1st - thank you for nice tutorial. Unfortunately, Nginx frontend doesn’t work for me:

Error: Bad Request at respond (http://x.x.x.x/index.js?_b=5930:81566:15) at checkRespForFailure (http://x.x.x.x/index.js?_b=5930:81534:7) at http://x.x.x.x/index.js?_b=5930:80203:7 at wrappedErrback (http://x.x.x.x/index.js?_b=5930:20882:78) at wrappedErrback (http://x.x.x.x/index.js?_b=5930:20882:78) at wrappedErrback (http://x.x.x.x/index.js?_b=5930:20882:78) at http://x.x.x.x/index.js?_b=5930:21015:76 at Scope.$eval (http://x.x.x.x/index.js?_b=5930:22002:28) at Scope.$digest (http://x.x.x.x/index.js?_b=5930:21814:31) at Scope.$apply (http://x.x.x.x/index.js?_b=5930:22106:24)

any idea? TIA, Vitaly

Great tutorial, thank you. I get an error on the kibana page prompting “Configure an index pattern” and iget stuck there it says "Unable to fetch mapping. Do you have indices matching the pattern? Any ideas? TIA

I used your previous tutorial and it worked nice. Thanks!!! Just one last little problem.

My Grok filter for LogStash:

filter {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
}

It is perfect for my Linux logins logs:

Mar  9 14:18:20 ServerName sshd[14160]: pam_unix(sshd:session): session opened for user root by (uid=0)
{
             "message" => "Mar  9 14:18:20 ServerName sshd[14160]: pam_unix(sshd:session): session opened for user root by (uid=0)",
            "@version" => "1",
          "@timestamp" => "2015-03-09T15:08:39.189Z",
                "host" => "elasticsearchservername",
    "syslog_timestamp" => "Mar  9 14:18:20",
     "syslog_hostname" => "ServerName",
      "syslog_program" => "sshd",
          "syslog_pid" => "14160",
      "syslog_message" => "pam_unix(sshd:session): session opened for user root by (uid=0)"
}

The problem are the windows logs (little sintax differences), so I can’t get the syslog_pid:

Mar  3 08:58:57 ServerName2 Security-Auditing: 4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad: 
{
             "message" => "Mar  3 08:58:57 ServerName2 Security-Auditing: 4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:",
            "@version" => "1",
          "@timestamp" => "2015-03-09T15:22:50.351Z",
                "host" => "elasticsearchservername",
    "syslog_timestamp" => "Mar  3 08:58:57",
     "syslog_hostname" => "ServerName2 ",
      "syslog_program" => "Security-Auditing",
      "syslog_message" => "4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:"
}

How can I change the grok filter for both logs (windows and linux) and get the two syslog_pid?

Thanks in advance and sorry for my English 0:-)

Thank you for these tutorials they are a life saver. Run into a bit of a snag with nginx. It states 502 Bad Gateway when trying to access Kibana. Direct access works fine so Kibana is okay. Nginx error log states the following:

2015/03/12 14:46:17 [crit] 8741#0: *1 connect() to 127.0.0.1:5601 failed (13: Permission denied) while connecting to upstream, client: xxx.xxx.xxx.xxx, server: log.server.com, request: “GET / HTTP/1.1”, upstream: “http://127.0.0.1:5601/”, host: “log.server.com”

2015/03/12 14:46:17 [error] 8741#0: *1 no live upstreams while connecting to upstream, client: xxx.xxx.xxx.xxx, server: log.server.com, request: “GET /favicon.ico HTTP/1.1”, upstream: “http://localhost/favicon.ico”, host: “log.server.com”

What permission is denied?

Hi,

Thanks for your tutorial. Is there a way to setup a default page on kibana dahsboard, for example one of the dashboard I created as default page?

OK, I have finished. I configured the Windows Servers to send the logs to 5000 port, and the Linux to the 5001 port. My succesfully finish logstash.conf is:

input {
  tcp {
    port => 5000
    type => windowslog
  }
  udp {
    port => 5000
    type => windowslog
  }
  tcp {
    port => 5001
    type => linuxlog
  }
  udp {
    port => 5001
    type => linuxlog
  }
}
filter {
  if [type] == "linuxlog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
  if [type] == "windowslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}?: %{POSINT:syslog_pid}?: %{GREEDYDATA:syslog_message}" }
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}

It works!!! I can see in my Kibana the logins/logouts… I am happy!!! Thanks for the help, Mitchell, great blog.

Hey Mitchell,

Thanks for another amazing post. Let me just say that your tutorials are of the best quality out there and are invaluable to those of us who read them.

I have one final problem Mitchell.

I don’t have the year in my incoming logs (so do you), so when I get the “syslog_timestamp” it is: Mar 17 15:09:17 (like in your Kibana logs)

If I go to “Settings” in Kibana, it says that “syslog_timestamp” is a string field (not a date), so i can’t order by “syslog_timestamp”, only by @timestamp.

How can I resolve this? Adding the year to the “syslog_timestamp”? Changing the field type in ElasticSearch?

Thanks again in advance…

If you want to run logstash and listen on :5514 for incoming syslog messages and have rsyslog forward messages to you then you will either need to disable SELinux (setenforce 0; systemctl restart rsyslog) or you’ll need to extend your SELinux policy and include :5514 as a port rsyslog can connect to.

logstash can’t listen on :514 because it is a privileged port so it listens on :5514.

However, the SELinux for syslog forbids rsyslog from connecting to any port other than :514.

This bug/errata has more details: https://bugzilla.redhat.com/show_bug.cgi?id=728591

You’ll need to run the following command (as root) in order to permit rsyslog to connect to :5514 (logstash): semanage port -a -t syslogdportt -p tcp 5514

Thank you for the tutorial, I followed it up to installing nginx, I’m installing this on my webserver and want to use it to manage my logs including my apache logs, I don’t want to install nginx as well as the already present apache. Is there a way to continue the tutorial but using apache instead?

Hi Mitchell,

Thank you for the tutorial. I would like to create a elasticsearch cluster on single host, could you guide me on how to do that? I installed elasticsearch 1.5.0 and it is running as a service right now.

HI David,

 I'm getting certificate signed by unknown authority error !!. Any suggestions ?

HI Manicas,

I want to Index it by Source hostname. Can you suggest me how to do it ?

regards,

Hemanath

First, a great thank for this tutotial that helped me to start with ELK. Now, I am well on my POC but I’ve problem of industrialization “data security”. Of course, Shield exists but we don’t want a paid tool. My question is : In real life, nginx would be enough to secure exchanges between final customer and Kibana? How can compartmentalize different customers (of course with different indices)?

Thanks

Hi Mitchel, these are great tutorials. I have tried installing on Centos and Ubuntu but I had not luck getting the indices to work. I only see the logstash-* , but I dont see a drop down box to select @timestamp, or the create button, the only message that it shows is “unable to fetch mapping, Do you have indices matching the pattern?” I been wanting to use Kibana as a syslog for cisco Switches, routers, nexus and other.

Hi Mitchell,

I am newbie to ELK setup. :)

I have followed same steps. Installed elasticsearch on one machine, logstash on other machine. All installations done by root only. These are new Linux boxes which I got for installations. Then I started logstash by following command: sudo service logstash start But after 2-3 minutes when I check status of logstash, it shows that it’s not running like:

[root@rwc-host1 conf.d]# sudo service logstash status
logstash is not running

I checked logstash.err file it gives below:

[root@rwc-host193 ~]# tail -100f /var/log/logstash/logstash.err
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (org.apache.http.conn.HttpHostConnectException) caught when processing request to {}->http://ELASTICSEARCH_IP:9200: Connect to ELASTICSEARCH_IP:9200 [/ELASTICSEARCH_IP] failed: Connection refused
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http://ELASTICSEARCH_IP:9200
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (org.apache.http.conn.HttpHostConnectException) caught when processing request to {}->http://ELASTICSEARCH_IP:9200: Connect to ELASTICSEARCH_IP:9200 [/ELASTICSEARCH_IP] failed: Connection refused
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http://ELASTICSEARCH_IP:9200
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (org.apache.http.conn.HttpHostConnectException) caught when processing request to {}->http://ELASTICSEARCH_IP:9200: Connect to ELASTICSEARCH_IP:9200 [/ELASTICSEARCH_IP] failed: Connection refused
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http://ELASTICSEARCH_IP:9200

and logstash.log file shows below:

{:timestamp=>"2015-05-13T09:07:04.670000-0400", :message=>"Failed to install template: Connection refused", :level=>:error}

My trial.conf file is like this:

input {
stdin { }
}
output {
elasticsearch { host => <ELASTICSEARCH_IP> port => "9200" protocol => "http" }
  stdout { codec => rubydebug }
}

Can you please help me here as what might have gone wrong?

