siddou.tk

Install Kibana4, Logstash, Logstash-forwarder and Elasticsearch on Debian 8 Jessie

Here is a powerful solution to centralize logs:
Each client securely forwards its logs with logstash-forwarder to the Logstash server, and Logstash processes them into the Elasticsearch database.
Finally, Kibana is the web interface used to search the logs and display graphs.

In this example we will forward Apache logs.

Install Java:

apt-get install openjdk-7-jre-headless

Add the server IP to /etc/hosts:

nano /etc/hosts
server_IP   elkserver elkserver

Install Elasticsearch:

Add the Elasticsearch signing key and repository, then install:

wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -
echo 'deb http://packages.elasticsearch.org/elasticsearch/1.5/debian stable main' | tee /etc/apt/sources.list.d/elasticsearch.list
apt-get update
apt-get install elasticsearch

Configure Elasticsearch

nano /etc/default/elasticsearch
# Run Elasticsearch as this user ID and group ID
ES_USER=elasticsearch
ES_GROUP=elasticsearch

# Heap Size (defaults to 256m min, 1g max)
#ES_HEAP_SIZE=2g

# Heap new generation
#ES_HEAP_NEWSIZE=

# max direct memory
#ES_DIRECT_SIZE=

# Maximum number of open files, defaults to 65535.
#MAX_OPEN_FILES=65535

# Maximum locked memory size. Set to "unlimited" if you use the
# bootstrap.mlockall option in elasticsearch.yml. You must also set
# ES_HEAP_SIZE.
#MAX_LOCKED_MEMORY=unlimited

# Maximum number of VMA (Virtual Memory Areas) a process can own
#MAX_MAP_COUNT=262144

# Elasticsearch log directory
LOG_DIR=/var/log/elasticsearch

# Elasticsearch data directory
DATA_DIR=/var/lib/elasticsearch

# Elasticsearch work directory
WORK_DIR=/tmp/elasticsearch

# Elasticsearch configuration directory
CONF_DIR=/etc/elasticsearch

# Elasticsearch configuration file (elasticsearch.yml)
CONF_FILE=/etc/elasticsearch/elasticsearch.yml

# Additional Java OPTS
#ES_JAVA_OPTS=

# Configure restart on package upgrade (true, every other setting will lead to not restarting)
RESTART_ON_UPGRADE=true

nano /etc/elasticsearch/elasticsearch.yml
cluster.name: elasticsearch_clustername

systemctl enable elasticsearch
systemctl restart elasticsearch

check logs:

tail /var/log/elasticsearch/elasticsearch_clustername.log

check ports 9200 and 9300:

netstat -ltap | egrep -e "9200|9300"

Install Logstash

Create the TLS certificate and private key for the lumberjack input:

mkdir /var/lib/logstash/{certs,private}
chmod 700 /var/lib/logstash/private
chown logstash:logstash /var/lib/logstash/{certs,private}
cd /var/lib/logstash/
openssl req -subj '/CN=elkserver/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

Add repo and install:

echo 'deb http://packages.elasticsearch.org/logstash/1.5/debian stable main' | tee /etc/apt/sources.list.d/logstash.list
apt-get update
apt-get install logstash

nano /etc/logstash/conf.d/logstash.conf
input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/var/lib/logstash/certs/logstash-forwarder.crt"
    ssl_key => "/var/lib/logstash/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "apache" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}

output {
  if !("_grokparsefailure" in [tags]) {
    elasticsearch {
      cluster => "elasticsearch_clustername"
    }
  }
}

systemctl enable logstash
systemctl restart logstash
tail -f /var/log/logstash/logstash.log

check port 5000:

netstat -ltap | grep 5000
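As an added illustration (not code from the page), the following Python approximates what the filter and output blocks above do to each Apache line: a regex standing in for the COMBINEDAPACHELOG grok pattern tags non-matching lines with _grokparsefailure, and the output conditional then discards those events, so a line in a format the pattern does not cover never reaches Elasticsearch. The regex is an approximation of the grok definition and the sample lines are constructed.

```python
import re

# Approximation of grok's COMBINEDAPACHELOG pattern, with grok's field names.
COMBINED_APACHE_LOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def grok_apache(message, event_type="apache"):
    """Mirror the filter block: only type 'apache' is parsed, and a line the
    pattern does not match gets the _grokparsefailure tag instead of fields."""
    event = {"message": message, "type": event_type, "tags": []}
    if event_type != "apache":
        return event
    m = COMBINED_APACHE_LOG.match(message)
    if m is None:
        event["tags"].append("_grokparsefailure")
    else:
        event.update(m.groupdict())
    return event

def would_be_indexed(event):
    """Mirror the output conditional: if !("_grokparsefailure" in [tags])."""
    return "_grokparsefailure" not in event["tags"]

def process(lines):
    """Split raw lines into events that reach Elasticsearch and lines dropped."""
    indexed, dropped = [], []
    for line in lines:
        event = grok_apache(line)
        if would_be_indexed(event):
            indexed.append(event)
        else:
            dropped.append(line)
    return indexed, dropped

# Constructed sample input: two combined-format access lines, one common-format
# access line (no referrer/agent) and one error_log line, all under /var/log/apache2.
SAMPLE_LINES = [
    '192.0.2.10 - - [19/May/2015:18:14:04 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.11 - alice [19/May/2015:18:14:05 +0200] "POST /login HTTP/1.1" 302 - "http://example.test/" "curl/7.38.0"',
    '192.0.2.12 - - [19/May/2015:18:14:06 +0200] "GET /robots.txt HTTP/1.0" 404 209',
    '[Tue May 19 18:14:07 2015] [error] [client 192.0.2.13] File does not exist: /var/www/html/favicon.ico',
]

if __name__ == "__main__":
    kept, lost = process(SAMPLE_LINES)
    print(f"indexed {len(kept)} events, dropped {len(lost)} lines:")
    for line in lost:
        print("  DROPPED:", line)
```

Because the forwarder ships /var/log/apache2/*.log, error.log lines arrive with type apache, fail the pattern and are discarded by the output conditional; routing tagged failures to their own index instead keeps them visible.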

Install logstash-forwarder on your clients

nano /etc/ssl/certs/logstash-forwarder.crt

Paste the content of /var/lib/logstash/certs/logstash-forwarder.crt from elkserver.

Add repo and install:

echo 'deb http://packages.elasticsearch.org/logstashforwarder/debian stable main' | tee /etc/apt/sources.list.d/logstashforwarder.list
apt-get update
apt-get install logstash-forwarder

nano /etc/logstash-forwarder.conf
{
  "network": {
    "servers": [ "elkserver:5000" ],
    "ssl ca": "/etc/ssl/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    {
      "paths": [ "/var/log/apache2/*.log" ],
      "fields": { "type": "apache" }
    }
  ]
}

systemctl enable logstash-forwarder
systemctl restart logstash-forwarder
tail /var/log/logstash-forwarder/logstash-forwarder.err
2015/05/19 18:14:04.558895 Registrar: processing 8 events

Back on the server elkserver:

Install Kibana

Download and uncompress:

cd /opt &&
wget https://download.elastic.co/kibana/kibana/kibana-4.0.2-linux-x64.tar.gz &&
tar xvf kibana-4.0.2-linux-x64.tar.gz &&
mv kibana-4.0.2-linux-x64 kibana &&
rm kibana-4.0.2-linux-x64.tar.gz

Get the init script:

cd /etc/init.d &&
wget https://gist.githubusercontent.com/thisismitch/8b15ac909aed214ad04a/raw/bce61d85643c2dcdfbc2728c55a41dab444dca20/kibana4 &&
chmod +x kibana4

nano /opt/kibana/config/kibana.yml
host: "elkserver"

systemctl enable kibana4
systemctl restart kibana4

check port 5601:

netstat -ltap | grep 5601

Go to http://elkserver:5601/
In Settings, untick "Index contains time-based events", enter the index pattern logstash-* and click Create.

Click on Discover and add some fields:
timestamp
host
clientip
message

Now we are starting to have something!

One thought on “Install Kibana4, Logstash, Logstash-forwarder and Elasticsearch on Debian 8 Jessie”

  1. Daztingo

    Hello, and thanks for your tutorial (and sorry for my poor English)

    I followed your whole tutorial except for the part with logstash-forwarder, because I'm trying to make it work only locally for the moment. So I modified my logstash.conf as follows:
    input {
      file {
        path => "/home/adminsi/syslog"
        type => "syslog"
        start_position => "beginning"
      }
      syslog { }
    }
    output {
      elasticsearch { host => localhost }
      stdout { codec => rubydebug }
    }

    But when I restarted logstash, nothing happened; ES seems to get no logs. I tried this:
    curl 0:9200/_cat/indices

    And I got this as the answer:
    yellow open .kibana 1 1 2 0 4.7kb 4.7kb

    I don't know what went wrong; if you have any idea it would be really helpful!

    Thank you again for this tutorial!
