ELK Stack and Client Support

ELK_IconELK stack support is coming soon merged into Browbeat. This provides fully automated ELK server and client deployments with some additional tuning and settings.

 


What is ELK?
ELK stands for a set of log aggregation and datastore utilities that are very useful for centralizing log management and analysis.  I’ve written a few posts on the topic before but here I’ll show you how to easily get it deployed on both servers and associated clients on Red Hat based systems (RHEL, CentOS, Fedora).

What Does it Do?

  • elk.yml
  • Installs and configures Elasticsearch, Logstash and Kibana on a target Linux server
    • Sets up firewall rules depending on if you’re using a firewall and what type (firewalld or iptables-services)
    • Uses nginx as a reverse proxy and htpasswd authentication.
    • Adjusts the Elasticsearch heapsize to 1/2 of the system memory to a max of 32G
    • Generates client and server SSL certificates including SubjectAltName support (for test environments without proper DNS)
  • elk-client.yml
  • Installs the Filebeat client to send logs to the target ELK server on target clients
    • Sets up forwarding of most system services and OpenStack logs
    • Immediately starts forwarding logs to your specified ELK stack

Install your ELK Server
Run the elk.yml playbook against your target ELK server.

ansible-playbook -i hosts install/elk.yml

elk-server-ansible

When this finishes you’ll see some messages displayed, including the second Ansible command to install on the clients to send logs to the server.

Setup Index
I did not automate this part because I wanted to give people an opportunity to name their index prefix and type as they wish.

Navigate to the ELK URL generated when the playbook completes (mine was http://host-01) and click the green button to create your index.  Use admin/admin to login (change this later at your leisure).

elk-index

Once this is done you should see some of the local logs sent to Elasticsearch via the “Discover” tab.  You should now have a fully functioning ELK server stack.

Install Filebeat on Clients
Now you’re ready to start sending remote logs to the ELK stack.  Go back to your Ansible terminal and copy the printout command at the end, it should reflect how your ELK server was setup.  For example in my VM setup my command was:

ansible-playbook -i hosts install/elk-client.yml \
--extra-vars 'elk_server=192.168.122.82'

Just like the ELK server Ansible run you'll start to see things come together.

elk-client-ansible

At this point you should see logs trickle in from all the client(s) you have setup.  Note that your client /etc/filebeat/filebeat.yml file is setup for generic /var/log/*.log and OpenStack services, edit to your liking to pull in what you desire to ELK.

elk-ui

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s