Eagerly waiting for your response.

Thanks and Regards, amitsg

Hello Mod,

What should i do if i configure Rsyslog + Elasticsearch + Kibana? How the Rsyslog configuration file look like? Otherwise, When i start Elasticsearch it’s error:

./elasticsearch start Failed to configure logging… org.elasticsearch.ElasticsearchException: Failed to load logging configuration at org.elasticsearch.common.logging.log4j.LogConfigurator.resolveConfig(LogConfigurator.java:139) at org.elasticsearch.common.logging.log4j.LogConfigurator.configure(LogConfigurator.java:89) at org.elasticsearch.bootstrap.Bootstrap.setupLogging(Bootstrap.java:100) at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:184) at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32) Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55) at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144) at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:97) at java.nio.file.Files.readAttributes(Files.java:1686) at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:109) at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:69) at java.nio.file.Files.walkFileTree(Files.java:2602) at org.elasticsearch.common.logging.log4j.LogConfigurator.resolveConfig(LogConfigurator.java:123) … 4 more log4j:WARN No appenders could be found for logger (node). log4j:WARN Please initialize the log4j system properly. log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

Any one can tell me which the file configuration that make me wrong? P/S: System: Centos6.6 Rsyslog: v8 Elasticsearch: 1.5.2

Thanks a lot

If I change network.host from localhost to IP address in elasticsearch.yml then Kibana 4stops working, I try trying to write to elasticsearch directly.

ErrorAbstract@http://10.64.1.141/index.js?_b=5930:80255:19 Generic@http://10.64.1.141/index.js?_b=5930:80287:3 respond@http://10.64.1.141/index.js?_b=5930:81568:1 checkRespForFailure@http://10.64.1.141/index.js?_b=5930:81534:7 [198]</AngularConnector.prototype.request/<@http://10.64.1.141/index.js?_b=5930:80203:7 qFactory/defer/deferred.promise.then/wrappedErrback@http://10.64.1.141/index.js?_b=5930:20882:31 qFactory/defer/deferred.promise.then/wrappedErrback@http://10.64.1.141/index.js?_b=5930:20882:31 qFactory/defer/deferred.promise.then/wrappedErrback@http://10.64.1.141/index.js?_b=5930:20882:31 qFactory/createInternalRejectedPromise/<.then/<@http://10.64.1.141/index.js?_b=5930:21015:29 $RootScopeProvider/this.$get</Scope.prototype.$eval@http://10.64.1.141/index.js?_b=5930:22002:16 $RootScopeProvider/this.$get</Scope.prototype.$digest@http://10.64.1.141/index.js?_b=5930:21814:15 $RootScopeProvider/this.$get</Scope.prototype.$apply@http://10.64.1.141/index.js?_b=5930:22106:13 done@http://10.64.1.141/index.js?_b=5930:17641:34 completeRequest@http://10.64.1.141/index.js?_b=5930:17855:7 createHttpBackend/</xhr.onreadystatechange@http://10.64.1.141/index.js?_b=5930:17794:1

Cheers

hi, anyone has make filters to sugarcrm logs?

i did filters to apache logs:

filter { if [type] == “http-access” { grok { match => { “message” => “%{IPORHOST:clientip} %{USER:ident} %{USER:auth} %{USER:LoadTime} [%{HTTPDATE:timestamphttp}] (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest}) %{NUMBER:response} (?:%{NUMBER:bytes}|-)” } } date { match => [ “timestamphttp”, “dd/MMM/yyyy:HH:mm:ss Z” ] } } }

filter { if [type] == “http-error” { grok { match => { “message” => “[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}] [%{WORD:severity}] [client %{IP:clientip}] %{GREEDYDATA:message}” } } } }

Sorry, i am not good in english

Hi Mitchell,

Thank you for the tutorial. I would like to create a elasticsearch cluster on single host, could you guide me on how to do that? I installed elasticsearch 1.5.0 and it is running as a service right now.

HI David,

 I'm getting certificate signed by unknown authority error !!. Any suggestions ?

HI Manicas,

I want to Index it by Source hostname. Can you suggest me how to do it ?

regards,

Hemanath

First, a great thank for this tutotial that helped me to start with ELK. Now, I am well on my POC but I’ve problem of industrialization “data security”. Of course, Shield exists but we don’t want a paid tool. My question is : In real life, nginx would be enough to secure exchanges between final customer and Kibana? How can compartmentalize different customers (of course with different indices)?

Thanks

Hi Mitchel, these are great tutorials. I have tried installing on Centos and Ubuntu but I had not luck getting the indices to work. I only see the logstash-* , but I dont see a drop down box to select @timestamp, or the create button, the only message that it shows is “unable to fetch mapping, Do you have indices matching the pattern?” I been wanting to use Kibana as a syslog for cisco Switches, routers, nexus and other.

Hi Mitchell,

I am newbie to ELK setup. :)

I have followed same steps. Installed elasticsearch on one machine, logstash on other machine. All installations done by root only. These are new Linux boxes which I got for installations. Then I started logstash by following command: sudo service logstash start But after 2-3 minutes when I check status of logstash, it shows that it’s not running like:

[root@rwc-host1 conf.d]# sudo service logstash status
logstash is not running

I checked logstash.err file it gives below:

[root@rwc-host193 ~]# tail -100f /var/log/logstash/logstash.err
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (org.apache.http.conn.HttpHostConnectException) caught when processing request to {}->http://ELASTICSEARCH_IP:9200: Connect to ELASTICSEARCH_IP:9200 [/ELASTICSEARCH_IP] failed: Connection refused
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http://ELASTICSEARCH_IP:9200
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (org.apache.http.conn.HttpHostConnectException) caught when processing request to {}->http://ELASTICSEARCH_IP:9200: Connect to ELASTICSEARCH_IP:9200 [/ELASTICSEARCH_IP] failed: Connection refused
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http://ELASTICSEARCH_IP:9200
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (org.apache.http.conn.HttpHostConnectException) caught when processing request to {}->http://ELASTICSEARCH_IP:9200: Connect to ELASTICSEARCH_IP:9200 [/ELASTICSEARCH_IP] failed: Connection refused
May 13, 2015 9:07:04 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http://ELASTICSEARCH_IP:9200

and logstash.log file shows below:

{:timestamp=>"2015-05-13T09:07:04.670000-0400", :message=>"Failed to install template: Connection refused", :level=>:error}

My trial.conf file is like this:

input {
stdin { }
}
output {
elasticsearch { host => <ELASTICSEARCH_IP> port => "9200" protocol => "http" }
  stdout { codec => rubydebug }
}

Can you please help me here as what might have gone wrong?

Eagerly waiting for your response.

Thanks and Regards, amitsg

Hello Mod,

What should i do if i configure Rsyslog + Elasticsearch + Kibana? How the Rsyslog configuration file look like? Otherwise, When i start Elasticsearch it’s error:

./elasticsearch start Failed to configure logging… org.elasticsearch.ElasticsearchException: Failed to load logging configuration at org.elasticsearch.common.logging.log4j.LogConfigurator.resolveConfig(LogConfigurator.java:139) at org.elasticsearch.common.logging.log4j.LogConfigurator.configure(LogConfigurator.java:89) at org.elasticsearch.bootstrap.Bootstrap.setupLogging(Bootstrap.java:100) at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:184) at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32) Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55) at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144) at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:97) at java.nio.file.Files.readAttributes(Files.java:1686) at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:109) at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:69) at java.nio.file.Files.walkFileTree(Files.java:2602) at org.elasticsearch.common.logging.log4j.LogConfigurator.resolveConfig(LogConfigurator.java:123) … 4 more log4j:WARN No appenders could be found for logger (node). log4j:WARN Please initialize the log4j system properly. log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

Any one can tell me which the file configuration that make me wrong? P/S: System: Centos6.6 Rsyslog: v8 Elasticsearch: 1.5.2

Thanks a lot

If I change network.host from localhost to IP address in elasticsearch.yml then Kibana 4stops working, I try trying to write to elasticsearch directly.

