% Log Management Part 2: Using rsyslog and ELK Stack % % Network Monitoring & Management # Notes * Commands preceded with "$" imply that you should execute the command as a general user - not as root. * Commands preceded with "#" imply that you should be working as root. * Commands with more specific command lines (e.g. "R1X>") imply that you are executing commands on remote equipment, or within another program. # Exercise ##Formatting the Log Data to JSON: $ sudo vi /etc/rsyslog.d/01-json-template.conf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... and add the following lines (carefully COPY and PASTE): ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ template(name="json-template" type="list") { constant(value="{") constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339") constant(value="\",\"@version\":\"1") constant(value="\",\"message\":\"") property(name="msg" format="json") constant(value="\",\"sysloghost\":\"") property(name="hostname") constant(value="\",\"severity\":\"") property(name="syslogseverity-text") constant(value="\",\"facility\":\"") property(name="syslogfacility-text") constant(value="\",\"programname\":\"") property(name="programname") constant(value="\",\"procid\":\"") property(name="procid") constant(value="\"}\n") ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ##Configure the Centralized Server to Send to Logstash: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ sudo vi /etc/rsyslog.d/60-output.conf: # This line sends all lines to defined IP address at port 10514, # using the "json-template" format template *.* @private_ip_logstash:10514;json-template ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ##Configure Logstash to Receive JSON Messages: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ sudo cp /etc/logstash/conf.d/logstash.conf /etc/logstash/conf.d/logstash.conf.orig $ sudo vi /etc/logstash/conf.d/logstash.conf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... and add the following lines (carefully COPY and PASTE): ... replace "logstash_private_ip" with the ip of the rsyslog server ... a port less than 1024 requires logstash to run as root; insecure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # This input block will listen on port 10514 for logs to come in. # host should be an IP on the Logstash server. # codec => "json" indicates that we expect the lines we're receiving to be in JSON format # type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline. input { tcp { host => "logstash_private_ip" port => 10514 codec => "json" type => "rsyslog" } } # This is an empty filter block. You can later add other filters here to further process # your log lines filter { } # This output block will send all events of type "rsyslog" to Elasticsearch at the configured # host and port into daily indices of the pattern, "rsyslog-YYYY.MM.DD" output { if [type] == "rsyslog" { elasticsearch { hosts => [ "elasticsearch_private_ip:9200" ] } } } ##Test Logstash Configuration Changes: $ sudo service logstash configtest ##Start the Logstash Instance: $ sudo service logstash start ##Troubleshoot Logstash Instance $ sudo service logstash stop $ /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --verbose ##Restart rsyslog $ sudo service rsyslog restart ##To verify that Logstash is listening on port 10514: netstat -na | grep 10514 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Output of netstat tcp 0 0 10.128.33.68:10514 :::* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ##Verifying Elasticsearch Input: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ...on rsyslog-client, execute the following command: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ sudo tail /var/log/auth.log ... May 2 16:43:15 rsyslog-client sudo: sammy : TTY=pts/0 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log May 2 16:43:15 rsyslog-client sudo: pam_unix(sudo:session): session opened for user root by sammy(uid=0) ... $ curl -XGET 'http://elasticsearch_ip:9200/_all/_search?q=*&pretty'