Install Java

# Elasticsearch and Logstash 5.x run on the JVM, so a Java 8 runtime is installed first.
jdk_pkg=java-1.8.0-openjdk.x86_64
yum install "${jdk_pkg}"
# If another java is already registered, pick the freshly installed JDK as the default.
alternatives --config java

Install ELK using RPM

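# Pin one version for all three components so they stay compatible (rc1 is a prerelease build).
ver=5.0.0-rc1
base_url=https://artifacts.elastic.co/downloads
wget "${base_url}/logstash/logstash-${ver}.rpm" -O "logstash-${ver}.rpm"
wget "${base_url}/elasticsearch/elasticsearch-${ver}.rpm" -O "elasticsearch-${ver}.rpm"
wget "${base_url}/kibana/kibana-${ver}-x86_64.rpm" -O "kibana-${ver}-x86_64.rpm"
# Trust Elastic's package-signing key, then verify each download before installing:
# without the key imported, rpm only warns (NOKEY) and would still install a tampered file.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
rpm -K "elasticsearch-${ver}.rpm" "kibana-${ver}-x86_64.rpm" "logstash-${ver}.rpm" \
  && rpm -ihv "elasticsearch-${ver}.rpm" "kibana-${ver}-x86_64.rpm" "logstash-${ver}.rpm"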

Install ELK using yum

# Import Elastic's signing key up front so the gpgcheck=1 repos below can verify packages.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Create one repo definition per component (contents follow).
for repo in elasticsearch kibana logstash; do
  vi "/etc/yum.repos.d/${repo}.repo"
done
/etc/yum.repos.d/elasticsearch.repo
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
# Prerelease channel, matching the rc1 packages used above.
baseurl=https://artifacts.elastic.co/packages/5.x-prerelease/yum
# Require every package to carry a valid signature from the key below.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
/etc/yum.repos.d/kibana.repo
[kibana-5.0.0-rc]
name=Kibana repository for 5.0.0-rc packages
# Same prerelease channel as the other two repos.
baseurl=https://artifacts.elastic.co/packages/5.x-prerelease/yum
# Require every package to carry a valid signature from the key below.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
/etc/yum.repos.d/logstash.repo
[logstash-5.x]
name=Elastic repository for 5.x packages
# Same prerelease channel as the other two repos.
baseurl=https://artifacts.elastic.co/packages/5.x-prerelease/yum
# Require every package to carry a valid signature from the key below.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
# Install the three components from the repos defined above, one yum transaction each.
for pkg in elasticsearch kibana logstash; do
  yum install "${pkg}"
done

 

Start ELK

enable services

# Register the three units so they come up automatically at boot.
for svc in kibana elasticsearch logstash; do
  /bin/systemctl enable "${svc}.service"
done

start services

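# Start the units now; the previous step only enabled them for the next boot.
/bin/systemctl start kibana.service
/bin/systemctl start elasticsearch.service
/bin/systemctl start logstash.service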

 

Configure Logstash

# Logstash loads conf.d in filename order, hence the numeric prefixes (input, filter, output).
for conf in 10-input 20-filter 30-output; do
  vi "/etc/logstash/conf.d/${conf}.conf"
done

to listen for GELF messages

# Accept GELF (Graylog Extended Log Format) messages and tag each event with type "gelf"
# so later stages can match on it.
input {
  gelf {
    # No host or port is given, so the plugin's defaults apply.
    # NOTE(review): confirm the listener is reachable only from hosts that should ship logs.
    type => "gelf"
  }
}

some filtering

filter {
  # Parse the GELF "timestamp" field as a UNIX epoch value and write it back to that field.
  # NOTE(review): @timestamp is left untouched; use target => "@timestamp" if events should
  # be indexed by their original time rather than ingestion time.
  date {
    match => [ "timestamp" , "UNIX" ]
    target => "timestamp"
  }
  mutate {
    # Normalise field names coming from the GELF client before indexing.
    rename => [ "StackTrace", "message_full" ]
    rename => [ "message", "message_text" ]
    rename => [ "Severity", "severity" ]
    uppercase => [ "env" ]
    # Drop fields that are not wanted in the index.
    remove_field => ["SClassName", "SMethodName"]
  }
}

send to Elasticsearch

# Ship every event to the Elasticsearch node on this host (port 9200). No scheme is given,
# so the output uses plain HTTP; no credentials are configured in this block.
output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
}

 

 

 