ErrorAbstract@http://10.64.1.141/index.js?_b=5930:80255:19 Generic@http://10.64.1.141/index.js?_b=5930:80287:3 respond@http://10.64.1.141/index.js?_b=5930:81568:1 checkRespForFailure@http://10.64.1.141/index.js?_b=5930:81534:7 [198]</AngularConnector.prototype.request/<@http://10.64.1.141/index.js?_b=5930:80203:7 qFactory/defer/deferred.promise.then/wrappedErrback@http://10.64.1.141/index.js?_b=5930:20882:31 qFactory/defer/deferred.promise.then/wrappedErrback@http://10.64.1.141/index.js?_b=5930:20882:31 qFactory/defer/deferred.promise.then/wrappedErrback@http://10.64.1.141/index.js?_b=5930:20882:31 qFactory/createInternalRejectedPromise/<.then/<@http://10.64.1.141/index.js?_b=5930:21015:29 $RootScopeProvider/this.$get</Scope.prototype.$eval@http://10.64.1.141/index.js?_b=5930:22002:16 $RootScopeProvider/this.$get</Scope.prototype.$digest@http://10.64.1.141/index.js?_b=5930:21814:15 $RootScopeProvider/this.$get</Scope.prototype.$apply@http://10.64.1.141/index.js?_b=5930:22106:13 done@http://10.64.1.141/index.js?_b=5930:17641:34 completeRequest@http://10.64.1.141/index.js?_b=5930:17855:7 createHttpBackend/</xhr.onreadystatechange@http://10.64.1.141/index.js?_b=5930:17794:1

Cheers

hi, anyone has make filters to sugarcrm logs?

i did filters to apache logs:

filter { if [type] == “http-access” { grok { match => { “message” => “%{IPORHOST:clientip} %{USER:ident} %{USER:auth} %{USER:LoadTime} [%{HTTPDATE:timestamphttp}] (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest}) %{NUMBER:response} (?:%{NUMBER:bytes}|-)” } } date { match => [ “timestamphttp”, “dd/MMM/yyyy:HH:mm:ss Z” ] } } }

filter { if [type] == “http-error” { grok { match => { “message” => “[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}] [%{WORD:severity}] [client %{IP:clientip}] %{GREEDYDATA:message}” } } } }

Sorry, i am not good in english

Quick comment, but not a complaint: this process appears to leave one’s elasticsearch install in such a state that one cannot easily manage it from the web-based _plugins facility.

That is, I can curl to localhost:9200/_plugin but I cannot, of course, browse to it from my desktop computer.

This isn’t so much a problem but it does make using web-based frontends for ES more difficult to use.

First off, this is such a great tutorial. I have followed it to the ‘T’ and when I try to connect to Kibana using the FQDN/server IP, I get 502 Bad Gateway in /var/log/nginx/error.log. What gives? I get “no live upstream while connecting to upstream, client: x, server: logstash.domain” Thanks in advance!

Hello,

First I want to thank the Tutorial … Very good …

I did all the above processes successfully, however when connecting to Kibana, at the stage of “configure an index pattern” is not available the “create” button, gets the message "Unable to fetch mapping. Do you have indices matching the pattern? "

And in the left corner superir a message: “Index Patterns:. Warning No default index pattern You must select or create one to continue.”

By analyzing the customer logs I copied the key “logstash-forwarder.crt”

Log: /var/log/logstash-forwarder/logstash-forwarder.err

06/12/2015 10: 10: 54.026115 Waiting for two prospectors to initialise 06/12/2015 10: 10: 54.026286 Launching harvester on new file: / var / log / messages 06/12/2015 10: 10: 54.026331 Launching harvester on new file: / var / log / secure 06/12/2015 10: 10: 54.026488 Launching harvester on new file: /var/log/boot.log 06/12/2015 10: 10: 54.026531 Launching harvester on new file: /var/log/yum.log 06/12/2015 10: 10: 54.026765 harvest: “/ var / log / messages” (offset snapshot: 0) 06/12/2015 10: 10: 54.027392 harvest: “/ var / log / secure” (offset snapshot: 0) 06/12/2015 10: 10: 54.027513 harvest, “/var/log/boot.log” (offset snapshot: 0) 06/12/2015 10: 10: 54.027609 harvest, “/var/log/yum.log” (offset snapshot: 0) 06/12/2015 10: 10: 54.027642 All prospectors initialised with 0 states to persist 06/12/2015 10: 10: 54.027932 Setting trusted CA from file: /etc/pki/tls/certs/logstash-forwarder.crt 06/12/2015 10: 11: 16.406232 Connecting to [xxxx65]: 5000 (xxxx) 06/12/2015 10: 11: 16.406517 Failure connecting to xxxx: xxxx dial tcp: 5000: connection refused

No longer analyze what … Suspeiro that the key has not been generated corretamenta with said command in the tutorial, it’s my last suspicion.

Can anyone help me?

I’m getting these errors:

{:timestamp=>“2015-06-14T12:38:56.651000+0300”, :message=>“retrying failed action with response code: 503”, :level=>:warn}

and also

{:timestamp=>“2015-06-14T12:42:04.361000+0300”, :message=>"too many attempts at sending event. dropping: 2015-06-14T00:18:45.000Z

In Kibana, no results are found.

Please help.

Very helpful tutorial. I have Centos 6.x with ELK (old first tutorial) server. I have lots of log files. How to migrate from old server to new (this tutorial) while preserving old log files?

I am a new beginner on ELK. My linux machine is a centos7 minima version OS on vm . My ELK server IP is 10.82.136.52. I get 2 troubleshootings : 1/i can’t see the kibana web site with ngnix config : error 502 bad gateway and locally on the server : wget http://localhost:5601 => failed connection refused 2/ for openssl generation, I get theses errors : no such file bss_file.c and DEF_LOAD conf_def.c . Would you please helping me to solve these problems. Best regards.

Manicas, can you post your openssl.conf file. Should I re-install openssl on my ‘centos7 minima’ version ?

I am a new beginner on ELK. My linux machine is a centos7 minima version OS on vm . My ELK server IP is 10.82.136.52. i can’t see the kibana web site with ngnix config : error 502 bad gateway and locally on the logstash server : wget http://localhost:5601 => failed connection refused Would you please helping me to solve these problems. Best regards.

My ELK server IP is 10.82.136.52. I this case the logstatsh server private IP adress is the same as public IP adress you write in the tutorial, isn’it ?

Thank a lot for this tutorial as beginner. I am on centos7 minima version on a vm virtualbox, @IP=10.82.136.52 in local network. I have no public IP 192.168.xxx, no FQDN. I instal all ELK on this server with default config but not ngnix,

• elasticsearch wget http://localhost:9200 => connection refused
• kibana wget http://localhost:5601 => connection refused
• logstash : not started. how to get log files and put debug mode Would you please helping me to solve these issues. Best regards.

Quick comment, but not a complaint: this process appears to leave one’s elasticsearch install in such a state that one cannot easily manage it from the web-based _plugins facility.

That is, I can curl to localhost:9200/_plugin but I cannot, of course, browse to it from my desktop computer.

This isn’t so much a problem but it does make using web-based frontends for ES more difficult to use.

First off, this is such a great tutorial. I have followed it to the ‘T’ and when I try to connect to Kibana using the FQDN/server IP, I get 502 Bad Gateway in /var/log/nginx/error.log. What gives? I get “no live upstream while connecting to upstream, client: x, server: logstash.domain” Thanks in advance!

Hello,

First I want to thank the Tutorial … Very good …

I did all the above processes successfully, however when connecting to Kibana, at the stage of “configure an index pattern” is not available the “create” button, gets the message "Unable to fetch mapping. Do you have indices matching the pattern? "

And in the left corner superir a message: “Index Patterns:. Warning No default index pattern You must select or create one to continue.”

