Building ELK on CentOS 7


  • Service Provider

    @JaredBusch said:

    @scottalanmiller Why are you using Oracle's Java SDK and not just java from the repo?

    I had read in another write up on the install that it works fine even if it is not the "official" method.

    Even if it "works", Elasticsearch tests against and only officially supports the Oracle one. Just because I can get the OpenJDK to work, I'd hate to have it be buggy or problematic for someone down the line because I used one that wasn't tested against.


  • Service Provider

    @scottalanmiller said:

    @JaredBusch said:

    @scottalanmiller Why are you using Oracle's Java SDK and not just java from the repo?

    I had read in another write up on the install that it works fine even if it is not the "official" method.

    Even if it "works", Elasticsearch tests against and only officially supports the Oracle one. Just because I can get the OpenJDK to work, I'd hate to have it be buggy or problematic for someone down the line because I used one that wasn't tested against.

    I am not a fan of Oracle when it comes to Java


  • Service Provider

    @scottalanmiller

    You hardcoded a DNS name in that script...

    openssl req -subj '/CN=elk.lab.ntg.co/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
    

    You also used a different port here for logstash than in the logstash forwarder example.

    cat > /etc/logstash/conf.d/02-beats-input.conf <<EOF
    input {
      beats {
        port => 5044
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
    }
    EOF
    

    You used 5000 in that other post.


  • Service Provider

    @JaredBusch said:

    You used 5000 in that other post.

    Which post was that? I bet that one was a typo, 5044 is the standard port.


  • Service Provider

    @scottalanmiller said:

    @JaredBusch said:

    You used 5000 in that other post.

    Which post was that? I bet that one was a typo, 5044 is the standard port.

    It was this post

    I would also like to note that the certificate your script in this post creates will not work with your logstash forwarder instructions by IP address.

    2016/02/24 13:21:48.989719 Failed to tls handshake with 10.201.1.16 x509: cannot validate certificate for 10.201.1.16 because it doesn't contain any IP SANs

  • Service Provider

    As soon as I corrected all of those issues, I got this.

    2016/02/24 13:42:26.611248 Connecting to [10.201.1.16]:5044 (elk.domain.local)
    2016/02/24 13:42:28.167827 Connected to 10.201.1.16
    2016/02/24 13:42:32.038421 Registrar: processing 1024 events
    2016/02/24 13:42:33.923706 Registrar: processing 1024 events
    2016/02/24 13:42:35.424984 Registrar: processing 891 events
    2016/02/24 13:45:55.815543 Registrar: processing 3 events
    2016/02/24 13:46:03.305215 Registrar: processing 1 events
    

  • Service Provider

    @JaredBusch said:

    @scottalanmiller said:

    @JaredBusch said:

    You used 5000 in that other post.

    Which post was that? I bet that one was a typo, 5044 is the standard port.

    It was this post

    I would also like to note that the certificate your script in this post creates will not work with your logstash forwarder instructions by IP address.

    2016/02/24 13:21:48.989719 Failed to tls handshake with 10.201.1.16 x509: cannot validate certificate for 10.201.1.16 because it doesn't contain any IP SANs
    

    Oh!! That post is for a different era using different tools. Can't use that with this. We are on the "beat" system now. A lot has changed, that's why I was doing the new write up as there was a lot new in the last few weeks that prompted new documentation.


  • Service Provider

    @scottalanmiller said:

    @JaredBusch said:

    @scottalanmiller said:

    @JaredBusch said:

    You used 5000 in that other post.

    Which post was that? I bet that one was a typo, 5044 is the standard port.

    It was this post

    I would also like to note that the certificate your script in this post creates will not work with your logstash forwarder instructions by IP address.

    2016/02/24 13:21:48.989719 Failed to tls handshake with 10.201.1.16 x509: cannot validate certificate for 10.201.1.16 because it doesn't contain any IP SANs
    

    Oh!! That post is for a different era using different tools. Can't use that with this. We are on the "beat" system now. A lot has changed, that's why I was doing the new write up as there was a lot new in the last few weeks that prompted new documentation.

    Well, i never did manage to get something working with beat. Your different era was only 8 months ago.


  • Service Provider

    @JaredBusch said:

    Well, i never did manage to get something working with beat. Your different era was only 8 months ago.

    Well that's how paradigm changes work. ELK introduced a new scheme less than eight months ago. Whether it was a decade, eight months or two days ago, once they've changed their underlying architecture it's changed. It's not a gradual evolution over the years, it's one day they used one system and with the next release they used another. So at some point people installing "current" one minute had one thing and the next minute would have had the other. Has to change at some point in time.


  • Service Provider

    Updated with information on generating the logstash certificate.


  • Service Provider

    @scottalanmiller said:

    Updated with information on generating the logstash certificate.

    You already had it in your instructions as I pointed out in a prior post in this topic.

    Right here.
    0_1457111310395_upload-5593fdc0-c299-4b3b-befa-136ba8fb5c01



  • Interesting article on cluster health here.



  • So... I went through and ran the script and it seems to have worked fine... What next?

    Edit: To collect logs from the local server, I also had to install filebeat on this server. So I reckon I can now go and install it on all my other systems as well.


  • Service Provider

    @dafyre said in Building ELK on CentOS 7:

    So... I went through and ran the script and it seems to have worked fine... What next?

    Edit: To collect logs from the local server, I also had to install filebeat on this server. So I reckon I can now go and install it on all my other systems as well.

    Yes, install Filebeat and point it to ELK. Check my Filebeat article for more info.



  • @scottalanmiller said in Building ELK on CentOS 7:

    @dafyre said in Building ELK on CentOS 7:

    So... I went through and ran the script and it seems to have worked fine... What next?

    Edit: To collect logs from the local server, I also had to install filebeat on this server. So I reckon I can now go and install it on all my other systems as well.

    Yes, install Filebeat and point it to ELK. Check my Filebeat article for more info.

    Didn't realize you had one. 😎 But I'm good now. Logs are collecting as we speak. Bonus: Fail2Ban and Apache logs also work great in ELK.



Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.