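# Refresh the package index and upgrade the base system before adding the
# ELK packages. Both halves need root: the transcript ran `apt-get upgrade`
# without sudo, which fails with a permission error once update succeeds.
sudo apt-get update && sudo apt-get upgrade

# Interactive step: give the ELK server a resolvable name in /etc/hosts
# (the entry used in the transcript follows this command).
sudo vi /etc/hosts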
127.0.0.1 localhost
10.0.10.33 elk-server.ss.lu elk-server
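# Set the hostname. `sudo echo ... > /etc/hostname` does not work: the
# redirection is done by the unprivileged shell, not by sudo, so the write is
# denied. Pipe through `sudo tee` instead. The transcript's curly quotes
# (“ ”) are replaced by ASCII quotes so that only the bare name is written.
printf '%s\n' "elk-server.ss.lu" | sudo tee /etc/hostname >/dev/null
sudo service hostname restart && sudo /etc/init.d/networking restart

# Java 8 from the PPA the transcript uses.
sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer

# Download directories under the calling user's home. Created without sudo
# so they belong to that user rather than root; -p creates the parents.
mkdir -p ~/ELK/releases/beats/filebeat/ \
         ~/ELK/releases/beats/packetbeat/ \
         ~/ELK/releases/beats/topbeat/ \
         ~/ELK/releases/beats/winlogbeat

# `sudo cd` has no effect (cd is a shell builtin; the sudo child exits at
# once). Change directory in this shell and stop if that fails, so the
# download and install do not land in the wrong place.
cd ~/ELK/releases/ || exit 1
wget https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/deb/elasticsearch/2.2.0/elasticsearch-2.2.0.deb
# The transcript had an en dash (–i); dpkg only understands the ASCII -i.
sudo dpkg -i elasticsearch-2.2.0.deb

# Name the cluster and node. The transcript's second substitution inserted a
# leading space before node.name; a top-level YAML key indented differently
# from cluster.name makes the file fail to parse, so it starts at column 0.
sudo sed -i "s|# cluster.name: my-application|cluster.name: elk-server.ss.lu|" /etc/elasticsearch/elasticsearch.yml
sudo sed -i "s|# node.name: node-1|node.name: mynodename|" /etc/elasticsearch/elasticsearch.yml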
cluster.name: elk-server.ss.lu
node.name: mynodename
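# Enable Elasticsearch at boot (sysvinit priorities from the transcript) and
# start it now.
sudo update-rc.d elasticsearch defaults 95 10
sudo /etc/init.d/elasticsearch start

# Smoke test of the REST port. Talking to localhost:9200 needs no
# privileges, so the probe runs as the ordinary user. Elasticsearch 2.x has
# no built-in authentication: keep 9200 reachable only from the ELK host
# itself (or firewall it to Logstash/Kibana), otherwise any client on the
# network can read, write and delete indices.
curl http://localhost:9200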
{ "name" : "qq", "cluster_name" : "elk-server.qq.qu", "version" : { "number" : "2.2.0", "build_hash" : "8ff36d139e16f8720f2947ef62c8167a888992fe", "build_timestamp" : "2016-01-27T13:32:39Z", "build_snapshot" : false, "lucene_version" : "5.4.1" }, "tagline" : "You Know, for Search"
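# Logstash 2.2.0 package. `sudo cd` has no effect; change directory in this
# shell and stop if it fails. The transcript's en dash (–i) is the ASCII -i.
cd ~/ELK/releases/ || exit 1
sudo wget https://download.elastic.co/logstash/logstash/packages/debian/logstash_2.2.0-1_all.deb
sudo dpkg -i logstash_2.2.0-1_all.deb

# Pipeline input: accept Beats on 5044. Written with tee rather than an
# interactive `vi` session so the step is reproducible; the content is the
# transcript's, only reformatted (Logstash config ignores whitespace).
# This listener accepts plaintext from any host (it binds to [::]:5044, see
# the netstat output further down); restrict 5044 at the firewall to the
# hosts that run Beats.
sudo tee /etc/logstash/conf.d/input-beats.conf >/dev/null <<'EOF'
input {
  beats {
    port => 5044
  }
}
EOF

# Pipeline output: the local Elasticsearch, one index per beat and day,
# with the index templates managed by the Beats themselves.
sudo tee /etc/logstash/conf.d/output-elasticsearch.conf >/dev/null <<'EOF'
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
EOF

# Validate the configuration first and stop on an error, instead of
# restarting a service that will then fail to come up.
sudo service logstash configtest || exit 1
sudo service logstash restart
sudo update-rc.d logstash defaults 96 9

# Confirm the Beats listener is up. -l shows listening sockets only, so an
# established connection whose port number merely contains 5044 does not
# match; -n skips the reverse lookups.
netstat -lnt | grep ':5044'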
tcp6 0 0 [::]:5044 [::]:* LISTEN
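# Import Elastic's package signing key. Only `apt-key add` needs root; the
# download itself runs unprivileged. apt checks the repository metadata
# against this key, which is what makes the plain-http mirror below usable.
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

# Add the Kibana 4.4 repository. `sudo echo | sudo tee` is redundant (only
# the write needs root), and the line is appended only if it is not already
# present, so re-running this step does not duplicate the entry.
kibana_repo="deb http://packages.elastic.co/kibana/4.4/debian stable main"
grep -qF -- "$kibana_repo" /etc/apt/sources.list \
  || printf '%s\n' "$kibana_repo" | sudo tee -a /etc/apt/sources.list >/dev/null

sudo apt-get update && sudo apt-get install kibana
sudo update-rc.d kibana defaults 95 10
sudo service kibana start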
http://ip_elk-server.ss.lu:5601
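# Sample Kibana dashboards for the Beats. Each cd is checked so the archive
# is not unpacked and load.sh not run in an unexpected directory. The zip
# arrives over plain http with no signature check and load.sh is then
# executed as-is, so inspect the unpacked script before running it.
cd ~/ELK/releases/beats/ || exit 1
sudo curl -L -O http://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
sudo unzip beats-dashboards-1.1.0.zip
cd beats-dashboards-1.1.0/ || exit 1
./load.sh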
http://ip_elk-server.ss.lu:5601
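# Topbeat 1.1.0 (system metrics) on the ELK server itself.
cd ~/ELK/releases/beats/topbeat/ || exit 1
sudo curl -L -O https://download.elastic.co/beats/topbeat/topbeat_1.1.0_amd64.deb
sudo dpkg -i topbeat_1.1.0_amd64.deb

# Load the index template into the local Elasticsearch (sudo is kept only so
# the template file under /etc/ is readable whatever its mode). A successful
# call answers {"acknowledged":true}.
sudo curl -XPUT 'http://localhost:9200/_template/topbeat' -d@/etc/topbeat/topbeat.template.json

# Interactive step: point the output section of topbeat.yml at Logstash.
# Indent with spaces only and use ASCII quotes: the "found character that
# cannot start any token" parse error seen later in the transcript is what
# the YAML parser typically reports for a tab or a non-ASCII quote.
sudo vi /etc/topbeat/topbeat.yml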
### Elasticsearch as output
#elasticsearch:
  #hosts: ["localhost:9200"]

logstash:
  hosts: ["ip_elk-server.ss.lu:5044"]
Loading config file error: YAML config parsing failed on /etc/topbeat /topbeat.yml: yaml: line 14: found character that cannot start any token. Exiting.
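# Start Topbeat. The transcript's path (/etc/ini.d) is a typo: the sysvinit
# scripts live in /etc/init.d, as in the elasticsearch and filebeat steps.
sudo /etc/init.d/topbeat start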
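# Filebeat 1.1.0 (log shipping) on the ELK server itself. The cd is checked
# so the download does not silently land in the previous directory.
cd ~/ELK/releases/beats/filebeat/ || exit 1
sudo curl -L -O https://download.elastic.co/beats/filebeat/filebeat_1.1.0_amd64.deb
sudo dpkg -i filebeat_1.1.0_amd64.deb

# Load the index template into the local Elasticsearch; ?pretty only
# formats the JSON reply.
sudo curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@/etc/filebeat/filebeat.template.json

# Interactive step: choose the log paths to ship and point the output at
# Logstash (the edited sections follow).
sudo vi /etc/filebeat/filebeat.yml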
prospectors:
  -
    paths:
      - /var/log/*.log
paths:
  # - /var/log/*.log
  - /var/log/elasticsearch/*.log
  - /var/log/syslog
  - /var/log/nginx/*.log
  # - c:\programdata\elasticsearch\logs\*
### Elasticsearch as output
#elasticsearch:
  # Array of hosts to connect to.
  # Scheme and port can be left out and will be set to the default (http and 9200)
  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  #hosts: ["localhost:9200"]
...
### Logstash as output
logstash:
  # The Logstash hosts
  hosts: ["ip_elk-server.ss.lu:5044"]
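sudo /etc/init.d/filebeat start

# Packetbeat 1.1.0 (network traffic). libpcap is needed for capture. The
# transcript downloaded the package without changing directory, so it
# landed in the filebeat directory; use the packetbeat directory created
# earlier and stop if it is missing.
sudo apt-get install libpcap0.8
cd ~/ELK/releases/beats/packetbeat/ || exit 1
sudo curl -L -O https://download.elastic.co/beats/packetbeat/packetbeat_1.1.0_amd64.deb
sudo dpkg -i packetbeat_1.1.0_amd64.deb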
#elasticsearch:
  #hosts: ["localhost:9200"]
logstash:
  hosts: ["ip_elk-server.ss.lu:5044"]
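# Load the Packetbeat index template into the local Elasticsearch.
sudo curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@/etc/packetbeat/packetbeat.template.json

# Start Packetbeat. /etc/ini.d in the transcript is a typo for /etc/init.d.
sudo /etc/init.d/packetbeat start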
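# Register Winlogbeat as a Windows service from the unpacked release
# directory (the transcript runs this from an Administrator session).
cd 'C:\Winlogbeat'
.\install-service-winlogbeat.ps1

# If the execution policy blocks the script, relax it for this one process
# only: -ExecutionPolicy on PowerShell.exe does not change the machine-wide
# policy. The "Run only scripts that you trust" prompt in the transcript
# comes from the download marker on the file; after checking the script,
# Unblock-File on that one file is the narrower way to clear it.
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1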
Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R Status Name DisplayName ------ ---- ----------- Stopped winlogbeat winlogbeat
output:
  #elasticsearch:
    # hosts: localhost:9200
  logstash:
    hosts: ["ip_elk-server.ss.lu:5044"]
winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
    - name: Security
    - name: System
logging:
  to_files: true
  files:
    path: C:/winlogbeat/winlogbeat/Logs
  level: info
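# List the event logs on this host, to pick the names for the event_logs
# section of winlogbeat.yml.
Get-EventLog *
Get-WinEvent -ListLog * | Format-List -Property LogName

# Push the Winlogbeat index template to the ELK server from the Windows
# host. This only works if port 9200 is reachable from here, and
# Elasticsearch 2.x does not authenticate the request: a 9200 that is open
# to the Windows hosts is open to anyone who can write or delete indices.
# Loading the template on the ELK server itself (curl against
# localhost:9200, as done later in the transcript) avoids opening the port.
Invoke-WebRequest -Method Put -InFile winlogbeat.template.json -Uri http://IP_address_elk-server:9200/_template/winlogbeat?pretty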
{ "mappings": { "_default_": { "_all": { "enabled": true, "norms": { "enabled": false } }, "dynamic_templates": [ { "template1": { "mapping": { "doc_values": true, "ignore_above": 1024, "index": "not_analyzed", "type": "{dynamic_type}" }, "match": "*" } } ], "properties": { "@timestamp": { "type": "date" }, "message": { "index": "analyzed", "type": "string" } } } }, "settings": { "index.refresh_interval": "5s" }, "template": "winlogbeat-*" }
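# Alternative to the Invoke-WebRequest step: load the Winlogbeat template
# from the ELK server, after copying winlogbeat.template.json into the
# winlogbeat release directory. `ll` is an interactive alias that scripts do
# not have; the equivalent ls is used. The listing from the transcript is
# kept as a comment for reference.
cd ~/ELK/releases/beats/winlogbeat || exit 1
ls -la
# drwxr-xr-x 2 root root 4096 . 8 23:10 ./
# drwxr-xr-x 7 root root 4096 . 8 16:00 ../
# -rw-r--r-- 1 root root  729 . 8 23:10 winlogbeat.template.json
# (In the transcript the leading "#" before this command is most likely the
# root shell prompt, since the {"acknowledged":true} reply follows it.)
sudo curl -XPUT 'http://localhost:9200/_template/winlogbeat' -d@winlogbeat.template.json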
{"acknowledged":true}
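# Index housekeeping. These lines run as root in the transcript (no sudo).

# Show every index with its document count and size.
curl 'localhost:9200/_cat/indices?v'

# Destructive: '*' removes every index in the cluster, with no confirmation
# and no backup. Name the indices to drop instead of a wildcard, and take a
# snapshot first if the data matters.
curl -XDELETE 'localhost:9200/*'

# Curator automates deleting old indices. pip must exist before
# `pip install` can run, so the package manager step comes first (the
# transcript had these two lines in the opposite order).
apt-get install python-pip
pip install elasticsearch-curator

# Interactive: add the curator schedule to the crontab (entries follow).
crontab -e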
# (comment garbled in the source) delete indices once more than 5 units of disk space are in use:
20 0 * * * root /usr/local/bin/curator --host localhost delete --disk-space 5 >/dev/null
# (comment garbled in the source) delete indices older than 30:
20 0 * * * root /usr/local/bin/curator --host localhost delete --older-than 30 >/dev/null
# Note: the `root` user field is the /etc/crontab layout; a per-user `crontab -e` entry has no user field.
# Cluster overview: the node list and the overall health status, both from
# the _cat API with column headers (?v).
for cat_endpoint in nodes health; do
  curl "localhost:9200/_cat/${cat_endpoint}?v"
done
Source: https://habr.com/ru/post/277029/