Install Elasticsearch, Logstash, Kibana and Filebeat
curl -fsSL artifacts.elas... | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] artifacts.elas... stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch
vim /etc/elasticsearch/elasticsearch.yml
Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: localhost
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
curl -X GET "localhost:9200"
sudo apt install kibana
Sudo systemctl enable kibana
systemctl start kibana
Sudo apt install logstash
sudo nano /etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port = 5044
}
}
sudo nano /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
if [@metadata][pipeline] {
elasticsearch {
hosts = ["localhost:9200"]
manage_template = false
index = "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
pipeline = "%{[@metadata][pipeline]}"
}
} else {
elasticsearch {
hosts = ["localhost:9200"]
manage_template = false
index = "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
}
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
sudo systemctl start logstash
sudo systemctl enable logstash
sudo apt install filebeat
sudo vim /etc/filebeat/filebeat.yml
output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]
sudo filebeat modules enable system
sudo filebeat modules list
sudo filebeat setup --pipelines --modules system
sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
sudo filebeat setup -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601
Sudo filebeat modules enable system
sudo systemctl enable filebeat
curl -XGET 'localhost:9200/filebeat-*/_search?pretty'