make it easy

logserver/README.md

@@ -27,10 +27,16 @@ dropshell install logserver
 # Save the API key for client configuration
 ```
 
-5. **Access Kibana**
+5. **Setup Kibana** (first time only)
+```bash
+./setup-kibana.sh
+```
+
+6. **Access Kibana**
 - URL: `http://<server-ip>:5601`
 - Username: Set in `service.env` (KIBANA_USERNAME, default: `admin`)
 - Password: Set in `service.env` (KIBANA_USER_PASSWORD)
+- Click "Discover" → View your logs!
 
 ## Ports
 - `5601` - Kibana Web UI

logserver/SIMPLE_GUIDE.md

@@ -0,0 +1,84 @@
+# Simple Guide to Viewing Logs in Kibana
+
+## First Time Setup
+Run this once after installing LogServer:
+```bash
+./setup-kibana.sh
+```
+
+## Viewing Logs - The Easy Way
+
+### 1. Open Kibana
+Go to: `http://<your-server>:5601`
+
+### 2. Login
+Use the username and password from your service.env
+
+### 3. Click "Discover"
+It's in the left menu (looks like a compass icon)
+
+### 4. You're Done!
+Your logs are now visible. That's it!
+
+## Simple Controls
+
+### See Recent Logs Only
+- Top-right corner: Click the time picker
+- Choose "Last 15 minutes" or "Last 1 hour"
+
+### Filter by Container
+- Find any log entry
+- Next to `container_name`: click the `+` button
+- Now you only see logs from that container
+
+### Filter by Server
+- Next to `host.name`: click the `+` button
+- Now you only see logs from that host
+
+### Search for Text
+- Top search bar: Type any word
+- Press Enter
+- Shows only logs containing that word
+
+### Live Updates
+- Top-right: Click "Refresh"
+- Choose "Every 5 seconds"
+- Logs update automatically
+
+### Remove Filters
+- Look for filter pills under the search bar
+- Click the `x` on any filter to remove it
+
+## Common Searches
+
+**Show errors only:**
+```
+error OR ERROR OR Error
+```
+
+**Show warnings and errors:**
+```
+error OR ERROR OR warn OR WARN
+```
+
+**Show specific container:**
+```
+container_name: "myapp"
+```
+
+**Show multiple containers:**
+```
+container_name: ("app1" OR "app2")
+```
+
+## Tips
+
+1. **Too many columns?** Click "container_name" and "message" in the left sidebar to show just those
+
+2. **Want raw logs?** Click the ">" arrow next to any log entry to expand it
+
+3. **Export logs?** Click "Share" → "CSV Reports" → "Generate CSV"
+
+4. **Time zone wrong?** Click your profile icon → "Advanced Settings" → search "timezone"
+
+That's all you need to know! Kibana has many advanced features, but for basic log viewing and searching, these commands are sufficient.

logserver/config/logstash.yml

@@ -8,6 +8,7 @@ node.name: "logstash"
 pipeline.workers: 2
 pipeline.batch.size: 125
 pipeline.batch.delay: 50
+pipeline.ecs_compatibility: disabled
 
 # HTTP API settings
 http.host: "0.0.0.0"

logserver/setup-kibana.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# Setup Kibana for simple log viewing
+# This creates index patterns and saved searches for easy log access
+
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME" "ELASTIC_PASSWORD" "KIBANA_PORT"
+
+KIBANA_URL="http://localhost:${KIBANA_PORT}"
+AUTH="elastic:${ELASTIC_PASSWORD}"
+
+echo "Setting up Kibana for simple log viewing..."
+echo ""
+
+# Wait for Kibana to be ready
+echo -n "Waiting for Kibana to be ready..."
+MAX_WAIT=60
+WAITED=0
+while [ $WAITED -lt $MAX_WAIT ]; do
+    if docker exec ${CONTAINER_NAME}_kibana curl -s -u "$AUTH" "${KIBANA_URL}/api/status" 2>/dev/null | grep -q '"level":"available"'; then
+        echo " Ready!"
+        break
+    fi
+    echo -n "."
+    sleep 2
+    WAITED=$((WAITED + 2))
+done
+
+if [ $WAITED -ge $MAX_WAIT ]; then
+    echo ""
+    echo "ERROR: Kibana is not ready after ${MAX_WAIT} seconds"
+    exit 1
+fi
+
+# Create index pattern for Filebeat
+echo "Creating Filebeat index pattern..."
+docker exec ${CONTAINER_NAME}_kibana curl -s -X POST \
+    -u "$AUTH" \
+    -H "Content-Type: application/json" \
+    -H "kbn-xsrf: true" \
+    "${KIBANA_URL}/api/saved_objects/index-pattern/filebeat-*" \
+    -d '{
+      "attributes": {
+        "title": "filebeat-*",
+        "timeFieldName": "@timestamp",
+        "fields": "[]"
+      }
+    }' > /dev/null 2>&1
+
+# Set as default index pattern
+docker exec ${CONTAINER_NAME}_kibana curl -s -X POST \
+    -u "$AUTH" \
+    -H "Content-Type: application/json" \
+    -H "kbn-xsrf: true" \
+    "${KIBANA_URL}/api/kibana/settings" \
+    -d '{
+      "changes": {
+        "defaultIndex": "filebeat-*"
+      }
+    }' > /dev/null 2>&1
+
+# Create a simple saved search for Docker logs
+echo "Creating saved searches..."
+docker exec ${CONTAINER_NAME}_kibana curl -s -X POST \
+    -u "$AUTH" \
+    -H "Content-Type: application/json" \
+    -H "kbn-xsrf: true" \
+    "${KIBANA_URL}/api/saved_objects/search" \
+    -d '{
+      "attributes": {
+        "title": "Docker Container Logs",
+        "description": "View all Docker container logs",
+        "columns": ["container_name", "message"],
+        "sort": ["@timestamp", "desc"],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"match_all\":{}},\"filter\":[{\"meta\":{\"index\":\"filebeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"container_name\",\"value\":\"exists\"},\"exists\":{\"field\":\"container_name\"}}]}"
+        }
+      }
+    }' > /dev/null 2>&1
+
+echo ""
+echo "========================================="
+echo "Kibana Setup Complete!"
+echo "========================================="
+echo ""
+echo "QUICK START GUIDE:"
+echo ""
+echo "1. Open Kibana: ${SERVER_PUBLICBASEURL:-http://$(hostname -I | awk '{print $1}'):${KIBANA_PORT}}"
+echo ""
+echo "2. Login with:"
+echo "   Username: ${KIBANA_USERNAME:-elastic}"
+echo "   Password: [your password]"
+echo ""
+echo "3. TO VIEW LOGS SIMPLY:"
+echo "   a) Click 'Discover' in the left menu"
+echo "   b) Time range is in top-right (set to 'Last 15 minutes' or 'Today')"
+echo "   c) Your logs will appear below"
+echo ""
+echo "4. TO FILTER LOGS:"
+echo "   - By container: Click '+' next to any 'container_name' value"
+echo "   - By host: Click '+' next to any 'host.name' value"
+echo "   - Search box: Type keywords to search all logs"
+echo ""
+echo "5. TO VIEW LIVE LOGS:"
+echo "   - Click the 'Refresh' button in top-right"
+echo "   - Set it to refresh every 5 seconds"
+echo ""
+echo "========================================="