By analyzing the customer logs I copied the key “logstash-forwarder.crt”

Log: /var/log/logstash-forwarder/logstash-forwarder.err

06/12/2015 10: 10: 54.026115 Waiting for two prospectors to initialise 06/12/2015 10: 10: 54.026286 Launching harvester on new file: / var / log / messages 06/12/2015 10: 10: 54.026331 Launching harvester on new file: / var / log / secure 06/12/2015 10: 10: 54.026488 Launching harvester on new file: /var/log/boot.log 06/12/2015 10: 10: 54.026531 Launching harvester on new file: /var/log/yum.log 06/12/2015 10: 10: 54.026765 harvest: “/ var / log / messages” (offset snapshot: 0) 06/12/2015 10: 10: 54.027392 harvest: “/ var / log / secure” (offset snapshot: 0) 06/12/2015 10: 10: 54.027513 harvest, “/var/log/boot.log” (offset snapshot: 0) 06/12/2015 10: 10: 54.027609 harvest, “/var/log/yum.log” (offset snapshot: 0) 06/12/2015 10: 10: 54.027642 All prospectors initialised with 0 states to persist 06/12/2015 10: 10: 54.027932 Setting trusted CA from file: /etc/pki/tls/certs/logstash-forwarder.crt 06/12/2015 10: 11: 16.406232 Connecting to [xxxx65]: 5000 (xxxx) 06/12/2015 10: 11: 16.406517 Failure connecting to xxxx: xxxx dial tcp: 5000: connection refused

No longer analyze what … Suspeiro that the key has not been generated corretamenta with said command in the tutorial, it’s my last suspicion.

Can anyone help me?

I’m getting these errors:

{:timestamp=>“2015-06-14T12:38:56.651000+0300”, :message=>“retrying failed action with response code: 503”, :level=>:warn}

and also

{:timestamp=>“2015-06-14T12:42:04.361000+0300”, :message=>"too many attempts at sending event. dropping: 2015-06-14T00:18:45.000Z

In Kibana, no results are found.

Please help.

Very helpful tutorial. I have Centos 6.x with ELK (old first tutorial) server. I have lots of log files. How to migrate from old server to new (this tutorial) while preserving old log files?

I am a new beginner on ELK. My linux machine is a centos7 minima version OS on vm . My ELK server IP is 10.82.136.52. I get 2 troubleshootings : 1/i can’t see the kibana web site with ngnix config : error 502 bad gateway and locally on the server : wget http://localhost:5601 => failed connection refused 2/ for openssl generation, I get theses errors : no such file bss_file.c and DEF_LOAD conf_def.c . Would you please helping me to solve these problems. Best regards.

Manicas, can you post your openssl.conf file. Should I re-install openssl on my ‘centos7 minima’ version ?

I am a new beginner on ELK. My linux machine is a centos7 minima version OS on vm . My ELK server IP is 10.82.136.52. i can’t see the kibana web site with ngnix config : error 502 bad gateway and locally on the logstash server : wget http://localhost:5601 => failed connection refused Would you please helping me to solve these problems. Best regards.

My ELK server IP is 10.82.136.52. I this case the logstatsh server private IP adress is the same as public IP adress you write in the tutorial, isn’it ?

Thank a lot for this tutorial as beginner. I am on centos7 minima version on a vm virtualbox, @IP=10.82.136.52 in local network. I have no public IP 192.168.xxx, no FQDN. I instal all ELK on this server with default config but not ngnix,

• elasticsearch wget http://localhost:9200 => connection refused
• kibana wget http://localhost:5601 => connection refused
• logstash : not started. how to get log files and put debug mode Would you please helping me to solve these issues. Best regards.

Thanks you for your help. I resume my troubleshooting : I follow the tutorial : https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-centos-7 I am on centos7 minima version on a vm virtualbox, @IP=10.82.136.52 in local network. I have no public IP 192.168.xxx, no FQDN. I instal all ELK on this server with default config but no ngnix, no firewall-cmd (not started)

• elasticsearch 1.4.4 : http://10.82.136.52:9200 => json output. log : zen-disco-join(elected as master) config = network.host=10.xxxxxx -logstash 1.5.1 : SERVICE_UNAVAILABLE no master log.err : INFO started
• kibana4 http://10.xxxxx:5601 => Settings/Indices config index pattern web page with NO DEFAULT INDEX PATTERN => KO conf= host : “0.0.0.0” elasticsearch_url:“http://10.xxxx:9200” log => html response= statuscode 404 GET /logstatsh-*/_mapping
• logstash-forwarder : connected 10.xxx:5000 Would you please helping me to solve these issues ? We are so near of the good results :-) Best regards.

Hello, thank you so much for this very complete tutorial.

But I’ve a problem with the syslog gathering. I try to collect logs from a Brocade switch. The switch is correctly configured, because I can see this with a “tcpdump” on my ELK server :

16:29:31.252738 IP xx.xx.xx.xx.cap > yyyyyyyyyyyyy.zzzzzzz.local: SYSLOG user.info, length: 182

I’ve created an input file (02-brocade-input.conf) in /etc/logstash/conf.d :

input {
udp {
port => "514"
type => "syslog"
tags => ["syslog"]
}
}

(I tried a lot of differents configurations of the input file, but it doesn’t work)

And also an output file :

output {
elasticsearch { host => "localhost" }
}

But I can’t see anything with Kibana :(. However Kibana works, because I can see the logs from one of my CentOS servers.

Can you help me please ?

Best regards.

Please am getting an error while starting Nginx:

nginx: [emerg] “server” directive is not allowed here in /etc/nginx/conf.d/kibana.conf:1

Any idea why this error is coming up?

Great tutorial, thank you.

At the end of the the ‘Configure Logstash’ section, it says ‘sudo service logstash restart’ Should that be ‘systemctl restart logstash’ (or sudo if you’re not root)?

Hello, How i can configure do NXLog send the logs to this logstash? I receive “CertFile” error.

I used this for create the filters: http://www.ragingcomputer.com/2014/02/logstash-elasticsearch-kibana-for-windows-event-logs

And this for NxLog http://www.ragingcomputer.com/2014/02/sending-windows-event-logs-to-logstash-elasticsearch-kibana-with-nxlog

But doesn’t work, because i need to complete with the CertFile, can you help-me? Thanks

Hi,

I’m unable to configure an index pattern.

It gives this error - “Unable to fetch mapping. Do you have indices that match the pattern?”

Error: Please specify a default index pattern
at http://10.16.32.122:81/index.js?_b=5930:44791:23
at wrappedCallback (http://10.16.32.122:81/index.js?_b=5930:20873:81)
at http://10.16.32.122:81/index.js?_b=5930:20959:26
at Scope.$eval (http://10.16.32.122:81/index.js?_b=5930:22002:28)
at Scope.$digest (http://10.16.32.122:81/index.js?_b=5930:21814:31)
at Scope.$apply (http://10.16.32.122:81/index.js?_b=5930:22106:24)
at HTMLDocument.<anonymous> (http://10.16.32.122:81/index.js?_b=5930:19104:24)
at HTMLDocument.jQuery.event.dispatch (http://10.16.32.122:81/index.js?_b=5930:4409:9)
at HTMLDocument.elemData.handle (http://10.16.32.122:81/index.js?_b=5930:4095:28)

I changed my logstash.conf server and client to listen at 5001. Could someone help me out with this?

I just wanted to thank you for this amazing guide incredible. Im just somewhat stuck at the part Copy SSL Certificate and Logstash Forwarder Package im trying to forward all my pfsense2.2.2(192.168.3.254) logs to my ELK(192.168.3.199) server when you say: scp /etc/pki/tls/certs/logstash-forwarder.crt user@server_private_IP:/tmp

would that be on my ELK server or on my pfsense command i need to run?

I tried running scp /etc/pki/tls/certs/logstash-forwarder.crt root@192.168.3.254:/tmp but it did not work says The authenticity of host ‘192.168.3.254 (192.168.3.254)’ can’t be established.

I was wondering if someone could help me out?

Also when you say:Paste the following code block into the file. Be sure to update the server_name to match your server’s name: would it be my ELK server or my pfsense firewall?

Thank you

**NVM, it works now. Must be intermittent connection issue. **

Yum error when installing logstash. CentOS Linux release 7.1.1503 (Core)

sudo yum -y install logstash

 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

failed to retrieve repodata/repomd.xml from centos-7-x86_64
error was [Errno 14] HTTP Error 404 - Not Found

After logged in to Kibana for first time. I did not see the dropdown menu with @timestamp, instead it says “Unable to fetch mapping. Do you have indices matching the pattern?”

