I'm trying to create a simple hello world for ELK and be able to see Kibana reports via the internet. I've installed Kibana, Logstash, nginx and Elasticsearch. Here's my /etc/logstash/conf.d/10-syslog.conf:
input {
  # Tail the local system logs; every event is tagged type "syslog"
  # so the filter below can select it.
  file {
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
    type => "syslog"
  }
}

output {
  # Index into the local Elasticsearch; the default index name is logstash-YYYY.MM.dd.
  # "host" is the Logstash 1.x option name; Logstash 2.0 and later use
  # hosts => ["localhost:9200"] instead.
  elasticsearch { host => localhost }
  # Also echo every event to the console, handy while setting things up.
  stdout { codec => rubydebug }
}

filter {
  # Logstash always runs input -> filter -> output, whatever order the
  # blocks appear in this file.
  if [type] == "syslog" {
    # Split the raw syslog line into timestamp, host, program, pid and message.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Decode facility/severity from the syslog_pri field, if one is present.
    syslog_pri { }
    # Use the timestamp from the log line as the event's @timestamp instead of
    # the time Logstash read it. Two spaces before "d": syslog pads single-digit
    # days with a space ("Jan  5 ..."), and the date filter does not tolerate
    # extra whitespace.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
I'm able to access Kibana from the internet. However, I can't see the reports because of an error in Kibana when I click Dashboard, Visualize or Discover:
Index Patterns: Please specify a default index pattern
How exactly should I specify it? I just want to keep it simple for now.
Kibana uses "index patterns" to visualize the data stored in your elasticsearch indices.
You need to hit the elasticsearch restful endpoint and check what your indices are named by doing
This will list all the indices. Then, in Kibana go to Management -> Index Patterns -> Create index pattern.
Here you write a regular expression that matches one or more of your elasticsearch indices. For example if your indices look like mine:
You could write an index pattern called log* and it would show data from both of those logstash indices.
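As an added example (not part of the answer above), here is the same procedure done from the ELK host's shell: pull the index list from Elasticsearch's _cat API and check which indices a candidate pattern would select before you type it into Kibana. The _cat output below is a constructed sample, not taken from the poster's cluster; the function names and the ES_HOST variable are my own.

```shell
#!/bin/sh
# Added example: reproduce Kibana's index-pattern matching in the shell so a
# pattern can be tested against the real index list before creating it.

# Constructed sample of `curl -s 'localhost:9200/_cat/indices?v'` output.
# The index name is the third column (newer ES versions add a uuid column after it).
SAMPLE_CAT_OUTPUT=$(cat <<'EOF'
health status index               pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logstash-2016.01.11   5   1      12345            0      4.2mb          4.2mb
yellow open   logstash-2016.01.12   5   1       9876            0      3.1mb          3.1mb
yellow open   .kibana               1   1          2            0     10.4kb         10.4kb
EOF
)

# Query a live cluster. Run this on the ELK host itself: port 9200 is meant for
# localhost and should not be published through the nginx proxy.
live_cat_indices() {
    curl -s "http://${ES_HOST:-localhost}:9200/_cat/indices?v"
}

# Read _cat/indices output on stdin, print one index name per line.
index_names() {
    awk 'NR > 1 { print $3 }'
}

# $1 is a Kibana-style index pattern: a glob where '*' matches any run of
# characters. Index names arrive on stdin; the ones the pattern selects are printed.
matching_indices() {
    pattern=$1
    while IFS= read -r name; do
        # $pattern is deliberately unquoted so the shell treats it as a glob,
        # which is the same '*'-wildcard matching Kibana applies to index names.
        case $name in
            $pattern) printf '%s\n' "$name" ;;
        esac
    done
}

# Names of the sample indices matched by pattern $1, comma-separated.
sample_matches() {
    printf '%s\n' "$SAMPLE_CAT_OUTPUT" | index_names | matching_indices "$1" | paste -s -d , -
}

# Demo on the constructed sample: 'log*' selects only the Logstash indices,
# while a bare '*' also drags in Kibana's own .kibana index.
echo "log*  -> $(sample_matches 'log*')"
echo "*     -> $(sample_matches '*')"
```

To test a pattern against your own cluster, replace the sample with `live_cat_indices | index_names | matching_indices 'log*'`. If that prints nothing, Kibana will not be able to create the pattern either, which usually means Logstash has not indexed anything yet.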
Just go to Kibana -> Management -> Advanced Settings and fill in the "defaultIndex" field. Of course, it is necessary that this index exists in ES.