LogServer Quick Setup Guide

Prerequisites

Docker and Docker Compose installed
4GB+ RAM, 10GB+ disk space
Port 5601 (Kibana) and 5044 (Logstash) available

Initial Setup

1. System Configuration

# Required for Elasticsearch
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf

2. Configure Server

Edit config/service.env:

# Change default password
KIBANA_PASSWORD=your-secure-password

3. Install

dropshell install logserver

Generate Client API Keys

Run the interactive key generator:

./generate-api-key.sh

Follow the prompts:

Enter hostname for each client
Script generates secure API key
Shows configuration to copy to client
Repeat for additional clients

Access Kibana

Open browser: http://your-server-ip:5601
Login: elastic / your-secure-password
Create index pattern: filebeat-*
View logs in Discover tab

Add Log Clients

On each client machine:

# Get API key from server admin (they run ./generate-api-key.sh)

# Edit logclient/config/service.env:
LOGSERVER_HOST=your-server-ip
LOGSERVER_PORT=5044
API_KEY=your-api-key-here

# Install and start
dropshell install logclient

Verify Setup

# Check server status
dropshell status logserver

# View server logs
dropshell logs logserver

# Test client connection (from client)
docker logs logclient-filebeat | grep "connection"

Troubleshooting

Elasticsearch won't start: Check vm.max_map_count is 262144+

No logs in Kibana:

Verify client can reach server port 5044
Check API key is correct in client's service.env
Verify API key exists in server's api-keys.yml
Refresh index pattern in Kibana

High memory usage: Adjust heap sizes in service.env:

ES_HEAP_SIZE=1g  # Reduce from 2g
LS_HEAP_SIZE=512m  # Reduce from 1g

Security Checklist

Changed default Kibana password
Generated unique API key per client
API keys stored securely
Firewall allows only necessary ports (5601, 5044)
Regular backup configured
Reviewed api-keys.yml for old/unused keys

2.1 KiB Raw Blame History