Loghost

Provides centralized logging infrastructure inside a project, including a remote rsyslog target and the ELK stack (Elasticsearch, Logstash, Kibana).

Please refer to chapter Logging for configuration examples and hints on using the ELK stack.

Components

  • rsyslog (srv interface, port UDP 514)

  • Elasticsearch (srv interface, ports TCP 9200 and 9300)

  • elasticsearch-curator

  • Logstash

  • logstash-forwarder

  • Kibana

Default setup

  • Elasticsearch, Logstash and Kibana are installed on the loghost.

  • Logstash creates one Elasticsearch index per day, named after the pattern logstash-YYYY.MM.DD.

  • elasticsearch-curator deletes indices older than 90 days.

  • logstash-forwarder ships locally generated logs from all machines to the loghost.

  • rsyslog forwards all syslog entries to the loghost.
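The two defaults above (daily logstash-YYYY.MM.DD indices and a 90-day curator retention) are easy to get wrong when checking by hand, so here is an added example, not code from the original page or from elasticsearch-curator, that reproduces the retention decision over a constructed list of index names. It assumes "older than 90 days" means strictly older than the cutoff date (an index dated exactly 90 days ago is kept) and that names not matching the pattern (for example .kibana) are never touched; the `missing_daily_indices` check goes beyond the page and flags days without an index, which usually means shipping stopped.

```python
import re
from datetime import date, timedelta

# Index name pattern of the default Logstash setup: logstash-YYYY.MM.DD
INDEX_RE = re.compile(r"^logstash-(\d{4})\.(\d{2})\.(\d{2})$")


def index_date(name):
    """Return the date encoded in a logstash-YYYY.MM.DD name, or None if it does not match."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. logstash-2016.13.01 is not a real date
        return None


def indices_to_delete(index_names, today, retention_days=90):
    """Daily indices strictly older than retention_days before today (assumed curator semantics).

    Names that do not match the pattern are ignored, so an index created by hand is never
    deleted by mistake.
    """
    cutoff = today - timedelta(days=retention_days)
    doomed = [n for n in index_names if index_date(n) is not None and index_date(n) < cutoff]
    return sorted(doomed)


def missing_daily_indices(index_names, today, days=3):
    """Names of the daily indices expected for the last `days` days that do not exist.

    A missing recent index is a sign that Logstash or the forwarders stopped shipping logs.
    """
    present = {index_date(n) for n in index_names}
    expected = [today - timedelta(days=i) for i in range(days)]
    return [d.strftime("logstash-%Y.%m.%d") for d in expected if d not in present]


# Constructed sample: index names as they might be listed on the loghost, plus two
# names that must be ignored (a non-daily index and an impossible date).
SAMPLE_INDICES = [
    "logstash-2015.12.31",
    "logstash-2016.01.01",
    "logstash-2016.01.02",
    "logstash-2016.03.30",
    "logstash-2016.04.01",
    ".kibana",
    "logstash-2016.13.01",
]
TODAY = date(2016, 4, 1)  # constructed reference date; 90 days earlier is 2016-01-02

if __name__ == "__main__":
    print("would delete:", indices_to_delete(SAMPLE_INDICES, TODAY))
    print("missing recent:", missing_daily_indices(SAMPLE_INDICES, TODAY))
```

Run against the output of a real index listing, a non-empty result from `indices_to_delete` means the curator has not pruned what it should have, and a non-empty result from `missing_daily_indices` means the pipeline has stopped writing; both are cheap monitoring checks.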

Configuration

The configuration entry points for the involved components are listed below.

Warning

All configuration needs to be performed as a service user.

  • rsyslog: /etc/rsyslog.d/SNIPPET.conf

  • logstash-forwarder: /etc/logstash-forwarder/conf.d/SNIPPET.conf

  • logstash: /etc/logstash/conf.d/SNIPPET.conf

Interaction

  • rsyslog: run sudo /etc/init.d/rsyslog restart after configuration changes

    Note

    rsyslog ignores invalid configuration statements instead of failing, so be sure to check /var/log/messages for errors after every restart.

  • logstash-forwarder: run sudo /etc/init.d/logstash-forwarder restart after configuration changes

  • Logstash: run sudo /etc/init.d/logstash restart after configuration changes

  • Kibana: refer to our Logging section for how to interact with Kibana
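Because rsyslog keeps running with a broken snippet, the post-restart check of /var/log/messages from the note above is worth automating. The following is an added example, not code from the original page or from the rsyslog project: it parses traditional syslog lines, keeps only those logged by rsyslogd, and reports the ones that look like configuration problems. The sample log lines are constructed, and the error-keyword list is an assumption that you may need to extend for your rsyslog version.

```python
import re

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Assumed keywords that mark a problem in rsyslogd's own messages.
PROBLEM_RE = re.compile(r"\b(error|warning|invalid|unknown|could not|cannot|failed)\b", re.I)


def parse_syslog_line(line):
    """Split one syslog line into its fields; return None for lines in another format."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def rsyslog_problems(lines):
    """Messages logged by rsyslogd itself that match a problem keyword."""
    problems = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "rsyslogd":
            continue
        if PROBLEM_RE.search(rec["msg"]):
            problems.append(rec["msg"])
    return problems


def restart_looks_clean(lines):
    """True when rsyslogd logged a start after its last exit and reported no problems."""
    last_exit = last_start = -1
    for i, line in enumerate(lines):
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "rsyslogd":
            continue
        if "exiting on signal" in rec["msg"]:
            last_exit = i
        elif rec["msg"].endswith(" start"):
            last_start = i
    return last_start > last_exit and not rsyslog_problems(lines)


# Constructed sample of /var/log/messages after a restart with one broken snippet.
SAMPLE_MESSAGES = [
    'Apr  1 10:00:01 web01 rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="1234"] exiting on signal 15.',
    "Apr  1 10:00:02 web01 rsyslogd: error during parsing file /etc/rsyslog.d/forward.conf, on or before line 3: syntax error",
    'Apr  1 10:00:02 web01 rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="1300"] start',
    "Apr  1 10:00:05 web01 sshd[2345]: Accepted publickey for deploy from 10.0.0.5 port 51022",
]

if __name__ == "__main__":
    for msg in rsyslog_problems(SAMPLE_MESSAGES):
        print("rsyslog problem:", msg)
    print("restart clean:", restart_looks_clean(SAMPLE_MESSAGES))
```

To use it on a real host, feed it the lines written to /var/log/messages since the restart (for example the last few hundred lines); a non-empty result from `rsyslog_problems` means a snippet was ignored and forwarding may be incomplete.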

Monitoring

We monitor for:

  • running processes

  • reachable ports

  • correctly written log files

  • correctly pruned Elasticsearch indices