Skip to content

Instantly share code, notes, and snippets.

@kaspergrubbe

kaspergrubbe/elk_stack.sh

Created May 15, 2015 13:53
Show Gist options
  • Save kaspergrubbe/9d9514a6503c361ea721 to your computer and use it in GitHub Desktop.
Save kaspergrubbe/9d9514a6503c361ea721 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
elk_stack.sh
set -eux
set -o pipefail
# ! #<Blocks::Base::Builder:0x007f8b2d2f3ef0> -------------------------------------
if [ ! -f /root/system_setup_complete ]; then
apt-get update
apt-get -y install aptitude
aptitude -y full-upgrade
fi
echo "wilmut.example.com" > /etc/hostname
hostname -F /etc/hostname
sed -i "/#---LOCALHOST-START/,/#---LOCALHOST-END/d" /etc/hosts
cat >> /etc/hosts << EOF
#---LOCALHOST-START
127.0.0.1 wilmut.example.com wilmut.example.com.local
#---LOCALHOST-END
EOF
OLD="#PasswordAuthentication yes"
NEW="PasswordAuthentication no"
sed -i "s/${OLD}/${NEW}/g" /etc/ssh/sshd_config
# / #<Blocks::Base::Builder:0x007f8b2d2f3ef0> -------------------------------------
# ! #<Blocks::User::Builder:0x007f8b2d2f3e00> -------------------------------------
if ! id -u root >/dev/null 2>&1; then
adduser root --disabled-password --gecos ""
fi
sudo -u root mkdir -p /root/.ssh
touch /root/combined_keys
wget https://github.com/kaspergrubbe.keys -O - >> /root/combined_keys
echo "" >> /root/combined_keys
mv /root/combined_keys /root/.ssh/authorized_keys
chown root /root/.ssh/authorized_keys
chmod 644 /root/.ssh/authorized_keys
sed -i "/#---GENTOOLIKE-START/,/#---GENTOOLIKE-END/d" /root/.bashrc
cat >> /root/.bashrc << EOF
#---GENTOOLIKE-START
if [[ \${EUID} == 0 ]] ; then
PS1='\[\033[01;31m\]\H\[\033[01;34m\] \W \$\[\033[00m\] '
else
PS1='\[\033[01;32m\]\u@\H\[\033[01;34m\] \w \$\[\033[00m\] '
fi
#---GENTOOLIKE-END
EOF
OLD="#force_color_prompt=yes"
NEW="force_color_prompt=yes"
sed -i "s/${OLD}/${NEW}/g" /root/.bashrc
# / #<Blocks::User::Builder:0x007f8b2d2f3e00> -------------------------------------
# ! #<Blocks::Elasticsearch::Builder:0x007f8b2d2f3d88> -------------------------------------
apt-get -y install lsof curl coreutils
apt-get -y install openjdk-8-jre-headless
wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -
if [ ! -f /etc/elasticsearch/elasticsearch.yml ]; then
echo 'deb http://packages.elasticsearch.org/elasticsearch/1.5/debian stable main' | tee /etc/apt/sources.list.d/elasticsearch.list
apt-get update
apt-get -y install elasticsearch=1.5.0
fi
OLD="#network.host: 192.168.0.1"
NEW="network.host: localhost"
sed -i "s/${OLD}/${NEW}/g" /etc/elasticsearch/elasticsearch.yml
service elasticsearch restart
# / #<Blocks::Elasticsearch::Builder:0x007f8b2d2f3d88> -------------------------------------
# ! #<Blocks::LogstashEncryptionKeys::Builder:0x007f8b2d2f3d10> -------------------------------------
mkdir -p /etc/pki
touch /etc/pki/logstash-forwarder.key
chmod 644 /etc/pki/logstash-forwarder.key
cat > /etc/pki/logstash-forwarder.key << EOF
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
EOF
touch /etc/pki/logstash-forwarder.crt
chmod 644 /etc/pki/logstash-forwarder.crt
cat > /etc/pki/logstash-forwarder.crt << EOF
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF
# / #<Blocks::LogstashEncryptionKeys::Builder:0x007f8b2d2f3d10> -------------------------------------
# ! #<Blocks::Logstash::Builder:0x007f8b2d2f3ce8> -------------------------------------
if [ ! -d "/etc/logstash" ]; then
wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -
echo 'deb http://packages.elasticsearch.org/logstash/1.5/debian stable main' | tee /etc/apt/sources.list.d/logstash.list
apt-get update
apt-get -y install logstash
fi
curl -o /etc/logstash/geo_lite_city.dat.gz -O 'http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz'
gunzip -f /etc/logstash/geo_lite_city.dat.gz
chmod 644 /etc/logstash/geo_lite_city.dat
touch /etc/logstash/conf.d/01-lumberjack-input.conf
