Raspberry/ELK: Installing Filebeat

Logstash is not really stable on the Raspberry (Java and memory do not get along), and I am having trouble working out what the problem is. So I am going to replace it with Filebeat.
The first step is installing Go:

$ sudo apt-get update
$ sudo apt-get install golang
$ sudo apt-get install git
$ sudo mkdir /go/
$ sudo mkdir /go/src
$ sudo chown -R pi.pi /go/
$ export GOPATH=/go/src
$ export GOPATH=$HOME/go
$ export PATH=/usr/local/go/bin:$PATH:$GOPATH/bin
$ go get github.com/elastic/beats

This hangs..., so I move on to plan B:

$ sudo apt-get install python-virtualenv
$ export GOPATH=$HOME/go
$ mkdir -p $GOPATH/src/github.com/elastic
$ cd $GOPATH/src/github.com/elastic
$ git clone https://github.com/elastic/beats.git
$ cd beats/
$ make
...
$ cd filebeat/
...
scripts/Makefile:308: recipe for target 'fields' failed
make[1]: *** [fields] Error 1
make[1]: Leaving directory '/home/pi/go/src/github.com/elastic/beats/libbeat'
Makefile:20: recipe for target 'testsuite' failed
make: *** [testsuite] Error 1
$ make
go build -i -ldflags "-X github.com/elastic/beats/libbeat/version.buildTime=2018-10-07T17:18:35Z -X github.com/elastic/beats/libbeat/version.commit=cff3e40cfedb9521d7249caaa569668de203dc59"
../vendor/github.com/elastic/go-txfile/file.go:23:2: cannot find package "math/bits" in any of:
	/home/pi/go/src/github.com/elastic/beats/vendor/math/bits (vendor tree)
	/usr/lib/go-1.7/src/math/bits (from $GOROOT)
	/home/pi/go/src/math/bits (from $GOPATH)
../libbeat/scripts/Makefile:99: recipe for target 'filebeat' failed
make: *** [filebeat] Error 1
...
$ git checkout v6.4.2
HEAD is now at e193f6d68... Set CFLAGS for Packetbeat arm64 cross-compile (#7809) (#8409)
$ GOARCH=arm go build
../vendor/github.com/elastic/go-txfile/file.go:23:2: cannot find package "math/bits" in any of:
/home/pi/go/src/github.com/elastic/beats/vendor/math/bits (vendor tree)
/usr/lib/go-1.7/src/math/bits (from $GOROOT)
/home/pi/go/src/math/bits (from $GOPATH)

So I move on to plan C:

$ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-linux-x86.tar.gz
$ tar zxvf filebeat-6.4.2-linux-x86.tar.gz
$ sudo mv filebeat-6.4.2-linux-x86/ /opt/.

Plan D: I switch to an earlier version (v5.6.3):

$ cd go/src/github.com/elastic/beats/
$ git checkout v5.6.3
Previous HEAD position was e193f6d68... Set CFLAGS for Packetbeat arm64 cross-compile (#7809) (#8409)
HEAD is now at c34337071... Bump version to 5.6.3 in the 5.6 branch
$ cd filebeat/
$ export GOPATH=$HOME/go
$ GOARCH=arm go build
$ sudo cp filebeat /sbin/.
$ cat filebeat.yml | grep -v "#" | grep -v "^$"
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/*.log
output.elasticsearch:
  hosts: ["192.168.0.72:9200"]
$ ./filebeat -v

Finally it works!

Raspberry/ELK: Installation on 3 Raspberry Pis

Following on from the article: https://www.cyber-neurones.org/2018/10/raspberry-rsyslog-centralisation-des-logs/

(For now it has just started working by itself... Java is not my thing.)

So I am going to install ELK: E on Raspberry 4 / L on Raspberry 3 / K on Raspberry 5. Note that I had tried putting everything on the same one: https://www.cyber-neurones.org/2018/09/osmc-raspberry-ajout-de-elk-elasticsearch-logstash-kibana-beats-nginx/. But it regularly had to be restarted because of the memory consumption...

Host   Revision  CPU                          MemTotal (kB)  Kernel       IP            Role                       Status
RASP3  a020d3    ARMv7 Processor rev 4 (v7l)  949452         4.14.50-v7+  192.168.0.71  Rsyslog server / Logstash  OK
RASP4  a020d3    ARMv7 Processor rev 4 (v7l)  949452         4.14.50-v7+  192.168.0.72  Elasticsearch              OK
RASP5  a020d3    ARMv7 Processor rev 4 (v7l)  949452         4.14.50-v7+  192.168.0.73  Kibana                     OK

On RASP 4: Installing Elasticsearch:

The commands:

$ sudo apt-get install default-jre
$ sudo apt-get install openjdk-8-jdk
$ sudo apt-get install oracle-java8-jdk
$ sudo apt-get install -y wget apt-transport-https
$ sudo wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.2.deb
$ sudo dpkg -i elasticsearch-5.5.2.deb
$ sudo mkdir /var/lib/elasticsearch/tmp
$ sudo chown elasticsearch.elasticsearch /var/lib/elasticsearch/tmp
$ sudo mkdir /usr/share/elasticsearch/tmp
$ sudo chown elasticsearch.elasticsearch /usr/share/elasticsearch/tmp
$ sudo apt-get install libjna-java
$ sudo find / -name libjnidispatch.so
-> Empty!
$ mkdir /tmp/jna-4.1.0
$ cd /tmp/jna-4.1.0
$ wget https://maven.java.net/content/repositories/releases/net/java/dev/jna/jna/4.1.0/jna-4.1.0.jar
$ wget https://maven.java.net/content/repositories/releases/net/java/dev/jna/jna-platform/4.1.0/jna-platform-4.1.0.jar
$ jar xf jna-4.1.0.jar
$ sudo cp jna-4.1.0.jar  jna-platform-4.1.0.jar /usr/share/java/.
$ sudo cp jna-4.1.0.jar jna.jar /usr/share/elasticsearch/lib/.
$ sudo mkdir /usr/lib/jni
$ cd /usr/lib/jni
$ sudo cp -p /tmp/jna-4.1.0/com/sun/jna/linux-arm/libjnidispatch.so libjnidispatch_4.1.0.so
$ sudo ln -s libjnidispatch_4.1.0.so /usr/lib/arm-linux-gnueabihf/libjnidispatch.so
$ sudo ln -s libjnidispatch_4.1.0.so libjnidispatch.so
$ sudo ln -s /usr/lib/arm-linux-gnueabihf/jni/libjnidispatch.system.so /usr/lib/arm-linux-gnueabihf/jni/libjnidispatch.so
$ sudo cp jna-4.1.0.jar  jna-platform-4.1.0.jar /usr/share/java/.
$ sudo mv /usr/share/java/jna-4.2.2.jar /usr/share/java/jna-4.2.2.jar.orig

Note: if libjna-java is not installed, you get the following error:

[o.e.b.Natives            ] unable to load JNA native support library, native methods will be disabled.
...
java.lang.UnsatisfiedLinkError: Native library (com/sun/jna/linux-arm/libjnidispatch.so) not found in resource path ....

To test, simply run:

$ cd /usr/share/java/
$ java -jar jna-4.2.2.jar 
Exception in thread "main" java.lang.UnsatisfiedLinkError: Native library (com/sun/jna/linux-arm/libjnidispatch.so) not found in resource path ([file:/usr/share/java/jna-4.2.2.jar])
	at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:893)
	at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:853)
	at com.sun.jna.Native.(Native.java:140)

Whereas it should give:

$ cd /usr/share/java/
$ java -jar jna-4.1.0.jar 
Java Native Access (JNA) API Version 4
Version: 4.1.0 (b4)
 Native: 4.0.0 (1a6047467b59e8748f975e03016ce3d9)
 Prefix: linux-arm

Edit the configuration file /etc/elasticsearch/elasticsearch.yml:

...
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.72
#
# Set a custom port for HTTP:
#
http.port: 9200
...

The first start reminds us that it needs memory, alas:

$ sudo service elasticsearch status
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2018-10-05 21:56:12 UTC; 18s ago
     Docs: http://www.elastic.co
  Process: 19316 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet -Edefault.path.logs=${LOG_DIR} -Edefault.path.data=${DA
  Process: 19313 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 19316 (code=exited, status=1/FAILURE)

Oct 05 21:56:12 raspberrypi systemd[1]: Starting Elasticsearch...
Oct 05 21:56:12 raspberrypi systemd[1]: Started Elasticsearch.
Oct 05 21:56:12 raspberrypi elasticsearch[19316]: Error occurred during initialization of VM
Oct 05 21:56:12 raspberrypi elasticsearch[19316]: Could not reserve enough space for 2097152KB object heap
Oct 05 21:56:12 raspberrypi systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
Oct 05 21:56:12 raspberrypi systemd[1]: elasticsearch.service: Unit entered failed state.
Oct 05 21:56:12 raspberrypi systemd[1]: elasticsearch.service: Failed with result 'exit-code'.

Edit the file /etc/elasticsearch/jvm.options:

...
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms500m
-Xmx800m
...

For information, here is the memory before the setup: 200 MB used out of 1000 MB:

And restart:

$ sudo service elasticsearch start
$ sudo service elasticsearch status
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-10-05 21:59:00 UTC; 3s ago
     Docs: http://www.elastic.co
  Process: 19472 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 19475 (java)
   CGroup: /system.slice/elasticsearch.service
           └─19475 /usr/bin/java -Xms500m -Xmx800m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTou

Oct 05 21:59:00 raspberrypi systemd[1]: Starting Elasticsearch...
Oct 05 21:59:00 raspberrypi systemd[1]: Started Elasticsearch.

On RASP 3: Installing Logstash:

The commands:

$ sudo apt-get install oracle-java8-jdk
$ sudo apt-get install -y wget apt-transport-https
$ sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-5.5.2.deb
$ sudo dpkg -i logstash-5.5.2.deb
$ sudo service logstash status 
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-10-06 10:23:58 UTC; 4s ago
 Main PID: 25708 (java)
   CGroup: /system.slice/logstash.service
           └─25708 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccup

Oct 06 10:23:58 raspberrypi systemd[1]: Started logstash.

Two configuration files are added:

$ cat /etc/logstash/conf.d/10-syslog.conf 
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

$ cat /etc/logstash/conf.d/30-elasticsearch-output.conf 
output {
  elasticsearch {
    hosts => ["192.168.0.72:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
$ sudo service logstash restart
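The grok pattern in 10-syslog.conf, as an added example that is not part of the original post: the same pattern re-expressed as a POSIX extended regex so it can be checked against sample syslog lines with sed, without a running Logstash. Sample lines, the regex and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: the syslog grok pattern from
# 10-syslog.conf re-expressed as a POSIX extended regex, so the pattern can be
# exercised against sample lines with sed, without a running Logstash.
#
# Grok pattern being mirrored:
#   %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
#   %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}
#
# Groups: 1 timestamp, 2 hostname, 3 program, 4 "[pid]", 5 pid (empty when the
# line has none), 6 message. The brackets around the pid are escaped so they
# match literally; left unescaped they form a character class and lines such
# as "elasticsearch[949]: ..." no longer match. SYSLOGHOST and DATA are
# approximated as "no spaces" and "no space, colon or bracket" respectively.
SYSLOG_RE='^([A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}) ([^ ]+) ([^][ :]+)(\[([0-9]+)\])?: (.*)$'

# parse_syslog LINE -> prints "timestamp|hostname|program|pid|message";
# returns 1 when the line does not match (Logstash would tag the event
# _grokparsefailure).
parse_syslog() {
    out=$(printf '%s\n' "$1" | sed -E -n "s/$SYSLOG_RE/\1|\2|\3|\5|\6/p")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# syslog_field LINE N -> field N (1..5) of parse_syslog, empty on no match
syslog_field() {
    parse_syslog "$1" | cut -d '|' -f "$2"
}

# count_grokparsefailures FILE -> how many lines of FILE the pattern rejects;
# a rising count is the first sign that a log source changed its format.
count_grokparsefailures() {
    n=0
    while IFS= read -r line; do
        parse_syslog "$line" >/dev/null || n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

# Constructed sample lines, in the shape rsyslog on RASP3 forwards to Logstash.
LINE_WITH_PID='Oct  6 19:13:14 RASP4 elasticsearch[949]: Started Elasticsearch.'
LINE_NO_PID='Oct  6 10:23:58 RASP3 kernel: Booting Linux'
LINE_BAD='this is not a syslog line'

for l in "$LINE_WITH_PID" "$LINE_NO_PID" "$LINE_BAD"; do
    parse_syslog "$l" || printf '_grokparsefailure: %s\n' "$l"
done
```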

On RASP 5: Installing Kibana:

The commands:

$ sudo apt-get install oracle-java8-jdk
$ sudo apt-get install -y wget apt-transport-https
$ sudo wget https://artifacts.elastic.co/downloads/kibana/kibana-5.5.2-linux-x86.tar.gz
$ sudo tar xvzf kibana-5.5.2-linux-x86.tar.gz
$ sudo mv kibana-5.5.2-linux-x86 /opt/.
$ sudo wget https://nodejs.org/download/release/v6.10.2/node-v6.10.2-linux-armv6l.tar.gz
$ tar xzf node-v6.10.2-linux-armv6l.tar.gz
$ sudo cp node-v6.10.2-linux-armv6l/bin/node /usr/local/bin/node
$ sudo cp node-v6.10.2-linux-armv6l/bin/npm /usr/local/bin/npm
$ sudo mv /opt/kibana-5.5.2-linux-x86/node/bin/node  /opt/kibana-5.5.2-linux-x86/node/bin/node.orig
$ sudo mv /opt/kibana-5.5.2-linux-x86/node/bin/npm  /opt/kibana-5.5.2-linux-x86/node/bin/npm.orig
$ sudo ln -s /usr/local/bin/node /opt/kibana-5.5.2-linux-x86/node/bin/node
$ sudo ln -s /usr/local/bin/npm /opt/kibana-5.5.2-linux-x86/node/bin/npm

Edit the file /opt/kibana-5.5.2-linux-x86/config/kibana.yml:

$ cat /opt/kibana-5.5.2-linux-x86/config/kibana.yml | grep -v '^#' | grep -v '^$'
server.port: 5601
server.host: "localhost"
elasticsearch.url: "http://192.168.0.72:9200"

Create the file /etc/systemd/system/kibana.service:

$ cat /etc/systemd/system/kibana.service 
[Unit]
Description=Kibana

[Service]
ExecStart=/opt/kibana-5.5.2-linux-x86/bin/kibana
StandardOutput=null

[Install]
WantedBy=multi-user.target

Start:

$ sudo service kibana start
$ sudo service kibana status
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-10-06 13:23:13 UTC; 4s ago
 Main PID: 26297 (node)
   CGroup: /system.slice/kibana.service
           └─26297 /opt/kibana-5.5.2-linux-x86/bin/../node/bin/node --no-warnings /opt/kibana-5.5.2-linux-x86/bin/../src/cli

Oct 06 13:23:13 raspberrypi systemd[1]: Started Kibana.

Installing Nginx:
$ sudo apt-get install nginx

Note on the error: when you get this type of error, you need to run apt-get update:

$ sudo apt-get install apache2-utils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libapr1 libaprutil1
The following NEW packages will be installed:
  apache2-utils libapr1 libaprutil1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 218 kB/374 kB of archives.
After this operation, 814 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apache2-utils armhf 2.4.25-3+deb9u4
  404  Not Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apache2/apache2-utils_2.4.25-3+deb9u4_armhf.deb  404  Not Found [IP: 93.93.128.193 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
$ sudo apt update

$ sudo apt-get install apache2-utils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libapr1 libaprutil1
The following NEW packages will be installed:
  apache2-utils libapr1 libaprutil1
0 upgraded, 3 newly installed, 0 to remove and 48 not upgraded.
Need to get 219 kB/374 kB of archives.
After this operation, 814 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ftp.igh.cnrs.fr/pub/os/linux/raspbian/raspbian stretch/main armhf apache2-utils armhf 2.4.25-3+deb9u5 [219 kB]
Fetched 219 kB in 1s (204 kB/s)    
Selecting previously unselected package libapr1:armhf.
(Reading database ... 36061 files and directories currently installed.)
Preparing to unpack .../libapr1_1.5.2-5_armhf.deb ...
Unpacking libapr1:armhf (1.5.2-5) ...
Selecting previously unselected package libaprutil1:armhf.
Preparing to unpack .../libaprutil1_1.5.4-3_armhf.deb ...
Unpacking libaprutil1:armhf (1.5.4-3) ...
Selecting previously unselected package apache2-utils.
Preparing to unpack .../apache2-utils_2.4.25-3+deb9u5_armhf.deb ...
Unpacking apache2-utils (2.4.25-3+deb9u5) ...
Setting up libapr1:armhf (1.5.2-5) ...
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Setting up libaprutil1:armhf (1.5.4-3) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up apache2-utils (2.4.25-3+deb9u5) ...
Processing triggers for libc-bin (2.24-11+deb9u3) ...

Edit /etc/nginx/sites-available/default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name _;

        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;

        location / {
                proxy_pass http://localhost:5601;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}

Add a password:

$ sudo htpasswd -c /etc/nginx/htpasswd.users kibana_admin

And start:

$ sudo systemctl enable nginx.service
Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx
$ sudo service nginx status

On all the RASPs I change the hostnames and enable the services at boot:

Edit /etc/hosts:

192.168.0.71    RASP3 
192.168.0.72    RASP4
192.168.0.73    RASP5

RASP4:

$ sudo systemctl enable elasticsearch.service 
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.
$ cat /etc/hostname 
RASP4
$ sudo reboot

RASP3:

$ sudo systemctl enable logstash.service 
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /etc/systemd/system/logstash.service.
$ cat /etc/hostname 
RASP3
$ sudo reboot

RASP5:

$ sudo systemctl enable kibana.service 
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service → /etc/systemd/system/kibana.service.
$ cat /etc/hostname 
RASP5
$ sudo reboot

In summary:

For now it is a failure because of Elasticsearch:

[o.e.b.JNANatives         ] unable to install syscall filter: 
java.lang.UnsupportedOperationException: seccomp unavailable: 'arm' architecture unsupported

So I tried installing a more recent version (see here for the latest version: https://www.elastic.co/fr/downloads/elasticsearch):

$ sudo wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.2.deb
$ sudo dpkg -i  elasticsearch-6.4.2.deb

But I still get the error, with a crash:

$ sudo journalctl -u elasticsearch -f
-- Logs begin at Sat 2018-10-06 13:03:13 UTC. --
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,991 main ERROR Null object returned for RollingFile in Appenders.
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,992 main ERROR Null object returned for RollingFile in Appenders.
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,994 main ERROR Unable to locate appender "rolling" for logger config "root"
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,995 main ERROR Unable to locate appender "index_indexing_slowlog_rolling" for logger config "index.indexing.slowlog.index"
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,997 main ERROR Unable to locate appender "audit_rolling" for logger config "org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail"
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,998 main ERROR Unable to locate appender "index_search_slowlog_rolling" for logger config "index.search.slowlog"
Oct 06 19:13:14 RASP4 elasticsearch[949]: 2018-10-06 19:13:13,999 main ERROR Unable to locate appender "deprecation_rolling" for logger config "org.elasticsearch.deprecation"
Oct 06 19:13:14 RASP4 systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
Oct 06 19:13:14 RASP4 systemd[1]: elasticsearch.service: Unit entered failed state.
Oct 06 19:13:14 RASP4 systemd[1]: elasticsearch.service: Failed with result 'exit-code'.

I think the default JNA is not right:

$ ls -l /usr/share/elasticsearch/lib/jna*
-rw-r--r-- 1 root root 914597 Oct  6 18:54 /usr/share/elasticsearch/lib/jna-4.1.0.jar
-rw-r--r-- 1 root root 885297 Sep 26 13:39 /usr/share/elasticsearch/lib/jna-4.5.1.jar
$ java -jar /usr/share/elasticsearch/lib/jna-4.1.0.jar 
Java Native Access (JNA) API Version 4
Version: 4.1.0 (b4)
 Native: 4.0.0 (1a6047467b59e8748f975e03016ce3d9)
 Prefix: linux-arm
$ java -jar  /usr/share/elasticsearch/lib/jna-4.5.1.jar
Exception in thread "main" java.lang.UnsatisfiedLinkError: Native library (com/sun/jna/linux-armel/libjnidispatch.so) not found in resource path ([file:/usr/share/elasticsearch/lib/jna-4.5.1.jar])
	at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:962)
	at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922)
	at com.sun.jna.Native.(Native.java:190)
$ sudo rm /usr/share/elasticsearch/lib/jna-4.5.1.jar

I think the error "ERROR Null object returned for RollingFile in Appenders" is a permissions problem:

$ sudo chown -R elasticsearch.elasticsearch /usr/share/elasticsearch/

Note that my log file is empty even though everything is in debug mode:

$ sudo grep level /etc/elasticsearch/log4j2.properties
logger.action.level = debug
rootLogger.level = debug
logger.deprecation.level = debug
logger.index_search_slowlog_rolling.level = debug
logger.index_indexing_slowlog.level = debug
logger.xpack_security_audit_logfile.level = debug
logger.xmlsig.level = debug
logger.samlxml_decrypt.level = debug
logger.saml2_decrypt.level = debug

The rest works correctly:

Update: new attempt at a fix:

$ sudo mkdir /home/elasticsearch 
$ chown elasticsearch.elasticsearch /home/elasticsearch
$ sudo apt-get install locate

I just noticed that the log file was /usr/share/elasticsearch/logs/elasticsearch.log, whereas before it was /var/log/elasticsearch/elasticsearch.log.
So the error is:

X-Pack is not supported and Machine Learning is not available for [linux-arm]; you can use the other X-Pack features (unsupported) by setting xpack.ml.enabled: false in elasticsearch.yml

So I made a change in the configuration file /etc/elasticsearch/elasticsearch.yml:

network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.ml.enabled: false

Also an error with:

transport.tcp.port: 9300
transport.host: 192.168.0.72

The error is:

bound or publishing to a non-loopback address, enforcing bootstrap checks

In the end it worked with the following file:

transport.host: localhost
transport.tcp.port: 9300
http.port: 9200
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.ml.enabled: false
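The nginx front end with basic auth in front of Kibana (above) and this final elasticsearch.yml together decide what the LAN can reach: Kibana only through the authenticated proxy, but the Elasticsearch HTTP API on 9200 bound to 0.0.0.0 with xpack.security.enabled: false, that is, with no authentication at all. The following is an added example, not part of the original post: a small shell audit that reads the three configuration files and reports each service's exposure. The sample files are constructed copies of the settings quoted in the post, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a small exposure audit of the
# configuration this setup ends up with. Kibana on RASP5 listens on localhost
# and is only reachable through nginx with HTTP basic auth, but the final
# elasticsearch.yml on RASP4 binds the HTTP API to 0.0.0.0 with
# xpack.security.enabled: false, so port 9200 answers to anyone on the LAN
# without authentication. Sample files are constructed from the settings
# quoted in the post and written to a temporary directory.

# yaml_value FILE KEY -> value of the first top-level "KEY: value" line, with
# comments ignored and surrounding double quotes removed; empty if absent.
yaml_value() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "^$2:" | head -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/^"(.*)"$/\1/'
}

# es_exposure ES_YML -> loopback-only | authenticated | open
# Anything other than an explicit xpack.security.enabled: true counts as
# unauthenticated, which is what the post's final configuration is.
es_exposure() {
    host=$(yaml_value "$1" network.host)
    case "$host" in
        ""|localhost|127.0.0.1|_local_) echo loopback-only; return ;;
    esac
    if [ "$(yaml_value "$1" xpack.security.enabled)" = "true" ]; then
        echo authenticated
    else
        echo open
    fi
}

# kibana_exposure KIBANA_YML NGINX_SITE -> direct | proxied+auth | proxied-noauth
# Kibana's default server.host is localhost, so an absent key means loopback.
kibana_exposure() {
    case "$(yaml_value "$1" server.host)" in
        ""|localhost|127.0.0.1) ;;
        *) echo direct; return ;;
    esac
    if grep -Eq '^[[:space:]]*auth_basic[[:space:]]+' "$2" \
        && grep -Eq '^[[:space:]]*auth_basic_user_file[[:space:]]+' "$2"; then
        echo proxied+auth
    else
        echo proxied-noauth
    fi
}

# audit ES_YML KIBANA_YML NGINX_SITE -> one status line per service
audit() {
    printf 'elasticsearch (9200): %s\n' "$(es_exposure "$1")"
    printf 'kibana (5601 via nginx:80): %s\n' "$(kibana_exposure "$2" "$3")"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the final /etc/elasticsearch/elasticsearch.yml on RASP4.
cat > "$WORK/elasticsearch.yml" <<'EOF'
transport.host: localhost
transport.tcp.port: 9300
http.port: 9200
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.ml.enabled: false
EOF

# Constructed copy of kibana.yml on RASP5 (non-comment lines only).
cat > "$WORK/kibana.yml" <<'EOF'
server.port: 5601
server.host: "localhost"
elasticsearch.url: "http://192.168.0.72:9200"
EOF

# Constructed, trimmed copy of /etc/nginx/sites-available/default on RASP5.
cat > "$WORK/nginx-default" <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;
    location / { proxy_pass http://localhost:5601; }
}
EOF

audit "$WORK/elasticsearch.yml" "$WORK/kibana.yml" "$WORK/nginx-default"
```

Because Logstash and Kibana run on other Pis, Elasticsearch cannot simply be moved back to loopback; without X-Pack security on this platform, restricting 9200 to RASP3 and RASP5 with a host firewall is the usual fallback.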

But now I need to upgrade Kibana: "This version of Kibana requires Elasticsearch v5.5.2 on all nodes".

$ sudo wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.2-linux-x86_64.tar.gz
$ tar zxvf kibana-6.4.2-linux-x86_64.tar.gz
$ sudo mv kibana-6.4.2-linux-x86_64/ /opt/. 
$ sudo mv /opt/kibana-6.4.2-linux-x86_64/node/bin/npm /opt/kibana-6.4.2-linux-x86_64/node/bin/npm.org
$ sudo mv /opt/kibana-6.4.2-linux-x86_64/node/bin/node /opt/kibana-6.4.2-linux-x86_64/node/bin/node.org
$ sudo ln -s /usr/local/bin/node /opt/kibana-6.4.2-linux-x86_64/node/bin/node
$ sudo ln -s /usr/local/bin/npm /opt/kibana-6.4.2-linux-x86_64/node/bin/npm
$ /opt/kibana-6.4.2-linux-x86_64/bin/kibana
Kibana does not support the current Node.js version v6.10.2. Please use Node.js v8.11.4.
$ sudo wget https://nodejs.org/download/release/v8.11.4/node-v8.11.4-linux-armv6l.tar.gz
$ tar zxvf node-v8.11.4-linux-armv6l.tar.gz
$ sudo cp node-v8.11.4-linux-armv6l/bin/node /usr/local/bin/node 
$ sudo cp node-v8.11.4-linux-armv6l/bin/npm /usr/local/bin/npm 
$ sudo cp node-v8.11.4-linux-armv6l/bin/npx /usr/local/bin/.
$ cp  /opt/kibana-5.5.2-linux-x86/config/kibana.yml /opt/kibana-6.4.2-linux-x86_64/config/kibana.yml

Changing the binary path:

$ sudo cat /etc/systemd/system/multi-user.target.wants/kibana.service 
[Unit]
Description=Kibana

[Service]
#ExecStart=/opt/kibana-5.5.2-linux-x86/bin/kibana
ExecStart=/opt/kibana-6.4.2-linux-x86_64/bin/kibana
StandardOutput=null

[Install]
WantedBy=multi-user.target
$ sudo systemctl status kibana.service 
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-10-06 21:11:09 UTC; 1min 21s ago
 Main PID: 19648 (node)
   CGroup: /system.slice/kibana.service
           └─19648 /opt/kibana-5.5.2-linux-x86/bin/../node/bin/node --no-warnings /opt/kibana-5.5.2-linux-x86/bin/../src/cli

Oct 06 21:11:09 RASP5 systemd[1]: Started Kibana.

Now I need to finish off Elasticsearch:

$ sudo  /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip

And also upgrade Logstash:

$ sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.deb
$  sudo dpkg -i logstash-6.4.2.deb
...
Java HotSpot(TM) Client VM warning: INFO: os::commit_memory(0x37800000, 1006632960, 0) failed; error='Cannot allocate memory' (errno=12)
/usr/share/logstash/bin/system-install: line 88: #: command not found

$ sudo ln -s /etc/logstash/ /usr/share/logstash/config

Bad idea...

Misery.

Update: I just looked at the Logstash logs and it is a mess.

$ grep "ERROR" /var/log/logstash/logstash-plain.log | grep  "java.lang.IllegalStateException: Logstash stopped processing because of an error" | wc -l
285

The full error is as follows:

[ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (LoadError) Could not load FFI Provider: (NotImplementedError) FFI not available: java.lang.UnsatisfiedLinkError: /tmp/jffi1286084619674356675.so: /tmp/jffi1286084619674356675.so: cannot open shared object file: No such file or directory
...
See http://jira.codehaus.org/browse/JRUBY-4583

I am trying a change to /etc/logstash/jvm.options:

$ cat /etc/logstash/jvm.options | grep -v "^$" | grep -v "^#"
-Xms200m
-Xmx500m
-Djruby.native.verbose=true  
-Djava.io.tmpdir=/tmp/
-XX:+UseParNewGC
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
-Djava.awt.headless=true
-Dfile.encoding=UTF-8
-Djruby.compile.invokedynamic=true
-Djruby.jit.threshold=0
-XX:+HeapDumpOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom

 

macOS High Sierra: Installing ELK

Here is the Mac, running version 10.13.16:

Note that it has 16 GB of RAM; with ELK the minimum is 6 GB... so with 8 GB I think it is not worth it. You can still do it on a Raspberry with a minimal configuration, but I observe that with less than 6 GB it works noticeably less well.

Step 1: Installing Homebrew:

#/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
==> This script will install:
/usr/local/bin/brew
/usr/local/share/doc/homebrew
/usr/local/share/man/man1/brew.1
/usr/local/share/zsh/site-functions/_brew
/usr/local/etc/bash_completion.d/brew
/usr/local/Homebrew
==> The following new directories will be created:
/usr/local/Caskroom

Press RETURN to continue or any other key to abort
....
==> Downloading and installing Homebrew...
remote: Enumerating objects: 3965, done.
remote: Counting objects: 100% (3965/3965), done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 13167 (delta 3945), reused 3960 (delta 3942), pack-reused 9202
Receiving objects: 100% (13167/13167), 2.93 MiB | 910.00 KiB/s, done.
Resolving deltas: 100% (10207/10207), completed with 870 local objects.
From https://github.com/Homebrew/brew
....
==> Renamed Formulae
cdiff -> ydiff                         geth -> ethereum                       php56 -> php@5.6                       php71 -> php@7.1                       saltstack -> salt
crystal-lang -> crystal                latexila -> gnome-latex                php70 -> php@7.0                       rebar@3 -> rebar3                      wpcli-completion -> wp-cli-completion
==> Deleted Formulae
arm                        boot2docker                ghc@8.0                    i3status                   mal4s                      nazghul                    submarine
artifactory-cli-go         boot2docker-completion     gnupg@2.0                  llvm@3.7                   mediatomb                  node@4                     ufoai
aws-cloudsearch            dirmngr                    gpg-agent                  llvm@3.8                   mimetic                    picolisp                   voltdb
bokken                     ecj                        i3                         luciddb                    monotone                   python3                    wry
==> Installation successful!

==> Homebrew has enabled anonymous aggregate formulae and cask analytics.
Read the analytics documentation (and how to opt-out) here:
  https://docs.brew.sh/Analytics.html

==> Homebrew is run entirely by unpaid volunteers. Please consider donating:
  https://github.com/Homebrew/brew#donations
==> Next steps:
- Run `brew help` to get started
- Further documentation: 
    https://docs.brew.sh


#brew update
Already up-to-date.

In summary, two security prompts that have to be allowed:

Step 2: Installing Java:

Normally you type the command:

# java -version
No Java runtime present, requesting install.

If Java is not present, the following window opens:
Follow this link to do the installation: https://support.apple.com/kb/dl1572?locale=fr_FR or alternatively https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html (jdk-8u181-macosx-x64.dmg)

Step 3: Installing Elasticsearch

The commands:

# brew install elasticsearch && brew info elasticsearch
==> Downloading https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.4.1.tar.gz
...
==> Summary
🍺  /usr/local/Cellar/elasticsearch/6.4.1: 118 files, 36MB, built in 55 seconds
elasticsearch: stable 6.4.1, HEAD
Distributed search & analytics engine
https://www.elastic.co/products/elasticsearch
/usr/local/Cellar/elasticsearch/6.4.1 (118 files, 36MB) *
  Built from source on 2018-09-26 at 09:37:48
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/elasticsearch.rb
==> Requirements
Required: java = 1.8 ✔
==> Options
--HEAD
	Install HEAD version
...
==> Analytics
install: 8,330 (30d), 30,977 (90d), 152,516 (365d)
install_on_request: 7,623 (30d), 26,652 (90d), 117,574 (365d)
build_error: 10 (30d)

Starting Elasticsearch:

# brew services start elasticsearch
==> Tapping homebrew/services
Cloning into '/usr/local/Homebrew/Library/Taps/homebrew/homebrew-services'...
remote: Enumerating objects: 14, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 14 (delta 0), reused 8 (delta 0), pack-reused 0
Unpacking objects: 100% (14/14), done.
Tapped 1 command (44 files, 58.9KB).
==> Successfully started `elasticsearch` (label: homebrew.mxcl.elasticsearch)

A first test can be done at: http://localhost:9200

Step 4: Installing Logstash

Running the installation:

# brew install logstash
==> Downloading https://artifacts.elastic.co/downloads/logstash/logstash-oss-6.4.1.tar.gz
######################################################################## 100.0%
==> Caveats
Please read the getting started guide located at:
  https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html

To have launchd start logstash now and restart at login:
  brew services start logstash
Or, if you don't want/need a background service you can just run:
  logstash
==> Summary
🍺  /usr/local/Cellar/logstash/6.4.1: 12,009 files, 247.1MB, built in 4 minutes 12 seconds

Starting the service:

# brew services start logstash
==> Successfully started `logstash` (label: homebrew.mxcl.logstash

Step 5: Installing Kibana

Installation:

# brew install kibana
==> Downloading https://homebrew.bintray.com/bottles/kibana-6.4.1.high_sierra.bottle.tar.gz
...
==> Pouring kibana-6.4.1.high_sierra.bottle.tar.gz
==> Caveats
Config: /usr/local/etc/kibana/
If you wish to preserve your plugins upon upgrade, make a copy of
/usr/local/opt/kibana/plugins before upgrading, and copy it into the
new keg location after upgrading.

To have launchd start kibana now and restart at login:
  brew services start kibana
Or, if you don't want/need a background service you can just run:
  kibana
==> Summary
🍺  /usr/local/Cellar/kibana/6.4.1: 47,176 files, 256.3MB

Start:

# brew services start kibana
==> Successfully started `kibana` (label: homebrew.mxcl.kibana)

Checking the services:

# brew services list
Name          Status  User      Plist
elasticsearch started .... /Users/..../Library/LaunchAgents/homebrew.mxcl.elasticsearch.plist
kibana        started .... /Users/..../Library/LaunchAgents/homebrew.mxcl.kibana.plist
logstash      started .... /Users/..../Library/LaunchAgents/homebrew.mxcl.logstash.plist

Step 6: Configuring Kibana

Change the kibana.yml configuration:

# sudo vi /usr/local/etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# The Kibana server's name.  This is used for display purposes.
server.name: "MacOSFred"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://localhost:9200"

Restart it:

# brew services restart kibana
Stopping `kibana`... (might take a while)
==> Successfully stopped `kibana` (label: homebrew.mxcl.kibana)
==> Successfully started `kibana` (label: homebrew.mxcl.kibana)

And we test via the URL: http://localhost:5601/status :

Now we add a few things …

STEP 6: CONFIGURING LOGSTASH:

Editing the syslog.conf file:

# sudo  mkdir -p /etc/logstash/conf.d/
# sudo vim /etc/logstash/conf.d/syslog.conf
# brew services restart logstash
Stopping `logstash`... (might take a while)
==> Successfully stopped `logstash` (label: homebrew.mxcl.logstash)
==> Successfully started `logstash` (label: homebrew.mxcl.logstash)

STEP 7: INSTALLING FILEBEAT:

# cd /usr/local/
# sudo bin/elasticsearch-plugin install ingest-geoip
-> Downloading ingest-geoip from elastic
[=================================================] 100%   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.reflect.ReflectPermission suppressAccessChecks
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed ingest-geoip

# brew services restart elasticsearch
Stopping `elasticsearch`... (might take a while)
==> Successfully stopped `elasticsearch` (label: homebrew.mxcl.elasticsearch)
==> Successfully started `elasticsearch` (label: homebrew.mxcl.elasticsearch)
# sudo curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.1-darwin-x86_64.tar.gz
...
# sudo tar xzvf filebeat-6.4.1-darwin-x86_64.tar.gz
# cd filebeat-6.4.1-darwin-x86_64/

# sudo mkdir -p /var/log/Filebeat/registry

Careful: outbound connections must be allowed:

Editing filebeat.yml:

# sudo vi filebeat.yml

# sudo cat filebeat.yml | grep -v "#" | grep -v "^$" 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
  host: "127.0.0.1:5601"
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]

# sudo ./filebeat modules enable system
Enabled system

# sudo ./filebeat setup
Loaded index template
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Loaded machine learning job configurations

To watch it at runtime:

# sudo ./filebeat -e

To be continued.

Note that the next goal is to add as many logs as possible; the following command should help you find a few log files:

$ lsof | grep "REG" | grep "\.log$"

OSMC/Raspberry: Adding ELK (Elasticsearch / Logstash / Kibana / Beats / Nginx)

The goal is to install ELK on an OSMC/Raspberry that is already up and running … so as not to buy a new Raspberry Pi …

For the OSMC installation see: https://www.cyber-neurones.org/2016/09/installation-un-media-center-avec-osmc-sur-un-raspberry-pi-3-model-b/ , « Installation un media-center avec OSMC sur un Raspberry Pi 3 Model B » (done on

The first step is to open a console, then SSH to the IP with the login osmc and the password osmc (if not changed):

Some information before the installations

# hostnamectl 
   Static hostname: osmc
         Icon name: computer
           Chassis: n/a
        Machine ID: 1671b5b617884fdf85a465a5ac731b8f
           Boot ID: aa6d496d3a6f4261bc752f881dec919b
  Operating System: Open Source Media Center
            Kernel: Linux 4.4.16-4-osmc
      Architecture: arm
# cat /proc/cpuinfo 
processor	: 0
model name	: ARMv7 Processor rev 4 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xd03
CPU revision	: 4

processor	: 1
model name	: ARMv7 Processor rev 4 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xd03
CPU revision	: 4

processor	: 2
model name	: ARMv7 Processor rev 4 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xd03
CPU revision	: 4

processor	: 3
model name	: ARMv7 Processor rev 4 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xd03
CPU revision	: 4

Hardware	: BCM2709
Revision	: a22082
Serial		: 00000000bf2140a5
# uptime 
 17:36:15 up  1:42,  1 user,  load average: 0,04, 0,26, 0,22

Step 1: Installing Java (nobody's perfect)

# sudo apt-get install software-properties-common
# sudo add-apt-repository ppa:webupd8team/java
# sudo apt-get update
# sudo apt-get install oracle-java8-installer
-> Error: Unable to locate package oracle-java8-installer
# sudo add-apt-repository ppa:openjdk-r/ppa
# sudo apt-get update
# sudo apt-get install openjdk-8-jdk
-> Error: Package 'openjdk-8-jdk' has no installation candidate
-->W: Failed to fetch http://ppa.launchpad.net/openjdk-r/ppa/ubuntu/dists/jessie/main/binary-armhf/Packages  404  Not Found
-->W: Failed to fetch http://ppa.launchpad.net/webupd8team/java/ubuntu/dists/jessie/main/binary-armhf/Packages  404  Not Found

Java misery …

# sudo -s
# echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" \
    | tee /etc/apt/sources.list.d/webupd8team-java.list
# echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" \
    | tee -a /etc/apt/sources.list.d/webupd8team-java.list
# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
# apt-get update
# apt-get install oracle-java8-installer
exit

I hate Java … quick test:

# java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) Client VM (build 25.181-b13, mixed mode)

But I think the ideal would have been to do:

# sudo apt-get install default-jre
# java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) Client VM (build 25.181-b13, mixed mode)

With that command we would have had the default JRE …

Step 2: Installing the tools.

# apt-get install -y wget apt-transport-https

Step 3: Installing Elasticsearch

# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elk.list
# apt-get update
# apt-get install -y elasticsearch
--> Error: Unable to locate package elasticsearch

We try plan B:

# sudo mkdir /usr/share/elasticsearch
# cd /usr/share/elasticsearch
# wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# apt-get update
# apt-get install elasticsearch
--> Error: Unable to locate package elasticsearch

We try plan C:

# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
# sudo apt-get update && sudo apt-get install elasticsearch

We try plan D:

# sudo wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.2.deb
# sudo dpkg -i elasticsearch-5.5.2.deb

Editing the /etc/elasticsearch/elasticsearch.yml file:

# cat /etc/elasticsearch/elasticsearch.yml | grep -v "#"
network.host: 127.0.0.1
http.port: 9200

Starting:

# sudo service elasticsearch start
# sudo service elasticsearch status
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled)
   Active: failed (Result: exit-code) since mer. 2018-09-19 18:07:39 UTC; 2s ago
     Docs: http://www.elastic.co
  Process: 5873 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet -Edefault.path.logs=${LOG_DIR} -Edefault.path.data=${DATA_DIR} -Edefault.path.conf=${CONF_DIR} (code=exited, status=1/FAILURE)
  Process: 5869 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 5873 (code=exited, status=1/FAILURE)

sept. 19 18:07:39 osmc elasticsearch[5873]: Error occurred during initialization of VM
sept. 19 18:07:39 osmc elasticsearch[5873]: Could not reserve enough space for 2097152KB object heap
sept. 19 18:07:39 osmc systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILURE
sept. 19 18:07:39 osmc systemd[1]: Unit elasticsearch.service entered failed state.

Misery … JAVA is starting to get on my nerves … Editing the /etc/elasticsearch/jvm.options file:

# cat /etc/elasticsearch/jvm.options  | grep Xm
## -Xms4g
## -Xmx4g
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
#-Xms2g
-Xms200m
#-Xmx2g
-Xmx500m

New test:

# sudo service elasticsearch start
# sudo service elasticsearch status
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled)
   Active: active (running) since mer. 2018-09-19 18:11:26 UTC; 3s ago
     Docs: http://www.elastic.co
  Process: 5940 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 5944 (java)
   CGroup: /system.slice/elasticsearch.service
           └─5944 /usr/bin/java -Xms200m -Xmx500m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava....

Step 4: Installing Logstash:

# sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-5.5.2.deb
# sudo dpkg -i logstash-5.5.2.deb
Sélection du paquet logstash précédemment désélectionné.
(Lecture de la base de données... 26506 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de logstash-5.5.2.deb ...
Dépaquetage de logstash (1:5.5.2-1) ...
Paramétrage de logstash (1:5.5.2-1) ...
Using provided startup.options file: /etc/logstash/startup.options
Java HotSpot(TM) Client VM warning: TieredCompilation is disabled in this release.
io/console on JRuby shells out to stty for most operations
/usr/share/logstash/vendor/bundle/jruby/1.9/gems/pleaserun-0.0.30/lib/pleaserun/installer.rb:46 warning: executable? does not in this environment and will return a dummy value
Successfully created system startup script for Logstash

Step 5: Installing JFFI:

# sudo apt-get install ant
# sudo apt-get install git
# sudo git clone https://github.com/jnr/jffi.git
# cd jffi
# sudo ant jar
# sudo ant jar
Buildfile: /root/jffi/build.xml

-pre-init:

-init-vars:
    [mkdir] Created dir: /root/jffi/build/jni

-post-init:

-init:

-pre-jar:

-pre-compile:

-do-compile:
    [mkdir] Created dir: /root/jffi/build/classes
    [javac] Compiling 42 source files to /root/jffi/build/classes
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.6
    [javac] /root/jffi/src/main/java/com/kenai/jffi/MemoryIO.java:847: warning: Unsafe is internal proprietary API and may be removed in a future release
    [javac]         protected static sun.misc.Unsafe unsafe = sun.misc.Unsafe.class.cast(getUnsafe());
    [javac]                                  ^
    [javac] /root/jffi/src/main/java/com/kenai/jffi/MemoryIO.java:847: warning: Unsafe is internal proprietary API and may be removed in a future release
    [javac]         protected static sun.misc.Unsafe unsafe = sun.misc.Unsafe.class.cast(getUnsafe());
    [javac]                                                           ^
    [javac] Note: /root/jffi/src/main/java/com/kenai/jffi/ClosureMagazine.java uses or overrides a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 3 warnings

-generate-version-source:
     [echo] Generating Version.java
    [mkdir] Created dir: /root/jffi/build/java/com/kenai/jffi

-generate-version:
    [javac] Compiling 1 source file to /root/jffi/build/classes
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.6
    [javac] 1 warning

-compile-java:

-generate-native-headers:

-build-native-library:

BUILD FAILED
/root/jffi/build.xml:344: Execute failed: java.io.IOException: Cannot run program "make": error=2, Aucun fichier ou dossier de ce type
	at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
	at java.lang.Runtime.exec(Runtime.java:620)
	at org.apache.tools.ant.taskdefs.launcher.Java13CommandLauncher.exec(Java13CommandLauncher.java:58)
	at org.apache.tools.ant.taskdefs.Execute.launch(Execute.java:428)
	at org.apache.tools.ant.taskdefs.Execute.execute(Execute.java:442)
	at org.apache.tools.ant.taskdefs.ExecTask.runExecute(ExecTask.java:628)
	at org.apache.tools.ant.taskdefs.ExecTask.runExec(ExecTask.java:669)
	at org.apache.tools.ant.taskdefs.ExecTask.execute(ExecTask.java:495)
	at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
	at org.apache.tools.ant.Task.perform(Task.java:348)
	at org.apache.tools.ant.Target.execute(Target.java:435)
	at org.apache.tools.ant.Target.performTasks(Target.java:456)
	at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
	at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
	at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
	at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
	at org.apache.tools.ant.Main.runBuild(Main.java:851)
	at org.apache.tools.ant.Main.startAnt(Main.java:235)
	at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
	at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
Caused by: java.io.IOException: error=2, Aucun fichier ou dossier de ce type
	at java.lang.UNIXProcess.forkAndExec(Native Method)
	at java.lang.UNIXProcess.(UNIXProcess.java:247)
	at java.lang.ProcessImpl.start(ProcessImpl.java:134)
	at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
	... 23 more

Total time: 11 seconds

We'll try a plan B:

# sudo apt-get install zip
# cd /usr/share/logstash/vendor/jruby/lib
# sudo zip -g jruby.jar jni/arm-Linux/libjffi-1.2.so
updating: jni/arm-Linux/libjffi-1.2.so
	zip warning: Local Entry CRC does not match CD: jni/arm-Linux/libjffi-1.2.so
 (deflated 63%)

Fingers crossed … starting:

# sudo service logstash start
# sudo service logstash status
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; disabled)
   Active: active (running) since mer. 2018-09-19 18:33:29 UTC; 9s ago
 Main PID: 6431 (java)
   CGroup: /system.slice/logstash.service
           └─6431 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=...

Step 5: Installing Kibana:

# sudo wget https://artifacts.elastic.co/downloads/kibana/kibana-5.5.2-linux-x86.tar.gz
# sudo tar -xzf kibana-5.5.2-linux-x86.tar.gz
# sudo mkdir /opt/kibana/
# sudo mv kibana-5.5.2-linux-x86/ /opt/kibana/
# sudo wget https://nodejs.org/download/release/v6.10.2/node-v6.10.2-linux-armv6l.tar.gz
# tar -xzf node-v6.10.2-linux-armv6l.tar.gz
# sudo cp node-v6.10.2-linux-armv6l/bin/node /usr/local/bin/node
# sudo cp node-v6.10.2-linux-armv6l/bin/npm /usr/local/bin/npm
# apt-get install tree
# sudo mv /opt/kibana/kibana-5.5.2-linux-x86/node/bin/node  /opt/kibana/kibana-5.5.2-linux-x86/node/bin/node.orig
# sudo mv /opt/kibana/kibana-5.5.2-linux-x86/node/bin/npm  /opt/kibana/kibana-5.5.2-linux-x86/node/bin/npm.orig
# sudo ln -s /usr/local/bin/node /opt/kibana/kibana-5.5.2-linux-x86/node/bin/node
# sudo ln -s /usr/local/bin/npm /opt/kibana/kibana-5.5.2-linux-x86/node/bin/npm

Editing the configuration in /opt/kibana/kibana-5.5.2-linux-x86/config/kibana.yml & /etc/systemd/system/kibana.service:

# cat /opt/kibana/kibana-5.5.2-linux-x86/config/kibana.yml | grep -v '^#' | grep -v '^$'
server.port: 5601
server.host: "127.0.0.1"
elasticsearch.url: "http://127.0.0.1:9200"
# cat /etc/systemd/system/kibana.service
[Unit]
Description=Kibana

[Service]
ExecStart=/opt/kibana/kibana-5.5.2-linux-x86/bin/kibana
StandardOutput=null

[Install]
WantedBy=multi-user.target

Starting the service:

# sudo service kibana start
# sudo service kibana status
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled)
   Active: active (running) since mer. 2018-09-19 18:50:09 UTC; 2s ago
 Main PID: 7396 (node)
   CGroup: /system.slice/kibana.service
           └─7396 /opt/kibana/kibana-5.5.2-linux-x86/bin/../node/bin/node --no-warnings /opt/kibana/kibana-5.5.2-linux-x86/bin/../src/cli

Step 6: Installing Nginx:

# sudo apt-get install nginx apache2-utils
# sudo htpasswd -c /etc/nginx/htpasswd.users kibana_admin
New password: 
Re-type new password: 
Adding password for user kibana_admin

Editing /etc/nginx/sites-available/default:
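The site file itself is not reproduced on the page. As an added example (not the author's configuration), the shell helper below renders a minimal /etc/nginx/sites-available/default that puts HTTP basic auth with the htpasswd.users file created above in front of Kibana on 127.0.0.1:5601, and checks from `ss -ltn` output that Elasticsearch (9200, 9300) and Kibana (5601) are bound to loopback only, which is what makes the nginx login the only way in from the network. The `ss` sample lines are constructed from the bindings shown in the post.

```shell
#!/bin/bash
# Added example, not the author's configuration: render an nginx site that
# fronts Kibana with basic auth, and verify that the backends it protects are
# not reachable directly (bound to 127.0.0.1 only, as in elasticsearch.yml and
# kibana.yml above). Otherwise the nginx password can simply be bypassed by
# connecting to port 9200 or 5601 on the LAN.
set -u

# Print the nginx site. Args: listen port, upstream host:port, htpasswd file.
render_kibana_site() {
    local port=$1 upstream=$2 htpasswd=$3
    cat <<EOF
server {
    listen $port;
    server_name _;

    # Every request must carry valid credentials from $htpasswd.
    auth_basic "Kibana";
    auth_basic_user_file $htpasswd;

    location / {
        proxy_pass http://$upstream;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Read `ss -ltn` output from stdin; for each port given as an argument, fail
# when the listening address is anything other than 127.0.0.1 or [::1].
# Prints the offending "addr:port" entries and returns 1 if there were any.
loopback_only() {
    local bad=0 local_addr port p
    while read -r _ _ _ local_addr _; do
        case $local_addr in
            *:*) port=${local_addr##*:} ;;   # strip everything up to the last ':'
            *) continue ;;                    # header line has no address
        esac
        for p in "$@"; do
            if [ "$port" = "$p" ] && [ "$local_addr" != "127.0.0.1:$p" ] \
               && [ "$local_addr" != "[::1]:$p" ]; then
                echo "$local_addr is not loopback-only"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed sample of `ss -ltn` on the OSMC box as configured in the post:
# sshd and nginx reachable from the LAN, Elasticsearch and Kibana on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    127.0.0.1:9200     0.0.0.0:*
LISTEN 0      128    127.0.0.1:9300     0.0.0.0:*
LISTEN 0      128    127.0.0.1:5601     0.0.0.0:*'

# Constructed sample of the same box if network.host had been set to 0.0.0.0.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:9200       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5601     0.0.0.0:*'

# On the box itself this would be:  ss -ltn | loopback_only 9200 9300 5601
if printf '%s\n' "$SAMPLE_SS" | loopback_only 9200 9300 5601; then
    echo "backends are loopback-only; nginx is the single entry point"
    render_kibana_site 80 127.0.0.1:5601 /etc/nginx/htpasswd.users
fi
printf '%s\n' "$SAMPLE_SS_EXPOSED" | loopback_only 9200 9300 5601 \
    || echo "fix network.host / server.host before exposing the box"
```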

Step 7: Starting all the services:

root@osmc:~# sudo service logstash restart && sudo service elasticsearch restart && sudo service kibana restart && sudo service nginx start
root@osmc:~# sudo service logstash status

● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; disabled)
   Active: active (running) since mer. 2018-09-19 18:56:55 UTC; 1min 25s ago
 Main PID: 7933 (java)
   CGroup: /system.slice/logstash.service
           └─7933 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=...
root@osmc:~# 
root@osmc:~# sudo service elasticsearch status
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled)
   Active: failed (Result: signal) since mer. 2018-09-19 18:58:30 UTC; 49s ago
     Docs: http://www.elastic.co
  Process: 7960 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet -Edefault.path.logs=${LOG_DIR} -Edefault.path.data=${DATA_DIR} -Edefault.path.conf=${CONF_DIR} (code=killed, signal=KILL)
  Process: 7956 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 7960 (code=killed, signal=KILL)

sept. 19 18:58:30 osmc systemd[1]: elasticsearch.service: main process exited, code=killed, status=9/KILL
sept. 19 18:58:30 osmc systemd[1]: Unit elasticsearch.service entered failed state.
root@osmc:~# sudo service kibana status
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; disabled)
   Active: active (running) since mer. 2018-09-19 18:56:55 UTC; 2min 40s ago
 Main PID: 7985 (node)
   CGroup: /system.slice/kibana.service
           └─7985 /opt/kibana/kibana-5.5.2-linux-x86/bin/../node/bin/node --no-warnings /opt/kibana/kibana-5.5.2-linux-x86/bin/../src/cli
root@osmc:~# sudo service nginx status
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since mer. 2018-09-19 18:54:47 UTC; 4min 59s ago
 Main PID: 7783 (nginx)
   CGroup: /system.slice/nginx.service
           ├─7783 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─7784 nginx: worker process
           ├─7785 nginx: worker process
           ├─7786 nginx: worker process
           └─7787 nginx: worker process

One out of four isn't working … Misery.

root@osmc:~# sudo service elasticsearch start
root@osmc:~# sudo service elasticsearch status
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled)
   Active: active (running) since mer. 2018-09-19 19:00:04 UTC; 43s ago
     Docs: http://www.elastic.co
  Process: 8208 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 8213 (java)
   CGroup: /system.slice/elasticsearch.service
           └─8213 /usr/bin/java -Xms200m -Xmx500m -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava...

Long live Java … and then it crashes, without leaving many logs:

root@osmc:~# tail -f /var/log/elasticsearch/elasticsearch.log 
[2018-09-19T19:00:44,349][INFO ][o.e.n.Node               ] initialized
[2018-09-19T19:00:44,350][INFO ][o.e.n.Node               ] [feSXsTX] starting ...
[2018-09-19T19:00:45,591][INFO ][o.e.t.TransportService   ] [feSXsTX] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2018-09-19T19:00:45,699][WARN ][o.e.b.BootstrapChecks    ] [feSXsTX] initial heap size [209715200] not equal to maximum heap size [524288000]; this can cause resize pauses and prevents mlockall from locking the entire heap
[2018-09-19T19:00:45,700][WARN ][o.e.b.BootstrapChecks    ] [feSXsTX] system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2018-09-19T19:00:48,977][INFO ][o.e.c.s.ClusterService   ] [feSXsTX] new_master {feSXsTX}{feSXsTXeQw-AEPi_pWmySw}{FlzLJ3stTwO--_vZD3nxLw}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2018-09-19T19:00:49,201][INFO ][o.e.h.n.Netty4HttpServerTransport] [feSXsTX] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2018-09-19T19:00:49,202][INFO ][o.e.n.Node               ] [feSXsTX] started
[2018-09-19T19:00:50,662][INFO ][o.e.g.GatewayService     ] [feSXsTX] recovered [1] indices into cluster_state
[2018-09-19T19:00:54,270][INFO ][o.e.c.r.a.AllocationService] [feSXsTX] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] ...]).

So I made a change to the memory settings:

[2018-09-19T19:08:50,943][INFO ][o.e.n.Node               ] JVM arguments [-Xms100m, -Xmx300m, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/share/elasticsearch]
[2018-09-19T19:08:59,377][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [aggs-matrix-stats]
[2018-09-19T19:08:59,378][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [ingest-common]
[2018-09-19T19:08:59,379][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [lang-expression]
[2018-09-19T19:08:59,380][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [lang-groovy]
[2018-09-19T19:08:59,381][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [lang-mustache]
[2018-09-19T19:08:59,382][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [lang-painless]
[2018-09-19T19:08:59,383][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [parent-join]
[2018-09-19T19:08:59,384][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [percolator]
[2018-09-19T19:08:59,384][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [reindex]
[2018-09-19T19:08:59,385][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [transport-netty3]
[2018-09-19T19:08:59,386][INFO ][o.e.p.PluginsService     ] [feSXsTX] loaded module [transport-netty4]
[2018-09-19T19:08:59,389][INFO ][o.e.p.PluginsService     ] [feSXsTX] no plugins loaded
[2018-09-19T19:09:10,792][INFO ][o.e.d.DiscoveryModule    ] [feSXsTX] using discovery type [zen]
[2018-09-19T19:09:14,675][INFO ][o.e.n.Node               ] initialized
[2018-09-19T19:09:14,677][INFO ][o.e.n.Node               ] [feSXsTX] starting ...
[2018-09-19T19:09:15,785][INFO ][o.e.t.TransportService   ] [feSXsTX] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2018-09-19T19:09:15,878][WARN ][o.e.b.BootstrapChecks    ] [feSXsTX] initial heap size [104857600] not equal to maximum heap size [314572800]; this can cause resize pauses and prevents mlockall from locking the entire heap
[2018-09-19T19:09:15,879][WARN ][o.e.b.BootstrapChecks    ] [feSXsTX] system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2018-09-19T19:09:19,189][INFO ][o.e.c.s.ClusterService   ] [feSXsTX] new_master {feSXsTX}{feSXsTXeQw-AEPi_pWmySw}{GJAcwscZQNacEta1vC5mPA}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2018-09-19T19:09:19,320][INFO ][o.e.h.n.Netty4HttpServerTransport] [feSXsTX] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2018-09-19T19:09:19,321][INFO ][o.e.n.Node               ] [feSXsTX] started
[2018-09-19T19:09:20,504][INFO ][o.e.g.GatewayService     ] [feSXsTX] recovered [1] indices into cluster_state
[2018-09-19T19:09:21,932][INFO ][o.e.c.r.a.AllocationService] [feSXsTX] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] ...]).

Or even:

# grep "JVM arguments " /var/log/elasticsearch/elasticsearch.log
[2018-09-19T18:11:34,304][INFO ][o.e.n.Node               ] JVM arguments [-Xms200m, -Xmx500m, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/share/elasticsearch]
[2018-09-19T18:57:06,655][INFO ][o.e.n.Node               ] JVM arguments [-Xms200m, -Xmx500m, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/share/elasticsearch]
[2018-09-19T19:00:14,095][INFO ][o.e.n.Node               ] JVM arguments [-Xms200m, -Xmx500m, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/share/elasticsearch]
[2018-09-19T19:08:50,943][INFO ][o.e.n.Node               ] JVM arguments [-Xms100m, -Xmx300m, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.path.home=/usr/share/elasticsearch]

So I still have to understand the Elasticsearch crash …

Note that when I go to: http://192.168.0.28/ (the OSMC IP):

But then it gets complicated:

To be continued … after a long while Kibana became accessible (but with Status: Red):

I have just modified /etc/logstash/jvm.options:

-Xms256m
-Xmx400m
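Added example, not from the original post: a shell check that ties together the two jvm.options edits on this page (Elasticsearch in step 3, Logstash just above). It parses the heap flags the way the JVM does (comment lines ignored, last flag wins), compares -Xmx with the RAM of the box (at most half of it, which is Elastic's guidance), flags -Xms != -Xmx (the bootstrap warning in the log above), and sums the heaps of every JVM on the box against RAM with an assumed 256 MB reserve for the OS, Kibana and nginx. The MemTotal value of 949448 KB for a Raspberry Pi 3 and the jvm.options files in the demo are constructed from the values in the post.

```shell
#!/bin/bash
# Added example, not from the original post: sanity-check JVM heap settings
# before starting Elasticsearch and Logstash on a 1 GB Raspberry Pi. The stock
# -Xms2g/-Xmx2g cannot even be reserved ("Could not reserve enough space for
# 2097152KB object heap"), an oversized heap gets the JVM SIGKILLed later by
# the OOM killer, and Xms != Xmx triggers the Elasticsearch bootstrap warning.
set -u

# Convert a JVM heap size (200m, 2g, 524288k, or plain bytes) to kilobytes.
jvm_size_kb() {
    local v=$1 n=${1%[kKmMgG]}
    case $v in
        *[kK]) echo "$n" ;;
        *[mM]) echo $((n * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024)) ;;
        *)     echo $((n / 1024)) ;;
    esac
}

# Print "Xms Xmx" in KB as the JVM would resolve them from a jvm.options file:
# lines starting with # are comments, and the last occurrence of a flag wins.
heap_from_options() {
    local file=$1 xms=0 xmx=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*|'') ;;
            -Xms*) xms=$(jvm_size_kb "${line#-Xms}") ;;
            -Xmx*) xmx=$(jvm_size_kb "${line#-Xmx}") ;;
        esac
    done < "$file"
    echo "$xms $xmx"
}

# Check one JVM. Args: service name, jvm.options path, MemTotal in KB.
# Returns 0 if -Xmx is at most half of RAM and -Xms equals -Xmx; otherwise
# prints the findings and returns 1.
check_heap() {
    local name=$1 file=$2 memtotal_kb=$3 xms xmx rc=0
    set -- $(heap_from_options "$file")
    xms=$1 xmx=$2
    if [ "$xmx" -eq 0 ]; then
        echo "$name: no -Xmx in $file"
        return 1
    fi
    if [ "$xmx" -gt $((memtotal_kb / 2)) ]; then
        echo "$name: -Xmx ${xmx}KB is more than half of RAM (${memtotal_kb}KB)"
        rc=1
    fi
    if [ "$xms" -ne "$xmx" ]; then
        echo "$name: -Xms ${xms}KB != -Xmx ${xmx}KB (resize pauses, mlockall cannot lock the heap)"
        rc=1
    fi
    return $rc
}

# Check that all JVM heaps together fit in RAM while leaving a reserve for the
# OS, Kibana (node) and nginx. Args: MemTotal KB, reserve KB, jvm.options paths.
check_total() {
    local memtotal_kb=$1 reserve_kb=$2 total=0 file xmx
    shift 2
    for file in "$@"; do
        xmx=$(heap_from_options "$file" | cut -d' ' -f2)
        total=$((total + xmx))
    done
    if [ $((total + reserve_kb)) -gt "$memtotal_kb" ]; then
        echo "total heap ${total}KB + reserve ${reserve_kb}KB exceeds RAM ${memtotal_kb}KB"
        return 1
    fi
    echo "total heap ${total}KB fits in RAM ${memtotal_kb}KB with ${reserve_kb}KB reserve"
}

# On the box itself: mem_total_kb reads the real value from /proc/meminfo.
mem_total_kb() { awk '/^MemTotal:/ {print $2}' /proc/meminfo; }

# Demo with constructed files: the first Elasticsearch edit (200m/500m), the
# second one (100m/300m) and the Logstash heap (256m/400m) from the post,
# against an assumed Raspberry Pi 3 MemTotal of 949448 KB.
demo() {
    local dir mem=949448
    dir=$(mktemp -d)
    printf -- '%s\n' '#-Xms2g' -Xms200m '#-Xmx2g' -Xmx500m > "$dir/es-first.options"
    printf -- '%s\n' -Xms100m -Xmx300m > "$dir/es-second.options"
    printf -- '%s\n' -Xms256m -Xmx400m > "$dir/logstash.options"
    check_heap elasticsearch "$dir/es-first.options" "$mem" && echo "elasticsearch (first): OK"
    check_heap elasticsearch "$dir/es-second.options" "$mem" && echo "elasticsearch (second): OK"
    check_heap logstash "$dir/logstash.options" "$mem" && echo "logstash: OK"
    check_total "$mem" $((256 * 1024)) "$dir/es-second.options" "$dir/logstash.options"
    rm -rf "$dir"
}

demo
```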