enotspe
commented
4 years ago Hi @asrocha ,
You first have to deploy (or install) Elasticsearch (and Kibana). I use Elastic Cloud, so I didn´t have to install anythingh really. Then, you have to install Logstash. I normally install it on a Centos sever, it is pretty straighforward actually. You can follow this link for it. There are some recomendations I would suggest:
- Check firewall rules on your server. This is pretty basic but I can give you a hard time if you forget to open the ports you use for ingesting traffic.
- Configure your env variable in case you can your logstash hostname on your logs (I manage serveral logstash, so it comes in handy): add HOSTNAME="myhostname" to /etc/default/logstash when running logstash as a service
- Increase your heap: on jvm.options files inside /etc/logstash, you should change those values -Xms1g -Xmx1g If you use a dedicated server, you can assing 40% of RAM to your heap, considerar that heap could not go higher than 8GB. However I got a logstash where I haven´t tweaked this value and is performing great.
- Configure your logstash.yml. I manage my pipelines from Kibana, so basically here I just put all the pipelines.id I want my logstash to run. And I load all the pipelines in Kibana.
- Finally, in Kabana, load on saved objects the .ndjson. On index templates, load the templates.
That´s pretty much it. I will also remmend you suscribe to the Elastic slack channel. I have found great advise there as well. My knowledge is on Fortinet, not ES, so we are all learning on this ES journey.
I will be posting revised version of pipelines, templates and dashboards soon.
Hi, I m not a ELK, specialist ! I trying use it in my ELK, but I can t install. There is a help of where I put each file ?