Overview
The SIEMply Secure project at Awan Infotech required a centralized platform to collect and correlate logs from biometric systems, CCTV infrastructure, and enterprise applications. We chose ECK (Elastic Cloud on Kubernetes) on AKS as the foundation — giving us operator-managed Elasticsearch and Kibana with native Kubernetes lifecycle management.
Architecture
The platform runs entirely inside a dedicated AKS namespace with the following components:
- ECK Operator — manages Elasticsearch and Kibana CRDs
- Elasticsearch (3-node cluster) — stores and indexes all ingested logs
- Kibana — dashboards, alerting, and SIEM app
- Filebeat + Winlogbeat — log shippers on Linux and Windows sources
- Traefik Ingress — TLS termination for Kibana with cert-manager
Deploying ECK
ECK is deployed via the official Elastic Helm chart. The operator watches for Elasticsearch and Kibana custom resources and handles rolling upgrades, TLS certificate rotation, and resource scaling automatically.
helm repo add elastic https://helm.elastic.co
helm repo update
helm install elastic-operator elastic/eck-operator \
  --namespace elastic-system \
  --create-namespace
Elasticsearch Cluster Manifest
We defined a 3-node Elasticsearch cluster with persistent storage backed by Azure Managed Disks:
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: siem-es
  namespace: siem
spec:
  version: 8.12.0
  nodeSets:
  - name: default
    count: 3                          # three master-eligible nodes give a real quorum
    config:
      # Removes the vm.max_map_count sysctl requirement on the AKS nodes; fine for a
      # small cluster, but production clusters should enable mmap and set the sysctl.
      node.store.allow_mmap: false
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data      # ECK expects exactly this claim name for the data path
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: managed-premium   # AKS built-in Premium SSD managed-disk class
        resources:
          requests:
            storage: 100Gi
Securing Kibana with Traefik + cert-manager
Kibana is exposed through Traefik Ingress with a Let's Encrypt certificate managed by cert-manager, so renewal of the public-facing certificate is fully automated with no manual rotation. Two things to check before copying this: a non-public hostname such as kibana.internal.example.com can only satisfy Let's Encrypt through a DNS-01 challenge (HTTP-01 requires the host to be reachable from the internet), and ECK serves Kibana's HTTP port over HTTPS with its own self-signed certificate by default, so Traefik must either be told to dial the backend over HTTPS or Kibana's self-signed TLS must be disabled; a plain HTTP backend pointed at port 5601 will not work.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kibana-ingress
  namespace: siem
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
  - hosts: [kibana.internal.example.com]
    secretName: kibana-tls            # created and renewed by cert-manager
  rules:
  - host: kibana.internal.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: siem-es-kb-http     # ECK names the Service <Kibana resource name>-kb-http
            port:
              number: 5601            # served over HTTPS by ECK unless self-signed TLS is disabled
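The Ingress above only routes traffic if a Kibana resource named siem-es exists and Traefik speaks the scheme Kibana actually serves. The manifests below are an added example, not code from the original post or from Elastic, showing the Kibana resource together with the Traefik ServersTransport that lets Traefik verify ECK's self-signed Kibana certificate instead of downgrading the in-cluster hop to plaintext. Assumed, and not stated on the page: Traefik 2.10 or later with the traefik.io/v1alpha1 CRDs and its kubernetescrd provider watching the siem namespace, and that the ECK certificate's SANs include the Service name siem-es-kb-http.siem.svc.

```yaml
# Added example (not from the original post). Assumptions: Traefik >= 2.10 with the
# traefik.io/v1alpha1 CRDs, kubernetescrd provider enabled for namespace "siem", and the
# ECK-issued Kibana certificate carrying a SAN for siem-es-kb-http.siem.svc.
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: siem-es                  # ECK derives the Service name siem-es-kb-http from this
  namespace: siem
spec:
  version: 8.12.0
  count: 1
  elasticsearchRef:
    name: siem-es                # operator provisions kibana_system credentials and the ES CA
  http:
    service:
      metadata:
        annotations:
          # Traefik reads these from the Service, not the Ingress: dial the backend over
          # HTTPS and verify it with the ServersTransport defined below.
          traefik.ingress.kubernetes.io/service.serversscheme: https
          traefik.ingress.kubernetes.io/service.serverstransport: siem-kibana-tls@kubernetescrd
    # Weaker alternative: uncomment to make Kibana listen in plaintext so the Ingress
    # works with no Service annotations. The Traefik-to-Kibana hop is then unencrypted
    # and any pod in the cluster can impersonate Kibana to Traefik.
    # tls:
    #   selfSignedCertificate:
    #     disabled: true
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: kibana-tls               # referenced by Traefik as <namespace>-<name>@kubernetescrd
  namespace: siem
spec:
  # ECK publishes the CA for Kibana's self-signed certificate under key ca.crt in this Secret.
  rootCAsSecrets:
  - siem-es-kb-http-certs-public
  # Verify the presented certificate against the Service DNS name rather than a pod IP.
  serverName: siem-es-kb-http.siem.svc
```

Apply both documents with kubectl, then confirm Traefik's dashboard or logs show the service as healthy; if the health check fails with a certificate error, the SAN assumption above is wrong for your ECK version and serverName must be changed to one of the names actually present in the certificate (inspect it with openssl from the tls.crt key of the same Secret).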
Log Ingestion
Filebeat runs as a DaemonSet on all Linux nodes, shipping container logs and audit logs to Elasticsearch. Winlogbeat agents on the Windows sources (CCTV and biometric servers) ship Windows Event Logs over TLS. Those Windows hosts sit outside the AKS cluster, so the Elasticsearch HTTP endpoint has to be reachable from them, its certificate has to cover the name they connect to, and the shipper has to actually verify that certificate; otherwise "over TLS" means encryption without any authentication of the server.
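A Winlogbeat output configuration that does verify the server is shown below as an added example; it is not a file from the original post or the project. Assumed, and not stated on the page: Elasticsearch is reachable from the Windows hosts as es.internal.example.com:9200 and that hostname has been added to the ECK certificate SANs via spec.http.tls.selfSignedCertificate.subjectAltNames on the Elasticsearch resource; the ECK CA was exported from the ca.crt key of the siem-es-es-http-certs-public Secret and copied to the host; and an API key scoped to the winlogbeat-* indices (not the elastic superuser) was stored in the Winlogbeat keystore under ES_API_KEY with `winlogbeat.exe keystore add ES_API_KEY`.

```yaml
# winlogbeat.yml (added example, not from the original post). Assumptions: Elasticsearch is
# reachable as es.internal.example.com:9200 with that name in its certificate SANs, the ECK
# CA was exported to the path below, and ES_API_KEY lives in the Winlogbeat keystore.
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h                  # do not backfill days of old events on first start
  - name: System
  - name: Application
  - name: Microsoft-Windows-Sysmon/Operational   # only present if Sysmon is installed

output.elasticsearch:
  hosts: ["https://es.internal.example.com:9200"]
  api_key: "${ES_API_KEY}"             # resolved from the keystore; never a literal here
  ssl:
    enabled: true
    # Pin the ECK-issued CA rather than trusting the Windows system store.
    certificate_authorities: ['C:\ProgramData\winlogbeat\siem-es-ca.crt']
    # Weak setting seen in the wild: verification_mode: none accepts any certificate, so an
    # on-path attacker could harvest the API key and forge or drop events. Keep it at full
    # (chain and hostname checked) or strict (additionally rejects certificates without SANs).
    verification_mode: full
    supported_protocols: [TLSv1.2, TLSv1.3]
```

Before enabling the Windows service, run `winlogbeat.exe test output` on the host: it must report the TLS handshake and certificate checks as OK; if it reports a hostname mismatch, the external name is missing from the ECK certificate SANs and the fix belongs on the Elasticsearch resource, not in verification_mode.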
Key Outcomes
- Centralized logs from 200+ sources into a single queryable platform
- Reduced mean time to detect (MTTD) security incidents from hours to minutes
- Automated TLS — no manual certificate work since deployment
- ECK operator handles Elasticsearch rolling upgrades without manual intervention
ECK on Kubernetes is significantly easier to operate than self-managed Elasticsearch. The operator handles the hard parts — TLS, rolling upgrades, and node coordination — so you can focus on the data.