B Configuring Visualization Server

Perform the following procedure to create the LogServer (logstorage, logparser, loggui) stack.

1. Install the following RPMs:
   • logstorage: On all the nodes
   • logparser: Only on master and data nodes
   • loggui: Only on ingestion Node
   • logstorage curator: Only on the master and data nodes
   • Rsync: Only on the master and data nodes
2. Update the /etc/logstorage/logstorage.yml configurations file for logstorage search:
   • cluster.name: Name of the stack
   • node.name: Hostname of the node
   • network.host: IPV4 address of the node
   • node.data: true if it’s a data node else false
   • node.master: true if it’s a master node else false
   • discovery.seed_hosts: contains the IPV4 address of all other nodes in the stack (Master node, data node and ingestion node)
   • cluster.initial_master_nodes: On ingestion node specify all the master node IP addresses
   • gateway.recover_after_nodes: Minimum number of master node should be available before processing

   Sample “/etc/logstorage/logstorage.yml”
   # ---------------------------------- Cluster -----------------------------------
   # Use a descriptive name for your cluster:
   cluster.name: vstp
   # ------------------------------------ Node ------------------------------------
   # Use a descriptive name for the node:
   node.name: node-1
   # ----------------------------------- Paths ------------------------------------
   # Path to directory where to store the data (separate multiple locations by comma):
   path.data: /var/lib/logstorage
   # Path to log files:
   path.logs: /var/log/logstorage
   # Set the bind address to a specific IP (IPv4 or IPv6):
   network.host: 10.75.219.169
   # Set a custom port for HTTP:
   http.port: 9200
   node.master: true
   node.data: true
   # --------------------------------- Discovery ----------------------------------
   #
   # Pass an initial list of hosts to perform discovery when this node is started:
   # The default list of hosts is ["127.0.0.1", "[::1]"]
   #
   #discovery.seed_hosts: ["host1", "host2"]
   # Bootstrap the cluster using an initial set of master-eligible nodes:
   cluster.initial_master_nodes: ["node-1"]
   # Block initial recovery after a full cluster restart until N nodes are started:
   #gateway.recover_after_nodes: 3
   

3. Update the /etc/ logparser /conf.d/ logparser.conf configurations file for logparser on the Master and data node.

   input {
     file {
      mode => "read"
      path => "/var/log/dummy3/*.csv"  path of the directory where logs are present 
      start_position => "beginning"
      codec => plain {
               charset => "ISO-8859-1"
            }
      file_completed_action => "delete"
      sincedb_path => "/dev/null"
     }
   }
   filter {
           if [message] =~ /^\s*$/ {
               drop { }
           }
   mutate {
               gsub => ["message", "\t", ""]
          }
   grok {
         match => {"message" => "%{GREEDYDATA:TIME},%{WORD:CM_NAME},%{WORD:Cat},%{WORD:OPERMODE},%{WORD:MSGTYPE},%{NOTSPACE:SESSION_ID},%{INT:CMD_CODE},%{INT:APP_ID},%{WORD:PEER_NAME},%{WORD:SUBSCRIBERTYPE},%{INT:IMSI},%{INT:MCC},%{NOTSPACE:ORIG_HOST},%{NOTSPACE:ORIG_REALM},%{NOTSPACE:DEST_HOST},%{NOTSPACE:DEST_REALM},%{INT:PLMN_ID},%{GREEDYDATA:ERRORTEXT}"}
   
        }
   
    mutate
          {
                        remove_field => [ "message" ]
           }
   
   if "_grokparsefailure" in [tags] {
       drop { }
     }
   }
   output {
           logstorage {
               hosts => [ "http://A:B:C:D:9200" ]  Host IP addresses 
                   index => "dsa"  Index where all the data will be captured and can be used on loggui to get all the logs.
       }
   }
   

   Note:

   Only path, index hosts and index field must be updated. Rest of the details will remain the same for DSA.
4. Update the following mandatory fields in /etc/loggui/loggui.yml.

   server.host is the IP address of the host.

   logstorage.hosts is the IP address of the host in which logstoragemodule is running. In our architecture, logstorage, loggui will be running on the same instance/VM.

   logging.dest: is used to redirect the log of loggui. “stdout” is the default option.

5. Follow these steps on the loggui GUI:
   1. By default, loggui runs on port 5601.
   2. Go to the loggui GUI and navigate to Management, and then loggui, and then Create index pattern.
      It will display all the existing index where data has been generated.
   3. Click Next Step, and then @timestamp.
   4. Click Create Index pattern.
      Now index has been generated and data can be seen in the discover tab.
   5. When the index is created, import the sample visualization first (visual_MCC_Cat.ndjson, visual_top_imsi.ndjson), and then import the sample dashboard from the DSA package.
   6. On loggui, navigate to Management, and then Saved Objects, and then Import.
6. Logstorage curator: Curator helps to clear the older logs for an index pattern.

   command: 
     curator /root/curator/delete.yaml --config /root/curator/curator.yml
   Need to run a cron job to run curator periodically to clear the data.
   crontab -e and add below command in that.
   * */2 * * * /usr/bin/curator /root/curator/delete.yaml --config /root/curator/curator.yml
   Sample “/root/curator/delete.yaml” file:
   actions:
     1:
       action: delete_indices
       description: >-
         Delete indices older than 30 days (based on index name), for tomcat-
         prefixed indices. Ignore the error if the filter does not result in an
         actionable list of indices (ignore_empty_list) and exit cleanly.
       options:
         ignore_empty_list: True
         timeout_override:
         continue_if_exception: False
         disable_action: False
       filters:
       - filtertype: pattern
         kind: regex
         value: dsa  ----------> specify the regex of the index pattern
         exclude:
       - filtertype: age
         source: creation_date
         direction: older
         unit: days
         unit_count: 30
   sample “/root/curator/curator.yml” file:
   client:
     hosts:
       - A:B:C:D   IP address of the system.
     port: 9200
     url_prefix:
     use_ssl: False
     certificate:
     client_cert:
     client_key:
     ssl_no_validate: False
     http_auth:
     timeout: 30
     master_only: False
   logging:
     loglevel: INFO
     logfile:
     logformat: default
   blacklist: ['logstorage', 'urllib3']
   

7. Some recommendations to increase the performance of the server:
   • Use separate index name for each logparser
   • Index name should be of the form: visual_dsa*
   • Example- visual_dsa1, visual_dsa2 and so on
   • In logparser.yml configure pipeline.workers as 32 and pipeline.batch.size as 500. Here in our setup 16 vCPU is there.
   • In jvm.options of logparser increase the heap space:
     • Xms10g
     • Xmx10g
   • In jvm.options of logstorage increase the heap size:
     • Xms6g
     • Xmx6g

   Note:

   After changing all the configuration files, services needs to be restart otherwise configurations will not get updated.

   • systemctl restart logparser
   • systemctl restart logstorage
   • systemctl restart loggui

   Note:

   Get all the sample configuration files from DSA package.