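#!/usr/bin/env bash
# Clone Debian Stretch template, set up IPs, hostname, ssh keys (done by hand
# before this runs), then install Elasticsearch 6 (OSS) on the node and point
# rsyslog on the clients at it.
#
# Usage:
#   ES_HOST=<node-ip> ES_CLIENT_NET=<client-cidr> ./setup.sh server   # on the ES node
#   ES_HOST=<node-ip> ./setup.sh client                               # on each rsyslog client
#
# Environment:
#   ES_HOST        IP Elasticsearch answers on (network.host) and that the
#                  clients ship to. The original notes hard-coded 10.22.22.124.
#   ES_CLIENT_NET  Network the rsyslog clients send from; the only source
#                  allowed to reach port 9200. Elasticsearch OSS has no
#                  authentication, so this firewall rule is the access control
#                  on the REST API.
set -euo pipefail

readonly ES_VERSION='6.3.2'
readonly ES_DEB="elasticsearch-oss-${ES_VERSION}.deb"
readonly ES_DOWNLOADS='https://artifacts.elastic.co/downloads/elasticsearch'
readonly ES_YML='/etc/elasticsearch/elasticsearch.yml'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Bring the freshly cloned template up to date.
#######################################
update_system() {
  # apt-get rather than apt: apt warns that its CLI is not stable for scripts.
  apt-get update
  apt-get -y dist-upgrade
}

##############################################################################
#######################################
# Add the Elastic 6.x apt repo and install Elasticsearch OSS from the .deb.
# Globals: ES_VERSION, ES_DEB, ES_DOWNLOADS (read)
# Returns: non-zero (via die) when the downloaded .deb fails its checksum
#######################################
install_elasticsearch() {
  # Install Java dependency. -y keeps the run non-interactive, like the other installs.
  apt-get -y install openjdk-8-jre-headless

  # Install Elasticsearch version 6 (latest)
  # Get key. The script runs as root (nothing else in the notes used sudo).
  # NOTE(review): compare the imported key's fingerprint with the one Elastic
  # publishes before relying on the repo; the notes do not record it.
  wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -

  # Install deps (should be installed already):
  apt-get -y install apt-transport-https

  # Set up repo for release 6.x. Written with '>' instead of 'tee -a' so a
  # re-run does not leave a duplicate deb line behind.
  printf '%s\n' 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' \
    > /etc/apt/sources.list.d/elastic-6.x.list

  # Disable apt-cache in /etc/apt/apt.conf, it doesn't work with https
  apt-get update

  # It doesn't appear the open source version is in the repo, needs manual install. XXX
  #apt-get install elasticsearch-oss
  # Fetch the package and Elastic's published .sha512 for it, and refuse to
  # hand an unverified .deb to dpkg (it runs maintainer scripts as root).
  wget "${ES_DOWNLOADS}/${ES_DEB}" "${ES_DOWNLOADS}/${ES_DEB}.sha512"
  sha512sum -c "${ES_DEB}.sha512" || die "checksum mismatch for ${ES_DEB}"
  dpkg -i "${ES_DEB}"
}

#######################################
# Open firewall: allow Elasticsearch only from the rsyslog clients.
# Globals: ES_CLIENT_NET (read)
# NOTE(review): the original notes list these as bare rule fragments (the
# format of an iptables rules file); assumed to be iptables INPUT rules and
# applied directly here. The INPUT default policy is not shown in the notes.
#######################################
configure_firewall() {
  : "${ES_CLIENT_NET:?set to the network the rsyslog clients send from, e.g. 10.22.22.0/24}"
  # Allow elasticsearch REST API (9200) from the client network only; the
  # notes had it open to any source, and the API has no authentication.
  iptables -A INPUT -s "${ES_CLIENT_NET}" -p tcp --dport 9200 -j ACCEPT
  # 9300 is the inter-node transport port. A single node needs no inbound
  # 9300; add the peer nodes explicitly if the cluster grows:
  #iptables -A INPUT -s <PEER_NODE_IP> -p tcp --dport 9300 -j ACCEPT
}

#######################################
# Set cluster name and listen address, then start Elasticsearch.
# Globals: ES_HOST, ES_YML (read)
# Outputs: appends to elasticsearch.yml (first run only)
#######################################
configure_elasticsearch() {
  : "${ES_HOST:?set to the IP Elasticsearch should answer on}"
  # Set up configuration. The notes did this interactively in vim; appended
  # here so the run needs no terminal. On a fresh install both keys exist
  # only as commented-out defaults, and the grep keeps a re-run from
  # appending them twice.
  if ! grep -q '^network.host:' "${ES_YML}"; then
    cat >> "${ES_YML}" <<EOF
cluster.name: elasticsearch
network.host: ${ES_HOST}
EOF
  fi

  # Start:
  systemctl start elasticsearch.service
  # Start on boot:
  systemctl enable elasticsearch.service

  ### XXX Backups
  ### XXX Prometheus :)
}

##############################################################################
#######################################
# Setting up logging from rsyslog to Elasticsearch. Runs on the client machine.
# Globals: ES_HOST (read)
# Outputs: writes /etc/rsyslog.d/elasticsearch.conf, restarts rsyslog
# NOTE(review): omelasticsearch here speaks plain HTTP to an unauthenticated
# endpoint, so log contents cross the network in clear text and anyone who
# can reach 9200 can read or modify the index. The source-restricted firewall
# rule on the node is what bounds that exposure.
#######################################
setup_rsyslog_client() {
  : "${ES_HOST:?set to the Elasticsearch node's IP}"
  apt-get -y install rsyslog-elasticsearch

  # Unquoted delimiter on purpose: ${ES_HOST} must expand, and the heredoc
  # keeps the \" sequences literal (backslash only quotes \, $ and ` here).
  cat > /etc/rsyslog.d/elasticsearch.conf <<EOF
module(load="omelasticsearch")
template(name="rsyslog"
         type="list"
         option.json="on") {
           constant(value="{")
             constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
             constant(value="\",\"message\":\"")     property(name="msg")
             constant(value="\",\"host\":\"")        property(name="hostname")
             constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
             constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
             constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
           constant(value="\"}")
         }
action(type="omelasticsearch"
       server="${ES_HOST}"
       serverport="9200"
       template="rsyslog"
       searchIndex="rsyslog-index"
       searchType="rsyslog-type"
       bulkmode="on"
       maxbytes="100m"
       queue.type="linkedlist"
       queue.size="5000"
       queue.dequeuebatchsize="300"
       action.resumeretrycount="-1")
EOF

  systemctl restart rsyslog
}

##############################################################################
#######################################
# Enable plugins for syslog (on the Elasticsearch node).
#######################################
install_es_plugins() {
  # --batch answers the plugin's permission prompt non-interactively; the
  # plugin is only loaded after Elasticsearch restarts.
  /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch ingest-geoip
  systemctl restart elasticsearch.service
}
##############################################################################

#######################################
# Entry point: pick the role for this machine.
# Arguments: $1 - "server" (default) or "client"
#######################################
main() {
  local role=${1:-server}
  case "${role}" in
    server)
      update_system
      install_elasticsearch
      configure_firewall
      configure_elasticsearch
      install_es_plugins
      ;;
    client)
      setup_rsyslog_client
      ;;
    *)
      die "usage: ${0##*/} server|client"
      ;;
  esac
}

main "$@"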