Great tutorial Saved me TONS of time and scratching my head…

Now that I can get into kibana… it wants me to “Configure an index pattern” I get the concept… but have no idea where to do that. Some googling reveals that I might need to make a .kibana file with a default index type in it. Looking in my log files confirms that (to some degree) “POST /elasticsearch/.kibana/visualization/_search?size=100 HTTP/1.1”, upstream: “http://[::1]:5601/elasticsearch/.kibana/visualization/_search?size=100”, But I am not sure exactly which “elastisearch” directory I am supposed to put that in. I have over a dozen various paths with a directory named “elastisearch” in them.

Any clues THANK YOU !

Any reason you haven’t used the Kibana repo?

[kibana-4.1]
name=Kibana repository for 4.1.x packages
baseurl=http://packages.elasticsearch.org/kibana/4.1/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1

Hey, on a vanilla ELK stack droplet, i am trying to install a new logstash plugin

root@metrics:/opt/logstash# bin/plugin install logstash-input-http
Validating logstash-input-http

…and that is it, the process hangs right there. The process list shows an idle logstash process, but after some minutes it just dies away, and the shell connection breaks with a broken pipe.

Any idea where to start looking?

Thanks

Hi, I am very impressed by this tutorial. Unfortunately I am getting the dreaded message: “Unable to fetch mapping. Do you have indices matching the pattern?” Googling did not help. The configuration on the client seems correct. The server side too looks good. [root@elk ~]# curl ‘localhost:9200/_cat/indices?v’ health status index pri rep docs.count docs.deleted store.size pri.store.size yellow open .kibana 1 1 1 0 2.5kb 2.5kb [root@elk ~]# Are there any log files you’d like me to tail and paste here.

I basically followed the tutorial.

This is from the nginx error log: tail -f /var/log/nginx/error.log

2015/09/24 04:54:26 [error] 2076#0: 33 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.14, server: elk.kartikv.com, request: "GET /elasticsearch/logstash-/_mapping/field/?ignore_unavailable=false&allow_no_indices=false&include_defaults=true HTTP/1.1", upstream: "http://[::1]:5601/elasticsearch/logstash-/_mapping/field/*?ignore_unavailable=false&allow_no_indices=false&include_defaults=true", host: “elk.kartikv.com”, referrer: “http://elk.kartikv.com/”

[root@elk ~]# netstat -anp | grep :5601 tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 682/node [root@elk ~]#

[root@sys1 ~]# telnet elk 5001 Trying 192.168.1.235… Connected to elk. Escape character is ‘^]’. ^CConnection closed by foreign host.

[root@elk logstash]# tail -f logstash.log <snip>

“Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];”, :level=>:error} <snip>

rebooted, no more errors in logstash log, nothing awry in elasticsearch log or in nginx log

Sorry nginx error log [root@elk nginx]# tail -f error.log 2015/09/25 08:21:26 [error] 2080#0: *40 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.14, server: elk.kartikv.com, request: “GET /bower_components/font-awesome/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.1”, upstream: “http://[::1]:5601/bower_components/font-awesome/fonts/fontawesome-webfont.woff?v=4.2.0”, host: “elk.kartikv.com”, referrer: “http://elk.kartikv.com/#/settings/indices/?_g=()”

So it seems some indices have to be manually entered for it to all start… I followed the suggestion given here: https://github.com/elastic/kibana/issues/2055

and added an entry, the chose the one which says “The index settings can also be defined with JSON:”

and restarted elasticsearch and followed the rest of the tutorial(working with the GUI): https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-centos-7

It all works now. Thanks to everyone for their help.

It suddenly stopped working, this is the error message in /var/log/logstash/logstash.log: :timestamp=>“2015-09-26T07:29:26.148000-0400”, :message=>“Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];”, :level=>:error} {:timestamp=>“2015-09-26T07:29:26.149000-0400”, :message=>“Failed to flush outgoing items”, :outgoing_count=>1, :exception=>“Java::OrgElasticsearchClusterBlock::ClusterBlockException”, :backtrace=>[“org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedException(org/elasticsearch/cluster/block/ClusterBlocks.java:151)”, “org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(org/elasticsearch/cluster/block/ClusterBlocks.java:141)”, “org.elasticsearch.action.bulk.TransportBulkAction.executeBulk(org/elasticsearch/action/bulk/TransportBulkAction.java:215)”, “org.elasticsearch.action.bulk.TransportBulkAction.access$000(org/elasticsearch/action/bulk/TransportBulkAction.java:67)”, “org.elasticsearch.action.bulk.TransportBulkAction$1.onFailure(org/elasticsearch/action/bulk/TransportBulkAction.java:153)”, “org.elasticsearch.action.support.TransportAction$ThreadedActionListener$2.run(org/elasticsearch/action/support/TransportAction.java:137)”, “java.util.concurrent.ThreadPoolExecutor.runWorker(java/util/concurrent/ThreadPoolExecutor.java:1142)”, “java.util.concurrent.ThreadPoolExecutor$Worker.run(java/util/concurrent/ThreadPoolExecutor.java:617)”, “java.lang.Thread.run(java/lang/Thread.java:745)”], :level=>:warn} {:timestamp=>“2015-09-26T07:30:27.152000-0400”, :message=>“Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];”, :level=>:error} ^C

Yes, the only error I am now getting is in /var/log/logstash/logstash.log

{:timestamp=>“2015-09-26T08:02:59.293000-0400”, :message=>“Got error to send bulk of actions: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];”, :level=>:error}

Just when everything was working, I got this error in the logstash-forwarder systems. 2015/09/26 14:37:03.434672 Failed to tls handshake with 192.168.1.235 read tcp 192.168.1.235:5001: i/o timeout logstash-forwarder-0.4.0-1.x86_64

This issue has been resolved thanks to google. I googled and found that upgrading elasticsearch to the latest version alleviates the issue. I also increased the logstash-forwarder timeout to 5 minutes(from 15 seconds). I now have three logstash forwarders supplying logs to the logstash server. I am however keeping my fingers crossed.

How to rotate /var/log/logstash/logstash.log? It fills up the drive and then everything breaks. Simply doing a server# > /var/log/logstash/logstash.log does not work What I have done is downloaded “curator” https://github.com/elasticsearch/curator and I do this (NOT AT ALL the best approach):

/var/log/logstash/logstash.log curator delete indices --all-indices Create an index with: curl -XPUT ‘http://localhost:9200/twitter/’ -d ‘{ “settings” : { “index” : { “number_of_shards” : 3, “number_of_replicas” : 2 } } }’

Someone please advise me on best practices in this regard.

It’s possible to start Kibana using systemctl.

You may create file /etc/systemd/system/kibana4.service with the following contents:

[Service]
ExecStart=/opt/kibana/bin/kibana
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=kibana4
User=root
Group=root
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target

Then you can use the following commands:

systemctl start kibana4.service
systemctl enable kibana4.service

Excellent tutorial, thank you

As always, your tutorials are amazing! Thank you very much.

One thing though - Elastic has replaced logstash-forwarder with filebeat. Can you please update the tutorial?

SELinux was blocking the Nginx reverse proxy. Nginx showed me “502 Bad Gateway” when I browsed to the site and in the error.log I got: (13: Permission denied) The fix was:

# grep nginx /var/log/audit/audit.log | audit2allow -M nginx
# semodule -i nginx.pp

Thanks for a very informative and exhaustive document. The only thing I found missing was to enable the CentOS CR repository in order to install nginx on CentOS 7.

Hi , I follow this, and seems everything been started, but when I try to Connect to Kibana, what I got just the test page, could you please tell me any wrong with me? I just use the ELK private IP. Thanks in advance.

The installation steps for filebeat are not working any more, since the enabled: false option was removed from filebeat. So, in your tutorial, instead of adding enabled: false to filebeat.yml file, simply comment out the elasticsearch and it’s host lines, this will fix the problem when filebeat service is not sending reports to logstash server (or sends a small portion of logs data when it is restarted).

followed the above & installed ELK stack , but getting below error when starting FILEBEAT service

2016/01/10 15:36:02.224146 publish.go:230: INFO No outputs are defined. Please define one under the output section. Error Initialising publisher: No outputs are defined. Please define one under the output section. 2016/01/10 15:36:02.224147 beat.go:101: CRIT No outputs are defined. Please define one under the output section.

But outputs are configured as shown by you

@manicas Thank you for such a well-rounded tutorial. If you can please tell how to configure LOGSTASH in such a way that i can separate logs from different hosts and filter them with respect to time, logs type, and other filters while visualizing in KIBANA.

