CentOS 7.x install ELK

Source: Internet
Author: User
Tags: ssl certificate, kibana, logstash


The first time I heard about ELK was when Sina's @ARGV introduced how they use it internally and in which scenarios. I was very impressed: collecting and displaying logs becomes so convenient, and with such a tool, deleting the local logs after doing something bad no longer helps, because the records have already been shipped to the central server.

Many companies claim to be very concerned about security but have never read, let alone followed, the logs of their own servers. This is a bit ironic. Get the logs under control first, and then we can discuss security in depth.

Mirantis Fuel has adopted ELK as its OpenStack monitoring tool, so ELK is also something we need to learn.

I recently saw a video by a foreign author on installing ELK on CentOS 7, and I liked it.

The video address is http://yunpan.cn/cd5febr4difdn?019a. I followed the video content almost exactly.

I verified everything myself; it was also my first time working with CentOS 7. This document still has problems and is being improved. The latest software versions are used. Kibana will probably need a fair amount of configuration effort to produce a good presentation.

Contents

  • 1. Basic Introduction
  • 2. Installation Process
    • 2.1 Preparation
    • 2.2 Install Java
    • 2.3 Elasticsearch
    • 2.4 Kibana
    • 2.5 Logstash
    • 2.6 Logstash Forwarder
    • 2.7 Kibana settings
  • 3. Add Node
  • 4. References

Basic Introduction

The versions used here were the latest at the time of writing:

  • Elasticsearch 1.7.1
  • Logstash 1.5.3
  • Kibana 4.1.1
  • Logstash Forwarder 0.4.0

Installation Process

Create a CentOS 7.1 virtual machine and assign it a public IP address for testing. Keep in mind that the services installed below (Elasticsearch 1.x, Kibana 4.1) have no authentication of their own, so be careful about which ports you open on that public address.

Preparation

View the operating system version

# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

View Selinux status

# sestatus
SELinux status:                 disabled

FQDN

There are two ways to set the FQDN: http://www.opsers.org/base/linux-fqdn-set.html.

Remember: the FQDN is needed later when creating the SSL certificate, because the certificate's CN must be the name the forwarders connect to.

# cat /etc/hostname
#i-2053f7hj
elk

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# hostname loopback address
127.0.1.1       i-2053f7hj
10.70.26.187    elk.chenshake.com       elk

Then run

hostname -F /etc/hostname

At this time, you can view your own FQDN name

# hostname -f
elk.chenshake.com
# hostname
elk

Install Firewall

A major change in CentOS 7 is that firewalld replaces the iptables service as the default firewall management tool. Since most people are still used to iptables, qingcloud's default CentOS 7 image ships with iptables and does not install firewalld, so install and enable it:

yum install firewalld firewall-config
systemctl start firewalld.service
systemctl enable firewalld.service
systemctl status firewalld

Check whether it takes effect

firewall-cmd --state

Install Java

Elasticsearch 1.7 runs on Java 7 or later; the OpenJDK package is enough:

yum install java-1.7.0-openjdk

Elasticsearch

Download the rpm package

wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.1.noarch.rpm

Install

yum localinstall elasticsearch-1.7.1.noarch.rpm 

Start Related Services

Follow the prompts.

systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch
systemctl status elasticsearch

View the Elasticsearch configuration file

# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d/elasticsearch.conf

View port usage

# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      606/sshd
tcp6       0      0 :::9200                 :::*                    LISTEN      3051/java
tcp6       0      0 :::9300                 :::*                    LISTEN      3051/java
tcp6       0      0 :::22                   :::*                    LISTEN      606/sshd

Elasticsearch listens on 9200 (HTTP REST API) and 9300 (cluster transport). The video opens both in the firewall:

firewall-cmd --permanent --add-port={9200/tcp,9300/tcp}
firewall-cmd --reload

Caveat: nothing in this tutorial needs 9200 or 9300 reachable from outside the box. Kibana and Logstash run on the same host and talk to Elasticsearch over localhost, and Elasticsearch 1.x has no authentication, so anyone who can reach 9200 on the public IP can read, modify or delete every index. Leave these two ports closed unless a remote client really needs them, and if so restrict the source addresses.

View firewall ports

# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Kibana

Download the tar package

wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz

Extract

tar zxf kibana-4.1.1-linux-x64.tar.gz -C /usr/local/
cd /usr/local/
mv kibana-4.1.1-linux-x64 kibana

Create a Startup File

Create a kibana.service unit file (the tarball does not ship one):

cat > /etc/systemd/system/kibana.service <<EOF
[Unit]
Description=Kibana
After=network.target elasticsearch.service

[Service]
ExecStart=/usr/local/kibana/bin/kibana

[Install]
WantedBy=multi-user.target
EOF

Start the kibana Service

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
systemctl status kibana

View port

# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      3830/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      977/sshd
tcp6       0      0 :::9200                 :::*                    LISTEN      978/java
tcp6       0      0 :::9300                 :::*                    LISTEN      978/java
tcp6       0      0 :::22                   :::*                    LISTEN      977/sshd

Kibana listens on port 5601. Open it the same way:

firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --reload
firewall-cmd --list-all

You can now reach Kibana at http://ip:5601. On qingcloud you also need to open port 5601 in the cloud firewall. Keep in mind that Kibana 4.1 has no login of its own and proxies queries straight to Elasticsearch, so on a public IP this port should be restricted to trusted source addresses or placed behind a reverse proxy that authenticates.

Firewalld is quite powerful; for example, it can forward port 80 to 5601 so Kibana is reachable without typing the port:

firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601
firewall-cmd --reload
firewall-cmd --list-all

Logstash

Download rpm package

wget https://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.3-1.noarch.rpm

Install

yum localinstall logstash-1.5.3-1.noarch.rpm 

Set ssl

This is the most error-prone step. The certificate can in principle be issued for an FQDN or for an IP address; I could not create a working SSL certificate by IP address, so the FQDN elk.chenshake.com is used here. The forwarder verifies the server certificate against the host name in its servers list, so the CN must match that name exactly.

cd /etc/pki/tls
openssl req -subj '/CN=elk.chenshake.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

If Logstash later fails to start complaining that it cannot read the key, check that the user it runs as (LS_USER in /etc/sysconfig/logstash) can read private/logstash-forwarder.key; the key must still not be world-readable.

Create the file 01-logstash-initial.conf. Note that the lumberjack input's type => "logs" only applies to events that arrive without a type; the forwarder configured later tags its events with type "syslog", which is what the filter condition matches.

cat > /etc/logstash/conf.d/01-logstash-initial.conf << EOF
input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}
EOF
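To see what the grok and date logic above actually produces before Kibana shows it, here is an added Python re-implementation of that filter. This is the editor's example, not code from the page or from Logstash: it applies the same pattern to constructed /var/log/secure lines and then picks out the sshd logon events the tutorial later tells you to look for. The regexes approximate the grok patterns (SYSLOGHOST is simplified to a plain hostname), the sample lines are constructed, and the year 2015 is an assumption, since syslog timestamps carry no year and the date filter fills in the current one.

```python
import re
from datetime import datetime

# Python equivalent of the grok pattern in 01-logstash-initial.conf:
#   %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
#   %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}
# DATA is non-greedy and GREEDYDATA greedy, exactly as in grok.
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[A-Za-z0-9._-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$"
)

# sshd authentication outcomes as written to /var/log/secure on CentOS 7.
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def parse_syslog_line(line, year):
    """Return the grok fields for one line plus a parsed @timestamp, or None
    when the line does not match (Logstash would tag it _grokparsefailure)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # The date filter tries "MMM  d HH:mm:ss" and "MMM dd HH:mm:ss"; strptime
    # treats a space in the format as one-or-more spaces, so one format covers
    # both.  The year is supplied by the caller (assumed 2015 in the sample).
    ts = datetime.strptime(fields["syslog_timestamp"], "%b %d %H:%M:%S")
    fields["@timestamp"] = ts.replace(year=year)
    return fields


def ssh_logon_event(fields):
    """Classify an sshd line as a logon success or failure; None otherwise."""
    if fields is None or fields["syslog_program"] != "sshd":
        return None
    m = SSHD_AUTH_RE.match(fields["syslog_message"])
    if not m:
        return None
    return {
        "timestamp": fields["@timestamp"],
        "host": fields["syslog_hostname"],
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "method": m.group("method"),
        "src_ip": m.group("src_ip"),
        "success": m.group("result") == "Accepted",
    }


def ssh_events(lines, year):
    """Run both steps over raw /var/log/secure lines, as the pipeline would."""
    events = []
    for line in lines:
        ev = ssh_logon_event(parse_syslog_line(line, year))
        if ev:
            events.append(ev)
    return events


# Constructed sample lines in CentOS 7 /var/log/secure format (not real data).
SAMPLE_SECURE = [
    "Aug  5 10:23:01 elk sshd[3051]: Accepted publickey for root from 10.70.26.1 port 52344 ssh2",
    "Aug 12 02:14:07 elk sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2",
    "Aug 12 02:14:09 elk sshd[4120]: Failed password for root from 203.0.113.5 port 41022 ssh2",
    "Aug 12 02:15:00 elk systemd-logind: Removed session 7.",
    "this line does not look like syslog at all",
]

if __name__ == "__main__":
    for ev in ssh_events(SAMPLE_SECURE, 2015):
        print(ev)
```

The single-digit day in the first sample line (two spaces after the month) is the case the config's first date format exists for; the fourth line shows that syslog_pid is simply absent when a program logs without a PID, and the last line is what ends up tagged _grokparsefailure in Logstash.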

Start the logstash Service

systemctl enable logstash
systemctl start logstash
systemctl status logstash

Check the ports. Logstash takes a minute or two to start, so port 5000 may not show up immediately. The extra port 9301 is the elasticsearch output's embedded node client joining the cluster (the default node protocol in Logstash 1.5); it is not something you need to open.

# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      3830/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      977/sshd
tcp6       0      0 :::5000                 :::*                    LISTEN      20017/java
tcp6       0      0 :::9200                 :::*                    LISTEN      978/java
tcp6       0      0 :::9300                 :::*                    LISTEN      978/java
tcp6       0      0 :::9301                 :::*                    LISTEN      20017/java
tcp6       0      0 :::22                   :::*                    LISTEN      977/sshd

Logstash listens on port 5000 for the forwarders. Unlike 9200/9300, this port really does need to be reachable from every client node, so open it:

firewall-cmd --permanent --add-port=5000/tcp
firewall-cmd --reload
firewall-cmd --list-all

If startup fails, check the Logstash log in /var/log/logstash.

Logstash Forwarder

The ELK machine itself also acts as a client and collects its own logs, so install the forwarder on it first.

wget https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder-0.4.0-1.x86_64.rpm

Log on to the client through ssh and install Logstash Forwarder

yum localinstall logstash-forwarder-0.4.0-1.x86_64.rpm

View the location of the logstash-forwarder configuration file

# rpm -qc logstash-forwarder
/etc/logstash-forwarder.conf

Backup configuration file

cp /etc/logstash-forwarder.conf /etc/logstash-forwarder.conf.save

Edit /etc/logstash-forwarder.conf. The servers entry must be the FQDN in the certificate's CN, so adjust it to your situation:

cat > /etc/logstash-forwarder.conf << EOF
{
  "network": {
    "servers": [ "elk.chenshake.com:5000" ],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    {
      "paths": [
        "/var/log/messages",
        "/var/log/secure"
      ],
      "fields": { "type": "syslog" }
    }
  ]
}
EOF

Start the service

systemctl enable logstash-forwarder
systemctl start logstash-forwarder
systemctl status logstash-forwarder

Check the status output and the service log to confirm the forwarder has connected to elk.chenshake.com:5000; a certificate or host name mismatch shows up here as a connection failure.

Kibana settings

Open http://ip:5601 in a browser; Kibana shows the index pattern page. Accept the default logstash-* pattern, click Create, then click Discover to see the events.

To generate something to look at, log out of your ssh session and log in again; the sshd entries from /var/log/secure should appear as syslog events.

Add Node

To add a client, install and configure Logstash Forwarder exactly as above. What you need to do in addition:

Copy /etc/pki/tls/certs/logstash-forwarder.crt from the server to the same directory on the target node. Copy only the .crt (the public certificate), never the .key, which stays on the Logstash server. Each node must also resolve elk.chenshake.com to the server (via DNS or an /etc/hosts entry), because the forwarder both connects to and verifies the certificate against that name.

References

https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-logs-on-centos-7

https://media-glass.es/2015/04/19/installing-an-elk-stack-on-centos-7/

https://gist.github.com/ashrithr/c5c03950ef631ac63c43
