Set up elasticsearch with rsyslog. Logstash/kibana

Jeff Moe 6 years ago
parent 208a82f2e7
commit de46783cd5

@ -45,3 +45,39 @@ systemctl enable elasticsearch.service
### XXX Prometheus :) ### XXX Prometheus :)
############################################################################## ##############################################################################
# Setting up logging from rsyslog to Elasticsearch
# On client machine:
apt install rsyslog-elasticsearch
cat > /etc/rsyslog.d/elasticsearch.conf <<EOF
module(load="omelasticsearch")
template(name="rsyslog"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
action(type="omelasticsearch"
server="10.22.22.124"
serverport="9200"
template="rsyslog"
searchIndex="rsyslog-index"
searchType="rsyslog-type"
bulkmode="on"
maxbytes="100m"
queue.type="linkedlist"
queue.size="5000"
queue.dequeuebatchsize="300"
action.resumeretrycount="-1")
EOF
systemctl restart rsyslog
##############################################################################
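Review bot: The omelasticsearch action at `server="10.22.22.124"` / `serverport="9200"` ships every client's syslog to Elasticsearch over plain HTTP with no authentication, so log content (usernames, hostnames, and whatever applications happen to print) crosses the network in the clear and anything on that segment can read or append to the index. If the cluster terminates TLS, add `usehttps="on"` together with `tls.cacert="<path-to-ca.pem>"` to the action; if it does not, the comment above the action should state that 9200 is reachable only from a trusted management network. Separately, `queue.type="linkedlist"` with `queue.size="5000"` is a memory-only queue, so although `action.resumeretrycount="-1"` retries forever, anything beyond 5000 pending messages is lost on a long outage or a restart; a disk-assisted queue (`queue.filename="es-queue"` plus `queue.saveonshutdown="on"`) would honour the retry intent. The enclosing script continues outside this hunk.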

@ -15,12 +15,23 @@ echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee
# Disable apt cache in /etc/apt/apt.conf # Disable apt cache in /etc/apt/apt.conf
apt update apt update
# XXX Note the "kibana" package is non-free. Use the -oss package! # XXX Note the "kibana" package is non-free. Use the -oss package!
apt-get install kibana-oss # XXX NOTE, the kibana-oss in the repo is old, so you have to get it manually:
#apt-get install kibana-oss
wget https://artifacts.elastic.co/downloads/kibana/kibana-oss-6.3.2-amd64.deb
dpkg -i kibana-oss-6.3.2-amd64.deb
# Start on boot: # Edit config:
systemctl enable kibana.service vim /etc/kibana/kibana.yml
#
server.host: "10.22.22.123"
server.name: "kibana1"
elasticsearch.url: "http://10.22.22.124:9200"
# Start:
systemctl start kibana.service
# Open firewall # Open firewall
-A INPUT -p tcp --dport 5601 -j ACCEPT
# Start on boot: # Start on boot:
systemctl enable kibana.service systemctl enable kibana.service
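Review bot: The manual install path `wget https://artifacts.elastic.co/downloads/kibana/kibana-oss-6.3.2-amd64.deb` followed by `dpkg -i` skips the signature check that `apt-get install` from the signed repository would have performed, so a tampered or truncated download is installed as root without complaint. Elastic publishes a `.sha512` sidecar next to each artifact; fetching it and running `sha512sum -c kibana-oss-6.3.2-amd64.deb.sha512` before the `dpkg -i` line restores an integrity check. The firewall line `-A INPUT -p tcp --dport 5601 -j ACCEPT` opens the Kibana UI to any source while the OSS build has no authentication of its own, so it should carry a `-s <admin-subnet>` restriction or sit behind an authenticating reverse proxy. The `server.host` / `server.name` / `elasticsearch.url` lines appear to be notes for the manual `vim /etc/kibana/kibana.yml` edit rather than something this script applies; the rsyslog and logstash parts of this commit write their config with a `cat > file <<EOF` heredoc, which would keep this file consistently runnable.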

@ -25,11 +25,11 @@ http.port: 9600
cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF
input { input {
tcp { tcp {
port => 5000 port => 5140
type => syslog type => syslog
} }
udp { udp {
port => 5000 port => 5140
type => syslog type => syslog
} }
} }
@ -58,6 +58,11 @@ EOF
systemctl start logstash.service systemctl start logstash.service
# Open firewall # Open firewall
# Logstash
-A INPUT -p tcp --dport 9600 -j ACCEPT
# Logstash syslog
-A INPUT -p tcp --dport 5140 -j ACCEPT
-A INPUT -p udp --dport 5140 -j ACCEPT
# Start on boot: # Start on boot:
systemctl enable logstash.service systemctl enable logstash.service
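Review bot: The new rules `-A INPUT -p tcp --dport 5140 -j ACCEPT` and `-A INPUT -p udp --dport 5140 -j ACCEPT` accept syslog from any source, and the `tcp`/`udp` inputs in the first hunk of this file apply no filtering, so any host that can reach this box can write records into the index — and UDP syslog carries a source address that is trivially forged. Restricting each rule with `-s <client-subnet>` limits ingest to the machines the rsyslog part of this commit actually configures. The `-A INPUT -p tcp --dport 9600 -j ACCEPT` line exposes the Logstash monitoring API, which has no authentication; unless `http.host` (set outside this hunk, next to the `http.port: 9600` in the hunk header) was changed from its loopback default the rule is unnecessary, and if it was, the rule should be limited to the monitoring host. The port move from 5000 to 5140 in the earlier hunk has no stated reason; a one-line comment above the `tcp {` input saying why would help the next maintainer.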
