
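# Clone Debian Stretch template, set up IPs, hostname, ssh keys

apt update
apt -y dist-upgrade

##############################################################################
# Install Java dependency
apt -y install openjdk-8-jre-headless


# Install Elasticsearch version 6 (latest)
# Get key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# Install deps (should be installed already):
apt-get -y install apt-transport-https
# Set up repo for release 6.x
# (plain tee, not tee -a: re-running these notes must not duplicate the entry)
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-6.x.list

# Disable apt-cache in /etc/apt/apt.conf, it doesn't work with https
apt update

# It doesn't appear the open source version is in the repo, needs manual install. XXX
#apt install elasticsearch-oss
# A manual .deb download bypasses apt's signature check, so verify the
# published sha512 before installing. sha512sum must print "OK".
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.3.2.deb
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.3.2.deb.sha512
sha512sum -c elasticsearch-oss-6.3.2.deb.sha512
dpkg -i elasticsearch-oss-6.3.2.deb

# Configure a cluster name and answer on IP.
# Open firewall
# Allow elasticsearch. The -oss build ships without X-Pack security (no auth,
# no TLS), so anything that can reach 9200 can read, write and delete indices:
# limit 9200 to the rsyslog clients and 9300 (cluster transport) to other
# Elasticsearch nodes. <CLIENT_NET> / <ES_NODE_NET> are placeholders, fill in
# the real subnets.
-A INPUT -p tcp -s <CLIENT_NET> --dport 9200 -j ACCEPT
-A INPUT -p tcp -s <ES_NODE_NET> --dport 9300 -j ACCEPT

# Set up configuration:
vim /etc/elasticsearch/elasticsearch.yml
# Set:
cluster.name: elasticsearch
network.host: 10.22.22.124

# Start:
systemctl start elasticsearch.service

# Start on boot:
systemctl enable elasticsearch.service

### XXX Backups
### XXX Prometheus :)

##############################################################################
# Setting up logging from rsyslog to Elasticsearch

# On client machine:
apt install rsyslog-elasticsearch

# Notes on the action below:
# - the queue is memory-only (linkedlist); messages still queued when rsyslog
#   stops are lost. Add queue.filename="es_queue" queue.saveonshutdown="on"
#   to the action to make it disk-assisted.
# - no usehttps is set, so log lines go to 9200 as plain HTTP across the
#   network.
# Quoted heredoc so nothing in the config is subject to shell expansion.
cat > /etc/rsyslog.d/elasticsearch.conf <<'EOF'
module(load="omelasticsearch")
template(name="rsyslog"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
action(type="omelasticsearch"
server="10.22.22.124"
serverport="9200"
template="rsyslog"
searchIndex="rsyslog-index"
searchType="rsyslog-type"
bulkmode="on"
maxbytes="100m"
queue.type="linkedlist"
queue.size="5000"
queue.dequeuebatchsize="300"
action.resumeretrycount="-1")
EOF

systemctl restart rsyslog

##############################################################################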