Hi,
I have to install and configure Filebeat and Logstash on CentOS 7 for an assignment.
Filebeat will be on one server and Logstash will be on another server, i.e. both will be on different servers.
I am planning to use the following steps to install and configure Filebeat and Logstash.
Please tell me whether I am using the right steps or not.
Install Java
1.Download Java 8 JDK with the wget command.
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http:%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u77-b02/jdk-8u77-linux-x64.rpm"
2.Then install it with this rpm command;
rpm -ivh jdk-8u77-linux-x64.rpm
3.Finally, check java JDK version to ensure that it is working properly.
java -version
=========================================
Install and Configure Logstash
1.Download Logstash and install it with rpm.
wget https://artifacts.elastic.co/downloads/logstash/logstash-5.1.1.rpm
rpm -ivh logstash-5.1.1.rpm
2.Generate a new SSL certificate
3.Go to the tls directory and edit the openssl.cnf file.
cd /etc/pki/tls
vim openssl.cnf
4.Add a new line in the '[ v3_ca ]' section for the server identification.
[ v3_ca ]
# Server IP Address
subjectAltName = IP: logstash_server_ip
5.Save and exit.
6.Generate the certificate file with the openssl command.
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt
7.The certificate files can be found in the '/etc/pki/tls/certs/' and '/etc/pki/tls/private/' directories.
========================================
Install and configure filebeat
1.Login to the filebeat server.
ssh root@client1IP
2.Copy the certificate file with the scp command.
scp root@elk-serverIP:~/logstash-forwarder.crt .
Type the elk-server password.
3.Create a new directory and move certificate file to that directory.
sudo mkdir -p /etc/pki/tls/certs/
mv ~/logstash-forwarder.crt /etc/pki/tls/certs/
4.Download Filebeat and install it with rpm.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.1-x86_64.rpm
rpm -ivh filebeat-5.1.1-x86_64.rpm
5.Filebeat has been installed, go to the configuration directory and edit the file 'filebeat.yml'.
cd /etc/filebeat/
vim filebeat.yml
paths: Log file Path
Add a new configuration on line 26 to define the syslog type files.
document_type: mylog
6.output.logstash:
# The Logstash hosts
hosts: ["10.0.15.10:5443"]
bulk_max_size: 1024
ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
template.name: "filebeat"
template.path: "filebeat.template.json"
template.overwrite: false
7.Save the file and exit vim.
8.Add Filebeat to start at boot time and start it.
sudo systemctl enable filebeat
sudo systemctl start filebeat
Please advise whether these steps are correct or not.
What is the purpose of the SSL certificate, and do I have to copy the Logstash certificate to Filebeat?
Thanks
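
Added example, not part of the original post: the certificate steps above as a shell sketch that generates the self-signed certificate with an IP subjectAltName and then runs the two checks a TLS client such as Filebeat depends on, namely that the certificate covers the address in `hosts` and that the file listed in `ssl.certificate_authorities` validates it. Assumptions: the function names are hypothetical, a private config file is used instead of editing /etc/pki/tls/openssl.cnf, and the subject CN=logstash is a constructed value.

```shell
#!/bin/sh
# Added example (assumed helper names, constructed subject CN).

# make_logstash_cert <server_ip> <out_dir>
# Writes logstash-forwarder.key/.crt into out_dir, self-signed, SAN = IP.
make_logstash_cert() {
    ip="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    # Private config: same effect as adding subjectAltName to [ v3_ca ]
    # in the system openssl.cnf, without touching the system file.
    cat > "$dir/logstash-openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = logstash
[ v3_ca ]
basicConstraints = CA:TRUE
subjectAltName   = IP:$ip
EOF
    ( umask 077   # keep the private key unreadable to other users
      openssl req -config "$dir/logstash-openssl.cnf" -x509 -days 3650 \
          -nodes -newkey rsa:2048 \
          -keyout "$dir/logstash-forwarder.key" \
          -out "$dir/logstash-forwarder.crt" 2>/dev/null )
}

# cert_matches_ip <crt> <ip>
# Succeeds only if the certificate's SAN covers the IP the client dials.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q 'does match certificate'
}

# cert_trusted_by <crt> <ca_file>
# Succeeds only if ca_file (the copy placed on the Filebeat host)
# validates the certificate the server presents.
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Only the .crt file is copied to the Filebeat server; the .key file stays on the Logstash server.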