configuring-elk-stack.md

@@ -66,9 +66,35 @@ openssl req -x509 -days 365 -batch -nodes -newkey rsa:2048 -keyout logstash-forw
 Now we have a logstash-forwarder.crt and key.
 
 
-#### Configurating Logstash
+##### Configuring Logstash
 
 The configuration is made in /etc/logstash/conf.d/logstash.conf 
 
-![image](/uploads/74af9740f99dd2c76d36f631be668945/image.png) I have commented out the host part because it was unneccessary. 
+![image](/uploads/74af9740f99dd2c76d36f631be668945/image.png) 
+I have commented out the host part because it was unneccessary. 
 
+#### Installing Filebeat
+Filebeat installation comes to the same machine that the GitLab runs on. The first step is the same than in installing the elasticsearch:
+```
+wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -.
+echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elk.list
+```
+Then we install filebeat:
+
+```
+apt-get install –y filebeat
+```
+Now we insert the same certificate that we created in the logstash intallation:
+```
+scp -pr <user-name-of-elk-server>@<elk-server_ip>:/etc/ssl/logstash-forwarder.crt /etc/ssl
+```
+##### Configuring Filebeat
+The filebeat configuration file is in /etc/filebeat/filebeat.yml.
+![image](/uploads/51602e378f177076d809c1c79fdf1447/image.png)
+In the filebeat.prospects part we need to comment on the logs, or remove them, that we don't want the filebeat ship to logstash. I cahnged this part to point at the Gitlab logs -var/log/gitlab/gitlab-rails/production_json.log
+Then we need to add the output file to logstash output.
+![image](/uploads/d32b33789c13d1e4806c55259a2fe376/image.png)
+We want to uncomment the output.logstash part and add the elk-server-ip to the hosts part and add the port 5044. You also need to add the ssl.certificate_authorities the path to the certifcate file.
+
+
+ 
\ No newline at end of file