
QuickELK


Quick code to deploy the ELK stack (Elasticsearch, Logstash, Kibana) and supporting services on a Kubernetes-controlled Docker platform.

Click Here to access code.

Prerequisites

  • Kubernetes cluster with a minimum of 3 workers, to host 3 Elasticsearch nodes.
  • Docker-based container runtime environment.
  • Helm installed and configured to access the Kubernetes cluster master for deployments.
  • Ansible installed and configured to run the playbook.
  • Sufficient resources on the Kubernetes workers for the entire deployment.
  • An external load balancer (e.g. MetalLB) needs to be configured on Kubernetes, to access the Kubernetes GUI through a LoadBalancer Service.

Considerations

The Docker images hosted at the official “docker.elastic.co” registry are used for the ELK deployment. The image repositories are:

  • ElasticSearch: docker.elastic.co/elasticsearch/elasticsearch
  • Kibana: docker.elastic.co/kibana/kibana
  • Filebeat: docker.elastic.co/beats/filebeat
  • Logstash: docker.elastic.co/logstash/logstash
  • Metricbeat: docker.elastic.co/beats/metricbeat

Tools and Technologies Used

  • Kubernetes: Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
  • Docker: Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.
  • Ansible: Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code.
  • Helm: Helm helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
  • Elasticsearch: Elasticsearch provides near real-time search and analytics for all types of data. Whether you have structured or unstructured text, numerical data, or geo spatial data, Elasticsearch can efficiently store and index it in a way that supports fast searches.
  • Logstash: Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to Elasticsearch.
  • Kibana: Kibana is a free and open user interface that lets you visualize your Elasticsearch data and navigate the Elastic Stack.
  • Filebeat: Lightweight shipper for logs. Whether you’re collecting from security devices, cloud, containers, hosts, or OT, Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files.
  • Metricbeat: Lightweight shipper for metrics. Collect metrics from your systems and services. From CPU to memory, Redis to NGINX, and much more, Metricbeat is a lightweight way to send system and service statistics.
  • Github: GitHub, Inc. is a provider of Internet hosting for software development and version control using Git. It offers the distributed version control and source code management functionality of Git, plus its own features.

Installation and Usage

Target Architecture Diagram

https://miro.medium.com/max/533/1*dfda68mO9NPtMg4CensGXw.png

Installing via Ansible

Clone the “QuickELK” project and ensure that all prerequisites are in place. Select the Kubernetes namespace in which the stack should be created; the namespace is created automatically if it does not exist. Select a Helm deployment name for the stack. Run the command below from inside the clone directory.

Installing via Helm

Clone the “QuickELK” project and ensure that all prerequisites are in place. Select the Kubernetes namespace in which the stack should be created; the namespace is created automatically if it does not exist. Select a Helm deployment name for the stack. Run the command below from inside the clone directory.

Installing a Specific ELK Stack Release via Helm/Ansible

In the file “ELK/elk-stack/Chart.yaml”, set the value of the key “appVersion” to the required ELK stack version. At present the entire stack installation is configured for version “6.8.20”.

Installation Validation via Kubectl

Run the command below to validate the deployment, supplying the namespace chosen in the previous step.

Integration Validation

Check the Elasticsearch indices to validate the integration with Filebeat, Logstash and Metricbeat.

The Metricbeat and Logstash indices should be visible. You can also select any index and check its data using the command below.
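
One way to turn the "indices should be visible" check into a pass/fail test, as an added example that is not part of the QuickELK project: it parses the text output of Elasticsearch's `_cat/indices?v` API and fails when an expected index family is missing, red, closed or empty. The function name `check_indices`, the sample listing, and the default index prefixes `metricbeat-` and `logstash-` are assumptions.

```shell
#!/bin/sh
# Added example: confirm that Metricbeat/Logstash data is landing in Elasticsearch.
# Input is the text output of `GET _cat/indices?v`
# (columns: health status index uuid pri rep docs.count ...).

# Constructed sample output, not captured from a real cluster.
SAMPLE_INDICES='health status index                        uuid    pri rep docs.count docs.deleted store.size pri.store.size
green  open   metricbeat-6.8.20-2021.11.02 uuid-a    1   1      15230            0      9.1mb          4.5mb
green  open   logstash-2021.11.02          uuid-b    5   1        842            0      1.2mb        620.3kb
green  open   .kibana_1                    uuid-c    1   1          3            0     23.9kb         11.9kb'

# check_indices PREFIX... : reads _cat/indices output on stdin.
# Returns 0 only if every prefix matches at least one index that is open,
# not red, and holds at least one document.
check_indices() {
    awk -v want="$*" '
        BEGIN { n = split(want, prefixes, " ") }
        $1 == "health" { next }                      # header row printed by ?v
        {
            # Closed indices are listed without a health value, shifting the columns.
            if ($1 == "close") { name = $2; good = 0 }
            else { name = $3; good = ($1 != "red" && $2 == "open" && $7 + 0 > 0) }
            for (i = 1; i <= n; i++) {
                if (index(name, prefixes[i]) != 1) continue
                seen[i] = 1
                if (good) ok[i] = 1
            }
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                state = ok[i] ? "OK" : (seen[i] ? "UNHEALTHY_OR_EMPTY" : "MISSING")
                printf "%-12s %s\n", prefixes[i], state
                if (!ok[i]) rc = 1
            }
            exit rc
        }'
}

# Against a live cluster, pipe the API output in instead (host is a placeholder):
#   curl -s "http://<elasticsearch-host>:9200/_cat/indices?v" | check_indices metricbeat- logstash-
printf '%s\n' "$SAMPLE_INDICES" | check_indices metricbeat- logstash-
```

A non-zero exit status makes the check usable as a post-deployment gate, so a silent log pipeline is caught before anyone relies on it.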

Installation Cleanup

To delete the entire deployment, provide the Kubernetes namespace in which the stack was created; the namespace is deleted automatically. Also provide the Helm deployment name of the created stack.

Run the command below.

Backup Strategy

  • Elasticsearch: A snapshot is a backup taken from a running Elasticsearch cluster. You can take snapshots of an entire cluster, including all its data streams and indices. You can also take snapshots of only specific data streams or indices in the cluster. You must register a snapshot repository before you can create snapshots. Snapshots can be stored in either local or remote repositories. Remote repositories can reside on Amazon S3, HDFS, Microsoft Azure, Google Cloud Storage, and other platforms supported by a repository plugin.
  • Kibana: Dashboards and configuration are what matter for Kibana. Dashboards can be exported and kept under source control. Configuration can be backed up externally on a PV or NFS. The rest of the instance can be treated as cattle.
  • Logstash: Logstash acts as a middle layer between the logging source and Elasticsearch, so no specific backup measures are required. Keep a backup of its configuration instead. It can be treated as cattle.
  • Metricbeat: Metricbeat acts as a middle layer between the metric source and Elasticsearch, so no specific backup measures are required. Keep a backup of its configuration instead. It can be treated as cattle.
  • Filebeat: Filebeat acts as a middle layer between the logging source and Elasticsearch, so no specific backup measures are required. Keep a backup of its configuration instead. It can be treated as cattle.

Deployment Constraints

  • This is a POC, so low resources are assigned to the Kubernetes objects it creates. In a real production setup, the resources allocated to the Kubernetes objects need to be increased for better performance.
  • No PVCs are used in this deployment. PVCs may need to be attached to improve redundancy and robustness.
  • Readiness and liveness probes are also not integrated; they may be considered for a future production rollout.
  • Filebeat/Metricbeat could be attached to any application container as a sidecar to forward logs/metrics to Elasticsearch. This is not covered in this POC.
  • This is a quick study; take it as a reference for basic understanding before you productize.


Amit Singhal

Architect, Ericsson

@vvickky007
CKS ⎈| CKA ⎈| CSM | Cloud | NFV | Architect