ELK in a jail

I would like to analyse my pfSense data using an Elasticsearch-Logstash-Kibana server. Has anybody tried setting up an ELK server in a FreeBSD jail?
If you plan to use textproc/elasticsearch2, I found that it would not start without a loopback device, so I switched my testing jail to a VIMAGE jail. There may be a configuration option that prevents the need for this if VIMAGE is an issue, since it's not available by default. However, in my little testing jail I've found that Elasticsearch 2 is much slower searching for data via Kibana, so I haven't touched my production ELK box on Elasticsearch 1.7 (textproc/elasticsearch).

It's a fairly simple setup, however. Install it:
pkg install logstash kibana41 elasticsearch
If you want to explore Elasticsearch 2:
pkg install logstash kibana43 elasticsearch2

In this case you'll just point Logstash to log to the Elasticsearch running locally. Just uncomment the line for it in /usr/local/etc/logstash/logstash.conf.
Code:
  # This will use elasticsearch to store your logs.
  elasticsearch { hosts => [ "localhost:9200" ] }

Enable it:
sysrc elasticsearch_enable=YES logstash_enable=YES kibana_enable=YES

And go go go:
service elasticsearch start; service kibana start; service logstash start

You'll probably want to explore the ELK documentation further for adding input options. TCP and UDP 514 for syslog data are described here:
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-tcp.html
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-udp.html
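A complete Logstash pipeline for the pfSense case asked about in the thread, as an added example rather than the poster's configuration: it listens on 514 for syslog, splits the pfSense filterlog CSV fields with grok, and writes to the local Elasticsearch the reply points at. The field names, the `pfsense-` index name and the filterlog column layout are assumptions to check against the documentation for your pfSense version.

```conf
# Constructed example pipeline, not from the original post; assumes pfSense is
# configured to forward syslog to this jail, and that filterlog lines follow the
# pfSense filterlog CSV layout (check the layout against your pfSense version).
input {
  # The syslog plugin listens on both TCP and UDP and parses the RFC3164 header.
  # Ports below 1024 need root; if Logstash runs unprivileged, use e.g. 5140
  # and point pfSense at that port instead.
  syslog {
    port => 514
    type => "pfsense"
  }
}

filter {
  # Only firewall log lines come from the "filterlog" program.
  if [program] == "filterlog" {
    grok {
      match => { "message" => "^%{INT:rule_number},%{DATA:sub_rule},%{DATA:anchor},%{INT:tracker},%{WORD:interface},%{WORD:reason},%{WORD:action},%{WORD:direction},%{INT:ip_version},%{GREEDYDATA:ip_data}" }
      tag_on_failure => [ "_filterlog_parse_failure" ]
    }
    # IPv4 header fields, then the protocol-specific tail.
    if [ip_version] == "4" {
      grok {
        match => { "ip_data" => "^%{DATA:tos},%{DATA:ecn},%{INT:ttl},%{INT:id},%{INT:offset},%{DATA:flags},%{INT:proto_id},%{WORD:proto},%{INT:length},%{IP:src_ip},%{IP:dst_ip},%{GREEDYDATA:proto_data}" }
      }
    }
    if [proto] in [ "tcp", "udp" ] {
      grok {
        match => { "proto_data" => "^%{INT:src_port},%{INT:dst_port}" }
      }
    }
    mutate {
      convert => { "src_port" => "integer" "dst_port" => "integer" "ttl" => "integer" }
      remove_field => [ "ip_data", "proto_data" ]
    }
  }
}

output {
  # Same local Elasticsearch the post points at; one index per day keeps
  # retention and deletion simple.
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "pfsense-%{+YYYY.MM.dd}"
  }
}
```

Lines that fail the first grok carry the `_filterlog_parse_failure` tag, so a Kibana search on that tag shows which filterlog variants your pfSense version emits that the patterns do not yet cover.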