Starting Clean - Kibana

scottalanmiller

@DustinB3403 said in Starting Clean - Kibana:

Well then what is wrong here, I'm about fed up with trying to figure this Kibana out..

Figure out Logstash and Filebeat, the rest will take care of itself. RIght now, Filebeat isn't running. Start there. Why isn't it starting. Look at the logs.

DustinB3403

Looking right so far?

scottalanmiller

Yup, it is up and running now. Now monitor the logs, it should tell you when log egress happens.

DustinB3403

So in a sidebar conversation with @scottalanmiller

I don't have any new logs in /var/log on XS6.5

So where else should I look for this?

(Same on the logging server)

Danp

@DustinB3403 Did you use XC to change the logging to a remote location?

DustinB3403

@Danp said in Starting Clean - Kibana:

@DustinB3403 Did you use XC to change the logging to a remote location?

Yes.

Danp

@DustinB3403 Then it stops writing to the local logs in some cases as described at the bottom of this article.

DustinB3403

OK I'm done with this trial......

I'm just going in circles and before I break something I need a breather...

Dashrender

Damn - I'm glad Dustin ran through this first I think I would have been pulling my hair out LONG before he did.

Dustin (and I) want NO local logging on our XS boxes. We would love to have this log information inside something like ELK where we can do easy searches and graphs on it.

If Filebeat forwards the local logs to the ELK server how do we get a situation where no local logs are stored on the XS boxes?

Do we seriously have to setup a syslog server in the middle that does nothing but collect logs and run Filebeat, which then forwards the syslog's logs to the ELK server?

Dashrender

Hopefully there is a way to send the logs to Logstash directly, instead of sending them via Filebeat.

scottalanmiller

@DustinB3403 said in Starting Clean - Kibana:

@Danp said in Starting Clean - Kibana:

@DustinB3403 Did you use XC to change the logging to a remote location?

Yes.

Check the logs there, then.

scottalanmiller

@Dashrender said in Starting Clean - Kibana:

Hopefully there is a way to send the logs to Logstash directly, instead of sending them via Filebeat.

Of course, syslog, which you are already running. But Filebeat makes Logstash ingest easier.

Dashrender

@scottalanmiller said in Starting Clean - Kibana:

@DustinB3403 said in Starting Clean - Kibana:

@Danp said in Starting Clean - Kibana:

@DustinB3403 Did you use XC to change the logging to a remote location?

Yes.

Check the logs there, then.

I'm guessing there is not there - because the 'there' that he is forwarding them to is the ELK server.

scottalanmiller

@Dashrender said in Starting Clean - Kibana:

@scottalanmiller said in Starting Clean - Kibana:

@DustinB3403 said in Starting Clean - Kibana:

@Danp said in Starting Clean - Kibana:

@DustinB3403 Did you use XC to change the logging to a remote location?

Yes.

Check the logs there, then.

I'm guessing there is not there - because the 'there' that he is forwarding them to is the ELK server.

You can't both forward to ELK and use Filebeat!!
Of course this isn't working.

scottalanmiller

@Dashrender said in Starting Clean - Kibana:

Hopefully there is a way to send the logs to Logstash directly, instead of sending them via Filebeat.

https://www.digitalocean.com/community/tutorials/how-to-centralize-logs-with-rsyslog-logstash-and-elasticsearch-on-ubuntu-14-04

DustinB3403

@scottalanmiller migth I ask you try doing this very same thing on an XS installation and outline exactly what you do so that others can replicate it.

As it is now, I'm beyond upset with just trying to get this going.

BRRABill

@Dashrender said

Dustin (and I) want NO local logging on our XS boxes.

The only way I ever got this to work was the "dirty little trick" that is mentioned in the comments of that article.

Because on mine, it kept writing locally REGARDLESS of what I did.

@scottalanmiller determined the best way was to move /var/logs

Dashrender

@scottalanmiller said in Starting Clean - Kibana:

@Dashrender said in Starting Clean - Kibana:

Hopefully there is a way to send the logs to Logstash directly, instead of sending them via Filebeat.

Of course, syslog, which you are already running. But Filebeat makes Logstash ingest easier.

You've lost me. you say of course, syslog, but Dustin took down the syslog server when he stood the ELK server up, because the assumption was/is that the ELK server replaced the syslog server.

scottalanmiller

@Dashrender said in Starting Clean - Kibana:

@scottalanmiller said in Starting Clean - Kibana:

@Dashrender said in Starting Clean - Kibana:

Hopefully there is a way to send the logs to Logstash directly, instead of sending them via Filebeat.

Of course, syslog, which you are already running. But Filebeat makes Logstash ingest easier.

You've lost me. you say of course, syslog, but Dustin took down the syslog server when he stood the ELK server up, because the assumption was/is that the ELK server replaced the syslog server.

Huh? If he turned off the syslogging server, then there ARE no logs to send on. So that explains everything. Syslog is the logging service. Without it, there are no logs to send anywhere.

scottalanmiller

Syslog is the process that writes the logs. Without it, logs don't exist. They don't get written locally, they don't get sent anywhere, Filebeat has nothing to read....