{"id":2814,"date":"2015-12-23T00:46:57","date_gmt":"2015-12-23T00:46:57","guid":{"rendered":"http:\/\/www.garysieling.com\/blog\/?p=2814"},"modified":"2015-12-23T00:46:57","modified_gmt":"2015-12-23T00:46:57","slug":"monitoring-a-wordpress-site-with-filebeat","status":"publish","type":"post","link":"https:\/\/www.garysieling.com\/blog\/monitoring-a-wordpress-site-with-filebeat\/","title":{"rendered":"Monitoring a WordPress site with Filebeat"},"content":{"rendered":"

In a previous post, I discuss setting up the ELK stack on Azure<\/a>, which is a prerequisite for using Logbat.<\/p>\n

To pump logs from a linux server to , we can use a tool called Filebeat1<\/a><\/sup> (not sure where that fits in “ELK”?)<\/p>\n

On the server you want monitored, you’ll need to download the appropriate distribution2<\/a><\/sup> for your server version (Supports Windows or Linux)<\/p>\n

For instance, for me this was:<\/p>\n

\ncurl -L -O https:\/\/download.elastic.co\/beats\/filebeat\/filebeat_1.0.1_i386.deb\n\nsudo dpkg -i filebeat_1.0.1_i386.deb\n<\/pre>\n
Then, we need to change a couple settings in the filebeat configuration: the host name we’re shipping logs to, and the index name – depending on what you set the pattern to when you installed Kibana. For me, this meant adding this setting: ‘index: “logstash”‘<\/p>\n
\nsudo vi \/etc\/filebeat\/filebeat.yml\n<\/pre>\n
Then, you can start the service:<\/p>\n
\nsudo \/etc\/init.d\/filebeat start\n<\/pre>\n
If you want to see logs for this, by default they go to syslogd:<\/p>\n
\nsudo tail -f \/var\/log\/syslog\n<\/pre>\n
However, up to this point, Filebeat still can’t connect, because it writes directly to Elastic Search, so you’ll have to open up another port through the Azure firewall – lets make this 8080. The Azure UI lets you filter by CIDR ranges, but only down to a \/32- in other words, you can’t filter only to the specific IPs of your other servers (a \/256), which adds an additional problem we’ll solve below.<\/p>\n
Fronting these servers with Nginx seems to be quite popular, so we’ll do that, back on our Elastic Search Server:<\/p>\n
\napt-get install nginx\n<\/pre>\n
Edit the nginx config file:<\/p>\n
\nvi \/etc\/nginx\/nginx.conf\n<\/pre>\n
In the “http” block, add a proxy server:<\/p>\n
\nserver {\n  listen 8080;\n  allow 173.255.224.150;\n  location \/ {\n    proxy_pass http:\/\/localhost:9200;\n  }\n}\n<\/pre>\n
Obviously you should change the IP – this lets you restrict who can write logs. Filebeat also claims to support Basic Auth, although I haven’t tried it. I notice in the forums, that there is discussion about adding more robust security options (e.g. Kerberos), but for now, most people are using whatever Nginx offers.<\/p>\n
You should also set up SSL, but this is sufficient for testing purposes.<\/p>\n
From the remote server, you should be able to test connectivity:<\/p>\n
\ncurl http:\/\/elk-me3u257f.cloudapp.net:8080\n<\/pre>\n
Which will give you this:<\/p>\n
\n{\n  \"name\" : \"Phantom Eagle\",\n  \"cluster_name\" : \"elasticsearch\",\n  \"version\" : {\n    \"number\" : \"2.1.1\",\n    \"build_hash\" : \"40e2c53a6b6c2972b3d13846e450e66f4375bd71\",\n    \"build_timestamp\" : \"2015-12-15T13:05:55Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"5.3.1\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n<\/pre>\n
In order for Filebeat to continue, it will also need to upload some information about the structure of it’s logs in advance- run this from the server to be logged:<\/p>\n
\ncurl -XPUT 'http:\/\/elk-me3u257f.cloudapp.net:8080\/_template\/filebeat?pretty' \\\n  -d@\/etc\/filebeat\/filebeat.template.json\n<\/pre>\n
Which gives this:<\/p>\n
\n{\n  \"acknowledged\" : true\n}\n<\/pre>\n
Then restart logbeat, and everything should start working:<\/p>\n
\n\/etc\/init.d\/logbeat restart\n<\/pre>\n
  1. https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/current\/filebeat-getting-started.html [↩<\/a>]<\/span><\/li>
  2. https:\/\/www.elastic.co\/downloads\/beats\/filebeat [↩<\/a>]<\/span><\/li><\/ol>","protected":false},"excerpt":{"rendered":"
    In a previous post, I discuss setting up the ELK stack on Azure, which is a prerequisite for using Logbat. To pump logs from a linux server to , we can use a tool called Filebeat1 (not sure where that fits in “ELK”?) On the server you want monitored, you’ll need to download the appropriate … <\/p>\n
    Continue reading “Monitoring a WordPress site with Filebeat”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[22],"tags":[74,169,338,345,370,522],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/posts\/2814"}],"collection":[{"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/comments?post=2814"}],"version-history":[{"count":0,"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/posts\/2814\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/media?parent=2814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/categories?post=2814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.garysieling.com\/blog\/wp-json\/wp\/v2\/tags?post=2814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}