Installation from RPM
Import Elastic's package-signing key first so that yum can verify package signatures (this is what gpgcheck=1 in the repo file relies on). The key is fetched over HTTPS, but it is still worth checking the imported key's fingerprint (rpm -qi gpg-pubkey) against the one Elastic publishes before trusting it.
[root@NLRTM1-S0503 ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
[root@NLRTM1-S0503 ~]# vi /etc/yum.repos.d/elastic.repo
# The three stanzas below all point at the same baseurl, so a single stanza would suffice;
# gpgcheck=1 is the setting that makes yum reject any package not signed by the imported key.
[logstash-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
[kibana-6.x]
name=Kibana repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
[root@NLRTM1-S0503 ~]# yum install elasticsearch
[root@NLRTM1-S0503 ~]# yum install kibana
[root@NLRTM1-S0503 ~]# yum install logstash
User preparation
Logstash
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
[root@NLRTM1-S0503 logstash]# ./bin/logstash -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2018-12-06 00:08:16.015 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2018-12-06 00:08:16.024 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
ERROR: Failed to read pipelines yaml file. Location: /usr/share/logstash/config/pipelines.yml
remedy:
[support@NLRTM1-S0503 logstash]$ ./bin/logstash --path.settings /etc/logstash -t
Start logstash as a service
Check logstash service user and correct permissions. Caution: the chown/chmod steps below hand the whole install tree (/usr/share/logstash, including the JARs and bin scripts the service executes) to the logstash account and make it group-writable, so anyone who compromises the logstash process, or is a member of the logstash group, can replace the code it runs. The service only needs to own its data and log directories (with the packaged settings path.data is normally /var/lib/logstash — confirm in /etc/logstash/logstash.yml) and to read /etc/logstash; prefer leaving /usr/share/logstash owned by root, and if /etc/logstash must be re-owned use chmod -R g+rX rather than g+rwx.
[root@NLRTM1-S0503 logstash]# vi /etc/systemd/system/logstash.service
[root@NLRTM1-S0503 etc]# chown -R logstash:logstash /etc/logstash
[root@NLRTM1-S0503 etc]# chown -R logstash:logstash /usr/share/logstash
# chmod -R g+rwx /usr/share/logstash/
# chown -R logstash:logstash /var/log/logstash
[root@NLRTM1-S0503 logstash]# /bin/systemctl daemon-reload
[root@NLRTM1-S0503 logstash]# systemctl enable logstash.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@NLRTM1-S0503 logstash]# systemctl start logstash.service
Setting up ELK components as service
[root@cilacap etc]# chown -R logstash:logstash logstash
[root@cilacap etc]# chown -R elasticsearch:elasticsearch elasticsearch
[root@cilacap etc]# chown -R kibana:kibana kibana
[root@cilacap etc]# usermod -aG logstash elastic
[root@cilacap etc]# usermod -aG elasticsearch elastic
[root@cilacap etc]# usermod -aG kibana elastic
[root@cilacap etc]# groups elastic
elastic : elastic wheel logstash elasticsearch kibana
[root@cilacap etc]# sudo /bin/systemctl daemon-reload
[root@cilacap etc]# sudo /bin/systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@cilacap etc]# systemctl enable logstash.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@cilacap etc]# systemctl enable kibana.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@cilacap etc]#
# cp /etc/systemd/system/logstash-ecn4.service /etc/systemd/system/logstash-apex.service
# vi /etc/systemd/system/logstash-apex.service
# cd /etc/logstash/
# cp -R ecn4 apex
# cd apex
# vi logstash.yml
[root@NLRTM1-S0503 logstash]# vi /etc/logstash/apex/pipelines.yml
[root@NLRTM1-S0503 logstash]# chown -R logstash:logstash apex
[root@NLRTM1-S0503 logstash]# systemctl enable logstash-apex.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash-apex.service to /etc/systemd/system/logstash-apex.service.
Filebeat module APACHE2. Note that the error below also shows the Elasticsearch output configured as http://www.atikin.nl:49200, i.e. plain HTTP to a publicly resolvable host: the Apache access logs (client IPs, URLs, user agents) travel unencrypted and no credentials appear in this configuration. Put TLS (output.elasticsearch.ssl.*) and authentication in front of the cluster, or bind it to a private interface, before relying on this in production.
[root@one filebeat]# ./filebeat modules enable apache2
[root@one filebeat]# nohup ./filebeat >/dev/null 2>&1 &
[root@one filebeat]# tail logs/filebeat
2018-12-08T21:06:44.246+0100 ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://www.atikin.nl:49200)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset apache2/access: This module requires the following Elasticsearch plugins: ingest-user-agent, ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
sudo bin/elasticsearch-plugin install ingest-user-agent
sudo bin/elasticsearch-plugin install ingest-geoip
Install Elasticsearch plugins
[root@cilacap ~]# cd /usr/share/elasticsearch/
[root@cilacap elasticsearch]# ./bin/elasticsearch-plugin install ingest-user-agent
-> Downloading ingest-user-agent from elastic
[=================================================] 100%
-> Installed ingest-user-agent
[root@cilacap elasticsearch]# ./bin/elasticsearch-plugin install ingest-geoip
-> Downloading ingest-geoip from elastic
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.reflect.ReflectPermission suppressAccessChecks
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
-> Installed ingest-geoip
[root@cilacap elasticsearch]# systemctl restart elasticsearch
Apache module configuration. Double-check the error-log file names below: the first uses paulowna_site.com_error_log while the second uses paulowna_shop.com-error_log (and the access logs use -access_log), so confirm each path against the actual files in /var/log/httpd — a path that matches nothing is simply never harvested.
[root@one filebeat]# vi /opt/elastic/filebeat/modules.d/apache2.yml
- module: apache2
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
var.paths: ["/var/log/httpd/paulowna_site.com-access_log*","/var/log/httpd/paulowna_shop.com-access_log*" ]
# Error logs
error:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
var.paths: ["/var/log/httpd/paulowna_site.com_error_log", "/var/log/httpd/paulowna_shop.com-error_log"]
Run filebeat
[root@one filebeat]# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat -d "publish"
Run filebeat in background
Note the redirection order: `2>&1 >/dev/null` sends stderr to the terminal and only stdout to /dev/null; to discard both, as the earlier nohup invocation does, write `>/dev/null 2>&1`. Also, -d "publish" logs every published event (the raw web-server log lines) at debug level under /var/log/filebeat, so drop it once the pipeline works; for a permanent deployment on an RPM install prefer `systemctl enable --now filebeat` over nohup so the process is supervised and restarted.
nohup /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat -d "publish" >/dev/null 2>&1 &
Journalctl
[root@NLRTM1-S0503 es00]# journalctl -u elasticsearch.service