cat > /etc/logstash/conf.d/01-lumberjack-input.conf << EOF
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/logstash-forwarder.crt"
ssl_key => "/etc/pki/logstash-forwarder.key"
}
}
EOF
touch /etc/logstash/conf.d/10-syslog.conf
cat > /etc/logstash/conf.d/10-syslog.conf << EOF
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
EOF
touch /etc/logstash/conf.d/30-lumberjack-output.conf
cat > /etc/logstash/conf.d/30-lumberjack-output.conf << EOF
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
EOF
# / #<Blocks::Logstash::Builder:0x007f8b2d2f3ce8> -------------------------------------
# ! #<Blocks::Logstashforwarder::Builder:0x007f8b2d2f3c70> -------------------------------------
echo 'deb http://packages.elasticsearch.org/logstashforwarder/debian stable main' | tee /etc/apt/sources.list.d/logstashforwarder.list
wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -
apt-get update
apt-get -y install logstash-forwarder
touch /etc/logstash-forwarder.conf
cat > /etc/logstash-forwarder.conf << EOF
{
# The network section covers network configuration :)
"network": {
# A list of downstream servers listening for our messages.
# logstash-forwarder will pick one at random and only switch if
# the selected one appears to be dead or unresponsive
"servers": [ "localhost:5000" ],
# The path to your client ssl certificate (optional)
#"ssl certificate": "./logstash-forwarder.crt",
# The path to your client ssl key (optional)
#"ssl key": "./logstash-forwarder.key",
# The path to your trusted ssl CA file. This is used
# to authenticate your downstream server.
"ssl ca": "/etc/pki/logstash-forwarder.crt",
# Network timeout in seconds. This is most important for
# logstash-forwarder determining whether to stop waiting for an
# acknowledgement from the downstream server. If an timeout is reached,
# logstash-forwarder will assume the connection or server is bad and
# will connect to a server chosen at random from the servers list.
"timeout": 15
},
# The list of files configurations
"files": [
# An array of hashes. Each hash tells what paths to watch and
# what fields to annotate on events from those paths.
{
"paths": [
"/var/log/syslog",
"/var/log/auth.log"
],
# A dictionary of fields to annotate on each event.
"fields": { "type": "syslog" }
}
#, {
# A path of "-" means stdin.
#"paths": [ "-" ],
#"fields": { "type": "stdin" }
#}, {
#"paths": [
#"/var/log/apache/httpd-*.log"
#],
#"fields": { "type": "apache" }
#}
]
}
EOF
# / #<Blocks::Logstashforwarder::Builder:0x007f8b2d2f3c70> -------------------------------------
# ! #<Blocks::Kibana::Builder:0x007f8b2d2f3bd0> -------------------------------------
apt-get -y install nginx
touch /etc/nginx/sites-available/default
cat > /etc/nginx/sites-available/default << EOF
server {
listen 80;
#server_name *;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host \$host;
proxy_cache_bypass \$http_upgrade;
}
}
EOF
cd ~; wget https://download.elasticsearch.org/kibana/kibana/kibana-4.0.2-linux-x64.tar.gz
tar xvf kibana-4.0.2-linux-x64.tar.gz
OLD="host: \"0.0.0.0\""
NEW="host: \"localhost\""
sed -i "s/${OLD}/${NEW}/g" /root/kibana-4.0.2-linux-x64/config/kibana.yml
mkdir -p /opt/kibana
cp -R /root/kibana-4.0.2-linux-x64/* /opt/kibana/
cd /etc/init.d && wget https://gist.githubusercontent.com/thisismitch/8b15ac909aed214ad04a/raw/bce61d85643c2dcdfbc2728c55a41dab444dca20/kibana4
chmod +x /etc/init.d/kibana4
update-rc.d kibana4 defaults 96 9
# / #<Blocks::Kibana::Builder:0x007f8b2d2f3bd0> -------------------------------------
service ssh restart
service elasticsearch restart
service logstash restart
service logstash-forwarder restart
service kibana4 restart
service nginx restart
if [ ! -f /root/system_setup_complete ]; then
echo $(date "+%Y.%m.%d-%H:%M:%S") > /root/system_setup_complete
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment