Install browser plugin

/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head

Dump database

curl -XPUT 'http://localhost:9200/_snapshot/my_backup' -d '{ "type": "fs", "settings": { "location": "/mount/backups/my_backup", "compress": true }}'

Configure cluster

  • Edit /etc/elasticsearch/elasticsearch.yml
  • Set cluster.name, node.name, network.host and discovery.zen.ping.unicast.hosts
  • Make sure TCP port 9300 is open

Cluster autodiscovery is not working

  • Edit /etc/elasticsearch/elasticsearch.yml
  • Make one node the master node
node.master: true
node.data: true
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["node1.example.com"]
  • Let the others connect to the master node
node.master: false
node.data: true
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["node1.example.com"]

Add authentication to Elasticsearch

  • Does not work in cluster mode
bin/plugin install license
bin/plugin install shield
  • Edit elasticsearch.yml
action.auto_create_index: .security
  • Restart elasticsearch and add a user
bin/shield/esusers useradd admin -r admin

Insert data manually

curl -XPUT 'http://localhost:9200/dept/employee/1' -d '{ "empname": "emp1"}'

Configure Rsyslog to log to Logstash

  • Create file /etc/rsyslog.d/logstash.conf
*.* @

Configure Rsyslog to log to Fluentd

  • Create file /etc/rsyslog.d/fluentd.conf
*.* @

Configure Rsyslog to log directly to Elasticsearch

yum install rsyslog-elasticsearch
  • Now edit /etc/rsyslog.conf
module(load="imuxsock")             # for listening to /dev/log
module(load="omelasticsearch") # for outputting to Elasticsearch
# this is for index names to be like: logstash-YYYY.MM.DD
  type="list") {
    property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
    property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
    property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")

# this is for formatting our syslog in JSON with @timestamp
  type="list") {
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"tag\":\"")   property(name="syslogtag" format="on")
      constant(value="\",\"message\":\"")    property(name="msg" format="on")
# this is where we actually send the logs to Elasticsearch (localhost:9200 by default)

Let Elasticsearch listen only on loopback

  • Edit /etc/elasticsearch/elasticsearch.yml

Use logstash as log aggregator

  • Create /etc/logstash/conf.d/10-syslog.conf
input {
  syslog {
    type => syslog
    port => 5544

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  • Create /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }

Use fluentd as log aggregator

  • Can collecd and parse log from many sources (200+)
  • Is written in Ruby and needs no Java like Logstash
  • Can output to many directions including files, mongodb and of course elasticsearch
  • For installation see http://docs.fluentd.org/categories/installation
  • Install Elasticsearch plugin
gem install fluent-plugin-elasticsearch
  • If your ruby version is too old or buggy install fluentd inside rvm
curl -sSL https://get.rvm.io | bash -s stable --ruby
source /usr/local/rvm/scripts/rvm
gem install fluentd
gem install fluent-plugin-elasticsearch
 # live debugging agent
 #  type debug_agent
 #  bind
 #  port 24230

 # Listen to Syslog
   type syslog
   port 42185
   tag system.raw

 # Apache Access Logs
   type tail
   format apache2
   path /var/log/httpd/access_log
   pos_file /var/log/fluentd/httpd.access.pos
   tag httpd.access

 # Apache Error Logs
   type tail
   format apache_error
   path /var/log/httpd/error_log
   pos_file /var/log/fluentd/httpd.error.pos
   tag httpd.error

 # Tag kernel messages
 <match system.raw.**>
   type rewrite_tag_filter
   rewriterule1 ident ^kernel$  kernel.raw # kernel events
   rewriterule2 ident .* system.unmatched     # let all else through

 # Identify iptables messages
 <match kernel.raw.**>
   type rewrite_tag_filter
   rewriterule1 message ^IN=.* OUT=.+$ iptables.raw  # iptables events
   rewriterule2 message .* kernel.unmatched      # let all else through

 # Parse iptables messages
 # IN=eno1 OUT= MAC=aa:bb:cc:aa:bb:cc:aa:bb:cc:aa:bb:cc:aa:00 SRC= DST= LEN=148 TOS=0x00 PREC=0x00 TTL=255 ID=53270 DF PROTO=UDP SPT=5353 DPT=5353 LEN=128
 <match iptables.raw.**>
   type parser
   key_name message # this is the field to be parsed!
   format /^IN=(?<iface>.*) OUT=(?<oface>.*) MAC=(?<mac>.*?) (SRC=(?<srcip>.*))? (DST=(?<dstip>.*))? LEN=(?<pkglen>.+) TOS=(?<pkgtos>.+) PREC=(?<pkgrec>.+) TTL=(?<pkgttl>.+) ID=(?<ipid>.+) \w{0,2}\s?PROTO=(?<pkgproto>.+)( SPT=(?<srcport>.+) DPT=(?<dstport>.+) LEN=(.*))?$/
   time_format %b %d %H:%M:%S
   tag iptables.parsed

 # write to file
 #<match iptables.parsed>
 #  type file
 #  path /var/log/td-agent/iptables.log

 # Write to elasticsearch
 <match *.**>
     type elasticsearch
     host localhost
     port 9200
     include_tag_key true
     tag_key _key
     logstash_format true
     flush_interval 10s

 # Log to stdout for debugging
 #<match *.**>
 #    type stdout
  • Last but not least configure your systlog to send messages to fluentd
*.* @
  • Start fluentd in foreground for testing purpose
fluentd -c /etc/fluent/fluent.conf -vv

Kibana Web Frontend