ELK

ELK: Elasticsearch, Logstash, Kibana.

Resources

Installing

First pull the docker image and run it:

download and run the docker image
docker pull sebp/elk
.....
Digest: sha256:8e250160ac22d339e57ba20768137dbeca2187c94082959220569a9318f85134
Status: Downloaded newer image for sebp/elk:latest
metskem@athena:~$ docker run -p 5601:5601 -p 9200:9200 -p 5000:5000 -it --name elk sebp/elk
 * Starting Elasticsearch Server
sysctl: setting key "vm.max_map_count": Read-only file system
   [ OK ]
logstash started.
waiting for Elasticsearch to be up (1/30)
waiting for Elasticsearch to be up (2/30)
waiting for Elasticsearch to be up (3/30)
waiting for Elasticsearch to be up (4/30)
waiting for Elasticsearch to be up (5/30)
waiting for Elasticsearch to be up (6/30)
waiting for Elasticsearch to be up (7/30)
waiting for Elasticsearch to be up (8/30)
 * Starting Kibana4   [ OK ]
[2015-11-14 14:42:40,076][INFO ][node                     ] [Ardroman] initialized
[2015-11-14 14:42:40,077][INFO ][node                     ] [Ardroman] starting ...
[2015-11-14 14:42:40,141][WARN ][common.network           ] [Ardroman] publish address: {0.0.0.0} is a wildcard address, falling back to first non-loopback: {172.17.1.56}
[2015-11-14 14:42:40,141][INFO ][transport                ] [Ardroman] publish_address {172.17.1.56:9300}, bound_addresses {[::]:9300}
[2015-11-14 14:42:40,197][INFO ][discovery                ] [Ardroman] elasticsearch/SGBOqCisRoK5aXakkplosQ
[2015-11-14 14:42:43,259][INFO ][cluster.service          ] [Ardroman] new_master {Ardroman}{SGBOqCisRoK5aXakkplosQ}{172.17.1.56}{172.17.1.56:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2015-11-14 14:42:43,335][WARN ][common.network           ] [Ardroman] publish address: {0.0.0.0} is a wildcard address, falling back to first non-loopback: {172.17.1.56}
[2015-11-14 14:42:43,336][INFO ][http                     ] [Ardroman] publish_address {172.17.1.56:9200}, bound_addresses {[::]:9200}
[2015-11-14 14:42:43,336][INFO ][node                     ] [Ardroman] started
[2015-11-14 14:42:43,337][INFO ][gateway                  ] [Ardroman] recovered [0] indices into cluster_state
[2015-11-14 14:42:55,965][INFO ][cluster.metadata         ] [Ardroman] [.kibana] creating index, cause [api], templates [], shards [1]/[1], mappings [config]
[2015-11-14 14:45:40,093][INFO ][cluster.metadata         ] [Ardroman] [logstash-2015.11.14] creating index, cause [auto(bulk api)], templates [logstash], shards [5]/[1], mappings [logs, _default_]
[2015-11-14 14:45:40,357][INFO ][cluster.metadata         ] [Ardroman] [logstash-2015.11.14] update_mapping [logs]
[2015-11-14 14:46:53,017][INFO ][cluster.metadata         ] [Ardroman] [.kibana] create_mapping [index-pattern]
[2015-11-14 14:47:42,004][INFO ][cluster.metadata         ] [Ardroman] [.kibana] update_mapping [config]
[2015-11-14 14:48:50,680][INFO ][cluster.metadata         ] [Ardroman] [.kibana] create_mapping [dashboard]
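Two host-side checks worth running after the docker run above, as an added example that is not part of these notes or of the sebp/elk image: the container could not set vm.max_map_count (the "Read-only file system" line in the startup log), so it must be set on the host, and `-p` publishes Elasticsearch, Kibana and the Logstash input on every host interface with nothing in front of them. It assumes a Linux host with `ss` and `sysctl`; the `ss` listing embedded below is a constructed sample.

```bash
#!/usr/bin/env bash
# Post-start checks for the ELK container (added example, not from the page).

# Elasticsearch expects vm.max_map_count >= 262144. The container tried to set
# it and failed, so it has to come from the host: sysctl -w vm.max_map_count=262144
max_map_count_ok() {
  # $1: current value, e.g. "$(sysctl -n vm.max_map_count)"
  [ "${1:-0}" -ge 262144 ]
}

# Read `ss -ltn` output on stdin; print (space-separated, ascending) the TCP
# ports listening on all interfaces (0.0.0.0, * or [::]). `-p 5601:5601
# -p 9200:9200 -p 5000:5000` publishes Kibana, Elasticsearch and the Logstash
# input this way, and this stack ships with no authentication on any of them.
wildcard_ports() {
  awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/ {
         n = split($4, a, ":"); print a[n]
       }' | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Run both checks: one line per finding, non-zero exit if anything is off.
# Live usage: ss -ltn | elk_host_report "$(sysctl -n vm.max_map_count)"
elk_host_report() {
  local rc=0 ports
  if ! max_map_count_ok "$1"; then
    echo "vm.max_map_count=$1 is below 262144; set it on the host kernel"
    rc=1
  fi
  ports=$(wildcard_ports)
  if [ -n "$ports" ]; then
    echo "unauthenticated listeners on all interfaces: $ports (bind to 127.0.0.1 or firewall them)"
    rc=1
  fi
  return $rc
}

# Constructed sample of `ss -ltn` output on a host running the container,
# used here so the script can be exercised offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:9200       0.0.0.0:*
LISTEN 0      128    [::]:5601          [::]:*
LISTEN 0      128    *:5000             *:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
ESTAB  0      0      10.0.0.5:46324     10.0.0.9:9200'
```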

Then install filebeat on an active (web)server to get some real log data to process:

download and install filebeat
root@apollo:~# curl -L -O https://download.elastic.co/beats/filebeat/filebeat_1.0.0-rc1_i386.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3390k  100 3390k    0     0  1443k      0  0:00:02  0:00:02 --:--:-- 1443k
 
root@apollo:~# dpkg -i filebeat_1.0.0-rc1_i386.deb 
Selecting previously unselected package filebeat.
(Reading database ... 190915 files and directories currently installed.)
Preparing to unpack filebeat_1.0.0-rc1_i386.deb ...
Unpacking filebeat (1.0.0~rc1) ...
Setting up filebeat (1.0.0~rc1) ...
Processing triggers for ureadahead (0.100.0-16) ...

root@apollo:~# dpkg --listfiles filebeat
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/filebeat
/usr/share/doc/filebeat/changelog.Debian.gz
/usr/bin
/usr/bin/filebeat-god
/usr/bin/filebeat
/etc
/etc/filebeat
/etc/filebeat/filebeat.template.json
/etc/filebeat/filebeat.yml
/etc/init.d
/etc/init.d/filebeat
root@apollo:~#