ELK Stack for Parsing your Logs

Reading Time : ~ .

In This Tutorial we will look into parsing your Syslog files and store and display it in an intractable website. We will be using ELK Stack for this purpose before Jumping Into ELK Stack Let's see what each means

E - Elasticsearch: open source search and analytics engine, which stores data and relies on Apache Lucene for searching.

L - LogStash: Logstash is an open source data collection engine with real-time pipelining capabilities. Logstash can dynamically unify data from different sources and normalize the data into destinations of your choice.

K- Kibana: Analytics and visualization platform designed to work with Elasticsearch.which can be used to  search, view, and interact with data stored in Elasticsearch indices.

 Let's setup Nodes to send and receive Log Files

Installing Elasticsearch:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.5.2.deb
sudo dpkg -i elasticsearch-1.5.2.deb
sudo update-rc.d elasticsearch defaults 95 10

Installing Logstash:

wget http://download.elastic.co/logstash/logstash/packages/debian/logstash_1.5.0-1_all.deb
sudo dpkg -i logstash_1.5.0-1_all.deb
sudo update-rc.d logstash defaults 98 2


Configuring log stash:

sudo mkdir -p /etc/pki/tls/certs
sudo mkdir /etc/pki/tls/private
sudo vi /etc/ssl/openssl.cnf

Find the [ v3_ca ] section in the file, and add this line under it:
subjectAltName = IP: logstash_server_ip

cd /etc/pki/tls
sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

This creates cert and key for log stash and log stash forwarder 

Configuration File:
Create a log stash Configuration file in 
sudo nano /etc/logstash/conf.d/<configfile name>

input {
  lumberjack {
    host => "<logstash_server_ip>"
    port => 5090
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
filter{
 if [type] == "syslog" {
    grok {
match => { "message" => "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
}
}
output {
  elasticsearch {   host => "127.0.0.1" }
}

Save and Restart the lost stash. The Receiving Node should be able to parse Syslog messages and store them in ElasticSearch. In Next Tutorial, we will configure sending node to push Syslog  files to our EL Server and also setup Kibana to View Data graphically. For More information on Logstash configurations visit this post.

    By Posted On
SENIOR DEVELOPER at MICROPYRAMID

Need any Help in your Project?Let's Talk

Latest Comments
Related Articles
Celery With Supervisor Siva Chittamuru

Celery is a task queue with focus on real-time processing, while also supports task scheduling. Task queues are used as mechanisms to distribute work across ...

Continue Reading...
Daemonizing any command with SUPERVISOR Ashwin Kumar

Daemonizing a command means to make it run as a background process.

so when we have a command that we want to daemonize there are ...

Continue Reading...
php7 hosting on Ubuntu Server with Nginx(LEMP stack) Ashwin Kumar

PHP7 is the latest version with lot of performance improvements and every one want to update their servers and code to it. Lets see how ...

Continue Reading...

Subscribe To our news letter

Subscribe to our news letter to receive latest blog posts into your inbox. Please fill your email address in the below form.
*We don't provide your email contact details to any third parties