curl
Installation Steps¶
- Clone the repository.
- Configure your environment: set your Elasticsearch URL, credentials, and toggle what to load. See Configuring Variables below.
- Make the script executable and run it.
load.sh automatically reads your .env file, so there is no need to export the variables first.
Configuring Variables¶
All variables can be set in .env or passed inline:
Connection¶
| Variable | Default | Description |
|---|---|---|
| ES_URL | https://localhost:9200 | Elasticsearch endpoint |
| AUTH_METHOD | user | user or apikey |
| ES_USERNAME | elastic | Username (user auth) |
| ES_PASSWORD | changeme | Password (user auth) |
| ES_API_KEY | (empty) | API key (apikey auth) |
| INSECURE | false | Skip SSL verification |
For local deployments with autogenerated certificates, set INSECURE=true. This disables certificate verification entirely, so keep it to local test setups and trust the cluster's CA for anything reachable over a network.
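As an added example (not FLASI's load.sh, whose source is not reproduced here), a small POSIX sh uploader that honours the connection variables from the table above and refuses INSECURE=true against a non-local endpoint. ES_DRY_RUN is an assumed extra knob that prints the curl argument list instead of sending anything; the path and file in the usage comment are placeholders.

```shell
# Defaults taken from the Connection table; .env values override them.
: "${ES_URL:=https://localhost:9200}"
: "${AUTH_METHOD:=user}"
: "${ES_USERNAME:=elastic}"
: "${ES_PASSWORD:=changeme}"
: "${ES_API_KEY:=}"
: "${INSECURE:=false}"
: "${ES_DRY_RUN:=false}"   # assumed knob: print the curl arguments, send nothing

# INSECURE=true turns off certificate verification, so only accept it for a
# loopback endpoint: against a remote cluster the credentials could be read
# by anyone able to intercept the connection.
es_check_tls() {
    [ "$INSECURE" = "true" ] || return 0
    case "$ES_URL" in
        https://localhost[:/]*|https://127.0.0.1[:/]*) return 0 ;;
    esac
    echo "refusing INSECURE=true for non-local endpoint $ES_URL" >&2
    return 1
}

# PUT a JSON file to an Elasticsearch API path, e.g.
#   es_put _ilm/policy/logs-fortinet.fortigate.traffic ./ilm/traffic.json
# Returns 1 without sending anything when the configuration is inconsistent.
es_put() {
    es_path=$1
    es_file=$2
    es_check_tls || return 1
    set -- -sS -f -X PUT -H 'Content-Type: application/json' --data-binary "@$es_file"
    case "$AUTH_METHOD" in
        user)   set -- "$@" --user "$ES_USERNAME:$ES_PASSWORD" ;;
        apikey) [ -n "$ES_API_KEY" ] || { echo "ES_API_KEY is empty" >&2; return 1; }
                set -- "$@" -H "Authorization: ApiKey $ES_API_KEY" ;;
        *)      echo "AUTH_METHOD must be user or apikey, got '$AUTH_METHOD'" >&2
                return 1 ;;
    esac
    [ "$INSECURE" = "true" ] && set -- "$@" --insecure
    set -- "$@" "${ES_URL%/}/$es_path"
    if [ "$ES_DRY_RUN" = "true" ]; then
        printf '%s\n' "$@"   # one argument per line
        return 0
    fi
    curl "$@"
}
```

Run with ES_DRY_RUN=true first to confirm the request that would be sent (the --user value appears in clear, so do not paste that output into tickets or chat).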
What to load¶
The LOAD_* variables control which modules are loaded into Elasticsearch. By default, only index-related configuration is loaded.
| Variable | Default | Description |
|---|---|---|
| LOAD_ECS | true | ECS component templates (cloned from GitHub) |
| LOAD_COMPONENT | true | Custom component templates |
| LOAD_ILM | true | ILM policies |
| LOAD_INDEX_TEMPLATES | true | Index templates |
| LOAD_INGEST_PIPELINES | false | Ingest pipelines |
| LOAD_TRANSFORMS | false | Transforms |
Ingest Pipelines
❌ Ingest pipelines have been deprecated in favor of Vector
✅ Deploy Vector instead
Transforms
❌ Transforms are not stable
😬 We are probably not using them as they are intended to be
Other options¶
| Variable | Default | Description |
|---|---|---|
| ECS_VERSION | (latest) | Pin a specific ECS tag |
| USE_EXISTING_ECS | true | Reuse an already-cloned ecs/ directory |
| CONTINUE_ON_ERROR | true | Keep going if one upload fails |
| VERBOSE | false | Print full curl request/response detail |
ECS templates
On first run, load.sh clones elastic/ecs into ELK/ecs/ and uploads the generated component templates. On subsequent runs it reuses the existing clone. Set USE_EXISTING_ECS=false to force a fresh clone.
What gets installed¶
The script automatically creates:
Index Templates¶
- logs-fortinet.fortigate.traffic
- logs-fortinet.fortigate.utm
- logs-fortinet.fortigate.event
- logs-fortinet.forticlient
- logs-fortinet.fortiedr
- logs-fortinet.fortimail
Index Templates
You can manually add or remove component templates on the newly created index templates.
Component Templates¶
- ECS field mappings
- Fortinet specific mappings (FortiOS 7.2, 7.4, 7.6)
- ILM policies
- Index settings (refresh intervals, field limits, etc.)
ILM Policies¶
Automated lifecycle management for each data stream type:
- logs-fortinet.fortigate.traffic
- logs-fortinet.fortigate.utm
- logs-fortinet.fortigate.event
- logs-fortinet.forticlient
- logs-fortinet.fortiedr
- logs-fortinet.fortimail
Ingest Pipelines¶
- logs-fortinet.fortigate
- logs-fortinet.forticlient
- logs-fortinet.fortiedr
- logs-fortinet.fortimail
- logs-fortinet.fortiweb
Ingest Pipelines
These load only if LOAD_INGEST_PIPELINES is set to true.
Data Retention¶
Elasticsearch can manage the data lifecycle either via data stream lifecycle or via ILM policies.
Data stream lifecycle vs ILM Policies
Both options are set on the created index templates. ILM takes precedence over data stream lifecycle, so be sure to remove the ILM policy from your index template if you do not intend to use it.
- Data stream lifecycle: use it when you do not have a data-tiered architecture.
- ILM policy: use it when you do have a data-tiered architecture.
Next Steps¶
Once Elasticsearch is configured:
- Import dashboards in Kibana
- Start dancing with your logs!