Central Log Service (CLS) for Linux Servers


Introduction

  • These instructions are specific to our environment
  • Note: Journalbeat has been absorbed into Filebeat. See "Configuring CLS for Linux Endpoints" for systems that do NOT require journald
  • Follow the APT or YUM installation below as appropriate to your OS
  • Prerequisites: Terminal, vi, administrative access
  • There are modules and processors available that are not covered here. Contact CLS if this might be useful for you.

Instructions

Linux Filebeat APT repo install

  1. Download and install the Public Signing Key:
  2. You may need to install the apt-transport-https package on Debian before proceeding:
    • sudo apt-get install apt-transport-https
  3. Save the repository definition to /etc/apt/sources.list.d/elastic-8.x.list with this command:
  4. Update the repo and install Filebeat:
    • sudo apt-get update && sudo apt-get install filebeat
  5. Make the directory for certificates:
    • sudo mkdir /etc/filebeat/certs/
  6. Using a web browser, download this certificate:
  7. Copy the certificate into /etc/filebeat/certs/
  8. Use the configuration instructions below to configure, start and test Filebeat

Linux Filebeat YUM repo install

  1. Download and install the Public Signing Key:
  2. Create an elastic.repo file in your /etc/yum.repos.d/ directory. Add the following 8 lines, save and close the file:
    [elastic-8.x]
    name=Elastic repository for 8.x packages
    baseurl=https://artifacts.elastic.co/packages/8.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
  3. Your repository is ready to use
  4. Install Filebeat by running:
    • sudo yum install filebeat
  5. Make the directory for certificates:
    • sudo mkdir /etc/filebeat/certs/
  6. Using a web browser, download this certificate:
  7. Copy the certificate into /etc/filebeat/certs/
  8. Use the configuration instructions below to configure, start and test Filebeat
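
The APT and YUM procedures above, as one added shell script that is not the CLS page's own tooling. It does what the two lists describe: imports the Elastic signing key, writes the repository definition, installs Filebeat, creates /etc/filebeat/certs and downloads the CLS certificate. Assumptions not on this page: the APT package URL (https://artifacts.elastic.co/packages/8.x/apt, taken from Elastic's public docs), the keyring path /usr/share/keyrings/elastic-keyring.gpg, and the certificate link, which you must supply in CLS_CERT_URL because the page does not reproduce it. The APT path uses a signed-by keyring rather than the deprecated apt-key, so the Elastic key can only authenticate the Elastic repository.

```shell
#!/bin/sh
# Added example, not the CLS page's script. Installs the Elastic 8.x repo and Filebeat.
# Assumed values (not on the page): APT baseurl, KEYRING path, and CLS_CERT_URL.
set -eu

ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
KEYRING="/usr/share/keyrings/elastic-keyring.gpg"   # assumed path

detect_pkg_manager() {
    if command -v apt-get >/dev/null 2>&1; then echo apt
    elif command -v dnf >/dev/null 2>&1; then echo dnf
    elif command -v yum >/dev/null 2>&1; then echo yum
    else echo unknown; fi
}

# APT source line pinned to the dearmored key via signed-by (apt-key is deprecated
# and would trust the key for every repository on the system).
apt_source_line() {
    printf 'deb [signed-by=%s] https://artifacts.elastic.co/packages/8.x/apt stable main\n' "$KEYRING"
}

# The 8-line repo definition from the page; gpgcheck=1 makes rpm verify package signatures.
yum_repo_file() {
    cat <<'EOF'
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
}

install_apt() {
    sudo apt-get install -y apt-transport-https gnupg curl
    curl -fsSL "$ELASTIC_KEY_URL" | sudo gpg --dearmor -o "$KEYRING"
    apt_source_line | sudo tee /etc/apt/sources.list.d/elastic-8.x.list >/dev/null
    sudo apt-get update && sudo apt-get install -y filebeat
}

install_yum() {   # $1 is dnf or yum
    sudo rpm --import "$ELASTIC_KEY_URL"
    yum_repo_file | sudo tee /etc/yum.repos.d/elastic.repo >/dev/null
    sudo "$1" install -y filebeat
}

fetch_cert() {
    sudo mkdir -p /etc/filebeat/certs
    sudo curl -fsSL "$CLS_CERT_URL" -o /etc/filebeat/certs/cls.crt
}

main() {
    pm="$(detect_pkg_manager)"
    case "$pm" in
        apt) install_apt ;;
        dnf|yum) install_yum "$pm" ;;
        *) echo "unsupported package manager" >&2; return 1 ;;
    esac
    fetch_cert
}

# Only install when explicitly asked, so the functions can be sourced and inspected first.
if [ "${CLS_RUN_INSTALL:-0}" = "1" ]; then
    : "${CLS_CERT_URL:?set CLS_CERT_URL to the certificate link on this page}"
    main
fi
```

Run it as `CLS_RUN_INSTALL=1 CLS_CERT_URL=https://... sh install-filebeat.sh`; without CLS_RUN_INSTALL=1 it only defines the functions. After it finishes, continue with the configuration steps below.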

Configure Filebeat

  1. Download this custom filebeat.yml file and copy it to /etc/filebeat/, replacing the existing one
  2. It is already configured to send /var/log/messages and the journald journal to our servers
  3. Open the custom filebeat.yml file you copied to /etc/filebeat/ with vi or other plain text editor. You will need to sudo to edit.
  4. In the "Filebeat inputs Fields" section, edit the following:
    1. id: "my-journald-id" - replace "my-journald-id" with a unique id of your choice for this input. Filebeat keys its journal read position on this id, so two inputs must never share one
    2. tier: "tier" - replace with tier: "prod", tier: "dev", tier: "pprd" or tier: "endpoint" as appropriate
    3. name: "server journald" - replace "server journald" with a name of your choice that describes what the device does, such as "firewall journald" or "Apache journald"
  5. In the "General" section, edit the following. These values will be overridden by any values you specify for inputs 
    1. name: "service_name" - replace with the service name of your choice
    2. service_id: "edu.vt.org.service.name" - replace with an id of your choice that describes your service, such as service_id: "edu.vt.hokies.webserver" or "edu.vt.hokies.workstation" 
    3. host: "host-name" - replace "host-name" with a name of your choice that identifies the sending device
    4. index: "vt_logstash" - replace "vt_logstash" with the index name that was created in your consultation with CLS
  6. Save and close filebeat.yml
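
The edits in steps 4 and 5, as an added shell helper that renders a filebeat.yml of the layout described above from the values you chose; this is not the CLS custom filebeat.yml, which you should still download. Assumptions not on the page: that tier and name sit under the input's fields: block and that service_id, host and index sit under the general fields: block, the Logstash hostname and port, and the certificate file name under /etc/filebeat/certs. The output block shows the setting the certificate exists for: ssl.certificate_authorities pins the CLS server's identity and verification_mode: full rejects a certificate whose name does not match the host.

```shell
#!/bin/sh
# Added example, not the CLS custom filebeat.yml. Renders the configuration layout the
# page describes; field placement, Logstash host and CA file name are assumptions.
set -eu

render_filebeat_yml() {
    # $1 input id, $2 tier, $3 input name, $4 beat name, $5 service_id, $6 host, $7 index
    cat <<EOF
filebeat.inputs:
  # journald input; "id" must be unique per input because Filebeat keys its
  # read cursor on it, so a reused id resends or skips journal entries
  - type: journald
    id: "$1"
    fields:
      tier: "$2"
      name: "$3"

  # /var/log/messages as on the page; ignore_older stops rotated history replaying
  - type: filestream
    id: "$1-messages"
    paths:
      - /var/log/messages
    ignore_older: 24h

# General section: input-level fields above win over these on a name clash
name: "$4"
fields:
  service_id: "$5"
  host: "$6"
  index: "$7"

# Output: assumed Logstash endpoint; the CA copied to /etc/filebeat/certs pins the
# server identity and verification_mode full also checks the hostname
output.logstash:
  hosts: ["cls-logstash.example.edu:5044"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/cls.crt"]
  ssl.verification_mode: full
EOF
}

# tier must be one of the four values the page allows
valid_tier() {
    case "$1" in prod|dev|pprd|endpoint) return 0 ;; *) return 1 ;; esac
}

# Write the rendered file and run the same checks as the "Test Filebeat" section
write_config() {
    valid_tier "$2" || { echo "tier must be prod, dev, pprd or endpoint, got: $2" >&2; return 1; }
    render_filebeat_yml "$@" | sudo tee /etc/filebeat/filebeat.yml >/dev/null
    sudo filebeat test config && sudo filebeat test output
}

# Usage (runs only when invoked directly with CLS_WRITE_CONFIG=1):
#   CLS_WRITE_CONFIG=1 sh render-config.sh apache-journald prod "Apache journald" \
#       hokies-web edu.vt.hokies.webserver web01 vt_logstash
if [ "${CLS_WRITE_CONFIG:-0}" = "1" ]; then
    write_config "$@"
fi
```

If /var/log/messages does not exist on your distribution, drop the filestream input; the journald input already carries the same syslog events.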

Test Filebeat

  1. Open Terminal 
  2. Check the configuration file is syntactically correct with this command:
    • sudo filebeat -c filebeat.yml test config
  3. Terminal should return "Config OK." Otherwise, correct errors and test again
  4. Test output with this command:
    • sudo filebeat test output
  5. Terminal should return a series of "OK" responses. Otherwise, correct errors and test again

Start Filebeat

  1. Open a terminal and enable Filebeat to run at startup with this command:
    • sudo systemctl enable filebeat
  2. Start Filebeat:
    • sudo systemctl start filebeat
  3. You should be sending logs now. See Splunk Search Best Practices for information on how to see and search your logs.

Next steps

Contact

  • If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
  • You can also reach us on #central_monitoring and #central_log on VT Slack