Problems getting started ELK centos7


(eric hebert) #1

I am on centos7 minimal version on a vm virtualbox, @IP=10.82.136.52 in local network. I have no public IP 192.168.xxx, no FQDN. I installed all of ELK on this server with default config but not nginx.

  • elasticsearch wget http://localhost:9200 => connection refused
  • kibana wget http://localhost:5601 => connection refused
  • logstash : not started. How do I get the log files and enable debug mode?

Would you please help me solve these issues? Best regards.

(eric hebert) #2

I follow this tutorial


(Magnus Bäck) #3

Are the processes actually running? Are they listening to the loopback interface? Is there any firewall that might be blocking the traffic?


(eric hebert) #4

nginx is not running, firewall-cmd is not running. And I define proxy config for all resources: wget, bash-profile, .... I except use of proxy for: localhost, 127.0.0.1 and 10.82.136.52, the IP address of my centos7 machine


(Vasiliy V.G.) #5

You can try my test ELK for example on VirtualBox Centos6.5:

eth0 inet addr:192.168.xxx.xxx - bridge for inet
eth1 inet addr:10.1.1.9 - virtual adapter for local

elasticsearch 1.6:
elasticsearch.yml
cluster.name: test
node.name: "elk"

Can see in Chrome via http://192.168.xxx.xxx:9200/ or curl -XGET '10.1.1.9:9200/'

Kibana4:
kibana.yml
port: 5601
host: "0.0.0.0"
elasticsearch_url: "http://10.1.1.9:9200"

Can see in Chrome via http://192.168.xxx.xxx:5601/ or curl -XGET '10.1.1.9:5601'

nginx.conf - add
log_format logstash '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
access_log /var/log/nginx/access2.log logstash;

logstash-nginx3.conf
input {
  file {
    path => "/var/log/nginx/access2.log"
    type => syslog
  }
}

filter {
  # Overwrite the type set by the input
  mutate {
    replace => { "type" => "nginx_access" }
  }

  # Literal [ ] and " in the log line are escaped
  grok {
    match => [ "message", "%{IPORHOST:clientip} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:request_time:float}" ]
  }

  date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
  }

  geoip {
    source => "clientip"
  }
}

output {
  elasticsearch {
    cluster => "test"
    protocol => "http"
    host => "10.1.1.9"
    port => "9200"
    index => "logstash-%{+YYYY.MM.dd}"
    workers => 5
  }
  # Print each event to the console as well
  stdout { codec => rubydebug }
}

An interesting way of finding the problem: try in the shell /opt/logstash/bin/logstash -f ./logstash-nginx3.conf --debug
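An added example, not part of the original post and not Logstash's own code: a Python approximation of the grok pattern from post #5, run over constructed access-log lines to check that the `logstash` log_format and the pattern agree before the config is loaded. The regex stand-ins for IPORHOST, HTTPDATE, QS and the other sub-patterns are simplified assumptions, as are the sample lines.

```python
import re
from datetime import datetime

# Simplified stand-ins for the grok sub-patterns (assumptions, not the
# definitions shipped with Logstash).
GROK = {
    "IPORHOST": r"[0-9A-Za-z.:\-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "DATA": r".*?",
    "QS": r'"(?:[^"\\]|\\.)*"',
}

# Pattern from logstash-nginx3.conf with [, ] and " as literals; the :float
# suffix is dropped here and applied in parse_line() instead.
PATTERN = (
    r'%{IPORHOST:clientip} \[%{HTTPDATE:timestamp}\] '
    r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?'
    r'|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) '
    r'%{QS:referrer} %{QS:agent} %{NUMBER:request_time}'
)

def compile_grok(pattern):
    """Expand %{NAME:field} into named regex groups."""
    expand = lambda m: "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

NGINX_RE = compile_grok(PATTERN)

def parse_line(line):
    """Return the extracted fields, or None where grok would fail to match."""
    m = NGINX_RE.fullmatch(line)  # stricter than grok, which is unanchored
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["request_time"] = float(event["request_time"])
    # Python equivalent of the date filter's "dd/MMM/YYYY:HH:mm:ss Z"
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return event

# Constructed sample lines (not from the original post).
GOOD = ('10.1.1.20 [12/Jul/2015:10:15:32 +0300] "GET /index.html HTTP/1.1" '
        '200 612 "-" "curl/7.29.0" 0.004')
# nginx's default "combined" format: extra "- -" fields, no request_time.
COMBINED = ('10.1.1.20 - - [12/Jul/2015:10:15:32 +0300] "GET / HTTP/1.1" '
            '200 612 "-" "curl/7.29.0"')
```

`parse_line(GOOD)` returns the field dictionary; `parse_line(COMBINED)` returns `None`, which is what happens when the access log is still written in the default format instead of the `logstash` one.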


(eric hebert) #6

Thank you for your help. To summarize the situation: I followed the tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-centos-7
I am on centos7 minimal version on a vm virtualbox, @IP=10.82.136.52 in local network. I have no public IP 192.168.xxx, no FQDN. I installed all of ELK on this server with default config but no nginx, no firewall-cmd (not started)

  • elasticsearch 1.4.4 : http://10.82.136.52:9200 => json output. log : zen-disco-join(elected as master) config = network.host=10.xxxxxx
  • logstash : SERVICE_UNAVAILABLE no master log.err : INFO started
  • kibana http://10.xxxxx:5601 => Settings/Indices config index pattern page with NO DEFAULT INDEX PATTERN
    conf= host : "0.0.0.0" elasticsearch_url:"http://10.xxxx:9200"
    log => html response= statuscode 404 GET /logstatsh-*/_mapping
  • logstash-forwarder : connected 10.xxx:5000

Would you please help me solve these issues? We are so near to good results :slight_smile: Best regards.

(Vasiliy V.G.) #7

no ideas.

Elasticsearch looks to be running OK in single-node mode.
Check status in :9200/_cluster/health?human&pretty
and :9200/_cat/nodes?v&ts=0
If it is your first and only Elasticsearch, then change (if not commented out)

index.number_of_replicas: 1 

logstash - check that /var/log/logstash exists and check its permissions.
1.4.x can have chroot problems in /etc/init/logstash; check in bash as root.

kibana - see the logs. Maybe the index is created only in the browser)

"Unable to connect to elasticsearch"

must change to

Found kibana index
Listening on 0.0.0.0:5601

check the proxy, this may be needed

unset http_proxy
