From de46783cd527180e59ed5dcb3c3eeb84b8cbfadd Mon Sep 17 00:00:00 2001
From: Jeff Moe <moe@forksand.com>
Date: Sun, 29 Jul 2018 15:56:25 -0600
Subject: [PATCH] Set up elasticsearch with rsyslog. Logstash/kibana

---
 source/resources/apps/elasticsearch/README | 36 ++++++++++++++++++++++
 source/resources/apps/kibana/README        | 17 ++++++++--
 source/resources/apps/logstash/README      |  9 ++++--
 3 files changed, 57 insertions(+), 5 deletions(-)

diff --git a/source/resources/apps/elasticsearch/README b/source/resources/apps/elasticsearch/README
index 9c42ea4..f7e5391 100644
--- a/source/resources/apps/elasticsearch/README
+++ b/source/resources/apps/elasticsearch/README
@@ -45,3 +45,39 @@ systemctl enable elasticsearch.service
 ### XXX Prometheus :)
 
 ##############################################################################
+# Setting up logging from rsyslog to Elasticsearch
+
+# On client machine:
+apt install rsyslog-elasticsearch
+
+cat >  /etc/rsyslog.d/elasticsearch.conf <<EOF
+module(load="omelasticsearch")
+template(name="rsyslog"
+         type="list"
+         option.json="on") {
+           constant(value="{")
+             constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
+             constant(value="\",\"message\":\"")     property(name="msg")
+             constant(value="\",\"host\":\"")        property(name="hostname")
+             constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
+             constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
+             constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
+           constant(value="\"}")
+         }
+action(type="omelasticsearch"
+       server="10.22.22.124"
+       serverport="9200"
+       template="rsyslog"
+       searchIndex="rsyslog-index"
+       searchType="rsyslog-type"
+       bulkmode="on"
+       maxbytes="100m"
+       queue.type="linkedlist"
+       queue.size="5000"
+       queue.dequeuebatchsize="300"
+       action.resumeretrycount="-1")
+EOF
+
+systemctl restart rsyslog
+
+##############################################################################
diff --git a/source/resources/apps/kibana/README b/source/resources/apps/kibana/README
index 0c2c3ca..ce7cab4 100644
--- a/source/resources/apps/kibana/README
+++ b/source/resources/apps/kibana/README
@@ -15,12 +15,23 @@ echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee
 # Disable apt cache in /etc/apt/apt.conf
 apt update
 # XXX Note the "kibana" package is non-free. Use the -oss package!
-apt-get install kibana-oss
+# XXX NOTE, the kibana-oss in the repo is old, so you have to get it manually:
+#apt-get install kibana-oss
+wget https://artifacts.elastic.co/downloads/kibana/kibana-oss-6.3.2-amd64.deb
+dpkg -i kibana-oss-6.3.2-amd64.deb
 
-# Start on boot:
-systemctl enable kibana.service
+# Edit config:
+vim /etc/kibana/kibana.yml
+#
+server.host: "10.22.22.123"
+server.name: "kibana1"
+elasticsearch.url: "http://10.22.22.124:9200"
+
+# Start:
+systemctl start kibana.service
 
 # Open firewall
+-A INPUT -p tcp --dport 5601 -j ACCEPT
 
 # Start on boot:
 systemctl enable kibana.service
diff --git a/source/resources/apps/logstash/README b/source/resources/apps/logstash/README
index b02cbd2..43f86c0 100644
--- a/source/resources/apps/logstash/README
+++ b/source/resources/apps/logstash/README
@@ -25,11 +25,11 @@ http.port: 9600
 cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF
 input {
   tcp {
-    port => 5000
+    port => 5140
     type => syslog
   }
   udp {
-    port => 5000
+    port => 5140
     type => syslog
   }
 }
@@ -58,6 +58,11 @@ EOF
 systemctl start logstash.service
 
 # Open firewall
+# Logstash
+-A INPUT -p tcp --dport 9600 -j ACCEPT
+# Logstash syslog
+-A INPUT -p tcp --dport 5140 -j ACCEPT
+-A INPUT -p udp --dport 5140 -j ACCEPT
 
 # Start on boot:
 systemctl enable logstash.service