WEBVTT

00:00.480 --> 00:05.550
So that we have something more interesting to query through the Elasticsearch data source, the next two videos

00:05.550 --> 00:07.980
or so cover Filebeat and Metricbeat, the collectors.

00:08.010 --> 00:13.440
Those are the most common connectors that you'll find for Elasticsearch, so I'll quickly show you how

00:13.470 --> 00:14.340
to set those up.

00:14.380 --> 00:18.780
Also, this is not a course in Elasticsearch, but I'm just showing you enough to get started so we

00:18.780 --> 00:20.570
can install Filebeat on any server.

00:20.580 --> 00:22.830
Be it Linux, Windows or Mac.

00:22.860 --> 00:25.810
I'm going to install on one of the existing servers.

00:25.830 --> 00:33.230
I'll put it on my MySQL server and we'll collect stats about the MySQL server involved.

00:33.230 --> 00:37.650
Filebeat is good for reading log files, so consider Elasticsearch's Filebeat

00:37.650 --> 00:43.370
the equivalent of what Promtail is for Loki, so we'll set that up to read the system logs.

00:43.380 --> 00:43.920
On my MySQL

00:43.920 --> 00:47.370
server. OK, so I'm going to need to install Filebeat.

00:47.550 --> 00:50.920
I'm going to install 7.16, so I'm going to go to my MySQL

00:50.940 --> 00:54.540
server. I'm on my MySQL server, root@mysql, you can see down there.

00:54.660 --> 00:58.610
You can get the download information for your operating system from this link here.

00:58.620 --> 00:59.930
I've already prepared those commands.

00:59.940 --> 01:01.440
So first one, curl.

01:02.470 --> 01:08.560
Downloading the Debian package, I'm now going to use the package manager to install it.

01:09.990 --> 01:11.430
OK, so that's installed.

01:11.490 --> 01:16.640
It shouldn't be running: sudo service filebeat status.

01:16.990 --> 01:17.880
OK, so it's not running.

01:17.920 --> 01:18.390
Doesn't matter.

01:18.600 --> 01:19.800
We'll make some changes to it.

01:19.890 --> 01:24.450
Okay, so cd into the file system, /etc/filebeat, that's where it was installed.

01:24.600 --> 01:27.180
OK, so ls -lh, so we can see what's there.

01:27.420 --> 01:30.930
OK, so now we need to enable a module for Filebeat to run.

01:30.980 --> 01:38.070
We can get a list of modules that it knows about, so filebeat modules list, and it's got a whole bunch

01:38.070 --> 01:45.150
of configurations that we can enable, such as system, which we'll use in a moment, Redis, RabbitMQ, Postgres,

01:45.540 --> 01:46.860
many, many things.

01:46.980 --> 01:50.940
But if you scroll up, you'll see that they're all under the disabled heading there.

01:51.780 --> 01:56.580
We're going to enable system, so filebeat modules enable system, enter.

01:57.850 --> 01:59.850
OK, enabled system, if we look at that again.

01:59.890 --> 02:06.490
filebeat modules list, if I scroll up, it shows under enabled: system. We can enable several modules,

02:06.490 --> 02:12.820
but I'm only going to use the system one. If we do ls -lh again there, and we go into that modules.d

02:12.820 --> 02:13.710
folder there.

02:13.720 --> 02:21.430
So cd modules.d and then do ls, and we can see a whole bunch of files, or configuration files, YAML.

02:21.970 --> 02:24.280
They all have the word disabled after them; system.yml

02:24.280 --> 02:25.240
doesn't.

02:25.420 --> 02:29.780
We can inspect all of those different configuration files and see what they do if you want.

02:29.800 --> 02:35.240
For example, I can look at the system one, system.yml, and that's what it says.

02:35.260 --> 02:38.800
So if you want to know more about the details of Elasticsearch Filebeat, there's something to look

02:38.800 --> 02:39.190
at there.

02:39.310 --> 02:43.240
So I'm going backwards, cd .., ls again to see what we have.

02:43.330 --> 02:49.420
OK, I'm now going to change some settings in filebeat.yml to tell it to send data to the Elasticsearch

02:49.420 --> 02:52.870
server, so sudo nano filebeat.yml.

02:52.960 --> 02:55.240
OK, so scroll down.

02:57.030 --> 03:00.120
You see, it's going to be searching the /var/log folder there.

03:01.300 --> 03:01.910
OK.

03:02.230 --> 03:03.120
Filebeat.

03:04.190 --> 03:10.240
OK, this is the Filebeat modules section. You can see that it's searching the modules.d folder for everything

03:10.240 --> 03:12.490
matching *.yml to find out what's enabled.

03:14.270 --> 03:20.120
I'm not going to be using Kibana. Kibana is like a user interface, like Grafana, but for Elasticsearch.

03:21.610 --> 03:26.500
OK, output Elasticsearch; this is where we tell it the address of our Elasticsearch server.

03:28.130 --> 03:33.490
I'm using the VPC IP, so my Elasticsearch server's IP is 10 one three three zero six.

03:33.500 --> 03:38.890
So this Filebeat running on my MySQL server will be sending to that address, colon 9200.

03:38.900 --> 03:42.980
Now I have a firewall on my Elasticsearch server, so I won't be able to send those messages, but I'll

03:42.980 --> 03:43.820
enable that in a moment.

03:45.000 --> 03:45.570
OK.

03:46.650 --> 03:53.160
Right now, I don't need that, that or that either, but you could leave those if you wanted to see what

03:53.160 --> 03:58.320
they do. They add a whole lot of extra items into the result set, which are unnecessary unless you're

03:58.320 --> 03:59.010
actually using them.

03:59.040 --> 04:04.710
So going further down, right to the end. OK, good. Ctrl+X, save.

