Sync with ELK 7.x

Warning

Be sure you are running ELK (Elasticsearch, Filebeat and Kibana) with a version newer than 7.3.2.

As usual, please get in touch if you need any clarification or help.

This process will allow you to connect your OwlH environment directly to ELK.

You will do:

  • install filebeat on OwlH Nodes
  • install OwlH-Filebeat module
  • import OwlH-Kibana objects in Kibana
  • load OwlH template in Elasticsearch
  • modify Filebeat main configuration to include OwlH module

Note

Please check the URLs and paths so that you run the right commands, and adapt the command lines as needed.

Install Filebeat in your OwlH Nodes

  1. Import the GPG key:

    # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
  3. Install Filebeat:

    # yum install filebeat
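
The following is an added example, not part of the OwlH documentation, that checks the installed Filebeat against the version requirement stated in the warning at the top of this page. It parses the output of `filebeat version` and compares the components numerically, so a 7.10.x release is not misjudged as older than 7.3.2 by a plain string comparison. The sample version line in the comments is constructed in the Filebeat 7 format.

```shell
#!/bin/sh
# Added example (not from the OwlH docs): confirm the installed Filebeat is
# newer than 7.3.2, the minimum this guide requires.

MIN_VERSION="7.3.2"

# Pull the first dotted x.y.z token out of a "filebeat version" line.
# Constructed sample of that line:
#   filebeat version 7.9.3 (amd64), libbeat 7.9.3 [abc built 2020-10-16 09:41:03 +0000 UTC]
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# Print "lt", "eq" or "gt" for $1 compared with $2, component by component,
# so 7.10.0 sorts after 7.9.3 (a string compare would get that wrong).
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) { print "gt"; exit }
            if (xi < yi) { print "lt"; exit }
        }
        print "eq"
    }'
}

# Exit 0 only if $1 is strictly newer than MIN_VERSION (the page says ">7.3.2").
meets_minimum() {
    [ "$(version_cmp "$1" "$MIN_VERSION")" = "gt" ]
}

# Run on a node after "yum install filebeat"; needs filebeat on PATH.
check_installed_filebeat() {
    if ! command -v filebeat >/dev/null 2>&1; then
        echo "filebeat not found on PATH" >&2
        return 2
    fi
    v=$(extract_version "$(filebeat version 2>/dev/null)")
    if meets_minimum "$v"; then
        echo "filebeat $v OK (newer than $MIN_VERSION)"
    else
        echo "filebeat $v is not newer than $MIN_VERSION; upgrade before continuing" >&2
        return 1
    fi
}

# Only touch the live system when explicitly asked: RUN_FILEBEAT_CHECK=1 sh check.sh
if [ "${RUN_FILEBEAT_CHECK:-0}" = "1" ]; then
    check_installed_filebeat
fi
```

Run it on each OwlH node with `RUN_FILEBEAT_CHECK=1 sh check.sh`; a non-zero exit means the node should be upgraded before the module is installed.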
    

Download and configure

# cd /tmp
# mkdir /tmp/owlhfilebeat
# cd /tmp/owlhfilebeat
# wget repo.owlh.net/fbit/owlh-module.tar.gz
# tar -C /tmp/owlhfilebeat -xf owlh-module.tar.gz

Install OwlH module

# tar -C /usr/share/filebeat/module/ -xf /tmp/owlhfilebeat/owlh-filebeat-7.9.x.tar.gz

Modify Filebeat

Modify Filebeat configuration

# cp /tmp/owlhfilebeat/filebeat.yml /etc/filebeat/filebeat.yml

Attention

Be sure to update your filebeat.yml file so that it points to your Elasticsearch server.
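
The following is an added example, not the OwlH project's own configuration, of what the edit in this step typically involves and how to check it before restarting. It renders the `output.elasticsearch` section to replace the one in the downloaded filebeat.yml, keeps the Elasticsearch password in the Filebeat keystore instead of in the file, and checks that the module tarball landed where Filebeat looks for modules. The host `es.example.internal:9200`, the user `filebeat_writer`, the CA path and the module directory name `owlh` are placeholders and assumptions; the module check assumes the standard Filebeat layout of one `manifest.yml` per fileset.

```shell
#!/bin/sh
# Added example, not from the OwlH docs: build the output.elasticsearch section
# for /etc/filebeat/filebeat.yml, keep the password out of the file via the
# Filebeat keystore, and sanity-check the module install before restarting.

# Placeholders: override through the environment or edit before use.
ES_HOST="${ES_HOST:-es.example.internal:9200}"       # your Elasticsearch host:port
ES_USER="${ES_USER:-filebeat_writer}"                # a user allowed to write the owlh indices
ES_CA="${ES_CA:-/etc/filebeat/certs/ca.crt}"         # CA that signed the Elasticsearch cert
MODULE_DIR="${MODULE_DIR:-/usr/share/filebeat/module}"
MODULE_NAME="${MODULE_NAME:-owlh}"                   # assumed directory name of the extracted module

# Print the output section to paste over the one in the downloaded filebeat.yml.
# ${ES_PWD} is resolved by Filebeat from its keystore at run time, so the
# password never lands in the file (the backslash stops the shell expanding it).
render_es_output() {
    cat <<EOF
output.elasticsearch:
  hosts: ["${ES_HOST}"]
  protocol: "https"
  username: "${ES_USER}"
  password: "\${ES_PWD}"
  ssl.certificate_authorities: ["${ES_CA}"]
  ssl.verification_mode: "full"
EOF
}

# Reads YAML on stdin; exits 0 if a password: line carries a literal value
# instead of a ${KEY} keystore reference, i.e. a secret sits in clear text.
has_plaintext_password() {
    grep -E '^[[:space:]]*password:' | grep -vqF '${'
}

# A Filebeat module is module/<name>/<fileset>/manifest.yml (standard layout,
# assumed to hold for the OwlH module). Exits 0 if at least one fileset exists.
module_installed() {
    dir="$1/$2"
    [ -d "$dir" ] || return 1
    for manifest in "$dir"/*/manifest.yml; do
        [ -f "$manifest" ] && return 0
    done
    return 1
}

# Run on the node, as root, after editing filebeat.yml. The password comes from
# the ES_PASSWORD environment variable so it is not typed into shell history.
apply_and_test() {
    module_installed "$MODULE_DIR" "$MODULE_NAME" || {
        echo "module $MODULE_NAME not found under $MODULE_DIR" >&2; return 1; }
    has_plaintext_password < /etc/filebeat/filebeat.yml && {
        echo "filebeat.yml still holds a clear-text password" >&2; return 1; }
    filebeat keystore create --force
    printf '%s' "${ES_PASSWORD:?set ES_PASSWORD first}" | filebeat keystore add ES_PWD --stdin --force
    filebeat test config -c /etc/filebeat/filebeat.yml   # syntax and option check
    filebeat test output -c /etc/filebeat/filebeat.yml   # TLS handshake and auth against ES_HOST
}

# Only touch the live system when explicitly asked: RUN_FILEBEAT_APPLY=1 sh apply.sh
if [ "${RUN_FILEBEAT_APPLY:-0}" = "1" ]; then
    apply_and_test
fi
```

`render_es_output` prints the section to merge into filebeat.yml; `filebeat test output` then performs the actual TLS connection and login against the configured host, which catches a wrong CA or rejected credentials before the service is restarted.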

Once Filebeat is restarted (next step) you should be done: Kibana will show the OwlH dashboards in its Dashboards section and the owlh indices in Discover.

Restart Filebeat

# systemctl restart filebeat

Check Filebeat output

# journalctl -f -u filebeat

From your web browser, open Kibana -> Discover and check that the owlh indices are present.
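
As an added example, not from the OwlH documentation, here is a small helper for the two checks above: it triages the `journalctl` output rather than reading it by eye (level counts, plus each failed output connection mapped to the part of the setup to fix) and, when asked, lists the `owlh*` indices directly from Elasticsearch with the `_cat/indices` API. The sample journal lines are constructed in the Filebeat 7 log format; the host names, IP address, user name and CA path are placeholders.

```shell
#!/bin/sh
# Added example, not from the OwlH docs: triage "journalctl -u filebeat" output
# and list the owlh* indices straight from Elasticsearch.
# Hosts, IPs and user names below are placeholders.

ES_HOST="${ES_HOST:-es.example.internal:9200}"
ES_USER="${ES_USER:-filebeat_writer}"
ES_CA="${ES_CA:-/etc/filebeat/certs/ca.crt}"

# Constructed sample in the Filebeat 7 journal format: two failed output
# connections, one network-related and one credential-related.
SAMPLE_LOG='Oct 12 10:00:01 owlh-node1 filebeat[1234]: 2020-10-12T10:00:01.000Z  INFO  instance/beat.go:455  filebeat start running.
Oct 12 10:00:02 owlh-node1 filebeat[1234]: 2020-10-12T10:00:02.000Z  INFO  [publisher_pipeline_output]  pipeline/output.go:143  Connecting to backoff(elasticsearch(https://es.example.internal:9200))
Oct 12 10:00:03 owlh-node1 filebeat[1234]: 2020-10-12T10:00:03.000Z  ERROR  [publisher_pipeline_output]  pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://es.example.internal:9200)): Get "https://es.example.internal:9200": dial tcp 10.0.0.5:9200: connect: connection refused
Oct 12 10:00:10 owlh-node1 filebeat[1234]: 2020-10-12T10:00:10.000Z  ERROR  [publisher_pipeline_output]  pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://es.example.internal:9200)): 401 Unauthorized: {"error":{"type":"security_exception","reason":"unable to authenticate user [filebeat_writer]"}}
Oct 12 10:00:15 owlh-node1 filebeat[1234]: 2020-10-12T10:00:15.000Z  WARN  [elasticsearch]  elasticsearch/client.go:408  Cannot index event publisher.Event{...}: 400 Bad Request'

# Number of journal lines at one level (INFO, WARN, ERROR); reads stdin.
count_level() {
    grep -cE "[[:space:]]$1[[:space:]]" || true
}

# Distinct reasons Filebeat gave for failing to reach its output; reads stdin.
connect_failures() {
    sed -n 's/.*Failed to connect to backoff([^)]*)): *//p' | sort -u
}

# Map one failure reason to the part of the setup to fix.
classify_failure() {
    case "$1" in
        *"connection refused"*|*"no route to host"*|*"i/o timeout"*)
            echo "network: Elasticsearch not reachable from this node (host, port, firewall)" ;;
        *"401 Unauthorized"*|*"security_exception"*)
            echo "auth: Elasticsearch rejected the username/password in filebeat.yml" ;;
        *"x509"*|*"certificate"*)
            echo "tls: server certificate not trusted; check ssl.certificate_authorities" ;;
        *)  echo "other: $1" ;;
    esac
}

# Summarise a journal capture (stdin): level counts, then each failure classified.
triage() {
    log=$(cat)
    for lvl in INFO WARN ERROR; do
        printf '%-5s %s\n' "$lvl" "$(printf '%s\n' "$log" | count_level "$lvl")"
    done
    printf '%s\n' "$log" | connect_failures | while IFS= read -r reason; do
        classify_failure "$reason"
    done
}

# Ask Elasticsearch directly which owlh* indices exist (curl prompts for the password).
list_owlh_indices() {
    curl -sS --cacert "$ES_CA" -u "$ES_USER" "https://${ES_HOST}/_cat/indices/owlh*?v"
}

# Only read the live journal when explicitly asked: RUN_FILEBEAT_TRIAGE=1 sh triage.sh
if [ "${RUN_FILEBEAT_TRIAGE:-0}" = "1" ]; then
    journalctl -u filebeat --no-pager -n 500 | triage
    list_owlh_indices
fi
```

On the constructed sample, `triage` reports two INFO, one WARN and two ERROR lines and classifies the two connection failures as a network problem and an authentication problem; if the index listing comes back empty after the journal is clean, the usual remaining cause is that no OwlH events have been produced yet on the node.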