Package installation

Install java jre 8 : sudo apt-get install openjdk-8-jre
Add elastic key : wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Install apt-transport-https : sudo apt-get install apt-transport-https
Add elastic apt source : echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.lis
Install ELK packages : sudo apt-get update && sudo apt-get install elasticsearch kibana logstash

Configuration files

Elasticsearch : sudo vim /etc/elasticsearch/elasticsearch.yml
- Change network.host to the ip you want to listen
- Change http.port if you want to elasticsearch to listen in different properties, 9200 is the default port
Kibana : sudo vim /etc/kibana/kibana.yml
- Change server.host to the ip you want to listen
- Change server.port if you want to elasticsearch to listen in different properties, 5601 is the defaut port
- Change elasticsearch.url to your elasticsearch server
Logstash :
- Apache2 access parser example sudo vim /etc/logstash/conf.d/apache2.conf:

input {
  file {
    path => "/path/to/access.log"
    start_position => "beginning"
  }
}
filter {
  if [path] =~ "access" {
    mutate { replace => { "type" => "apache_access" } }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout { codec => rubydebug }
}

Nginx access parser example `sudo vim /etc/logstash/conf.d/nginx.conf

input {
  file {
    path => "/path/to/access.log"
    start_position => "beginning"
  }
}
filter {
    grok {
    match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
    overwrite => [ "message" ]
  }
  mutate {
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
  }
  geoip {
    source => "clientip"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
  }
  date {
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
  }
  geoip {
    source => "clientip"
    target => "geoip"
    add_tag => [ "nginx-geoip" ]
  }
  date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
  useragent {
    source => "agent"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout { codec => rubydebug }
}

Start service

1 2	sudo service elasticsearch start sudo service kibana start

Test

To test lesticsearch installation execute this command curl localhost:9200, if elesticsearch is already started you see this result :

{
  "name" : "zC7k6v2",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "P7XaxSNcR5yYaqdLOOpHWQ",
  "version" : {
    "number" : "5.5.2",
    "build_hash" : "b2f0c09",
    "build_date" : "2017-08-14T12:33:14.154Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.0"
  },
  "tagline" : "You Know, for Search"
}

To test kibana installation go to this url in your browser : http://localhost:5601

Get data from elasticsearch

List all indexes : curl "localhost:9200/_cat/indices?v"
List all data from the index .kibana : curl "localhost:9200/.kibana/_search?pretty=true&q=*:*"

Install elk on debian 9

Package installation

Configuration files

Start service

Test

Get data from elasticsearch

Sources