Install Elastiflow in Ubuntu 18.04
Nov 12, 2018
Install Ubuntu 18.04 and do the latest dist-upgrade dance.
Install Java:
sudo apt install openjdk-8-jre-headless
Install elastic stack
Elasticsearch
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt update; sudo apt -y install elasticsearch
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
Kibana
sudo apt -y install kibana
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
sudo systemctl start kibana.service
Logstash
sudo apt -y install logstash
Make Elasticsearch listen on localhost only
sudo sed -i 's|#network.host: 192.168.0.1|network.host: localhost|g' /etc/elasticsearch/elasticsearch.yml
sudo systemctl restart elasticsearch
Make Kibana accessible from the world (REMEMBER: WORLD-REACHABLE / NO AUTH!)
sudo sed -i 's|#server.host: "localhost"|server.host: "0.0.0.0"|g' /etc/kibana/kibana.yml
sudo systemctl restart kibana
Set the Logstash JVM memory settings
sudo sed -i 's|-Xms1g|-Xms4g|g' /etc/logstash/jvm.options
sudo sed -i 's|-Xmx1g|-Xmx4g|g' /etc/logstash/jvm.options
Add the required Logstash plugins
sudo /usr/share/logstash/bin/logstash-plugin install logstash-codec-sflow
sudo /usr/share/logstash/bin/logstash-plugin update logstash-codec-netflow
sudo /usr/share/logstash/bin/logstash-plugin update logstash-input-udp
sudo /usr/share/logstash/bin/logstash-plugin update logstash-filter-dns
Clone elastiflow
cd /usr/local/src
sudo git clone https://github.com/robcowart/elastiflow.git
Copy the logstash config
sudo cp -arv elastiflow/logstash/elastiflow/. /etc/logstash/elastiflow/
Copy env files
sudo cp -arv elastiflow/logstash.service.d/. /etc/systemd/system/logstash.service.d/
Add the elastiflow pipeline. It is really important that the YAML syntax is correct (path.config must be indented under the list item); otherwise this will bork the whole function :)
sudo cp /etc/logstash/pipelines.yml /etc/logstash/pipelines.yml-DIST
sudo tee -a /etc/logstash/pipelines.yml << EOF
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"
EOF
If you want to check your YAML file:
sudo apt install -y yamllint
yamllint /etc/logstash/pipelines.yml
sudo /usr/share/logstash/bin/system-install
sudo systemctl daemon-reload
sudo systemctl start logstash
sudo tail -f /var/log/logstash/logstash-plain.log
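An added helper for the pipelines.yml step above (example code written for this page, not from the original post or the Elastiflow project): it appends the elastiflow entry with the indentation YAML requires, skips the append when the entry already exists, and checks the file's structure with awk alone, so the mistake that borks Logstash is caught before the service is started. It assumes POSIX sh with awk and grep and takes the pipelines.yml path as its argument.

```shell
#!/bin/sh
# Added example, not part of the original post: append the elastiflow entry to
# pipelines.yml with the indentation YAML needs, then check the file's structure
# with awk alone (no yamllint required). Assumes POSIX sh, awk and grep; the
# file path is passed as the first argument.

# Append the elastiflow pipeline unless an entry with that id is already there,
# so re-running the install steps does not produce duplicate pipeline ids.
add_elastiflow_pipeline() {
    file=$1
    if grep -q '^- pipeline\.id: elastiflow$' "$file" 2>/dev/null; then
        return 0
    fi
    # path.config must sit two spaces under the list item; unindented it is a
    # second top-level node and Logstash refuses to load pipelines.yml.
    printf '%s\n' \
        '- pipeline.id: elastiflow' \
        '  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"' >> "$file"
}

# Structural check: each "- pipeline.id:" item may only be followed by lines
# indented two spaces, and one of them must be path.config. Prints a message
# per violation and exits 1; exits 0 when the file is clean.
check_pipelines() {
    awk '
        function flush() {
            if (inside && !has_cfg) { printf "pipeline %s: no path.config\n", id; bad = 1 }
            inside = 0
        }
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^- pipeline\.id:/ { flush(); id = $3; inside = 1; has_cfg = 0; next }
        inside && /^  path\.config:/ { has_cfg = 1; next }
        inside && /^  [^ ]/ { next }                      # other indented keys are fine
        inside { printf "pipeline %s: line must be indented two spaces under the item: %s\n", id, $0; bad = 1; next }
        { printf "unexpected top-level line: %s\n", $0; bad = 1 }
        END { flush(); exit bad }
    ' "$1"
}
```

Run `check_pipelines /etc/logstash/pipelines.yml` before `systemctl start logstash`; a non-zero exit means the file will not load.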