- Install Elasticsearch
# Add Elastic's apt repository: fetch the package signing key into a dedicated
# keyring, then register the 8.x repo pinned to that key via signed-by so apt
# only trusts packages from this source when they are signed with it.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
# lets apt fetch from an https:// source (transitional/no-op on recent apt — confirm for your release)
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install elasticsearch
- Configuration
# Edit the main Elasticsearch config; the one setting this guide changes is given below.
sudo vim /etc/elasticsearch/elasticsearch.yml
and set `network.host: localhost` so the node only listens on the loopback interface
- Start
# Start Elasticsearch now and have it come up automatically on boot.
sudo systemctl enable --now elasticsearch
- Set Password
# Set the password of the built-in `elastic` superuser.
cd /usr/share/elasticsearch/
# -i prompts for the new password interactively instead of generating and printing one.
sudo bin/elasticsearch-reset-password -u elastic -i
- Test
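# Verify the HTTPS endpoint against the CA certificate Elasticsearch generated
# at install, instead of -k, which skips certificate verification entirely.
# Giving -u only the user name makes curl prompt for the password, so it never
# lands in argv or shell history; sudo is needed because the CA file is not
# readable by ordinary users on a default install (adjust if yours differs).
sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200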
- Install Kibana
# Install Kibana, then enable it at boot and start it in a single step.
sudo apt install kibana
sudo systemctl enable --now kibana
- Configure
# Generate a one-time enrollment token scoped to Kibana (-s kibana); Kibana uses it
# to obtain the CA and credentials it needs to talk to this node. The token is
# short-lived (presumably around 30 minutes — confirm), so generate it right
# before completing the Kibana setup page.
cd /usr/share/elasticsearch/
sudo bin/elasticsearch-create-enrollment-token -s kibana
Use the token obtained here to set up the Elasticsearch connection in Kibana.
- Install Logstash
# Install Logstash from the same Elastic 8.x repository added above.
sudo apt install logstash
Note: copy the contents of /etc/elasticsearch/certs/ to /etc/logstash/config/certs. Only `http_ca.crt` is referenced by the Logstash config below, so copying just that file is sufficient and avoids handing Logstash the rest of that directory.
- Configure
# Create the pipeline definition; Logstash loads every file in conf.d.
sudo vim /etc/logstash/conf.d/app.conf
# Pipeline: tail /data/logs/*.log and index each line as an event into the
# local Elasticsearch over HTTPS, echoing every event to stdout as well.
input {
file {
path => "/data/logs/*.log"
# Read existing files from the top on first run (Logstash tracks read position
# in its sincedb, so this presumably only matters before an entry exists — confirm).
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["https://localhost:9200"]
# CA copied from /etc/elasticsearch/certs/ so the HTTPS endpoint is verified
# rather than trusted blindly.
ssl_certificate_authorities => "/etc/logstash/config/certs/http_ca.crt"
# NOTE(review): `elastic` is the built-in superuser; a dedicated user with write
# access only to the target indices is the least-privilege choice for a shipper.
user => "elastic"
# NOTE(review): a plaintext credential here is exposed to anyone who can read
# this file; Logstash keystore substitution (`${ES_PWD}`) keeps it out of the config.
password => "admin123"
}
# Debug output of every event; remove once the pipeline is verified to avoid
# duplicating log contents into the Logstash service log.
stdout { codec => rubydebug }
}
- Test
# -t checks the pipeline config and exits without starting it; running as the
# logstash service user surfaces permission problems on the CA file and log
# paths that would otherwise only appear once the service starts.
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
- Start
# Start Logstash now and have it come up automatically on boot.
sudo systemctl enable --now logstash