PART 2 INSTALL ELASTICSEARCH 6 CLUSTER FOR CENTRALIZED SYSLOG

If you have not read the PART1 document, check below.

PART 1 INSTALL ELASTICSEARCH 6 CLUSTER FOR CENTRALIZED SYSLOG

This part describes how to centralize the logs that syslog generates or receives (on Ubuntu this is rsyslog) into Elasticsearch. With the data in one place, it is easier to audit security events, monitor application behaviour, and keep track of other important server information.

Setup rsyslog

Now configure rsyslog to receive syslog messages from other hosts.

sudo nano /etc/rsyslog.conf

Enable the imudp module: uncomment the two imudp lines (the module load and the UDP port 514 input) that Ubuntu ships commented out.

After saving the file and restarting rsyslog, the host is ready to receive remote syslog. Confirm that the socket is bound with sudo netstat -ulnp | grep 514 (or ss -ulnp); a bare netstat | grep 514 lists established connections, not listening UDP sockets, and shows nothing.

If a firewall is enabled, open UDP port 514, but only to the hosts or subnet that will send logs: syslog over UDP is unauthenticated and source addresses are trivial to spoof, so a rule open to the whole internet lets anyone inject forged log lines into your audit trail. The link below shows how to add the rule with ufw.

https://asecurity.so/2017/12/ubuntu-firewall-setting-by-ufw/

sudo service rsyslog restart
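The receiver setup above as a small script, added here as an example and not part of the original post. It uncomments the stock imudp lines in an rsyslog.conf whose path is passed as a parameter (so the edit can be tried on a copy first), opens UDP 514 only to an assumed sender subnet of 10.0.0.0/24 rather than to everyone, and checks the listening socket with the netstat flags that actually show UDP listeners. The subnet, the file path, and the presence of ss or netstat are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's commands): enable rsyslog's UDP
# receiver, restrict who may reach it, and verify the socket.
set -eu

# Uncomment the two imudp lines that Ubuntu ships commented out. Both the
# current syntax (module()/input()) and the legacy syntax ($ModLoad) are handled.
enable_imudp() {
  conf="${1:-/etc/rsyslog.conf}"
  sed -i \
    -e 's/^#\(module(load="imudp")\)/\1/' \
    -e 's/^#\(input(type="imudp" port="514")\)/\1/' \
    -e 's/^#\(\$ModLoad imudp\)/\1/' \
    -e 's/^#\(\$UDPServerRun 514\)/\1/' \
    "$conf"
}

# True when the file loads imudp on an uncommented line.
imudp_enabled() {
  grep -Eq '^(module\(load="imudp"\)|\$ModLoad imudp)' "${1:-/etc/rsyslog.conf}"
}

# Allow UDP 514 only from the subnet holding the log senders (assumed
# 10.0.0.0/24 here). Syslog over UDP carries no authentication, so a blanket
# "ufw allow 514/udp" would let any host on the internet forge log entries.
open_syslog_port() {
  sender_net="${1:-10.0.0.0/24}"
  ufw allow from "$sender_net" to any port 514 proto udp
}

# Run after "service rsyslog restart". netstat needs -u (UDP) and -l
# (listening) to show the receiver; a bare "netstat | grep 514" shows nothing.
verify_listening() {
  ss -ulnp 2>/dev/null | grep -q ':514 ' || netstat -ulnp | grep -q ':514 '
}
```

Typical use on the collector: enable_imudp, then sudo service rsyslog restart, then verify_listening and open_syslog_port with your senders' subnet.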

Make an rsyslog JSON template for the log data

Elasticsearch accepts documents only as JSON, so the data rsyslog collects has to be rendered as JSON before it is forwarded.

To do this, create an rsyslog template that formats each syslog message as a JSON document.

sudo nano /etc/rsyslog.d/01-json-template.conf

It is convenient to copy and use the following contents.

 

Forward the log data (JSON format) towards Elasticsearch

Now that the template exists, configure rsyslog to export its messages with it.

sudo nano /etc/rsyslog.d/60-output.conf

It is convenient to copy and use the following contents.
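The two rsyslog fragments described in this section and the previous one (the JSON template and the forwarding rule), written out as an added example that is not the post's own configuration. The field names in the document, the Logstash address 127.0.0.1:10514 (a port separate from the 514 receiver so the two do not collide), and the target-directory parameter are assumptions; the directory defaults to /etc/rsyslog.d but can point at a scratch directory to preview the files.

```shell
#!/bin/sh
# Added example (not the original post's files): writes the rsyslog JSON
# template and the forwarding rule that uses it.
set -eu

# Where Logstash listens for the JSON copy (assumed values).
LOGSTASH_HOST="${LOGSTASH_HOST:-127.0.0.1}"
LOGSTASH_PORT="${LOGSTASH_PORT:-10514}"

write_json_template() {
  dir="${1:-/etc/rsyslog.d}"
  cat > "$dir/01-json-template.conf" <<'EOF'
# One JSON document per message. format="json" escapes quotes, backslashes
# and control characters in the message body; without it a single quote in
# a log line would produce a broken document that Logstash cannot parse.
template(name="json-template" type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"sysloghost\":\"")  property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname")
      constant(value="\",\"procid\":\"")      property(name="procid")
    constant(value="\"}\n")
}
EOF
}

write_output_conf() {
  dir="${1:-/etc/rsyslog.d}"
  # A single @ means UDP; *.* forwards every facility and severity,
  # rendered with the template above.
  printf '*.* @%s:%s;json-template\n' "$LOGSTASH_HOST" "$LOGSTASH_PORT" \
    > "$dir/60-output.conf"
}

# Parse the whole rsyslog configuration without starting the daemon, so a
# typo in the template is caught before "service rsyslog restart".
check_rsyslog_config() {
  rsyslogd -N1 -f /etc/rsyslog.conf
}
```

Run write_json_template and write_output_conf, then check_rsyslog_config before restarting rsyslog; the forwarding rule sends every message, so tighten the selector (for example auth,authpriv.*) if only security logs should leave the host.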

Install and configure Logstash

rsyslog now converts syslog to JSON and sends it on. Next, configure Logstash to receive that data from rsyslog and forward it to Elasticsearch.

First install Logstash.

sudo apt-get install logstash

Open and edit the default configuration file to receive Rsyslog messages.

sudo nano /etc/logstash/conf.d/logstash.conf

It is convenient to copy and use the following contents.

 
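A Logstash pipeline matching the setup described above, added as an example rather than the post's own file. It assumes rsyslog forwards JSON to 127.0.0.1:10514, that Elasticsearch is reachable as elasticsearch_private_ip:9200 (the placeholder this post uses), and an index name of syslog-YYYY.MM.dd; the directory parameter exists so the file can be written somewhere harmless first. Logstash is bound to loopback because the rsyslog-to-Logstash hop is unauthenticated: any host that can reach the port can inject arbitrary "syslog" documents.

```shell
#!/bin/sh
# Added example (not the original post's file): Logstash pipeline that takes
# rsyslog's JSON over UDP and indexes it into Elasticsearch.
set -eu

# Assumed addresses.
ES_HOST="${ES_HOST:-elasticsearch_private_ip}"
LS_BIND="${LS_BIND:-127.0.0.1}"
LS_PORT="${LS_PORT:-10514}"

write_logstash_conf() {
  dir="${1:-/etc/logstash/conf.d}"
  cat > "$dir/logstash.conf" <<EOF
input {
  udp {
    # Loopback only: the forwarding hop has no authentication.
    host => "${LS_BIND}"
    port => ${LS_PORT}
    # rsyslog already produced JSON, so no grok parsing is needed.
    codec => "json"
    type => "rsyslog"
  }
}

filter {
  # The json codec tags events it could not decode. Drop them so a
  # malformed line cannot create a document with an unexpected shape.
  if "_jsonparsefailure" in [tags] {
    drop { }
  }
}

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "${ES_HOST}:9200" ]
      index => "syslog-%{+YYYY.MM.dd}"
    }
  }
}
EOF
}

# Logstash 6 validates a pipeline with --config.test_and_exit; the old
# "service logstash configtest" helper is not in the 6.x packages.
check_logstash_conf() {
  /usr/share/logstash/bin/logstash --path.settings /etc/logstash \
    --config.test_and_exit -f "${1:-/etc/logstash/conf.d/logstash.conf}"
}

# Pull the newest documents back out of the cluster to confirm ingest.
query_recent() {
  curl -s "http://${ES_HOST}:9200/syslog-*/_search?sort=@timestamp:desc&size=5&pretty"
}
```

Write the file, run check_logstash_conf, start Logstash, restart rsyslog, then query_recent should return the newest syslog documents with the fields the rsyslog template produced.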

With this file in place, Logstash has an input that receives rsyslog's JSON and an output that writes it to Elasticsearch.

Validate the configuration before starting it. The service logstash configtest helper from the old 2.x init script is not shipped with Logstash 6; the equivalent is the binary's test-and-exit flag:

sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit

If it prints “Configuration OK”, there are no syntax errors. Start Logstash and restart rsyslog:

sudo service logstash start

sudo service rsyslog restart

Now query Elasticsearch with curl to confirm that the logs are being indexed:

curl -XGET 'http://elasticsearch_private_ip:9200/_all/_search?pretty'

Note that this query needs no credentials: Elasticsearch 6 does not authenticate requests on port 9200 unless X-Pack security is enabled, so keep 9200 reachable only from the Logstash host and administrators (the firewall article linked above applies here too).