For some reason my index is not auto refreshing and data is not getting reflected continously in Kibana? If i restart filebeat on the client machines, the index and kibana gets refreshed with updated data. Any thoughts?

Hi. Im new in elasticsearch and kibna , and in linux 2 :) , i try to install elasticsearch ,kibana, logstash, in one server and i try to gather syslogs from my local server , but when open Kibana (Configure an index pattern) Index Patterns Warning No default index pattern. You must select or create one to continue and i don’t know how and when i create mapping and index . so please how can i solve this i need solution plzzz

Thanks for a good tutorial, but please note that to get this working on two debian jessie systems, I had to turn off ipv6 on the elk server. It appears the logstash program opens an ipv6 port in preference to ipv4. netstat -a revealed this.

thank you for nice tutorial. But here is a problem bother me for a while.Here’s the problem,I put ELK and filebeat on the same Cent OS 6.5 server. I Generate SSL Certificates with the first way (Option 1: IP Address) .So I vi /etc/ssl/openssl.cnf and add subjectAltName = IP: 127.0.0.1 vi /etc/filebeat/filebeat.yml

host:[“127.0.0.1:5044”]

and then everything is based on your tutorial.When I started the filebeat client It says:

Starting filebeat: 2016/02/17 07:53:37.553210 transport.go:125: ERR SSL client failed to connect with: x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “serial:14099465705021883074”)

I tryied some way to add trusted root certificates to the server but didn’t work.

Then I change the 127.0.0.1 to my server’s real ip (10.139.110.135) and remake the crt.this time I started filebeat client it says:

Starting filebeat: 2016/02/17 06:34:47.724982 transport.go:125: ERR SSL client failed to connect with: x509: certificate is valid for , not localhost

Any idea？Hope for your reply.Thanks

Going through the tutorial and I’m on the “load the sample dashboards, visualizations and Beats index patterns into Elasticsearch” step. Running “./load.sh” returns:

Loading dashboards to http://localhost:9200 in .kibana Loading search Cache-transactions: curl: (7) Failed to connect to localhost:9200; Connection refused

Any help would be greatly appreciated

I got a problem that maybe caused by character set.Here’s the problem,there are some Chinese characters in my logs,and the character set of the server that store the log is zh_CN.GBK.And the character set of my ELKServer is en_US.UTF-8. Then the logs that contained Chinese characters showed in Kibana are some unrecognizable codes.So do you have any idea about this problem. Sorry about my poor English.Hope for your reply,thanks.

You can use the following script for installation and configuration of ELK stack Server as well as Clients:-

#!/bin/bash

# ==================== Configure_Repositories function ==============================
configure_repo() {
tput setaf 2; echo "Configuring Repositories..."; tput sgr 0
echo
# ---------------------------------------------------------------------
rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
# ---------------------------------------------------------------------
printf "[elasticsearch-2.x] \nname=Elasticsearch repository for 2.x packages \nbaseurl=http://packages.elastic.co/elasticsearch/2.x/centos \ngpgcheck=1 \ngpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch \nenabled=1 \n" > /etc/yum.repos.d/elasticsearch.repo
printf "[kibana-4.4] \nname=Kibana repository for 4.4.x packages \nbaseurl=http://packages.elastic.co/kibana/4.4/centos \ngpgcheck=1 \ngpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch \nenabled=1 \n" > /etc/yum.repos.d/kibana.repo
printf "[nginx] \nname=nginx repo \nbaseurl=http://nginx.org/packages/rhel/6/x86_64/ \ngpgcheck=0 \nenabled=1 \n" > /etc/yum.repos.d/nginx.repo
printf "[logstash-2.2] \nname=logstash repository for 2.2 packages \nbaseurl=http://packages.elasticsearch.org/logstash/2.2/centos \ngpgcheck=1 \ngpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch \nenabled=1 \n" > /etc/yum.repos.d/logstash.repo
# ---------------------------------------------------------------------
tput setaf 2; echo "Downloading prerequisites for ELK stack..."; tput sgr 0
cd $ELK_DOWNLOAD_FILES
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u65-b17/jdk-8u65-linux-x64.rpm"
curl -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
curl -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
}

# ==================== Installing Prerequisites function ==============================
install_components() {
tput setaf 2; echo "Installing required components for ELK stack..."; tput sgr 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config
yum clean all >>$INSTALL_LOG
cd $ELK_DOWNLOAD_FILES
yum install jdk-8u65-linux-x64.rpm -y 2>>$INSTALL_LOG >>$INSTALL_LOG

x=("elasticsearch" "kibana" "nginx" "httpd-tools" "logstash")
y=("elasticsearch-2.x" "kibana-4.4" "nginx" "null" "logstash-2.2")
for i in {0..4}
        do
                install_check
done

}

install_check() {
yum list installed ${x[$i]} 2>>$INSTALL_LOG >>$INSTALL_LOG

if [ "$?" = "0" ]; then
        tput setaf 2; echo "Application ${x[$i]} is already Installed...";tput sgr 0
else
        tput setaf 1; echo "Installing Application ${x[$i]} ...";tput sgr 0
        install_app
fi
}

install_app() {
if [ "$i" = "3" ] ; then
        yum install ${x[$i]} -y >>$INSTALL_LOG

else
        yum --enablerepo="${y[$i]}" install ${x[$i]} -y >>$INSTALL_LOG
fi

if [ "$?" = "0" ]; then
        tput setaf 2; echo "Application ${x[$i]} Installed successfully...";tput sgr 0
else
        error_exit
fi
}

# ==================== Configuring Components function ==============================
config_components() {
tput setaf 2; echo "Configuring ELK Components..."; tput sgr 0
config_elastic
config_kibana
config_nginx
config_ssl
config_logstash
load_kibana
load_filebeat
config_firewall
}

# ==================== Configure Elastic Search function ==============================
config_elastic() {
sed -i_bac 's/#.*network.host.*$/network.host: localhost/' /etc/elasticsearch/elasticsearch.yml
chkconfig --add elasticsearch
service elasticsearch start
tput setaf 2; echo "Configured ElasticSearch successfully..."; tput sgr 0
}

# ==================== Configure Kibana function ==============================
config_kibana() {
sed -i_bac 's/#.*server.host.*$/server.host: "localhost"/' /opt/kibana/config/kibana.yml
chkconfig --add kibana
service kibana start
tput setaf 2; echo "Configured Kibana successfully..."; tput sgr 0
}

# ==================== Configure Nginx function ==============================
config_nginx() {
tput setaf 2; echo "Enter a password for Kibana Administrator User (kibanaadmin):"; tput sgr 0
htpasswd -c /etc/nginx/htpasswd.users kibanaadmin
cp -p /etc/nginx/nginx.conf{,.bak}
printf "user  nginx; \n worker_processes  1; \n error_log  /var/log/nginx/error.log warn; \n pid        /var/run/nginx.pid; \n events { \n     worker_connections  1024; \n } \n http { \n     include       /etc/nginx/mime.types; \n     default_type  application/octet-stream; \n     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' \n                       '$status $body_bytes_sent "$http_referer" ' \n                       '"$http_user_agent" "$http_x_forwarded_for"'; \n     access_log  /var/log/nginx/access.log  main; \n     sendfile        on; \n     #tcp_nopush     on; \n     keepalive_timeout  65; \n     #gzip  on; \n     include /etc/nginx/conf.d/*.conf; \n } \n" > /etc/nginx/nginx.conf
echo -e "server {\n    listen 80;\n    server_name $SERVER_NAME;\n    auth_basic \"Restricted Access\";\n    auth_basic_user_file /etc/nginx/htpasswd.users;\n    location / {\n        proxy_pass http://localhost:5601;\n        proxy_http_version 1.1;\n        proxy_set_header Upgrade \$http_upgrade;\n        proxy_set_header Connection 'upgrade';\n        proxy_set_header Host \$host;\n        proxy_cache_bypass \$http_upgrade;        \n    }\n}\n" > /etc/nginx/conf.d/kibana.conf
chkconfig --add nginx
service nginx start
tput setaf 2; echo "Configured Nginx successfully..."; tput sgr 0
}

# ==================== SSL Configuration function ==============================
config_ssl() {
cp -p /etc/pki/tls/openssl.cnf{,.bak}
sed -i_bac "/^\[ v3_ca \]/a \subjectAltName = IP: $SERVER_IP" /etc/pki/tls/openssl.cnf
cd /etc/pki/tls
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt >>$INSTALL_LOG
tput setaf 2; echo "Configured SSL successfully..."; tput sgr 0
}

