random

- collection of un-sorted bollocks
git clone git://git.acid.vegas/random.git

elkstack.md (3954B)

# ELK Stack
> Elasticsearch, Logstash, & Kibana

This is just a little write-up on my research in deploying the ELK stack.

## Prerequisites
```shell
sudo apt-get install -y gpg apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install elasticsearch kibana logstash
sudo certbot certonly --standalone --preferred-challenges http -d elastic.domain.org
```

## Setup Elasticsearch
* Copy your certificates to `/etc/elasticsearch/certs`:
```shell
sudo mkdir -p /etc/elasticsearch/certs/
sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/elasticsearch/certs/fullchain.pem
sudo cp /etc/letsencrypt/live/elastic.domain.org/privkey.pem   /etc/elasticsearch/certs/privkey.pem
# The service runs as the elasticsearch user: let it read the files without making the private key world-readable
sudo chown -R root:elasticsearch /etc/elasticsearch/certs/
sudo chmod 750 /etc/elasticsearch/certs/
sudo chmod 640 /etc/elasticsearch/certs/*.pem
```

* Edit your `/etc/elasticsearch/elasticsearch.yml` and change the following options:
```yaml
cluster.name: BeeHive
node.name: gibson
network.host: 0.0.0.0
bootstrap.memory_lock: true
xpack.security.audit.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/privkey.pem          # the directory the files were copied to above
  certificate: /etc/elasticsearch/certs/fullchain.pem
```

* System changes:
```shell
sudo su
ulimit -n 65535
ulimit -u 4096

echo "elasticsearch  -  nofile  65535" >> /etc/security/limits.conf   # append; a single ">" would wipe the file
mkdir -p /etc/systemd/system/elasticsearch.service.d/
printf '[Service]\nLimitMEMLOCK=infinity\n' > /etc/systemd/system/elasticsearch.service.d/override.conf   # echo does not expand \n without -e
swapoff -a
sysctl -w vm.swappiness=1         # Add these three
sysctl -w vm.max_map_count=262144 # to /etc/sysctl.conf
sysctl -w net.ipv4.tcp_retries2=5 # so they survive a reboot
```

* Set the password for Kibana (Elasticsearch has to be running for these tools to reach the cluster):
```shell
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana # Save this for when we access Kibana the first time
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node        # enrollment token for a new node
```

## Setup Kibana
* Copy your certificates to `/etc/kibana/certs`:
```shell
sudo mkdir -p /etc/kibana/certs/
sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/kibana/certs/fullchain.pem
sudo cp /etc/letsencrypt/live/elastic.domain.org/privkey.pem   /etc/kibana/certs/privkey.pem
# Kibana runs as the kibana user and needs to read the key; keep it away from everyone else
sudo chown -R root:kibana /etc/kibana/certs/
sudo chmod 750 /etc/kibana/certs/ && sudo chmod 640 /etc/kibana/certs/*.pem
```

* Edit your `/etc/kibana/kibana.yml` and change the following options:
```yaml
server.host: "0.0.0.0"
server.publicBaseUrl: "https://elastic.domain.org"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/fullchain.pem
server.ssl.key: /etc/kibana/certs/privkey.pem
elasticsearch.hosts: ["https://elastic.domain.org:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "changeme" # Use the password from the reset command we did earlier
```

## Setup Logstash
* Copy your certificates to `/etc/logstash/certs`:
```shell
sudo mkdir -p /etc/logstash/certs/
sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/logstash/certs/cacert.pem
```

* Create a pipeline file under `/etc/logstash/conf.d/` (for example `/etc/logstash/conf.d/beats.conf`; `logstash.yml` holds node settings, not pipelines) with the following:
```conf
input {
  beats {
    port => 5044   # plaintext; Beats traffic is unencrypted unless you enable TLS on this input
  }
}
output {
  elasticsearch {
    hosts => ["https://elastic.domain.org:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"       # better: a dedicated user with only the write privileges this pipeline needs
    password => "changeme"
    cacert => "/etc/logstash/certs/cacert.pem"   # the path we copied the chain to above
  }
}
```

* `sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-irc`

## Start the ELK stack:
```shell
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service && sudo systemctl start elasticsearch.service
sudo systemctl enable kibana.service        && sudo systemctl start kibana.service
sudo systemctl enable logstash.service      && sudo systemctl start logstash.service
```
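A post-install audit script, added here as an example (not part of the original notes), that checks the things this kind of deploy tends to get wrong: private-key permissions, config files pointing at certificate paths that do not exist, leftover `changeme` placeholders, and sysctl values that were only set with `-w`. It assumes GNU `stat` and the paths used above; the pipeline path `/etc/logstash/conf.d/beats.conf` is an assumption.

```shell
# Post-install audit for the hosts built in this write-up (added example, not part of the
# original notes). Assumes GNU stat(1) and the paths used above; the Logstash pipeline
# path /etc/logstash/conf.d/beats.conf is an assumption.

# A private key must be 0600 or 0640: group may read at most, "other" gets nothing.
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00|*40) return 0 ;;   # last two digits = group and other permission bits
    *)       return 1 ;;
  esac
}

# Every .pem path named in a config must exist on disk. Catches a config that
# points at /etc/elasticsearch/ssl/ after the files were copied to .../certs/.
config_paths_exist() {
  paths=$(grep -Eo '/[^"[:space:]]+\.pem' "$1") || return 0   # no paths, nothing to check
  rc=0
  for p in $paths; do
    [ -f "$p" ] || { echo "missing: $p" >&2; rc=1; }
  done
  return $rc
}

# kibana.yml / pipeline configs must not still carry the "changeme" placeholder.
no_placeholder_password() {
  ! grep -Eq 'password[[:space:]]*(:|=>)[[:space:]]*"?changeme"?' "$1"
}

# The sysctl value must be persisted in a file, not only set with `sysctl -w`.
sysctl_persisted() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}
# Run every check against the live host; non-zero exit if anything failed.
audit_host() {
  fail=0
  for f in /etc/elasticsearch/certs/privkey.pem /etc/kibana/certs/privkey.pem; do
    key_perms_ok "$f" && echo "ok   perms  $f" || { echo "FAIL perms  $f"; fail=1; }
  done
  for c in /etc/elasticsearch/elasticsearch.yml /etc/kibana/kibana.yml /etc/logstash/conf.d/beats.conf; do
    config_paths_exist "$c"      && echo "ok   paths  $c" || { echo "FAIL paths  $c"; fail=1; }
    no_placeholder_password "$c" && echo "ok   secret $c" || { echo "FAIL placeholder password in $c"; fail=1; }
  done
  for kv in 'vm.swappiness 1' 'vm.max_map_count 262144' 'net.ipv4.tcp_retries2 5'; do
    set -- $kv
    sysctl_persisted /etc/sysctl.conf "$1" "$2" && echo "ok   sysctl $1" || { echo "FAIL $1=$2 not in /etc/sysctl.conf"; fail=1; }
  done
  return $fail
}
```

Source the file as root on the ELK host and call `audit_host`; it prints one line per check and exits non-zero if any of them failed.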