OpenStack, which started in 2010 as a collaboration between Rackspace Hosting and NASA, is an open-source platform for cloud computing that is usually deployed as infrastructure as a service. As the project has grown, so has the number of users. Notable ones include PayPal, CERN, Intel, Sony, and Wikimedia Labs.

Why Deploy ELK on OpenStack?

There are many reasons to install the ELK Stack in an OpenStack environment, and they are generally related to three components within OpenStack itself.

Cinder (volume storage)

OpenStack has a volume storage service named Cinder. When you take advantage of this service, adding a new volume to your ELK Stack is simple. All you need to do is create a new volume and attach it to an instance. The data is persistent, so if you lose a single instance, the data will not be lost and will be able to be recovered and attached to another instance instead.

Neutron LBaaS (load balancing as a service)

Load balancing is a natural way to scale your environment by putting load balancers in front of your Logstash and Kibana front ends.

Heat (orchestration)

Heat is the orchestration engine for OpenStack. With Heat, you can automatically deploy almost all of the components that are needed for an ELK cluster. Heat has a lot of advantages such as the fact that it is a native tool that hooks into all of OpenStack’s APIs — which is great when you want to utilize OpenStack’s built-in functionality.

But just remember: Heat does not provide much added benefit for the software installed inside the provisioned instances. Software installation can and should be managed by a configuration management tool suite.

The Step-By-Step Guide to ELK on OpenStack

Below is a basic example of how to deploy the ELK Stack on a single machine that is attached to a Cinder volume (which can be used for data persistence or higher throughput, as long as the underlying infrastructure supports that option).

In this example, we will use an Ubuntu 14.04 server as our base image, assuming that the following already exists in your OpenStack environment:

Image-name – ubuntu_14.04

Flavor – x1

Network – network_id

Keypair – my_keypair

Security group – SSH (22) and ping (ICMP) ingress are allowed; egress is allowed on all ports

You will have to have the correct credentials to interact with OpenStack services, which are usually kept in environment files that look something like the following:

export OS_USERNAME=my_user
export OS_TENANT_NAME=my_tenant
export OS_PASSWORD=my_password
export OS_AUTH_URL=http://<my_ip>:5000/v2.0/

The file has a username, tenant name, password, and URL endpoint for Keystone, which will allow you to interact with OpenStack.

Source the file:



source keystone_adminrc

Create a new volume:



cinder create --display_name elk_vol1 10

Boot an image and attach the volume to the instance:



nova boot --flavor m1.large --image Ubuntu_14.04_Server --key-name msaidelk-mac \
  --block-device-mapping vdb=e9cc8338-fb6c-4ab5-8d48-d62d313e3bc5:::0 \
  --nic net-id=7e2f391b-bacc-45ef-b734-1b2b7466e6b8 \
  elk_test1

Once the instance is deployed and up and running, SSH into the newly deployed instance:



ssh -i my_keypair.pem ubuntu@<IP>

Update the software on the instance:



sudo apt-get update && sudo apt-get upgrade

Mount the additional volume under /opt.

Install Open JDK:



sudo apt-get install openjdk-7-jre-headless -y

Install Elasticsearch:



wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb http://packages.elastic.co/elasticsearch/1.7/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-1.7.list
sudo apt-get update -y
sudo apt-get install elasticsearch -y
sudo service elasticsearch start
sudo update-rc.d elasticsearch defaults 95 10

Test that Elasticsearch is available by running the following:



curl localhost:9200

You should get a result similar to the one below:

{"status":200,"name":"Johann Schmidt","cluster_name":"elasticsearch","version":{"number":"1.7.5","build_hash":"00f95f4ffca6de89d68b7ccaf80d148f1f70e4d4","build_timestamp":"2016-02-02T09:55:30Z","build_snapshot":false,"lucene_version":"4.10.4"},"tagline":"You Know, for Search"}

Install Logstash:



echo "deb http://packages.elasticsearch.org/logstash/1.5/debian stable main" | sudo tee -a /etc/apt/sources.list
sudo apt-get update -y
sudo apt-get install logstash -y
sudo update-rc.d logstash defaults 97 8
sudo service logstash start

Redirect your system logs to Logstash:

Create the file /etc/logstash/conf.d/10-syslog.conf to pipe all of your logs into Logstash:

input {
  file {
    type => "syslog"
    path => [ "/var/log/messages", "/var/log/*.log", "/var/log/syslog" ]
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch { host => "localhost" }
}

Add the Logstash user to the adm group:



sudo usermod -a -G adm logstash

Restart the Logstash service:



sudo service logstash restart

Install Kibana:

wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz
tar -xzf kibana-4.1.1-linux-x64.tar.gz
cd kibana-4.1.1-linux-x64/

Move everything to /opt (which is the Cinder volume):



sudo mkdir -p /opt/kibana
sudo mv * /opt/kibana
cd /etc/init.d && sudo wget https://raw.githubusercontent.com/akabdog/scripts/master/kibana4_init -O kibana4
sudo chmod +x /etc/init.d/kibana4
sudo update-rc.d kibana4 defaults 96 9
sudo service kibana4 start

Now try to access your Kibana instance by opening your browser and going to: http://YOUR_ELASTIC_IP:5601

It will fail.

The reason is that the security group rules do not allow traffic to this port.

Create the appropriate security group and its rules (the rule below accepts connections from any source address, 0.0.0.0/0; in practice, restrict --remote-ip-prefix to the addresses that actually need to reach Kibana):



neutron security-group-create kibana1 --description "allow traffic to Kibana"
neutron security-group-rule-create --direction ingress --ethertype IPv4 --protocol tcp --port-range-min 5601 --port-range-max 5601 --remote-ip-prefix 0.0.0.0/0 kibana1
nova add-secgroup elk_test1 kibana1

Now you should be able to access Kibana to see the logs. First, configure an index pattern, then you can start browsing your logs.
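The infrastructure part of the procedure above (the Cinder volume, the instance booted with that volume attached, the mount under /opt, and the security group that opens port 5601) is exactly what the Heat section earlier describes as orchestrable. The Heat template below is an added example written for this article, not the author's or the OpenStack project's own template. The image, flavor, key pair and network names are the ones assumed at the start of the guide and must be replaced with values that exist in your environment; the device name vdb mirrors the --block-device-mapping argument used in the nova boot command; and the cloud-config passed as user_data only formats (when blank) and mounts the volume, leaving the Elasticsearch, Logstash and Kibana installation to the manual steps above or to a configuration management tool, as the Heat section recommends.

```yaml
heat_template_version: 2013-05-23

description: >
  Single-node ELK host with a persistent Cinder volume mounted at /opt
  and a security group for SSH, ICMP and Kibana. Added example; the
  parameter defaults are the names assumed in the article, not real ones.

parameters:
  image:
    type: string
    default: ubuntu_14.04        # assumed image name from the guide
  flavor:
    type: string
    default: x1                  # assumed flavor name from the guide
  key_name:
    type: string
    default: my_keypair          # assumed key pair name from the guide
  network:
    type: string
    default: network_id          # replace with a real network name or UUID
  volume_size:
    type: number
    default: 10                  # GB, matching "cinder create ... 10"
  client_cidr:
    type: string
    default: 0.0.0.0/0
    description: Source range allowed to reach SSH and Kibana; narrow this in practice.

resources:
  elk_secgroup:
    type: OS::Neutron::SecurityGroup
    properties:
      name: elk_host
      description: SSH, ICMP and Kibana ingress
      rules:
        - direction: ingress
          protocol: icmp
          remote_ip_prefix: { get_param: client_cidr }
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: client_cidr }
        - direction: ingress
          protocol: tcp
          port_range_min: 5601
          port_range_max: 5601
          remote_ip_prefix: { get_param: client_cidr }

  elk_volume:
    type: OS::Cinder::Volume
    properties:
      name: elk_vol1
      size: { get_param: volume_size }

  elk_server:
    type: OS::Nova::Server
    properties:
      name: elk_test1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - network: { get_param: network }
      security_groups:
        - { get_resource: elk_secgroup }
      # Attach the volume at boot, like "--block-device-mapping vdb=<id>:::0".
      # delete_on_termination false keeps the data if the instance is lost.
      block_device_mapping:
        - device_name: vdb
          volume_id: { get_resource: elk_volume }
          delete_on_termination: false
      user_data_format: RAW
      user_data: |
        #cloud-config
        # Format the volume only if it carries no filesystem yet, so an
        # instance rebuilt onto an existing volume keeps its data; then
        # mount it at /opt persistently. "nofail" keeps the host booting
        # if the volume is ever detached.
        runcmd:
          - "blkid /dev/vdb >/dev/null 2>&1 || mkfs.ext4 -L elkdata /dev/vdb"
          - "mkdir -p /opt"
          - "grep -q elkdata /etc/fstab || echo 'LABEL=elkdata /opt ext4 defaults,nofail 0 2' >> /etc/fstab"
          - "mount -a"

outputs:
  server_ip:
    description: Address to SSH into and to open Kibana on (port 5601)
    value: { get_attr: [elk_server, first_address] }
```

Launch it with the Heat client of the same era, for example `heat stack-create -f elk.yaml -P client_cidr=<your_admin_range>/24 elk`, then read `server_ip` from `heat output-show elk server_ip` and continue from the "SSH into the newly deployed instance" step; the volume will already be mounted under /opt, so the separate mount step is not needed. Keeping the ELK packages out of the template is deliberate: the template then describes only infrastructure, and a later software upgrade does not require a stack update.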

Summary

In general, the amount of information in data centers and the cloud is constantly rising. As a result, it is increasingly difficult and cumbersome to manage, collect, organize, and analyze everything that is logged in systems. Therefore, you should store your data in a central location such as an ELK Stack for security purposes, analytics, data mining, and more.

Making use of the information, tools, and deployment example above, as well as the additional tools that are available to you in OpenStack, will allow you to navigate the vast amount of information in the cloud.