Elastic Stack Setup for Multiple Server


(w0lf) #1

Dear All,
I have 10 servers with different applications and different clients. I want to set up an ELK Stack server for all of them in one place. The servers will be sending the following logs to my ELK box:

  1. Apache access & error logs
  2. SSH access and failed logs
  3. Mail logs (Postfix / Exim)
  4. MySQL logs / slow query
  5. System logs (CPU / RAM / DISK / LOAD AVERAGE)
  6. Firewall logs
  7. IDS logs
  8. ClamAV logs
  9. Maldet logs
  10. AIDE logs

Now my questions are:

  1. How to differentiate the logs by host?
  2. For one single server I will put the filters in, say, the server1.conf file and parse them; will it work?
  3. How to see the data on the Kibana dashboard for each server? Is it like creating different dashboards and visualizations?

Please help

(w0lf) #2

Can someone please help?


(David Pilato) #3

Read this and specifically the "Also be patient" part.

It's fine to answer on your own thread after 2 or 3 days (not including weekends) if you don't have an answer.


(w0lf) #4

Got it.


(w0lf) #5

Any pointers, folks?


(w0lf) #6

Is this a stupid question? Or is it something no one can answer? Wondering, if the people in the forum can't answer the stuff, then who else can?


(David Pilato) #7

How to differentiate the logs by host?

It depends on what you are using to ship the logs. If you are using filebeat, there is a field which has that value by default.

For one single server I will put the filters in, say, the server1.conf file and parse them; will it work?

I don't understand the question.

How to see the data on the Kibana dashboard for each server? Is it like creating different dashboards and visualizations?

Filebeat comes with some default dashboards, but anyway, if the server is part of the document indexed in Elasticsearch, then it's easy to add a filter on whatever server in Kibana.


(w0lf) #8

For one single server I will put the filters in, say, the server1.conf file and parse them; will it work?

So for example I have srv1.example.com and I want to parse logs from that server:

  1. Apache logs
  2. Firewall logs
  3. SSH auth logs
  4. System logs - CPU / MEMORY etc.

and I create a file with the hostname, srv1.example.conf, and put the filters in one file for all of the above. Will it work?

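An added example, not code from this thread or from Elastic, of the approach David describes: Logstash merges every file in its pipeline config directory into one pipeline, so a per-host file such as srv1.example.conf only does what w0lf wants if its filters are wrapped in a conditional on the host field Filebeat adds (host.name in Filebeat 7.x; older releases used beat.hostname). The custom field "logtype" is assumed to be set per input in filebeat.yml (fields: { logtype: apache }), and the sshd grok pattern is the example's own.

```logstash
# srv1.example.conf (assumed file name): all filters for srv1.example.com in one file.
# Because Logstash concatenates every *.conf in the config directory, the outer
# host.name conditional is what keeps these filters from touching other hosts' events.
input {
  beats { port => 5044 }
}

filter {
  if [host][name] == "srv1.example.com" {

    # "logtype" is an assumed custom field set under each input in filebeat.yml
    if [fields][logtype] == "apache" {
      grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
    }

    else if [fields][logtype] == "sshd" {
      # Parse only failed-login lines; anything else stays unparsed but is still indexed.
      grok {
        match => { "message" => "%{SYSLOGTIMESTAMP:ts} %{SYSLOGHOST:syslog_host} sshd\[%{POSINT:pid}\]: Failed password for (invalid user )?%{USERNAME:user} from %{IPORHOST:src_ip} port %{POSINT:src_port} ssh2" }
        add_tag        => [ "ssh_failed_login" ]
        tag_on_failure => [ "_sshd_not_failed_login" ]
      }
    }

    # Everything else from this host (firewall, system metrics) passes through untouched.
  }
}

output {
  # One index per log type and host: a per-server Kibana view is then just an index
  # pattern or a host.name filter on a shared dashboard, not a separate dashboard per host.
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logs-%{[fields][logtype]}-%{[host][name]}-%{+YYYY.MM.dd}"
  }
}
```

For a second host, copy the file, change the host.name value and the filters inside it; the input and output blocks should then live in a single shared file rather than being repeated per host, since duplicating the beats input would bind port 5044 twice.
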
(David Pilato) #9

I don't know. I still don't understand. Maybe an example would help?

Or maybe someone else understands what you are looking for...


(w0lf) #10

OK, sure. Let me create a diagram and an example; thank you for your reply and help.
