Filebeat/logstash installation and configuration

Hi,

I have to install and configure filebeat and logstash in CentOS7 OS for an assignment.

Filebeat will be on one server and logstash will be on another server, i.e. both will be on different servers.

I am planning to use the following steps to install and configure filebeat and logstash.
Please suggest whether I am using the right steps or not.

Install Java

1.Download Java 8 JDK with the wget command.
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http:%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u77-b02/jdk-8u77-linux-x64.rpm"
2.Then install it with this rpm command;
rpm -ivh jdk-8u77-linux-x64.rpm
3.Finally, check java JDK version to ensure that it is working properly.
java -version

=========================================
Install and Configure Logstash

1.Download Logstash and install it with rpm.
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.1.1.rpm
rpm -ivh logstash-5.1.1.rpm
2.Generate a new SSL certificate
3.Go to the tls directory and edit the openssl.cnf file.
cd /etc/pki/tls
vim openssl.cnf
4.Add a new line in the '[ v3_ca ]' section for the server identification.
[ v3_ca ]

     # Server IP Address
       subjectAltName = IP: logstash_server_ip

5.Save and exit.
6.Generate the certificate file with the openssl command.
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt

7.The certificate files can be found in the '/etc/pki/tls/certs/' and '/etc/pki/tls/private/' directories.

========================================
Install and configure filebeat

1.Login to the filebeat server.
ssh root@client1IP

2.Copy the certificate file with the scp command.
scp root@elk-serverIP:~/logstash-forwarder.crt .
TYPE elk-server password

3.Create a new directory and move certificate file to that directory.
sudo mkdir -p /etc/pki/tls/certs/
mv ~/logstash-forwarder.crt /etc/pki/tls/certs/

4.Download Filebeat and install it with rpm.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.1-x86_64.rpm
rpm -ivh filebeat-5.1.1-x86_64.rpm

5.Filebeat has been installed, go to the configuration directory and edit the file 'filebeat.yml'.

 cd /etc/filebeat/
  vim filebeat.yml
  
   paths: Log file Path
   
Add a new configuration on line 26 to define the syslog type files.
  document_type: mylog
  
6.
output.logstash:
  # The Logstash hosts
   hosts: ["10.0.15.10:5443"]
   bulk_max_size: 1024
   ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
   template.name: "filebeat"
   template.path: "filebeat.template.json"
   template.overwrite: false  
  
7.Save the file and exit vim.
8.Add Filebeat to start at boot time and start it.
   sudo systemctl enable filebeat
   sudo systemctl start filebeat  

Please advise whether these steps are correct or not.
What is the purpose of the SSL certificate and I have to copy the logstash certificate to filebeat?

Thanks

Those steps seem reasonable (I don't see where Logstash is actually configured). You can review the Filebeat Getting Started to compare with our recommended installation steps. And there is a separate guide about securing the communication between Filebeat and Logstash.

The purpose of copying the CA certification is to enable Filebeat to trust the certificate presented by the LS server.
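The trust relationship described in this reply, as an added example that is not part of the original thread or of Elastic's documentation: the certificate carries the Logstash server's IP as a subjectAltName (Filebeat connects by IP, so the name check is made against that field), and the copy on the Filebeat host is what the server's certificate is verified against. The function names, file names and the private `san.cnf` are assumptions of this example; `10.0.15.10` is the address from the post.

```shell
#!/bin/sh
# Added example with constructed values; not taken from the thread.

# make_cert DIR IP: write DIR/logstash.key and DIR/logstash.crt, self-signed,
# with IP as an IP subjectAltName. Uses a private config file instead of
# editing the system-wide /etc/pki/tls/openssl.cnf.
make_cert() {
    dir=$1 ip=$2
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = logstash
[ v3_ca ]
basicConstraints = CA:true
subjectAltName   = IP:$ip
EOF
    # umask keeps the private key readable by its owner only.
    ( umask 077
      openssl req -config "$dir/san.cnf" -x509 -days 365 -nodes \
          -newkey rsa:2048 -keyout "$dir/logstash.key" \
          -out "$dir/logstash.crt" 2>/dev/null )
}

# cert_has_ip_san CRT IP: succeed only if CRT lists IP as a subjectAltName.
# -w stops 10.0.15.10 from matching a longer address such as 10.0.15.100.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -qwF "IP Address:$2"
}

# trusted_by CA CRT: succeed only if CRT verifies against the certificate in
# CA. This is the check the Filebeat side performs with
# ssl.certificate_authorities. The output is matched rather than the exit
# status, because older OpenSSL releases exit 0 on some failures.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
```

Only `logstash.crt` needs to reach the Filebeat host; `logstash.key` stays on the Logstash server.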

If not using X-pack, how to generate logstash ca certificate for filebeat agents?
Can someone guide on this?

You can also comment out the TLS certificate if you don't want to secure it where your infra is secured. Check whether you really need the template or go with the default one. The rest of the steps are fine.

:slight_smile:
