# LogServer Quick Setup Guide

## Prerequisites

- Docker and Docker Compose installed
- 4GB+ RAM, 10GB+ disk space
- Port 5601 (Kibana) and 5044 (Logstash) available

## Initial Setup

### 1. System Configuration

```bash
# Required for Elasticsearch
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
```

### 2. Configure Server

Edit `config/service.env`:

```bash
# Change default password
KIBANA_PASSWORD=your-secure-password
```

### 3. Install

```bash
dropshell install logserver
```

## Generate Client API Keys

Run the interactive key generator:

```bash
./generate-api-key.sh
```

Follow the prompts:

1. Enter hostname for each client
2. Script generates secure API key
3. Shows configuration to copy to client
4. Repeat for additional clients

## Access Kibana

1. Open browser: `http://your-server-ip:5601`
2. Login: `elastic` / `your-secure-password`
3. Create index pattern: `filebeat-*`
4. View logs in Discover tab

## Add Log Clients

On each client machine:

```bash
# Get API key from server admin (they run ./generate-api-key.sh)
# Edit logclient/config/service.env:
LOGSERVER_HOST=your-server-ip
LOGSERVER_PORT=5044
API_KEY=your-api-key-here

# Install and start
dropshell install logclient
```

## Verify Setup

```bash
# Check server status
dropshell status logserver

# View server logs
dropshell logs logserver

# Test client connection (from client)
docker logs logclient-filebeat | grep "connection"
```

## Troubleshooting

**Elasticsearch won't start**: Check `vm.max_map_count` is 262144+

**No logs in Kibana**:

- Verify client can reach server port 5044
- Check API key is correct in client's service.env
- Verify API key exists in server's api-keys.yml
- Refresh index pattern in Kibana

**High memory usage**: Adjust heap sizes in `service.env`:

```bash
ES_HEAP_SIZE=1g   # Reduce from 2g
LS_HEAP_SIZE=512m # Reduce from 1g
```

## Security Checklist

- [ ] Changed default Kibana password
- [ ] Generated unique API key per client
- [ ] API keys stored securely
- [ ] Firewall allows only necessary ports (5601, 5044)
- [ ] Regular backup configured
- [ ] Reviewed api-keys.yml for old/unused keys
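
The following script is an added example, not part of dropshell or the LogServer template. It automates three checks from this guide: the `vm.max_map_count` minimum, placeholder credentials left in a `service.env`, and a world-readable secrets file. It assumes `service.env` holds plain `KEY=value` lines as shown above; the function names and the `chmod 600` recommendation are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit a service.env against the security checklist above.
# Placeholder strings are the ones this guide shows; the 0600 mode is an assumption.

# Print the last value assigned to KEY ($1) in env file ($2), unquoted and trimmed.
env_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Succeeds when vm.max_map_count ($1, default: live value) meets Elasticsearch's minimum.
map_count_ok() {
    local current="${1:-$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)}"
    [ "$current" -ge 262144 ]
}

# Print one FAIL line per finding; the return status is the number of findings.
audit_service_env() {
    local file="$1" findings=0 key val
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    for key in KIBANA_PASSWORD API_KEY; do
        grep -q "^[[:space:]]*${key}=" "$file" || continue  # key not set in this file
        val="$(env_value "$key" "$file")"
        case "$val" in
            ""|your-secure-password|your-api-key-here)
                echo "FAIL: $key is empty or still a placeholder"
                findings=$((findings + 1)) ;;
        esac
    done
    # Secrets readable by every local user fail "API keys stored securely".
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "FAIL: $file is world-readable; use chmod 600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a client service.env left at the guide's placeholder values.
demo() {
    local f; f="$(mktemp)"
    printf 'LOGSERVER_HOST=your-server-ip\nLOGSERVER_PORT=5044\nAPI_KEY=your-api-key-here\n' > "$f"
    chmod 644 "$f"
    audit_service_env "$f"; local rc=$?
    rm -f "$f"
    return "$rc"
}

# Audit the file given on the command line, if any.
[ $# -eq 0 ] || audit_service_env "$1"
```

Run it with the path to a server or client `service.env`; a non-zero exit status is the number of findings.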