Jeff Moe c9e8c4cf55
Rename README files to README.md
6 years ago

README.md

Clone Debian Stretch template, set up IPs, hostname, ssh keys

apt update
apt -y dist-upgrade

##############################################################################

Install Java dependency

apt install openjdk-8-jre-headless

Install Elasticsearch version 6 (latest)

Get key

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Install deps (should be installed already):

apt-get -y install apt-transport-https

Set up repo for release 6.x

echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

Disable apt-cache in /etc/apt/apt.conf; it doesn't work with https.

apt update

The open source version doesn't appear to be in the repo, so it needs a manual install. XXX

#apt install elasticsearch-oss
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.3.2.deb
dpkg -i elasticsearch-oss-6.3.2.deb

Configure a cluster name and the IP address to listen on.

Open firewall

Allow elasticsearch

-A INPUT -p tcp --dport 9200 -j ACCEPT
-A INPUT -p tcp --dport 9300 -j ACCEPT

Set up configuration:

vim /etc/elasticsearch/elasticsearch.yml

Set:

cluster.name: elasticsearch
network.host: 10.22.22.124

Start:

systemctl start elasticsearch.service

Start on boot:

systemctl enable elasticsearch.service

XXX Backups

XXX Prometheus :)

##############################################################################

Setting up logging from rsyslog to Elasticsearch

On client machine:

apt install rsyslog-elasticsearch

cat > /etc/rsyslog.d/elasticsearch.conf <<'EOF'
module(load="omelasticsearch")

# JSON document per message: the constant() pieces supply the braces, keys and
# quotes, the property() pieces supply the values.
template(name="rsyslog" type="list" option.json="on") {
  constant(value="{")
  constant(value="\"timestamp\":\"")
  property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"message\":\"")
  property(name="msg")
  constant(value="\",\"host\":\"")
  property(name="hostname")
  constant(value="\",\"severity\":\"")
  property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")
  property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"")
  property(name="syslogtag")
  constant(value="\"}")
}

action(type="omelasticsearch"
       server="10.22.22.124"
       serverport="9200"
       template="rsyslog"
       searchIndex="rsyslog-index"
       searchType="rsyslog-type"
       bulkmode="on"
       maxbytes="100m"
       queue.type="linkedlist"
       queue.size="5000"
       queue.dequeuebatchsize="300"
       action.resumeretrycount="-1")
EOF

systemctl restart rsyslog
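The template above builds each Elasticsearch document by string concatenation, so it relies on option.json="on" to escape whatever arrives in the syslog message. As an added illustration (not part of this README, and only an approximation of rsyslog's escaping), this Python script renders the same document from a constructed record with and without that escaping, showing why an unescaped quote in a log line would produce a document the bulk request rejects:

```python
import json
# Field order mirrors the rsyslog list template in this README.
TEMPLATE_FIELDS = (
    ("timestamp", "timereported"),
    ("message", "msg"),
    ("host", "hostname"),
    ("severity", "syslogseverity-text"),
    ("facility", "syslogfacility-text"),
    ("syslogtag", "syslogtag"),
)

def json_escape(value):
    """Approximation of the escaping option.json="on" gives rsyslog properties."""
    out = []
    for ch in value:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x20:          # newlines, tabs, other control bytes
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def render_document(record, escape):
    """Glue constant() pieces around property() values, as the template does."""
    parts = ["{"]
    for i, (json_key, prop) in enumerate(TEMPLATE_FIELDS):
        value = json_escape(record[prop]) if escape else record[prop]
        parts.append('%s"%s":"%s"' % ("" if i == 0 else ",", json_key, value))
    parts.append("}")
    return "".join(parts)

def parse_document(doc):
    # Returns the parsed document, or None if Elasticsearch would reject it.
    try:
        return json.loads(doc)
    except ValueError:
        return None

# Constructed sample record (not a real capture); the quotes in msg are the point.
SAMPLE = {
    "timereported": "2018-08-01T12:00:00+00:00",
    "msg": 'Failed password for invalid user "admin" from 192.0.2.10',
    "hostname": "web01",
    "syslogseverity-text": "info",
    "syslogfacility-text": "auth",
    "syslogtag": "sshd[1234]:",
}
```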

##############################################################################

Enable plugins for syslog:

/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip

##############################################################################