# ==================== Logstash Configuration function ==============================
config_logstash() {
echo -e 'input { \n   beats { \n     port => 5044 \n     ssl => true \n     ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt" \n     ssl_key => "/etc/pki/tls/private/logstash-forwarder.key" \n   } \n } \n' > /etc/logstash/conf.d/02-beats-input.conf
echo -e 'filter {\n   if [type] == "syslog" {\n     grok {\n       match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }\n       add_field => [ "received_at", "%{@timestamp}" ]\n       add_field => [ "received_from", "%{host}" ]\n     }\n     syslog_pri { }\n     date {\n       match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]\n     }\n   }\n }\n' > /etc/logstash/conf.d/10-syslog-filter.conf
echo -e 'output {       \n   elasticsearch {    \n     hosts => ["localhost:9200"]      \n     sniffing => true \n     manage_template => false \n     index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"   \n     document_type => "%{[@metadata][type]}"    \n   }  \n }    \n' > /etc/logstash/conf.d/30-elasticsearch-output.conf
tput setaf 3; echo "Checking Configuration of Logstash..."; tput sgr 0
service logstash configtest
chkconfig --add logstash
service logstash start
tput setaf 2; echo "Configured Logstash successfully..."; tput sgr 0
}

# ==================== Load Kibana Dashboard function ==============================
load_kibana() {
tput setaf 3; echo "Load Kibana Dashboard..."; tput sgr 0
cd $ELK_DOWNLOAD_FILES
unzip beats-dashboards-*.zip >>$INSTALL_LOG
cd beats-dashboards-*
sh ./load.sh >>$INSTALL_LOG
tput setaf 3; echo "Kibana Dashboard loaded..."; tput sgr 0
}

# ==================== Load Filebeat function ==============================
load_filebeat() {
tput setaf 6; echo "Load File beat..."; tput sgr 0
cd $ELK_DOWNLOAD_FILES
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json
tput setaf 6; echo "ELK Server is ready to receive Filebeat data, let's move onto setting up Filebeat on each client server."; tput sgr 0
tput setaf 6; tput bold; printf "Connect to Kibana DashBoard using link \"http://`uname -n`\"\nAfter entering the "kibanaadmin" credentials, you should see a page prompting you to configure a default index pattern.\n"; tput sgr 0
}

# ==================== Configure firewall function ==============================
config_firewall() {
tput setaf 1; echo "Configuring firewall on ELK Server..."; tput sgr 0
for p in 5044 9200 5601 80
        do
                iptables -I INPUT -j ACCEPT -p tcp --dport $p >>$INSTALL_LOG
                iptables -I INPUT -j ACCEPT -p udp --dport $p >>$INSTALL_LOG
                iptables -I OUTPUT -j ACCEPT -p tcp --dport $p >>$INSTALL_LOG
                iptables -I OUTPUT -j ACCEPT -p udp --dport $p >>$INSTALL_LOG
        done
/etc/init.d/iptables save
/etc/init.d/iptables restart
tput setaf 2; echo "Firewall is configured successfully..."; tput sgr 0
}

# ==================== Configure Client function ==============================
config_client()
{
tput setaf 2; read -rp "Enter Client Server Private IP: " CLIENT_IP ; tput sgr 0
ssh-keygen -t rsa -f /root/.ssh/id_rsa -q -P ""
tput setaf 2; echo "Enter credentials of Client Server:" ; tput sgr 0
ssh-copy-id $CLIENT_IP
echo "Installation log of Client Server $CLIENT_IP:" >> $INSTALL_LOG
scp /etc/pki/tls/certs/logstash-forwarder.crt root@$CLIENT_IP:/tmp >> $INSTALL_LOG
ssh $CLIENT_IP "mkdir -p /etc/pki/tls/certs; cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/"
tput setaf 2; echo "Copied SSL Certficate..."
echo "Installing Filebeat Package on Client Server..."; tput sgr 0
ssh $CLIENT_IP "rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch; echo -e '[beats]\nname=Elastic Beats Repository\nbaseurl=https://packages.elastic.co/beats/yum/el/\$basearch\nenabled=1\ngpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch\ngpgcheck=1\n' > /etc/yum.repos.d/elastic-beats.repo; yum -y install filebeat" >> $INSTALL_LOG

if [ "$?" = "0" ]; then
        echo -e '#!/bin/bash' > /tmp/t.sh
        echo -e "sed -i_bac -e '/- \/var/ s/^/#/' -e '/ paths:/a \        - /var/log/messages' -e '/ paths:/a \        - /var/log/secure' -e 's/#document_type:.*$/document_type: syslog/' -e '/elasticsearch:/,/# Logstash/ s/^/#/' -e 's/#logstash:/logstash:/' -e \"/logstash:/,+2 s/#hosts: \[\\\"localhost:/hosts: \[\\\"$SERVER_IP:/\" -e '/hosts.*5044/a \    bulk_max_size: 1024' -e '/logstash:/,+30 s/#tls:/tls:/' -e '/ tls:/,+5 s/#certificate_authorities:.*/certificate_authorities: \[\"\/etc\/pki\/tls\/certs\/logstash-forwarder.crt\"\]/' /etc/filebeat/filebeat.yml\nexit" >>/tmp/t.sh
        scp /tmp/t.sh $CLIENT_IP:/tmp >> $INSTALL_LOG
        ssh $CLIENT_IP "sh /tmp/t.sh; service filebeat start; chkconfig --add filebeat;"
        tput setaf 2 ; echo "Configured client successfully..."; tput sgr 0
else
        error_exit
fi

}

# ==================== Exit function ==============================
function error_exit()
{
        tput setaf 7; tput setab 1; echo "Unknown Error occured, check installation log located @ $INSTALL_LOG for more information";tput sgr 0
        exit 1
}

# ========================= BEGIN ==========================
# ========================================================
# ========================================================

# ========================= VARIABLES INITIALIZATION ==========================
mkdir /tmp/elk_downloads 2>/dev/null
ELK_DOWNLOAD_FILES=/tmp/elk_downloads
SERVER_NAME=$(uname -n)
touch /tmp/elk_downloads/install_log
INSTALL_LOG=/tmp/elk_downloads/install_log
tput setaf 2; read -rp "Enter ELK Server Private IP: " SERVER_IP; tput sgr 0
#read -rp "Enter Client Server Private IP: " CLIENT_IP

# ========================= FUNCTIONS INVOCATIONS ==========================
    
    BG_BLUE="$(tput setab 4)"
    BG_BLACK="$(tput setab 0)"
    FG_GREEN="$(tput setaf 2)"
    FG_WHITE="$(tput setaf 7)"

    # Screen size
    row=$(tput lines)
    col=$(tput cols)

    # Save screen
    tput smcup

    # Display menu until selection == 0
    while [[ $REPLY != 0 ]]; do
      echo -n ${BG_BLUE}${FG_WHITE}
      clear
      tput sc; tput cup $((row/3)) $((col/3)); tput setab 1; tput bold; tput setaf 7; printf "Improvisation: aljoantony@gmail.com\n"; tput rc
    cat<<EOF
    ==============================
      ELK Stack Installation Menu
    ------------------------------
    Please enter your choice:
    (1) Configure repo
    (2) Install Components
    (3) Configure Components
    (4) Configure Client
           (0)Quit
    ------------------------------
EOF
      read -p "Enter selection [0-4] > " selection

      # Clear area beneath menu
      tput cup 10 0
      echo -n ${BG_BLACK}${FG_GREEN}
      tput ed
      tput cup 11 0
      tput sc; tput cup $((row/3)) $((col/3)); tput setab 1; tput bold; tput setaf 7; printf "Improvisation: aljoantony@gmail.com\n"; tput rc
      # Act on selection
      case $selection in
        1)  configure_repo
            ;;
        2)  install_components
            ;;
        3)  config_components
            ;;
        4)  config_client
            ;;
        0)  break
            ;;
        *)  echo "Invalid entry."
            ;;
      esac
      printf "\n\nPress any key to continue."
      read -n 1
    done

    # Restore screen
    tput rmcup

# ========================= END ==========================
# =======================================================
# =======================================================

Elasticsearch is up and running, responds to API
executing a query directly on Elasticsearch like http://elasticserver.com:9200/applogs/_search?q=* returns lots of results (see below on how a single found record looks like)
Kibana is up and running, even finds the applogs index exposed by Elasticsearch
Kibana also shows the correct properties and data type of the filebeat documents
"Discover" tab doesn't show any results...even when setting the time period to a couple of years...

