Help with initial Logstash configuration


(Garrett S.) #1

Hi everyone,
I'm trying to spin up an ELK stack on a CentOS 7 server. I got everything installed correctly (as far as I know). However, when I go to my Kibana Dashboard, It won't let me declare an index pattern. I followed the tutorial at https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-centos-7
I have absolutely no experience with this, so I'm not sure what logs to post (or how to retrieve them), or how to diagnose the problem. I've been googling like crazy for the last few days, and I'm at my wit's end. I'll appreciate any help you guys can give me. It appears as though my logstash-forwarders aren't sending logs to the main server, but again, I'm not sure how to tell because I'm so new at this.

Looking forward to hearing from you,

Garrett


(Mark Walkom) #2

Have you pushed data into ES? Because if not, then this would be why.

Try curl ESHOST:9200/_cat/indices and see what is returned. If you don't see any logstash- indices then it's as I mentioned ^


(Garrett S.) #3

Mark,
Thanks for the response. I tried that, and I didn't see any output. I assume you were referring to running the command on the host from which I'm trying to forward logs? I ran the command curl localhost:9200/_cat/indices, and got nothing. I also tried the command curl forwardinghostIP:9200/_cat/indices from my logstash server and got a connection refused response. Again, I'm completely new to this, so I appreciate the help.


(Mark Walkom) #4

Yeah, you need to put the IP of your ES host in that command :smile:

If you are getting connection refused, do you have a firewall or something? You mention forwardinghostIP, what does that imply?


(Garrett S.) #5

OK, so I ran the command curl 10.x.x.x (the IP address of the host which should be sending logs). This command was run from the server which should be receiving the logs to put into Kibana. There isn't a firewall that I know of. I checked iptables, and it's disabled, and I know there haven't been any others installed.


(Mark Walkom) #6

If it's still returning nothing then you need to check ES is running, use ps or similar.


(Garrett S.) #7

I still don't know if it's returning anything. I can't get it to make a connection. I think you were right about the firewall, but I have statements in iptables to allow all traffic to port 9200. I have no idea what I'm missing. I'm sure it's something that's right in front of me, but I don't have the Elasticsearch (or Linux) knowledge to find it.


(Garrett S.) #8

UPDATE:
Running the command curl localhost:9200/_cat/indices from the server which should be receiving the logs (the one with the entire ELK stack installed), I get the following data returned: yellow open .kibana 1 1 1 0 2.5kb 2.5kb
I don't know what that means, but it's something different... :stuck_out_tongue:

UPDATE #2:
Turns out, the config files may have issues. Changing the receiving server's Elasticsearch network.host setting from localhost to the public IP of the server lets me curl IP:9200. It returns {"error":"NullPointerException[null]","status":500}

However, it shows a fatal error on Kibana until I change it back.

Not sure what's going on. Just to clarify the problem:
I have
1 CentOS 7 server that has Elasticsearch, Logstash, and Kibana.
1 CentOS 6 host which should forward logs to the CentOS 7 server using Logstash-Forwarder

I'm able to access the Kibana web interface, but it doesn't allow me to configure a default index. The box is grayed out and it says "Unable to fetch mapping. Do you have indices matching the pattern?"
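Mark's check in #2 and the "unable to fetch mapping" message in #8 are two views of the same fact: Kibana can only offer an index pattern once Elasticsearch actually holds indices that match it, and a cluster that shows nothing but `.kibana` has never received a document from Logstash. The script below is an added example (not code from the thread, Elastic, or the linked tutorial) that interprets the plain-text output of `_cat/indices` the way a reader would when triaging this. It assumes the default column order of Elasticsearch 1.x/2.x (`health status index pri rep docs.count docs.deleted store.size pri.store.size`); the `.kibana` line is the one quoted above, the `logstash-` line is constructed to show what a populated cluster looks like.

```python
"""Interpret the text returned by Elasticsearch's `_cat/indices` endpoint."""
from fnmatch import fnmatch

# Default `_cat/indices` columns for Elasticsearch 1.x/2.x (assumption: the
# versions used in the thread; newer releases add a uuid column).
CAT_COLUMNS = (
    "health", "status", "index", "pri", "rep",
    "docs.count", "docs.deleted", "store.size", "pri.store.size",
)

# Constructed samples. The `.kibana` line is the one quoted in the thread; the
# `logstash-` line is made up to show a cluster that has received log events.
SAMPLE_EMPTY = "yellow open .kibana 1 1 1 0 2.5kb 2.5kb\n"
SAMPLE_POPULATED = SAMPLE_EMPTY + "yellow open logstash-2015.07.21 5 1 1234 0 1.2mb 1.2mb\n"


def parse_cat_indices(text):
    """Turn `_cat/indices` output into a list of dicts keyed by column name."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < len(CAT_COLUMNS):
            continue  # blank or truncated line
        rows.append(dict(zip(CAT_COLUMNS, fields)))
    return rows


def matching_indices(rows, pattern):
    """Names of indices matching a Kibana-style glob such as 'logstash-*'."""
    return [r["index"] for r in rows if fnmatch(r["index"], pattern)]


def diagnose(text, pattern="logstash-*"):
    """Explain what `_cat/indices` output means for Kibana's index-pattern screen."""
    rows = parse_cat_indices(text)
    if not rows:
        return "no-indices: Elasticsearch answered but holds no indices at all"
    matches = matching_indices(rows, pattern)
    if not matches:
        names = ", ".join(r["index"] for r in rows)
        return ("no-match: only [%s] exist; nothing has written to '%s', so check that "
                "Logstash is receiving from the forwarder and outputting to this cluster"
                % (names, pattern))
    # Kibana can only search what has been indexed, so report document totals.
    docs = sum(int(r["docs.count"]) for r in rows if r["index"] in matches)
    non_green = sum(1 for r in rows if r["index"] in matches and r["health"] != "green")
    note = ""
    if non_green:
        note = "; yellow health just means replica shards have no second node to live on"
    return "ok: %d index(es) match '%s' with %d document(s)%s" % (len(matches), pattern, docs, note)


if __name__ == "__main__":
    # In practice feed it: curl -s localhost:9200/_cat/indices | python thisfile.py
    print(diagnose(SAMPLE_EMPTY))
    print(diagnose(SAMPLE_POPULATED))
```

Run the check against localhost:9200 from the Elasticsearch host itself, as post #8 eventually does, rather than widening `network.host` to a public address to reach it from elsewhere: Elasticsearch of this generation ships with no authentication, so binding to a public IP hands the data and the REST API to anyone who can reach port 9200. The Kibana fatal error seen after that change is a separate symptom of the same edit, because Kibana 4 connects to the address in its own `elasticsearch_url` setting (localhost:9200 in the tutorial), which stops answering once Elasticsearch listens only on the public IP.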


(Garrett S.) #9

FINAL UPDATE:
I'm an idiot. Nothing like a mistyped IP address to mess up your life...
Problem is solved.
Thanks for all the help Mark. It's much appreciated by this ELK n00b
