5

I'm trying to create a simple hello world for ELK and be able to see kibana reports via the internet. I've installed kibana, logstash, nginx and elastic search. Here's my /etc/logstash/conf.d/10-syslog.conf:

# Sections can appear in any order; Logstash always runs input -> filter -> output.
input {
  file {
    # Tail the system logs; every event gets type "syslog" so the filter below can select it.
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Split a standard syslog line into timestamp, host, program, optional pid and message.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Derive facility/severity fields from the syslog priority.
    syslog_pri { }
    date {
      # Use the parsed syslog timestamp as the event's @timestamp.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  # `host` is the Logstash 1.x option name; Logstash 2.x and later use hosts => ["localhost:9200"].
  elasticsearch { host => localhost }
  # Echo each event to the console for debugging.
  stdout { codec => rubydebug }
}

I'm able to access Kibana from the internet. However, I can't see the reports because of an error in Kibana when I click Dashboard, Visualize or Discover:

Index Patterns: Please specify a default index pattern

How exactly should I specify it? I just want to keep it simple for now.

Dett
  • 53
  • 1
  • 4

2 Answers

1

Kibana uses "index patterns" to visualize the data stored in your elasticsearch indices.

You need to hit the elasticsearch restful endpoint and check what your indices are named by doing

curl -X GET "<elasticsearchIP>:<elasticsearchport>/_cat/indices?v"

This will list all the indices. Then, under kibana go to management -> index patterns -> create index patterns

Here you write a regular expression that matches one or more of your elasticsearch indices. For example if your indices look like mine:

logstash-2018.10.29 
logstash-2018.11.14 

you could write an index pattern called log* and it would show data from both of those logstash indices.

Esoteric Eric
  • 71
  • 1
  • 4
  • Is there a way to establish the default index using curl, either to the elasticsearch REST API URL or to the kibana REST API URL? – Jesse Chisholm Apr 23 '20 at 00:42
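As an added example (not part of either answer, and not Kibana's or Elasticsearch's own code), the following Python script works through the steps above offline: it parses a constructed sample of what `_cat/indices?v` prints, shows which indices a given index pattern selects, and builds the requests that register the pattern and make it the default. It assumes a Kibana 6.x/7.x server, whose saved-objects API accepts `POST /api/saved_objects/index-pattern/<id>` and whose advanced-settings API accepts `POST /api/kibana/settings`, both with a `kbn-xsrf: true` header; the index listing, the Kibana URL `http://localhost:5601` and the saved-object id `logstash-star` are assumptions chosen for the example. Kibana treats `*` in an index pattern as a wildcard, which `fnmatch` reproduces.

```python
"""Added example: choose a Kibana index pattern from `_cat/indices?v` output and
build the two Kibana API requests that register it and make it the default.

Assumed (not on the original page): Kibana 6.x/7.x saved-objects and settings
APIs; the sample listing below is constructed, not captured from a real host.
"""
import fnmatch
import json

# Constructed sample of what `curl -X GET "localhost:9200/_cat/indices?v"` prints
# for a Logstash setup like the one in the question.
CAT_INDICES_OUTPUT = """\
health status index               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logstash-2018.10.29 AbCdEfGhIjKlMnOpQrStUv   5   1       1234            0      1.1mb          1.1mb
yellow open   logstash-2018.11.14 ZyXwVuTsRqPoNmLkJiHgFe   5   1        567            0    512.3kb        512.3kb
green  open   .kibana             QqWwEeRrTtYyUuIiOoPpAa   1   0          3            0     12.4kb         12.4kb
"""


def parse_cat_indices(text):
    """Return the index names from `_cat/indices?v` output, in listing order."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    idx_col = header.index("index")      # locate the column instead of assuming position 2
    return [ln.split()[idx_col] for ln in lines[1:]]


def match_index_pattern(pattern, index_names):
    """Indices a Kibana index pattern selects: `*` is a wildcard, like shell globbing."""
    return [name for name in index_names if fnmatch.fnmatchcase(name, pattern)]


def index_pattern_request(pattern, pattern_id, time_field="@timestamp"):
    """Path and JSON body that create the index pattern as a Kibana saved object."""
    body = {"attributes": {"title": pattern, "timeFieldName": time_field}}
    return ("/api/saved_objects/index-pattern/" + pattern_id, json.dumps(body))


def default_index_request(pattern_id):
    """Path and JSON body that set the `defaultIndex` advanced setting."""
    body = {"changes": {"defaultIndex": pattern_id}}
    return ("/api/kibana/settings", json.dumps(body))


def curl_commands(kibana_url, pattern, pattern_id):
    """The two curl invocations to run, in order; kbn-xsrf is required by Kibana."""
    cmds = []
    for path, body in (index_pattern_request(pattern, pattern_id),
                       default_index_request(pattern_id)):
        cmds.append("curl -X POST '%s%s' -H 'kbn-xsrf: true' "
                    "-H 'Content-Type: application/json' -d '%s'"
                    % (kibana_url, path, body))
    return cmds


if __name__ == "__main__":
    names = parse_cat_indices(CAT_INDICES_OUTPUT)
    print("indices:", names)
    for pattern in ("log*", "logstash-*", "*"):
        # "*" also selects Kibana's own .kibana index, so prefer the narrowest pattern that fits.
        print("%-12s matches %s" % (pattern, match_index_pattern(pattern, names)))
    for cmd in curl_commands("http://localhost:5601", "logstash-*", "logstash-star"):
        print(cmd)
```

Running the script prints the sample index names, the indices each of the three patterns selects, and the two curl commands; the second request only makes sense after the first has succeeded, since `defaultIndex` must name an index pattern that already exists in Kibana.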
0

Just go to Kibana -> Management -> Advanced Settings and fill in the "defaultIndex" field. Of course, it is necessary that this index exists in ES.

adel-s
  • 11
  • 4