ELK And Reverse Proxy Through Nginx Setup On RHEL Based System (ON SEPARATE MACHINE) → PART 2

Piyush Kumar
5 min read · Jun 17, 2023


The refined goal statement:

  1. Set up a monitoring system for an application running on four machines: Elasticsearch, Logstash, Kibana, and the application server.
  2. Install and configure Filebeat on the application server to send logs to Logstash.
  3. Deploy the react application on the application server using an Nginx reverse proxy.
  4. Configure Logstash to receive logs from Filebeat and forward them to Elasticsearch for indexing.
  5. Install and configure Kibana on the Kibana server, and set up an Nginx reverse proxy for Kibana.
  6. Establish the necessary connections between Logstash, Elasticsearch, and Kibana to enable log visualization.
  7. Create a graph in Kibana that displays the response codes (200, 502, 304) over time, using the indexed logs from Elasticsearch.

By achieving these goals, you will have a fully functioning monitoring setup that collects logs, indexes them, and provides visualizations in Kibana, including a graph showing the distribution of response codes over time.

Create four instances and configure security groups to define inbound and outbound traffic rules, allowing only authorized connections.

Securely SSH into the Application server to access the machine remotely.

Update the system

sudo yum update

Install Filebeat:

Download the Filebeat RPM package:

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.15.0-x86_64.rpm

Install the RPM package:

sudo rpm -ivh filebeat-7.15.0-x86_64.rpm

Configure Filebeat: Edit the Filebeat configuration:

sudo nano /etc/filebeat/filebeat.yml

#------Logstash Output------
output.logstash:
  hosts: ["172.31.91.110:5044"]

Start and enable Filebeat service:

sudo systemctl start filebeat 
sudo systemctl enable filebeat

You can clone the sample React application from the GitHub repo “https://github.com/Piykmr/TextUtils.git”.

To get started with this repository, follow these steps:

1. Clone the repository to your local machine.

2. Once the cloning process is complete, navigate to the “TextUtils” folder.

3. Open a terminal or command prompt within the “TextUtils” folder.

4. Run the command npm install in the terminal. This will install all the necessary dependencies for the project.

5. After the installation is finished, run the command npm start.

6. The website will be launched and can be accessed by opening your preferred web browser and entering your IP address followed by port 3000.

Install Nginx:

sudo yum install nginx

Configure Nginx as a reverse proxy:

sudo nano /etc/nginx/nginx.conf

server {
  listen 80;
  server_name _;
  location / {
    proxy_pass http://localhost:3000;
  }
}

Enable the Nginx module in Filebeat so that it collects the Nginx access and error logs:

sudo filebeat modules enable nginx

Now run the filebeat setup -e command to initialize Filebeat with its predefined configuration: it creates the necessary index templates, dashboards, and other assets in Elasticsearch and Kibana.

Here’s a breakdown of the command:

  • filebeat: This is the command used to execute Filebeat.
  • setup: This subcommand initializes the setup process.
  • -e: This flag stands for "enrollment" and is used to enable the Elasticsearch output and start the setup process immediately.

Securely SSH into the Logstash server to access the machine remotely.

Update the system

sudo yum update

If Java is not installed, install it with the following command:

sudo yum install java-1.8.0-openjdk

Install Logstash:

Download the Logstash RPM package:

wget https://artifacts.elastic.co/downloads/logstash/logstash-7.15.0-x86_64.rpm

Install the RPM package:

sudo rpm -ivh logstash-7.15.0-x86_64.rpm

Configure Logstash: create the Logstash configuration file:

The Logstash configuration below receives events from Filebeat through the Beats input plugin on port 5044, parses each Nginx access-log line with a grok filter, and sends the result to Elasticsearch through the Elasticsearch output plugin.

sudo nano /etc/logstash/conf.d/nginx.conf

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    match => { "message" => '%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] "%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} "%{DATA:[nginx][access][referrer]}" "%{DATA:[nginx][access][user_agent]}"' }
    remove_field => "message"
  }
}

output {
  elasticsearch {
    hosts => ["http://172.31.22.74:9200"]
    index => "nginx-logs-%{+YYYY.MM.dd}"
  }
}
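As an added example (not part of the original post), the Python script below applies a plain-regex equivalent of the grok pattern above to a few constructed Nginx access-log lines, builds the same nested nginx.access fields the filter produces, and counts response codes per five-minute interval the way the Kibana bar chart in the goal does. The sample lines and the bucket size are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Plain-regex equivalent of the grok pattern in nginx.conf (grok's IPORHOST,
# DATA, HTTPDATE, WORD and NUMBER approximated with ordinary character classes).
NGINX_ACCESS = re.compile(
    r'^(?P<remote_ip>\S+) - (?P<user_name>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<response_code>\d{3}) (?P<body_sent_bytes>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines in Nginx "combined" format (not from a real server).
SAMPLE_LOG = """\
172.31.5.10 - - [17/Jun/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
172.31.5.10 - - [17/Jun/2023:10:00:05 +0000] "GET /static/js/main.js HTTP/1.1" 304 0 "http://app/" "Mozilla/5.0"
172.31.5.11 - - [17/Jun/2023:10:01:41 +0000] "GET /api/data HTTP/1.1" 502 157 "-" "curl/7.76.1"
172.31.5.12 - admin [17/Jun/2023:10:06:12 +0000] "POST /login HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line does not match the pattern at all
"""

def parse_line(line):
    """Nested [nginx][access] fields as the grok filter builds them; None on a grok miss."""
    m = NGINX_ACCESS.match(line)
    if not m:
        return None
    f = m.groupdict()
    # grok keeps NUMBER captures as strings; they are converted to int here for counting.
    return {"nginx": {"access": {
        "remote_ip": f["remote_ip"], "user_name": f["user_name"],
        "time": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": f["method"], "url": f["url"], "http_version": f["http_version"],
        "response_code": int(f["response_code"]), "body_sent": {"bytes": int(f["body_sent_bytes"])},
        "referrer": f["referrer"], "user_agent": f["user_agent"],
    }}}

def response_codes_per_interval(text, minutes=5):
    """Response-code counts per time bucket (the Kibana bar chart in the goal)."""
    buckets, failures = defaultdict(Counter), 0
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            failures += 1  # Logstash would tag such an event _grokparsefailure
            continue
        acc = event["nginx"]["access"]
        t = acc["time"]
        bucket = t.replace(minute=t.minute - t.minute % minutes, second=0)
        buckets[bucket.isoformat()][acc["response_code"]] += 1
    return dict(buckets), failures
```

Lines that miss the pattern are counted separately rather than dropped silently, which is the same signal a _grokparsefailure tag gives you in Kibana when the log format and the filter drift apart.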

Start and enable Logstash service:

sudo systemctl start logstash 
sudo systemctl enable logstash

Securely SSH into the Elasticsearch server to access the machine remotely.

Update the system

sudo yum update

If Java is not installed, install it with the following command:

sudo yum install java-1.8.0-openjdk

Install Elasticsearch

Download the Elasticsearch RPM package

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.15.0-x86_64.rpm

Install the RPM package

sudo rpm -ivh elasticsearch-7.15.0-x86_64.rpm

Configure Elasticsearch: edit the Elasticsearch configuration file:

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

#network
network.host: 172.31.22.74
http.port: 9200

#discovery
discovery.type: single-node

Start and enable Elasticsearch service

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Securely SSH into the Kibana server to access the machine remotely.

Install Kibana:

Download the Kibana RPM package:

wget https://artifacts.elastic.co/downloads/kibana/kibana-7.15.0-x86_64.rpm

Install the RPM package:

sudo rpm -ivh kibana-7.15.0-x86_64.rpm

Configure Kibana: Edit the Kibana configuration file:

sudo nano /etc/kibana/kibana.yml
server.port: 5601

server.host: "localhost"

elasticsearch.hosts: ["http://172.31.22.74:9200"]

Start and enable Kibana service:

sudo systemctl start kibana 
sudo systemctl enable kibana

Install Nginx:

sudo yum install nginx

Configure Nginx as a reverse proxy:

sudo nano /etc/nginx/nginx.conf

Add the following configuration:

server {
  listen 80;
  server_name _;
  location / {
    proxy_pass http://localhost:5601;
  }
}

Test the Nginx configuration:

sudo nginx -t

Start and enable Nginx service:

sudo systemctl start nginx 
sudo systemctl enable nginx

For RHEL-based systems: SELinux is enabled (Enforcing) by default on all RHEL-based systems, which will block the traffic coming to it, so in order to make Kibana accessible via Nginx we can disable SELinux.

Open the SELinux configuration file using a text editor such as vi:

sudo vi /etc/selinux/config

Locate the SELINUX directive in the file. It will have one of the following values: enforcing, permissive, or disabled.

Change the value of SELINUX to permissive:

SELINUX=permissive

Save the changes and exit the text editor.

Then verify that the value is set as intended with the following command:

getenforce

If it shows the value you set, you are done; otherwise switch the running system to permissive mode with the following command:

sudo setenforce 0

That’s it! You have now installed and configured the ELK stack (Elasticsearch, Logstash, Kibana) on Red Hat Enterprise Linux (RHEL) along with Filebeat and Nginx as a reverse proxy for secure access. You can access Kibana by visiting http://your_domain_or_ip in a web browser.

In this setup, we observe that Logstash successfully forwards logs to Elasticsearch after receiving them from Filebeat. The log data is indexed in Elasticsearch using the specified index name mentioned in the Logstash configuration file located at /etc/logstash/conf.d/nginx.conf.
The graph displays response codes using different colors: red represents response code 200, green represents 304, and blue represents 502. Additionally, the graph includes a count of records and visualizes the response codes using a vertical bar graph to depict how many times each response code was hit within specific time intervals.
