Logs agents' configuration

Prerequisites

The following flows are required:

  • 5044/TCP between each EverTrust OCSP node and the Logstash machine;

  • 5000/UDP between each EverTrust OCSP node and the Logstash machine.

All steps described below have to be performed on each EverTrust OCSP node you wish to monitor.

Installation of the Elastic yum repository

Step 1: Access the EverTrust OCSP server through SSH with an account with administrative privileges;

Step 2: Download and install the Elastic public signing key using the following command:

# sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Step 3: Create a file with a '.repo' extension (for example, elastic.repo) in your '/etc/yum.repos.d/' directory and add the following lines:

[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Metricbeat installation and configuration

Additional information about Metricbeat installation and operation is available here.

Step 1: Access the EverTrust OCSP server through SSH with an account with administrative privileges;

Step 2: Install the Metricbeat agent using the following command:

# yum install metricbeat

Step 3: Enable the automatic Metricbeat boot at system start using the following command:

# systemctl enable metricbeat

Step 4: Modify the Metricbeat configuration in the file '/etc/metricbeat/metricbeat.yml' so that data is sent to the 5044/TCP port of Logstash instead of Elasticsearch:

[...]
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: [""]
[...]
output.logstash:
  # The Logstash hosts
  hosts: ["LOGSTASH_HOSTNAME:5044"]

Step 5: Start the Metricbeat service with the following command:

# /etc/init.d/metricbeat start

The Metricbeat configuration file is a YAML file and is indentation sensitive.

Filebeat installation and configuration

Additional information about Filebeat installation and operation is available here.

Step 1: Access the EverTrust OCSP server through SSH with an account with administrative privileges;

Step 2: Install the Filebeat agent using the following command:

# yum install filebeat

Step 3: Enable the automatic Filebeat boot at system start using the following command:

# systemctl enable filebeat

Step 4: Modify the Filebeat configuration in the file '/etc/filebeat/filebeat.yml' to set up the input for the NGINX log directory:

filebeat.inputs:
[...]
- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/nginx/http-access.log
  exclude_files: ['\.gz$']
  fields:
    log_source: nginx

Step 5: Modify the Filebeat configuration in the file '/etc/filebeat/filebeat.yml' so that logs are sent to the 5044/TCP port of Logstash instead of Elasticsearch:

[...]
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: [""]
[...]
output.logstash:
  # The Logstash hosts
  hosts: ["LOGSTASH_HOSTNAME:5044"]

Step 6: Start the Filebeat service with the following command:

# /etc/init.d/filebeat start

The Filebeat configuration file is a YAML file and is indentation sensitive.

Syslog configuration

Please refer to the 'Key Performance Indicator(s)' section of the 'EverTrust OCSP Installation Guide'.

Step 1: Access the EverTrust OCSP server through SSH with an account with administrative privileges;

Step 2: Modify the 'ocspd.conf' syslog configuration file in '/etc/rsyslog.d' with the following content to send syslog events to the 5000/UDP port of Logstash (a single '@' selects UDP forwarding):

local6.*                                                @LOGSTASH_HOSTNAME:5000

Step 3: Restart the Rsyslog service with the following command:

# systemctl restart rsyslog
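Once the three agents are configured, the following script checks that each node really ships to Logstash as described above: the Beat outputs point at a real host on 5044/TCP with Elasticsearch output disabled, the rsyslog rule forwards local6.* over UDP to port 5000, and a test event is emitted. This is an added example, not part of the EverTrust documentation; it assumes the default file paths from this page, the Beats 'test config'/'test output' subcommands, and the 'nc' and 'logger' tools being present on the node.

```shell
#!/bin/sh
# Added example, not part of the EverTrust documentation: post-configuration
# checks for the agents set up above. Assumes the default paths from this page,
# the Beats 'test config'/'test output' subcommands, 'nc' and 'logger'.
# Return 0 when a Beat config ships to Logstash on 5044 and not to Elasticsearch.
check_beat_output() {   # $1 = path to metricbeat.yml or filebeat.yml
    cfg="$1"
    # An uncommented output.elasticsearch block conflicts with output.logstash.
    if grep -Eq '^[[:space:]]*output\.elasticsearch:' "$cfg"; then
        echo "$cfg: output.elasticsearch is still enabled" >&2; return 1
    fi
    grep -Eq '^[[:space:]]*output\.logstash:' "$cfg" \
        || { echo "$cfg: output.logstash block missing" >&2; return 1; }
    # First 'hosts:' line inside output.logstash (block ends at next top-level key).
    hosts=$(awk '/^[ \t]*output\.logstash:/ {f=1; next}
                 f && /^[^ \t#]/ {f=0}
                 f && /^[ \t]*hosts:/ {print; exit}' "$cfg")
    case "$hosts" in
        ""|*LOGTASH_HOSTNAME*|*LOGSTASH_HOSTNAME*)
            echo "$cfg: Logstash host placeholder not replaced" >&2; return 1 ;;
        *:5044*) return 0 ;;
        *) echo "$cfg: Logstash hosts entry is not on port 5044" >&2; return 1 ;;
    esac
}

# Return 0 when the rsyslog rule forwards local6.* over UDP (single '@'; '@@'
# would be TCP) to a real host on port 5000.  $1 = path to ocspd.conf
check_rsyslog_rule() {
    rule=$(grep -E '^[[:space:]]*local6\.\*[[:space:]]+@[^@[:space:]]+:5000[[:space:]]*$' "$1" || true)
    case "$rule" in
        ""|*LOGTASH_HOSTNAME*|*LOGSTASH_HOSTNAME*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live checks on an OCSP node: config syntax, Logstash reachability on 5044/TCP
# and a test event on local6 that should show up in Logstash via 5000/UDP.
run_checks() {
    check_beat_output /etc/metricbeat/metricbeat.yml
    check_beat_output /etc/filebeat/filebeat.yml
    check_rsyslog_rule /etc/rsyslog.d/ocspd.conf || echo "ocspd.conf rule is wrong" >&2
    for beat in metricbeat filebeat; do
        "$beat" test config -c "/etc/$beat/$beat.yml" && "$beat" test output -c "/etc/$beat/$beat.yml"
    done
    host=$(sed -n 's/.*@\([^:]*\):5000.*/\1/p' /etc/rsyslog.d/ocspd.conf)
    nc -z -w 3 "$host" 5044 && echo "5044/TCP to $host reachable"
    logger -p local6.info "ocsp-monitoring test event from $(hostname)"
}
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Invoke it as 'sh check-agents.sh run' on the OCSP node; the test event should then be visible on the Logstash side, which confirms the 5000/UDP flow that 'nc' cannot verify.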