04:04.710 --> 04:05.220
Yes.

04:05.580 --> 04:12.720
And so now let's start Filebeat: sudo service filebeat start, status.

04:13.230 --> 04:14.010
Very, very good.

04:14.190 --> 04:15.320
OK, so now it's running.

04:15.330 --> 04:17.610
It's trying to send data to the Elasticsearch server.

04:17.640 --> 04:20.010
The Elasticsearch server's firewall is blocking it.

04:20.070 --> 04:23.850
I can verify that by trying to do a curl request to it from the command line.

04:23.850 --> 04:26.670
So it's just going to time out eventually. Ctrl+C.

04:26.690 --> 04:27.240
See that?

04:27.390 --> 04:32.730
OK, so now I'm going to go into my firewall settings for the Elasticsearch server and allow my MySQL

04:32.730 --> 04:35.700
server to make requests on port 9200.

04:35.850 --> 04:39.660
So my MySQL server's IP is 10 one three three zero four.

04:39.690 --> 04:46.830
So copying that. Firewall, Elasticsearch firewall. OK, I'm going to edit that rule,

04:46.860 --> 04:52.440
going to allow that IP address as well, so that zero three, that's the Grafana server making queries

04:52.440 --> 04:54.630
to port 9200, and this zero four is my MySQL

04:54.630 --> 04:57.740
server sending data to it. Now, save.

04:57.990 --> 05:00.510
Excellent. Going back on here and doing that curl request again.

05:00.810 --> 05:01.150
OK.

05:01.170 --> 05:01.810
Got a response!

05:01.830 --> 05:06.810
OK, so that's a default response from my Elasticsearch server named node-1 with a cluster name,

05:06.810 --> 05:07.560
my-application.

05:07.770 --> 05:10.350
Now, Filebeat has created its own index.

05:10.380 --> 05:15.480
So in the video before, I created an index called index1 manually and added some data to it. Filebeat is

05:15.480 --> 05:19.590
doing essentially the same thing, but it's creating its own index and adding its own data.

05:19.590 --> 05:26.130
We can find out what the index name is using _cat/indices there, and that new index is called

05:26.130 --> 05:28.930
filebeat-7.16, plus today's date.

05:28.950 --> 05:33.630
So I'm going to set up a new data source in Grafana looking at that index.

05:33.750 --> 05:36.150
OK, go to data sources now.

05:36.150 --> 05:41.460
I could edit my existing Elasticsearch data source, because I don't need the index1 one, really, but

05:41.460 --> 05:46.870
instead I'm going to create a data source, Elasticsearch, and I'm going to call this Elasticsearch

05:46.890 --> 05:48.630
Filebeat. URL, the address.

05:49.170 --> 05:51.030
I'm using my VPC IP address, colon

05:51.030 --> 05:52.260
9200. Server.

05:52.260 --> 05:53.160
OK, very good.

05:53.640 --> 05:54.810
My index name.

05:54.810 --> 06:00.420
If I look here when I queried indices, it says filebeat and all those numbers. Actually, we can use

06:00.420 --> 06:01.950
filebeat and a wildcard.

06:01.950 --> 06:06.420
So I'll put filebeat-7.16 and dot star.

06:06.450 --> 06:13.200
I could do seven star, or filebeat star, but I'll just say that dot star. Now, if I set up Filebeat on

06:13.200 --> 06:16.620
another server, they'll all have a very similar index name.

06:16.620 --> 06:23.220
So this data source I'm setting up here will actually read all of the indexes starting with

06:23.220 --> 06:23.490
that.

06:23.640 --> 06:24.940
OK, so that's good.

06:24.960 --> 06:26.810
I'm also using 7.10+.

06:26.820 --> 06:27.750
That's important.

06:27.960 --> 06:30.930
OK, save and test. Index OK.

06:30.930 --> 06:31.770
OK, excellent.

06:31.890 --> 06:38.580
Let's go to the Explore tab, select Elasticsearch Filebeat, and we can see some data.

06:38.610 --> 06:40.740
So there's a lot of information coming through already.

06:41.340 --> 06:47.400
If we look at the logs row there and I'll just make that query smaller.

06:47.430 --> 06:50.480
Five minutes, we can see lots of data coming through.

06:50.490 --> 06:54.990
We can expand each of these rows and see a whole lot of information.

06:55.290 --> 06:58.650
OK, so a hostname that's coming through is mysql.

06:58.680 --> 07:06.570
If I had lots of Filebeats running, pushing to the Elasticsearch server and using an index prefixed

07:06.570 --> 07:11.910
with filebeat-7.16, I would see all of those as well, and I'd be able to filter by hostname.

07:11.940 --> 07:15.120
So, for example, host.name:

07:16.190 --> 07:22.640
mysql, Shift+Enter, and now only get the results for mysql, but I only installed it on mysql,

07:22.640 --> 07:24.080
so I'm getting the same results anyway.

07:24.110 --> 07:26.980
But anyway, that's just a quick introduction to Filebeat.

07:26.990 --> 07:29.880
We could start creating dashboards from that, but I'm not going to do that yet.

07:29.900 --> 07:33.900
I'm just demonstrating how to get some useful Elasticsearch data into Grafana.

07:33.920 --> 07:35.000
This is Filebeat.

07:35.270 --> 07:37.700
I've installed that on my MySQL server.

07:37.700 --> 07:40.280
I could install that in all my servers if I wanted to.

07:40.310 --> 07:41.130
You can do the same.

07:41.150 --> 07:42.140
I'm not going to do that just yet.

07:42.140 --> 07:46.760
In the next video, I'm going to install Metricbeat on another server and demonstrate querying that

07:46.760 --> 07:48.800
through an Elasticsearch data source as well.

07:48.830 --> 07:49.340
Excellent.