Any ideas??

I want to parse log query dns. i use grok filter. But i dont know how to run logstash with filter. my log dns: 16-Mar-2016 16:48:00.086 queries: info: client 192.168.1.3#53345: query: kenh14.vn IN A + (192.168.1.2) filter { if [type] == “dns-queries” { grok { match => {“message” => “%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:timestamp} queries: info: client %{IPV4:dns_client_ip}#%{NONNEGINT:dns_uuid}?.query: %{HOSTNAME:dns_dest} %{WORD:dns_type} %{WORD:dns_record}?.%{IPV4:dns_server}” } } } }

It not work. it can’t parse log . can you help me ?

Mitchell, first of all thanks for this awesome tutorial - for wring and keep updating it! Second, i’ve used a CentOS 7 VM for the ELK stack (with Elasticsearch, Kibana, Nginx & Logstash) and another VM with Filebeat. I’m using the latest versions of these tools, per the repos you gave and the OS is fully updated. SELinux and Firewall are disabled, and the 2 VMs are on the same network. The issue is that I don’t have Filebeat-YYYY.MM.DD or Filebeat-@timestamp options in the indexes\indices patterns. I’m getting the “Unable to fetch mapping. Do you have indices matching the pattern?” message. I can access the Kibana, via Nginx without issues. I CAN SEE logs from the client VM, grabbed via Filebeat when choosing “filebeat-*” index pattern When typing in the open text-box of index pattern, “filebeat-@timestamp” (which also auto-complete it self when writing “filebeat-” I’m getting a fatal error message with the error: null is not an object (evaluating ‘index.timeField.name’).

What am I doing wrong? When looking on similar comments in the past I saw some replies about Logstash-forwarder, is it something replaced by Filebeat? as I don’t see anything related to it (besides the CERT & KEY file names) in the whole ELK Stack VM system.

Thanks in advance

@citrusr2d2 please I have the same problem as you. how you solve the problem

I have 3 files under /conf.d

30-elasticsearch-output.conf

output { elasticsearch { hosts => [“localhost:9200”] sniffing => true manage_template => false index => “%{[@metadata][beat]}-%{+YYYY.MM.dd}” document_type => “%{[@metadata][type]}” } }

10-syslog-filter.conf

filter { if [type] == “syslog” { grok { match => { “message” => “%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}” } add_field => [ “received_at”, “%{@timestamp}” ] add_field => [ “received_from”, “%{host}” ] } syslog_pri { } date { match => [ “syslog_timestamp”, “MMM d HH:mm:ss”, “MMM dd HH:mm:ss” ] } } }

02-beats-input.conf input { beats { port => 5044 ssl => true ssl_certificate => “/etc/pki/tls/certs/logstash-forwarder.crt” ssl_key => “/etc/pki/tls/private/logstash-forwarder.key” } }

and i want to config logstash to get cisco asa logs i have this tuto to help http://ict.renevdmark.nl/2015/10/22/cisco-asa-alerts-and-kibana/

and i’m lost how to put this config all together right plz some one help

Is this ELK stack using the rsyslog at all? I found another tutorial that I wanted to use for my firewall but they use syslog-ng. I dont want to break my ELK stack from your tutorial. Wondering if trying to run syslog-ng instead will break it.

I install complete ELK on CentOS 7. But when i send log from CentOS 6 Client. It very slow to recives log or no recives log. how can i check log send from Client to ELK realtime. And may be i don’t use certificate like tutorial ? Sorrry because my english :(

I am getting the following errors. It indicates that a kibana process is running but that the error logs indicate a fatal error happened (that the port is already being used). Indeed it is because the process is still running.

[root@startup-elk ~]# tail -f /var/log/kibana/kibana.stderr /var/log/kibana/kibana.stdout

{“type”:“log”,“@timestamp”:“2016-06-15T12:04:00+00:00”,“tags”:[“fatal”],“pid”:2384,“level”:“fatal”,“message”:“listen EADDRINUSE 127.0.0.1:5601”,“error”:{“message”:“listen EADDRINUSE 127.0.0.1:5601”,“name”:“Error”,“stack”:“Error: listen EADDRINUSE 127.0.0.1:5601\n at Object.exports._errnoException (util.js:870:11)\n at exports._exceptionWithHostPort (util.js:893:20)\n at Server._listen2 (net.js:1236:14)\n at listen (net.js:1272:10)\n at net.js:1381:9\n at GetAddrInfoReqWrap.asyncCallback [as callback] (dns.js:63:16)\n at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:82:10)”,“code”:“EADDRINUSE”}}

==> /var/log/kibana/kibana.stderr <== FATAL { [Error: listen EADDRINUSE 127.0.0.1:5601] cause: { [Error: listen EADDRINUSE 127.0.0.1:5601] code: ‘EADDRINUSE’, errno: ‘EADDRINUSE’, syscall: ‘listen’, address: ‘127.0.0.1’, port: 5601 }, isOperational: true, code: ‘EADDRINUSE’, errno: ‘EADDRINUSE’, syscall: ‘listen’, address: ‘127.0.0.1’, port: 5601 }

[root@startup-elk ~]# service kibana status kibana is not running

[root@startup-elk ~]# netstat -apln | grep 5601 tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 2243/node

[root@startup-elk ~]# ps -eaf | grep kiba kibana 2243 1 1 07:56 ? 00:00:06 /opt/kibana/bin/…/node/bin/node /opt/kibana/bin/…/src/cli

Hello, after passing full tutorial i have some issues i cant fix last 3 days. Server and client are Centos 7 Elasticsearch, kibana , logstash, nginx working.

I can ping from server to client machine and reverse.

Issue i get on Client side : after installing filebeat and copying certificate i cant get logs in my kibana.

CLI-Log /usr/bin/filebeat[41833]: transport.go:125: SSL client failed to connect with: dial tcp x.x.x.x:5044: getsockopt: no route to host

My config files are same as in tutorial. So basically i cant conect client with server, i have static ip on both.

I’m trying to read my elk stack’s local logs, including /var/log/messages. In my case I haven’t started using filebeat yet. Kibana keeps prompting me to “Configure an index pattern”, because logstash was forwarding data to elasticsearch. I checked the logstash logs and found that it’s a files permissions issue. I fixed this by running the following on my elk server:

chmod -R /var/log

Or better yet, run:

setfacl -R -m user:logstash:rwX /var/log

Hi…I am very new to Openstack. Your tutorial is really good and helped me a lot. However I am stuck at the last part of the tutorial. below is the output that I am getting. curl -XGET ‘http://<Ip of ELK server>:9200/filebeat-*/_search?pretty’ { “took” : 1, “timed_out” : false, “_shards” : { “total” : 0, “successful” : 0, “failed” : 0 }, “hits” : { “total” : 0, “max_score” : 0.0, “hits” : [ ] } }

And the kibana gui result gives me plugin:elasticsearch Unable to connect to Elasticsearch at http://localhost:9200 I am not using localhost as such. I have a controller and a compute node on Openstack where I am trying ELK. Can you help me?

Why was is necessary to install NGINX? Can’t this step be missed out?

filebeat failed to send logs and its status on ubuntu 16.04:

transport.go:125: SSL client failed to connect with: x509: cannot validate certificat

I configured with DNS method for tls and able to ping FQDN from client and server.

Mitchell, Like many others… thanks for a great tutorial. And again, like some others I’ve ran into a problem :)

I was able to go through your steps successfully until the configuring Filebeat on the client. I got it installed however my Elk server is not receiving any logs.

curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'

returns:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 0,
    "successful" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : 0.0,
    "hits" : [ ]
  }
}

I’ve checked and rechecked my Filebeat.yml file and it’s correct. I did check teh Elk server and according to netstat port 5044 is not listening. Even though the 02-beats-input.conf file is setup like yours with 5044 used.

Any help would be greatly appreciated.

Great tutorial. Clear, concise, and it works!

Great tutorial! It works for me. Look forward to your advanaced solutions for elasticsearchcluster setup and store log in database, i.g. redis. :-)