|
|
|
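# Clone the Debian Stretch template, then set IPs, hostname and ssh keys.
# NOTE(review): Stretch (and its OpenJDK 8) no longer receives security
# updates; the steps below are the same on a supported release.
# apt-get is the stable scripting interface -- `apt` warns that its CLI may
# change and is meant for interactive use.
apt-get update
apt-get -y dist-upgrade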
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
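# Install the Java runtime Elasticsearch 6.x expects on the host.
# -y so the step runs unattended, consistent with the dist-upgrade above.
apt-get -y install openjdk-8-jre-headless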
|
|
|
|
|
|
|
|
|
|
|
|
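# Install Elasticsearch 6.x (OSS flavour)

# Fetch Elastic's signing key into a dedicated keyring instead of `apt-key add`:
# apt-key makes the key trusted for *every* repository on the host, while
# signed-by= scopes it to the Elastic repo only. apt-key is deprecated and
# signed-by is supported by Stretch's apt. Everything here runs as root, so
# the sudo calls are dropped. gnupg is needed for --dearmor.
apt-get -y install apt-transport-https gnupg
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
    | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

# Repo for the 6.x release line. Overwrite the list file (tee without -a) so
# re-running this script does not append duplicate entries.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/6.x/apt stable main" \
    | tee /etc/apt/sources.list.d/elastic-6.x.list

# If an apt proxy/cache is configured in /etc/apt/apt.conf, bypass it for
# this repo -- the original note says it does not work with https.
apt-get update

# Prefer the repo package so upgrades are tracked by apt (the original note
# says it was not found; XXX re-check with `apt-cache policy elasticsearch-oss`,
# the 6.x repo is expected to carry it):
#   apt-get -y install elasticsearch-oss
#
# Fallback: standalone .deb. Never `dpkg -i` an unverified download -- fetch
# Elastic's published SHA-512 for the file and check it before installing.
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.3.2.deb
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.3.2.deb.sha512
sha512sum -c elasticsearch-oss-6.3.2.deb.sha512 || { echo "checksum mismatch, aborting" >&2; exit 1; }
dpkg -i elasticsearch-oss-6.3.2.deb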
|
|
|
|
|
|
|
|
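# Configure a cluster name and answer on the LAN IP (see elasticsearch.yml below).

# Open firewall (iptables-restore syntax, e.g. in /etc/iptables/rules.v4).
# Elasticsearch OSS has no authentication and no TLS: anyone who can reach
# 9200 can read, write and delete every index, and 9300 is the transport port
# used to join the cluster. Do not accept from anywhere -- allow 9200 only from
# the rsyslog clients and 9300 only from cluster peers (drop the 9300 rule
# entirely on a single-node setup).
# 10.22.22.0/24 is assumed from network.host below -- confirm the real ranges.
-A INPUT -p tcp -s 10.22.22.0/24 --dport 9200 -j ACCEPT
-A INPUT -p tcp -s 10.22.22.0/24 --dport 9300 -j ACCEPT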
|
|
|
|
|
|
|
|
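# Set up configuration:
vim /etc/elasticsearch/elasticsearch.yml

# Set:
# network.host exposes the *unauthenticated* HTTP API on that interface --
# keep it paired with the source-restricted firewall rules above and never
# use 0.0.0.0 on a host that also has a public interface. A non-default
# cluster.name is worth choosing so a node pointed at this host by mistake
# does not join.
cluster.name: elasticsearch
network.host: 10.22.22.124

# The .deb does not start the service itself (see its postinst message);
# reload unit files before starting.
systemctl daemon-reload

# Start:
systemctl start elasticsearch.service

# Start on boot:
systemctl enable elasticsearch.service

# Sanity check -- should return the node's JSON banner from the LAN IP only:
curl -s http://10.22.22.124:9200/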
|
|
|
|
|
|
|
|
### XXX Backups
|
|
|
|
### XXX Prometheus :)
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
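# Setting up logging from rsyslog to Elasticsearch

# On client machine:
apt-get -y install rsyslog-elasticsearch

# The heredoc delimiter is quoted so the shell leaves $, backticks and
# backslashes in the rsyslog config untouched.
# NOTE(review): events travel as plain HTTP on the LAN with no authentication;
# ES OSS provides neither TLS nor auth, so the server's firewall rules are the
# only access control. If the LAN is not trusted, front 9200 with a
# TLS-terminating reverse proxy and set usehttps/uid/pwd on the action.
cat > /etc/rsyslog.d/elasticsearch.conf <<'EOF'
module(load="omelasticsearch")

# option.json="on" makes rsyslog JSON-escape every property value, so a log
# line containing quotes or backslashes can neither break the document nor
# inject extra fields into it.
template(name="rsyslog"
         type="list"
         option.json="on") {
    constant(value="{")
    constant(value="\"timestamp\":\"")    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"")   property(name="msg")
    constant(value="\",\"host\":\"")      property(name="hostname")
    constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
    constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
    constant(value="\"}")
}

# errorfile: records the bulk API rejects are otherwise dropped silently;
# keep a copy so lost log lines are noticed.
action(type="omelasticsearch"
       server="10.22.22.124"
       serverport="9200"
       template="rsyslog"
       searchIndex="rsyslog-index"
       searchType="rsyslog-type"
       bulkmode="on"
       maxbytes="100m"
       errorfile="/var/log/rsyslog-omelasticsearch-errors.log"
       queue.type="linkedlist"
       queue.size="5000"
       queue.dequeuebatchsize="300"
       action.resumeretrycount="-1")
EOF

systemctl restart rsyslog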
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
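# Install the ingest-geoip plugin (IP -> location enrichment for syslog fields
# through an ingest pipeline). Plugins are loaded at startup only, so the
# service has to be restarted for it to take effect.
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
systemctl restart elasticsearch.service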
|
|
|
|
##############################################################################
|