ELK (Elasticsearch Logstash Kibana)

Dokumentasi buat pribadi aja ngikutin DigitalOcean website.

#add-apt-repository -y ppa:webupd8team/java
# apt-get update
# apt-get -y install oracle-java8-installer
# echo "deb http://packages.elastic.co/elasticsearch/2.x/debian stable main" | tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list
# apt-get update
# apt-get -y install elasticsearch
# vi /etc/elasticsearch/elasticsearch.yml
# cat /etc/elasticsearch/elasticsearch.yml

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please see the documentation for further information on configuration options:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html>
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
# cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
# node.name: node-1
#
# Add custom attributes to the node:
#
# node.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
# path.data: /path/to/data
#
# Path to log files:
#
# path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
# bootstrap.memory_lock: true
#
# Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory
# available on the system and that the owner of the process is allowed to use this limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#

 

# The one setting this post changes from the stock template, and the one that
# matters most: Elasticsearch 2.x on its own does not authenticate REST
# requests (Shield was a separate plugin), so a port 9200 reachable from the
# network is an unauthenticated read/write/delete API. Everything else in this
# setup (Kibana behind nginx, the curl commands) talks to it via localhost, so
# binding to the loopback interface is sufficient; do not widen this to an
# external address without putting authentication in front of it.
network.host: localhost
#
# Set a custom port for HTTP:
#
# http.port: 9200
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html>
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
# discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery.html>
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
# gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-gateway.html>
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
# node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
# action.destructive_requires_name: true

# service elasticsearch restart
# systemctl enable elasticsearch
# echo "deb http://packages.elastic.co/kibana/4.4/debian stable main" | tee -a /etc/apt/sources.list.d/kibana-4.4.x.list
# apt-get update
# apt-get -y install kibana
# vi /opt/kibana/config/kibana.yml
# systemctl enable kibana
# apt-get install nginx
# cd /etc/nginx/sites-available/
# nano kibana.conf
# cat kibana.conf

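server {
  listen 80;
  server_name kibana.local;

  # Front-door HTTP basic auth for Kibana. On a plain-HTTP listener (port 80)
  # the username:password pair crosses the wire only base64-encoded, i.e.
  # readable by anyone on the path -- terminate TLS on this server block or
  # keep it reachable from a trusted network only.
  # The realm string must be a proper double-quoted nginx string; typographic
  # quotes (“ ”) make nginx reject the directive ("invalid number of arguments").
  auth_basic "Masukin Username Password Shaay";
  # Created later in this post with: htpasswd -c /etc/nginx/htpas.user kibanaadmin
  auth_basic_user_file /etc/nginx/htpas.user;

  location / {
    # This auth layer only helps if Kibana itself is not reachable directly:
    # keep Kibana bound to 127.0.0.1 (server.host in kibana.yml, whose contents
    # this post does not show), otherwise :5601 bypasses nginx entirely.
    proxy_pass http://localhost:5601;
    proxy_http_version 1.1;
    # WebSocket pass-through; the header value must be the plain string
    # 'upgrade', not a typographically quoted ‘upgrade’.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;
  }
}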

# cd ../sites-enabled/
# ln -s ../sites-available/kibana.conf
# nginx -t
# service nginx reload
# apt-get install apache2-utils
# htpasswd -c /etc/nginx/htpas.user kibanaadmin
# echo 'deb http://packages.elastic.co/logstash/2.3/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash-2.2.x.list
# apt-get update
#systemctl enable kibana
# echo 'deb http://packages.elastic.co/logstash/2.3/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash-2.2.x.list
# apt-get update
# apt-get install logstash
# mkdir -p /etc/pki/tls/certs
# mkdir /etc/pki/tls/private
# vi /etc/ssl/openssl.cnf
edit bagian subjectAltName=IP: 192.168.215.129
# openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
# vi /etc/logstash/conf.d/02-beats-input.conf
# vi /etc/logstash/conf.d/10-syslog-filter.conf
# vi /etc/logstash/conf.d/30-elasticsearch-output.conf
# service logstash configtest
# update-rc.d logstash defaults 96 9
# cd /home/rosada/
# curl -L -0 https://download.elastic.co/beats/dashboard/beats-dasboards-1.1.0.zip
# apt-get install curl
# curl -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
# apt-get install -y unzip
# unzip beats-dashboards-1.1.0.zip
# cd beats-dashboards-1.1.0/
# ./load.sh
# curl -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
# curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json
# curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'
kalo berhasil ada tampilan gini panjang tak copy dikit aja :

{
“took” : 133,
“timed_out” : false,
“_shards” : {
“total” : 45,
“successful” : 45,
“failed” : 0
},
“hits” : {
“total” : 3573,
“max_score” : 1.0,
“hits” : [ {
“_index” : “filebeat-2017.07.16”,
“_type” : “syslog”,
“_id” : “AV1qxuybu39taDcKqoeR”,
“_score” : 1.0,
“_source” : {
“message” : “Jul 16 08:39:01 ARS022-SUP-LAPTOP CRON[4267]: pam_unix(cron:session): session closed for user root”,
“@version” : “1”,
“@timestamp” : “2017-07-16T15:39:01.000Z”,
“source” : “/var/log/auth.log”

Client server side

# echo "deb https://packages.elastic.co/beats/apt stable main" | sudo tee -a /etc/apt/sources.list.d/beats.list
# wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# apt-get update
# apt-get install filebeat
# apt-get install filebeat
# vi /etc/filebeat/filebeat.yml
# cat /etc/filebeat/filebeat.yml (contoh)
jgn lupa path crt  >> certificate_authorities: ["/home/rosada/logstash-forwarder.crt"]
# cd /home/rosada
# scp root@sv29:/etc/pki/tls/certs/logstash-forwarder.crt .
# service filebeat restart
Done
