Building ELK on CentOS 7

JaredBusch

@scottalanmiller Why are you using Oracle's Java SDK and not just java from the repo?

I had read in another write up on the install that it works fine even if it is not the "official" method.

scottalanmiller

@scottalanmiller Why are you using Oracle's Java SDK and not just java from the repo?

I had read in another write up on the install that it works fine even if it is not the "official" method.

Even if it "works", Elasticsearch tests against and only officially supports the Oracle one. Just because I can get the OpenJDK to work, I'd hate to have it be buggy or problematic for someone down the line because I used one that wasn't tested against.

JaredBusch

@scottalanmiller said:

@JaredBusch said:

@scottalanmiller Why are you using Oracle's Java SDK and not just java from the repo?

I had read in another write up on the install that it works fine even if it is not the "official" method.

Even if it "works", Elasticsearch tests against and only officially supports the Oracle one. Just because I can get the OpenJDK to work, I'd hate to have it be buggy or problematic for someone down the line because I used one that wasn't tested against.

I am not a fan of Oracle when it comes to Java

JaredBusch

@scottalanmiller

You hardcoded a DNS name in that script...

openssl req -subj '/CN=elk.lab.ntg.co/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

You also used a different port here for logstash than in the logstash forwarder example.

cat > /etc/logstash/conf.d/02-beats-input.conf <<EOF
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
EOF

You used 5000 in that other post.

scottalanmiller

@JaredBusch said:

You used 5000 in that other post.

Which post was that? I bet that one was a typo, 5044 is the standard port.

JaredBusch

@scottalanmiller said:

@JaredBusch said:

You used 5000 in that other post.

Which post was that? I bet that one was a typo, 5044 is the standard port.

It was this post

I would also like to note that the certificate your script in this post creates will not work with your logstash forwarder instructions by IP address.

2016/02/24 13:21:48.989719 Failed to tls handshake with 10.201.1.16 x509: cannot validate certificate for 10.201.1.16 because it doesn't contain any IP SANs

JaredBusch

As soon as I corrected all of those issues, I got this.

2016/02/24 13:42:26.611248 Connecting to [10.201.1.16]:5044 (elk.domain.local)
2016/02/24 13:42:28.167827 Connected to 10.201.1.16
2016/02/24 13:42:32.038421 Registrar: processing 1024 events
2016/02/24 13:42:33.923706 Registrar: processing 1024 events
2016/02/24 13:42:35.424984 Registrar: processing 891 events
2016/02/24 13:45:55.815543 Registrar: processing 3 events
2016/02/24 13:46:03.305215 Registrar: processing 1 events

scottalanmiller

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

You used 5000 in that other post.

Which post was that? I bet that one was a typo, 5044 is the standard port.

It was this post

I would also like to note that the certificate your script in this post creates will not work with your logstash forwarder instructions by IP address.
2016/02/24 13:21:48.989719 Failed to tls handshake with 10.201.1.16 x509: cannot validate certificate for 10.201.1.16 because it doesn't contain any IP SANs

Oh!! That post is for a different era using different tools. Can't use that with this. We are on the "beat" system now. A lot has changed, that's why I was doing the new write up as there was a lot new in the last few weeks that prompted new documentation.

JaredBusch

@scottalanmiller said:

@JaredBusch said:
@scottalanmiller said:

@JaredBusch said:

You used 5000 in that other post.

Which post was that? I bet that one was a typo, 5044 is the standard port.

It was this post

I would also like to note that the certificate your script in this post creates will not work with your logstash forwarder instructions by IP address.
2016/02/24 13:21:48.989719 Failed to tls handshake with 10.201.1.16 x509: cannot validate certificate for 10.201.1.16 because it doesn't contain any IP SANs
Oh!! That post is for a different era using different tools. Can't use that with this. We are on the "beat" system now. A lot has changed, that's why I was doing the new write up as there was a lot new in the last few weeks that prompted new documentation.

Well, i never did manage to get something working with beat. Your different era was only 8 months ago.

scottalanmiller

@JaredBusch said:

Well, i never did manage to get something working with beat. Your different era was only 8 months ago.

Well that's how paradigm changes work. ELK introduced a new scheme less than eight months ago. Whether it was a decade, eight months or two days ago, once they've changed their underlying architecture it's changed. It's not a gradual evolution over the years, it's one day they used one system and with the next release they used another. So at some point people installing "current" one minute had one thing and the next minute would have had the other. Has to change at some point in time.

scottalanmiller

Updated with information on generating the logstash certificate.

JaredBusch

@scottalanmiller said:

Updated with information on generating the logstash certificate.

You already had it in your instructions as I pointed out in a prior post in this topic.

Right here.
0_1457111310395_upload-5593fdc0-c299-4b3b-befa-136ba8fb5c01

Danp

Interesting article on cluster health here.

dafyre

So... I went through and ran the script and it seems to have worked fine... What next?

Edit: To collect logs from the local server, I also had to install filebeat on this server. So I reckon I can now go and install it on all my other systems as well.

scottalanmiller

@dafyre said in Building ELK on CentOS 7:

So... I went through and ran the script and it seems to have worked fine... What next?

Edit: To collect logs from the local server, I also had to install filebeat on this server. So I reckon I can now go and install it on all my other systems as well.

Yes, install Filebeat and point it to ELK. Check my Filebeat article for more info.

dafyre

@scottalanmiller said in Building ELK on CentOS 7:

@dafyre said in Building ELK on CentOS 7:

So... I went through and ran the script and it seems to have worked fine... What next?

Edit: To collect logs from the local server, I also had to install filebeat on this server. So I reckon I can now go and install it on all my other systems as well.

Yes, install Filebeat and point it to ELK. Check my Filebeat article for more info.

Didn't realize you had one. 8-) But I'm good now. Logs are collecting as we speak. Bonus: Fail2Ban and Apache logs also work great in ELK.