Our ELK stack setup has four main components:
- Logstash: The server component of Logstash that processes incoming logs
- Elasticsearch: Stores all of the logs
- Kibana: Web interface for searching and visualizing logs, which will be proxied through Nginx
- Filebeat: Installed on the client servers that will send their logs to Logstash. Filebeat serves as a log shipping agent that uses the lumberjack networking protocol to communicate with Logstash
These are the versions we are setting up in this installment; take note if you have specific version requirements.
- JDK Version - 8
- Elasticsearch - 2.x
- Logstash - 2.2
- Kibana - 4.5
For production, run Elasticsearch, Logstash and Kibana on three separate instances. Here we are setting everything up on a single machine; you can opt for a similar configuration on any cloud provider.
- OS - Ubuntu 14.04 LTS
- RAM - 4 GB
- CPU - 2
#### 1 - Java 8 Installation
- Add the Oracle Java PPA to apt:
$ sudo add-apt-repository -y ppa:webupd8team/java
- Update your apt package database:
$ sudo apt-get update
- Install the latest version of Oracle Java 8:
$ sudo apt-get -y install oracle-java8-installer
#### 2 - Elasticsearch Installation
- Import the Elasticsearch public GPG key into apt:
$ wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- Create the Elasticsearch source list:
$ echo "deb http://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list
- Update your package database:
$ sudo apt-get update
- Install Elasticsearch:
$ sudo apt-get -y install elasticsearch
- Start the Elasticsearch service:
$ sudo service elasticsearch restart
- Test:
$ curl localhost:9200
- If the output is similar to this, then you will know that Elasticsearch is running properly:
{
  "status" : 200,
  "name" : "Jigsaw",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.7.1",
    "build_hash" : "b88f43fc40b0bcd7f173a1f9ee2e97816de80b19",
    "build_timestamp" : "2015-07-29T09:54:16Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}
- Enable Elasticsearch to start on boot:
$ sudo update-rc.d elasticsearch defaults 95 10
Production tip: DO NOT open any other ports, like 9200, to the world! There are many bots that scan for port 9200 and execute Groovy scripts to take over machines.
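To check that tip on a box you have just built, here is a small POSIX shell script (an added example, not part of the original post). It reads `network.host` from elasticsearch.yml (the path /etc/elasticsearch/elasticsearch.yml and the `ES_YML` override are assumptions, not something the post specifies) and, where `ss` is available, confirms that nothing on port 9200 is bound to a non-loopback address.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that Elasticsearch is
# bound to loopback only, so port 9200 is not reachable from the network.
# Assumption: the package installs /etc/elasticsearch/elasticsearch.yml;
# set ES_YML to check a different file.

ES_YML="${ES_YML:-/etc/elasticsearch/elasticsearch.yml}"

# Print the effective value of network.host from an elasticsearch.yml file.
# The last uncommented occurrence wins; quotes and trailing comments are
# stripped. Empty output means the setting is absent.
es_network_host() {
  grep -E '^[[:space:]]*network\.host[[:space:]]*:' "$1" 2>/dev/null \
    | tail -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
    | tr -d '"'"'"
}

# Return 0 when the config explicitly restricts binding to loopback.
# Elasticsearch 2.x binds to loopback when network.host is unset, but an
# absent setting is treated as a failure here so the intent is spelled out.
es_config_is_local() {
  host=$(es_network_host "$1")
  case "$host" in
    localhost|127.0.0.1|::1|_local_) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when no listener on port 9200 is bound to a non-loopback address.
# Needs `ss` (iproute2); when it is missing the check is skipped (returns 0).
es_listener_is_local() {
  command -v ss >/dev/null 2>&1 || return 0
  # Data lines look like: LISTEN 0 50 127.0.0.1:9200 *:*  (column 4 = local address)
  if ss -ltn 2>/dev/null | awk '$4 ~ /:9200$/ { print $4 }' \
       | grep -vE '^(127\.0\.0\.1|\[::1\]):9200$' | grep -q .; then
    return 1
  fi
  return 0
}

main() {
  if es_config_is_local "$ES_YML"; then
    echo "OK: $ES_YML sets network.host to $(es_network_host "$ES_YML")"
  else
    echo "WARNING: network.host in $ES_YML is '$(es_network_host "$ES_YML")'; set it to localhost and restart"
  fi
  if es_listener_is_local; then
    echo "OK: no listener on :9200 is bound to a non-loopback address"
  else
    echo "WARNING: port 9200 is listening on a non-loopback address"
  fi
}

main
```

Run it after the restart above; both lines should read OK. An unset `network.host` is reported as a warning on purpose, so the loopback-only choice is visible in the file rather than relying on the 2.x default.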
#### 3 - Logstash Installation
- The Logstash package is available from the same repository as Elasticsearch, and the public key is already installed, so let's create the Logstash source list:
$ echo 'deb http://packages.elastic.co/logstash/2.2/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash-2.2.x.list
- Update the apt package database:
$ sudo apt-get update
- Install Logstash:
$ sudo apt-get install logstash
- Enable start on boot:
$ sudo update-rc.d logstash defaults 97 8
- Run the Logstash service:
$ sudo service logstash start
- We have yet to configure Logstash, but let's leave that for later.
#### 4 - Kibana Installation
- Download and install the Public Signing Key:
$ wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- Add the repository definition to your /etc/apt/sources.list.d/kibana.list file:
$ echo "deb http://packages.elastic.co/kibana/4.5/debian stable main" | sudo tee -a /etc/apt/sources.list.d/kibana.list
WARNING
Use the echo method described above to add the Kibana repository. Do not use add-apt-repository, as that command adds a deb-src entry with no corresponding source package. When the deb-src entry is present, the commands in this procedure generate an error similar to the following:
Unable to find expected entry 'main/source/Sources' in Release file (Wrong sources.list entry or malformed file)
Delete the deb-src entry from the /etc/apt/sources.list.d/kibana.list file to clear the error.
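If you did run add-apt-repository by mistake, the following POSIX shell script (an added example, not part of the original post) finds the stray deb-src line, shows it, and removes it with `--fix` while keeping a backup. The default path is the kibana.list file named above; the `KIBANA_LIST` override and the `--fix` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: find and remove the deb-src
# entry that add-apt-repository leaves in a sources.list.d file, which is
# what triggers the 'main/source/Sources' error described above.
# Assumption: the file path named in the post; set KIBANA_LIST to check another.

KIBANA_LIST="${KIBANA_LIST:-/etc/apt/sources.list.d/kibana.list}"

# Print every active deb-src line in the file. Returns 0 if at least one exists.
find_deb_src() {
  grep -E '^[[:space:]]*deb-src[[:space:]]' "$1" 2>/dev/null
}

# Print the number of active "deb" lines (the ones apt actually uses).
count_deb_lines() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -cE '^[[:space:]]*deb[[:space:]]' "$1" || true
}

# Return 0 when the file is usable: at least one deb line and no deb-src line.
kibana_list_ok() {
  [ "$(count_deb_lines "$1")" -ge 1 ] && ! find_deb_src "$1" >/dev/null
}

# Drop deb-src lines, keeping a .bak copy. The filtered content is written to
# a temporary file first so a failure leaves the original untouched.
strip_deb_src() {
  cp "$1" "$1.bak"
  grep -vE '^[[:space:]]*deb-src[[:space:]]' "$1.bak" > "$1.tmp" || true
  mv "$1.tmp" "$1"
}

main() {
  if find_deb_src "$KIBANA_LIST" >/dev/null; then
    echo "deb-src entry found in $KIBANA_LIST:"
    find_deb_src "$KIBANA_LIST"
    if [ "$1" = "--fix" ]; then
      strip_deb_src "$KIBANA_LIST"
      echo "Removed; backup saved as $KIBANA_LIST.bak"
    else
      echo "Re-run with --fix to remove it, then run apt-get update again"
    fi
  fi
  if kibana_list_ok "$KIBANA_LIST"; then
    echo "OK: $KIBANA_LIST has $(count_deb_lines "$KIBANA_LIST") deb line(s) and no deb-src"
  else
    echo "WARNING: $KIBANA_LIST has no usable deb line or still contains deb-src"
  fi
}

main "$@"
```

Without `--fix` the script only reports, so it is safe to run as a check after editing the file by hand; with `--fix` it needs the same privileges as the tee command above (run it with sudo).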
- Update apt and install Kibana:
$ sudo apt-get update && sudo apt-get install kibana
- Enable start on boot:
$ sudo update-rc.d kibana defaults 95 10
- Start the Kibana service:
$ sudo service kibana start

Cool, it works.