Testing
Object | Comment / Link | Status |
---|---|---|
ELK Stack | An excellent Guide for Ubuntu 14.04 is at https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-14-04 | TESTED |
TopBeat | https://www.digitalocean.com/community/tutorials/how-to-gather-infrastructure-metrics-with-topbeat-and-elk-on-ubuntu-14-04 | TESTED |
PacketBeat | https://z0z0.me/monitor-your-servers-with-elasticsearch-2-x-and-beats-and-display-it-in-kibana/ | TESTED |
GeoIP Support | https://www.digitalocean.com/community/tutorials/how-to-map-user-location-with-geoip-and-elk-elasticsearch-logstash-and-kibana | TESTED. Gave some field mapping challenges, and I had to delete the filebeat index values. |
Tomcat Log Parsing | https://blog.lanyonm.org/articles/2014/01/12/logstash-multiline-tomcat-log-parsing.html | NOT TESTED |
Shield (Security) | https://www.elastic.co/guide/en/shield/current/kibana.html#using-kibana4-with-shield | NOT TESTED |
Tips
Make sure the server time is correct on all servers, i.e. use NTP, on the ELK server and on every host running Beats. Besides scrambling the timeline, a skewed clock makes TLS certificates between Beats and Logstash look not-yet-valid or expired, and events with a wrong @timestamp land in the wrong daily index and outside Kibana's default time window.
This actually gave me a problem where Logstash => Elasticsearch did not work.
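A quick check for that tip, as an added example (not from the original page): it reads the peer table of the local ntpd (`ntpq -pn`, as shipped on Ubuntu 14.04), finds the peer the daemon actually synced to (the line marked with `*`) and fails unless that peer's offset is within a given number of milliseconds. The 100 ms threshold and the sample peer lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Checks the local ntpd peer table
# (ntpq -pn) and fails unless the clock is synced to a peer whose offset is
# within $1 milliseconds (default 100).
#
# Columns of `ntpq -pn`: remote refid st t when poll reach delay offset jitter.
# The system peer is marked with a leading "*" on the remote column; offset is in ms.
# A table with no "*" line at all means ntpd has not selected a peer yet (for
# example right after boot, or when every peer is unreachable), which also fails.
ntp_offset_ok() {
  max_ms="${1:-100}"
  awk -v max="$max_ms" '
    /^\*/ {                          # the selected system peer
      off = $9
      if (off < 0) off = -off        # offset is negative when the clock is ahead
      synced = (off <= max) ? 1 : 0
    }
    END { exit (synced == 1 ? 0 : 1) }
  '
}

# Usage on each box (ELK server and every Beats host), e.g. from cron or a monitoring check:
#   ntpq -pn | ntp_offset_ok 100 || echo "clock not synced on $(hostname)"
```

Run it on the Beats hosts as well as on the ELK server; an offset that is fine on the indexer does not help if the shipper's clock is off.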
Set congestion_threshold in the beats input to more than the default of 5 (seconds); I use 25. See https://github.com/elastic/logstash/issues/4368. Raising it only buys time: the pipeline is blocked because Elasticsearch is not keeping up, so if the warning keeps coming back look at the Elasticsearch side (heap, disk) rather than raising the threshold further. I ran into this:

```
{:timestamp=>"2016-04-08T08:32:32.217000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:32.721000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:33.232000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:33.733000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:34.282000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:34.783000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
```
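The beats input with that setting, as an added example (not the page's own Logstash config). The port 5044 and the certificate paths are assumptions taken from the usual layout of the ELK guide linked above; the only setting the tip is about is congestion_threshold.

```conf
input {
  beats {
    port => 5044
    # Default is 5 seconds: if the pipeline stalls that long (Elasticsearch not
    # keeping up), the input starts refusing Beats connections and logs
    # "the pipeline is blocked". 25 gives the output time to recover before
    # shippers are bounced and start their reconnect backoff.
    congestion_threshold => 25
    # Assumed paths. TLS keeps log contents (auth.log included) off the wire in
    # clear text; the Beats side must pin this certificate or its CA.
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
```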
Delete all filebeat indices. The wildcard matches every index whose name starts with filebeat and removes those indices entirely, mappings included; it is not a per-document delete. Note that this needs no authentication at all, which is also what anyone who can reach port 9200 gets, so keep Elasticsearch bound to localhost or a private interface (network.host in elasticsearch.yml) until Shield is in place, and consider action.destructive_requires_name: true to block wildcard and _all deletes. Quote the URL so the shell does not treat the * as a glob:

```
root@elkserver:/# curl -XDELETE 'http://localhost:9200/filebeat*'
```
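A safer way to do the same cleanup, as an added example (not from the original page): list what the pattern matches via `_cat/indices/<pattern>` first, then delete each index by its full name, and refuse patterns that would wipe the whole cluster. It assumes the unauthenticated single-node Elasticsearch 2.x from the guide, reachable at $ES_URL (default http://localhost:9200), plus curl and awk; the index lines used in the comments and tests are constructed from the listing further down this page.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Elasticsearch 2.x reachable at
# $ES_URL (default http://localhost:9200, i.e. the unauthenticated single-node setup
# from the ELK guide) and curl + awk on the box.
ES_URL="${ES_URL:-http://localhost:9200}"

# Refuse patterns that would hit every index: empty, "*", "_all", anything that
# starts with "*" (e.g. "*beat*") and anything starting with "_" (meta names).
es_index_pattern_ok() {
  case "$1" in
    ''|'*'|'_all'|'*'*|'_'*) return 1 ;;
    *) return 0 ;;
  esac
}

# _cat/indices prints one index per line, e.g.
#   yellow open filebeat-2016.03.30 5 1 7 0 78.9kb 78.9kb
# The index name is the third column.
es_index_names() {
  awk 'NF >= 3 { print $3 }'
}

# List the indices a pattern matches, then delete each one by explicit name.
# Deleting by name (rather than DELETE /filebeat*) keeps working once
# action.destructive_requires_name: true is set in elasticsearch.yml, which
# blocks wildcard and _all deletes cluster-wide.
es_delete_matching() {
  pattern="$1"
  if ! es_index_pattern_ok "$pattern"; then
    echo "refusing to delete with pattern '$pattern'" >&2
    return 2
  fi
  # Always quote the URL: an unquoted * is a shell glob, not an Elasticsearch wildcard.
  # -f makes curl print nothing on an HTTP error (e.g. a non-wildcard name that does
  # not exist), so the error JSON never gets parsed as an index name.
  curl -sf "$ES_URL/_cat/indices/$pattern" | es_index_names | while read -r idx; do
    printf 'DELETE %s -> ' "$idx"
    curl -sf -XDELETE "$ES_URL/$idx"
    echo
  done
}

# Usage: es_delete_matching 'filebeat-*'
```

Because the delete goes per index, the output doubles as a record of exactly what was removed, which the single wildcard curl does not give you.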
Sample filebeat.yml config for my Confluence Server (the prospectors section):

```yaml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      document_type: syslog
      input_type: log
    -
      paths:
        - /var/log/apache2/www.mos-eisley.dk-*.log
      document_type: apache
      input_type: log
    -
      paths:
        - /data/www/Fordor.log
        - /data/www/Baghus.log
      document_type: camfileslog
      input_type: log
```
Sample filebeat.yml config for my Alfresco Server (the prospectors section):

```yaml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      document_type: syslog
      input_type: log
    -
      paths:
        - /var/log/apache2/alfresco.mos-eisley.dk-*.log
        - /var/log/apache2/elk.mos-eisley.dk-*.log
      document_type: apache
      input_type: log
    -
      paths:
        - /var/log/pingkaf.txt
      document_type: pinglog
      input_type: log
```
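For reference, an added example (not from the original page) of how prospector entries like the two above sit in a complete Filebeat 1.x filebeat.yml, including the output section the snippets omit. The Logstash host name elk.mos-eisley.dk, port 5044, the registry path and the CA file path are assumptions; use whatever your Logstash beats input actually listens on. The setting worth checking is tls.certificate_authorities: with it Filebeat verifies the Logstash certificate, so a host that can spoof DNS or sit in the path cannot read or swallow your auth.log.

```yaml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      document_type: syslog
      input_type: log
    -
      paths:
        - /var/log/apache2/alfresco.mos-eisley.dk-*.log
      document_type: apache
      input_type: log
  # Assumed path; the registry remembers how far each file has been read.
  registry_file: /var/lib/filebeat/registry

output:
  logstash:
    # Assumed host/port: the Logstash beats input from the ELK guide listens on 5044.
    hosts: ["elk.mos-eisley.dk:5044"]
    bulk_max_size: 1024
    tls:
      # Assumed path. Pin the CA (or the self-signed Logstash certificate itself) so
      # Filebeat refuses to ship logs to anything that cannot present a certificate
      # signed by it. Without this block Filebeat sends in clear text.
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
```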
Indexes

```
root@elkserver:/# curl localhost:9200/_cat/indices
yellow open filebeat-2016.03.30 5 1 7 0 78.9kb 78.9kb
yellow open logstash-2016.03.28 5 1 1 0 12.7kb 12.7kb
yellow open filebeat-2016.03.31 5 1 10 0 112.2kb 112.2kb
yellow open filebeat-2016.03.21 5 1 1 0 11.9kb 11.9kb
yellow open filebeat-2016.03.22 5 1 1 0 11.9kb 11.9kb
yellow open filebeat-2016.04.01 5 1 6 0 67.6kb 67.6kb
yellow open filebeat-2016.03.23 5 1 1 0 11.9kb 11.9kb
yellow open filebeat-2016.04.02 5 1 15 0 167.5kb 167.5kb
yellow open logstash-2013.12.11 5 1 1 0 11.3kb 11.3kb
yellow open filebeat-2016.03.13 5 1 1 0 11.9kb 11.9kb
yellow open filebeat-2016.04.03 5 1 4718 0 5mb 5mb
yellow open filebeat-2016.03.24 5 1 1 0 12.1kb 12.1kb
yellow open filebeat-2016.03.25 5 1 1 0 11.9kb 11.9kb
yellow open filebeat-2016.03.26 5 1 2 0 23kb 23kb
yellow open packetbeat-2016.04.03 5 1 115546 0 78.3mb 78.3mb
yellow open .kibana 1 1 115 0 86.3kb 86.3kb
yellow open topbeat-2016.04.03 5 1 198026 0 75.9mb 75.9mb
yellow open filebeat-2016.03.27 5 1 2 0 23kb 23kb
yellow open filebeat-2016.03.28 5 1 4 0 45.3kb 45.3kb
yellow open filebeat-2016.03.29 5 1 2 0 23kb 23kb
yellow open filebeat-2016.03.18 5 1 2 0 23.1kb 23.1kb
root@elkserver:/#
```

The columns are health, status, index name, primary shards, replicas, document count, deleted documents, store size and primary store size (add ?v to the URL for a header row; the order is whatever _cat returned, not sorted). yellow means every primary shard is allocated but the configured replica (1) is not: on a single node there is nowhere to put it, which is harmless for testing but means no redundancy. An index like logstash-2013.12.11 on a setup built in 2016 means one event carried a 2013 @timestamp, either an old log line or a clock/date-filter problem; such events never show up in Kibana's default time window.
Other Stuff:
http://www.slideshare.net/aca_it/monitor-your-atlassian-stack-like-the-nsa
ELK - 3 THINGS I WISH I'D KNOWN
Little Logstash Lessons - Part I: Using grok and mutate to type your data