elk-centos-7.sh
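# Initial host preparation. These notes are a runbook rather than an
# unattended script: the first two steps are interactive (an editor and a
# root login shell), the rest can be pasted one by one.
#
# Step 1 (manual): in /etc/ssh/sshd_config set PermitRootLogin so that root
# may log in over SSH.
# NOTE(review): remote root login widens the attack surface of the host; a
# sudo-capable admin account with key-based login is the usual alternative.
vi /etc/ssh/sshd_config
su -
yum clean all && yum update -y && yum upgrade -y
# NOTE(review): this permanently disables SELinux (effective after reboot).
# The setsebool call further down is then moot; a single targeted boolean is
# all the nginx -> Kibana proxy configured later needs.
sudo sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux
sudo yum install epel-release -y
sudo yum install wget curl net-tools lsof zip unzip iperf cabextract -y
sudo yum install mlocate xorg-x11-font-utils fontconfig libSM libICE libXrender libXext xorg-x11-fonts-Type1 xorg-x11-fonts-75dpi freetype libpng zlib libjpeg-turbo gcc ImageMagick ImageMagick-devel ImageMagick-perl samba-client lua lua-devel pkgconfig asciidoc -y
sudo yum remove mysql-server mysql-libs mysql-devel mysql* mariadb-libs mariadb* percona percona-* mysql mysql-* mariadb mariadb-* -y
# Fix: the original line used a single `&`, which backgrounded the first rm
# and ran the second one without sudo. Both paths are now removed as root in
# one call; `--` stops option parsing before the paths.
sudo rm -rf -- /var/lib/mysql /etc/my.cnf
sudo setsebool -P httpd_can_network_connect 1
# NOTE(review): stopping firewalld outright exposes every listener on the
# host (nginx :80 and the Logstash Beats input :5044 configured below, plus
# Elasticsearch/Kibana if they are ever bound to a non-local address).
# Opening only the ports that are needed would be the safer choice.
sudo systemctl disable firewalld
sudo systemctl stop firewalld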
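# Install Oracle JDK 8u121 under /usr/lib/java and expose its tools in /usr/bin.
# Fix: a failed `cd` is no longer ignored (the download and extraction would
# otherwise run in whatever directory we happened to be in).
cd /tmp || exit 1
# NOTE(review): the archive is fetched over plain HTTP and is never compared
# against a published checksum, so a tampered download would be installed
# as-is; --no-check-certificate additionally disables TLS verification on any
# HTTPS redirect. Verify the tarball's checksum before extracting it
# (expected value: <fill in from the vendor's download page>).
wget --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz"
sudo mkdir -p /usr/lib/java
sudo tar -xzf jdk-8u121-linux-x64.tar.gz -C /usr/lib/java
# -f -n make the step re-runnable: plain `ln -s` fails once the link exists,
# and without -n a second run would create the link inside the target dir.
sudo ln -sfn /usr/lib/java/jdk1.8.0_121 /usr/lib/java/jvm
# Same set of tools as before, linked in a loop instead of one line each.
for tool in java javac javah javadoc javaws jar jconsole; do
  sudo ln -sf "/usr/lib/java/jvm/bin/${tool}" "/usr/bin/${tool}"
done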
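# Add the Elasticsearch 2.x yum repository and install the package.
# Fix: the two leading lines were pasted with shell prompts (`$ `); bash would
# try to run a command literally named `$`. The prompts are dropped.
# Fix: the signing key and repository were referenced over plain HTTP; they
# now use HTTPS, as the Beats repository definition further down already
# does. gpgcheck=1 verifies packages against this key, so the key itself
# should still be checked: list it with `rpm -qa 'gpg-pubkey*'` and compare
# the fingerprint with the one Elastic publishes (<expected fingerprint>).
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# Quoted here-doc: nothing is expanded; tee's echo to stdout is discarded.
sudo tee /etc/yum.repos.d/elasticsearch.repo >/dev/null <<'EOF'
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
sudo yum -y install elasticsearch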
sudo vi /etc/elasticsearch/elasticsearch.yml | |
network.host: localhost | |
# Start Elasticsearch now and enable it for every boot. It listens only on
# localhost per the network.host setting made just above.
for action in start enable; do
  sudo systemctl "${action}" elasticsearch
done
sudo vi /etc/yum.repos.d/kibana.repo | |
[kibana-4.4] | |
name=Kibana repository for 4.4.x packages | |
baseurl=http://packages.elastic.co/kibana/4.4/centos | |
gpgcheck=1 | |
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch | |
enabled=1 | |
# Install Kibana 4.4 from the repository defined above (gpgcheck=1 applies).
sudo yum install -y kibana
sudo vi /opt/kibana/config/kibana.yml | |
server.host: "localhost" | |
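# Start Kibana and enable it at boot.
# Consistency fix: the Elasticsearch step above and the Logstash/Filebeat
# steps below use `systemctl enable`; the legacy chkconfig wrapper is
# replaced with the same form here (systemd handles SysV units too).
sudo systemctl start kibana
sudo systemctl enable kibana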
# Put nginx (from EPEL) in front of Kibana with HTTP basic authentication.
# httpd-tools provides htpasswd; `-c` creates the file (overwriting an
# existing one) and prompts for the kibanaadmin password.
# NOTE(review): the server block configured below listens on port 80 only,
# so these credentials cross the network in clear text unless TLS is added.
sudo yum install -y epel-release
sudo yum install -y nginx httpd-tools
sudo htpasswd -c /etc/nginx/htpasswd.users kibanaadmin
sudo vi /etc/nginx/nginx.conf | |
Find the default server block (starts with server {), | |
the last configuration block in the file, and delete it. | |
When you are done, the file should look like this:
# For more information on configuration, see: | |
# * Official English Documentation: http://nginx.org/en/docs/ | |
# * Official Russian Documentation: http://nginx.org/ru/docs/ | |
user nginx; | |
worker_processes auto; | |
error_log /var/log/nginx/error.log; | |
pid /run/nginx.pid; | |
# Load dynamic modules. See /usr/share/nginx/README.dynamic. | |
include /usr/share/nginx/modules/*.conf; | |
events { | |
worker_connections 1024; | |
} | |
http { | |
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
'$status $body_bytes_sent "$http_referer" ' | |
'"$http_user_agent" "$http_x_forwarded_for"'; | |
access_log /var/log/nginx/access.log main; | |
sendfile on; | |
tcp_nopush on; | |
tcp_nodelay on; | |
keepalive_timeout 65; | |
types_hash_max_size 2048; | |
include /etc/nginx/mime.types; | |
default_type application/octet-stream; | |
# Load modular configuration files from the /etc/nginx/conf.d directory. | |
# See http://nginx.org/en/docs/ngx_core_module.html#include | |
# for more information. | |
include /etc/nginx/conf.d/*.conf; | |
# Settings for a TLS enabled server. | |
# | |
# server { | |
# listen 443 ssl http2 default_server; | |
# listen [::]:443 ssl http2 default_server; | |
# server_name _; | |
# root /usr/share/nginx/html; | |
# | |
# ssl_certificate "/etc/pki/nginx/server.crt"; | |
# ssl_certificate_key "/etc/pki/nginx/private/server.key"; | |
# ssl_session_cache shared:SSL:1m; | |
# ssl_session_timeout 10m; | |
# ssl_ciphers HIGH:!aNULL:!MD5; | |
# ssl_prefer_server_ciphers on; | |
# | |
# # Load configuration files for the default server block. | |
# include /etc/nginx/default.d/*.conf; | |
# | |
# location / { | |
# } | |
# | |
# error_page 404 /404.html; | |
# location = /40x.html { | |
# } | |
# | |
# error_page 500 502 503 504 /50x.html; | |
# location = /50x.html { | |
# } | |
# } | |
} | |
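# Create the Kibana server block. Fix: the file name was truncated
# ("kibana."); nginx.conf above only includes /etc/nginx/conf.d/*.conf, so
# the block would never have been loaded under the old name.
sudo vi /etc/nginx/conf.d/kibana.conf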
server { | |
listen 80; | |
server_name example.com; | |
auth_basic "Restricted Access"; | |
auth_basic_user_file /etc/nginx/htpasswd.users; | |
location / { | |
proxy_pass http://localhost:5601; | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection 'upgrade'; | |
proxy_set_header Host $host; | |
proxy_cache_bypass $http_upgrade; | |
} | |
}
# Start nginx (reverse proxy for Kibana on :5601) and enable it at boot.
for action in start enable; do
  sudo systemctl "${action}" nginx
done
sudo vi /etc/yum.repos.d/logstash.repo | |
[logstash-2.2] | |
name=logstash repository for 2.2 packages | |
baseurl=http://packages.elasticsearch.org/logstash/2.2/centos | |
gpgcheck=1 | |
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch | |
enabled=1 | |
# Install Logstash 2.2 from the repository defined above.
sudo yum install -y logstash
sudo vi /etc/pki/tls/openssl.cnf | |
Buscar la sección v3_ca y añadir la línea subjectAltName:
subjectAltName = IP: ELK_server_private_ip | |
Sustituir ELK_server_private_ip por tu IP privada.
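# Generate the self-signed certificate that Filebeat clients will trust for
# the Logstash Beats input. Its SAN must carry this server's private IP,
# which is why openssl.cnf was edited in the previous step.
# Fix: a failed `cd` is no longer ignored; the key and cert are written via
# relative paths, so they would otherwise land in the wrong directory.
cd /etc/pki/tls || exit 1
# -nodes leaves the private key unencrypted (needed for an unattended
# service); keep private/logstash-forwarder.key readable only by root and
# the account Logstash runs as — TODO confirm that account. -days 3650 gives
# a ten-year validity; plan the rotation.
sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt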
sudo vi /etc/logstash/conf.d/02-beats-input.conf | |
input { | |
beats { | |
port => 5044 | |
ssl => true | |
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt" | |
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key" | |
} | |
} | |
sudo vi /etc/logstash/conf.d/10-syslog-filter.conf | |
filter { | |
if [type] == "syslog" { | |
grok { | |
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" } | |
add_field => [ "received_at", "%{@timestamp}" ] | |
add_field => [ "received_from", "%{host}" ] | |
} | |
syslog_pri { } | |
date { | |
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] | |
} | |
} | |
} | |
sudo vi /etc/logstash/conf.d/30-elasticsearch-output.conf | |
output { | |
elasticsearch { | |
hosts => ["localhost:9200"] | |
sniffing => true | |
manage_template => false | |
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" | |
document_type => "%{[@metadata][type]}" | |
} | |
} | |
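# Validate the pipeline files in /etc/logstash/conf.d, then restart Logstash.
# Fix: the restart is now conditional on a passing configtest, so a broken
# pipeline does not take down a previously working service.
sudo service logstash configtest || exit 1
sudo systemctl restart logstash
# Consistency: same form as the Elasticsearch step above and the
# daemon-reload block further down, instead of the legacy chkconfig wrapper.
sudo systemctl enable logstash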
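# Load the sample Beats dashboards into Kibana and the Filebeat index template
# into Elasticsearch.
# Fix: `cd` failures are no longer ignored.
cd /tmp || exit 1
# NOTE(review): neither download is integrity-checked, and load.sh is then
# executed as the current user against the local Elasticsearch. Compare both
# files with known-good copies before running this step.
curl -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
unzip beats-dashboards-*.zip
# The trailing slash restricts the glob to the extracted directory.
cd beats-dashboards-*/ || exit 1
./load.sh
curl -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
# Expected reply: { "acknowledged" : true }
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json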
Output: | |
{ | |
"acknowledged" : true | |
} | |
# Reload unit definitions, then start Logstash and enable it at boot.
sudo systemctl daemon-reload
for action in start enable; do
  sudo systemctl "${action}" logstash
done
En el servidor: | |
# Copy the public certificate to a Filebeat client; replace the placeholder
# with the client's private address. Only the .crt leaves the server — the
# private key stays in /etc/pki/tls/private.
cert=/etc/pki/tls/certs/logstash-forwarder.crt
scp "${cert}" user@client_server_private_address:/tmp
En el cliente: | |
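# On the client: install the Logstash certificate and Elastic's signing key.
sudo mkdir -p /etc/pki/tls/certs
sudo cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/
# Fix: the key is imported over HTTPS (the Beats repo file written next
# already uses the HTTPS URL) instead of plain HTTP. Compare the imported
# key's fingerprint (`rpm -qa 'gpg-pubkey*'`) with the one Elastic publishes
# (<expected fingerprint>).
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch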
sudo vi /etc/yum.repos.d/elastic-beats.repo | |
[beats] | |
name=Elastic Beats Repository | |
baseurl=https://packages.elastic.co/beats/yum/el/$basearch | |
enabled=1 | |
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch | |
gpgcheck=1 | |
# Install Filebeat from the Beats repository (gpgcheck=1).
sudo yum install -y filebeat
sudo vi /etc/filebeat/filebeat.yml | |
paths: | |
- /var/log/secure | |
- /var/log/messages | |
# - /var/log/*.log | |
document_type: syslog | |
### Logstash as output | |
logstash: | |
# The Logstash hosts | |
hosts: ["ELK_server_private_IP:5044"] | |
El archivo debe verse más o menos así; como es YAML, es muy sensible a errores de indentación:
https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/de660ffdd3decacdcaf88109e5683e1eef75c01f/filebeat.yml-centos | |
# Start Filebeat (shipping /var/log/secure and /var/log/messages to Logstash
# on :5044 over TLS) and enable it at boot.
for action in start enable; do
  sudo systemctl "${action}" filebeat
done
Revisar la instalación de Filebeat:
# Smoke test: query the daily filebeat-* indices on the local Elasticsearch.
# A populated "hits" section shows events are arriving end to end.
curl -X GET "http://localhost:9200/filebeat-*/_search?pretty"
Sample Output: | |
... | |
{ | |
"_index" : "filebeat-2016.01.29", | |
"_type" : "log", | |
"_id" : "AVKO98yuaHvsHQLa53HE", | |
"_score" : 1.0, | |
"_source":{"message":"Feb 3 14:34:00 rails sshd[963]: Server listening on :: port 22.","@version":"1","@timestamp":"2016-01-29T19:59:09.145Z","beat":{"hostname":"topbeat-u-03","name":"topbeat-u-03"},"count":1,"fields":null,"input_type":"log","offset":70,"source":"/var/log/auth.log","type":"log","host":"topbeat-u-03"} | |
} | |
... |