[+] Install raspbian

Download raspbian lite:

Raspbian download

Copy image to SD card:

sudo dd bs=4M if=2016-02-26-raspbian-jessie-lite.img of=/dev/mmcblk

Resize SD card:

SSH to the raspberry-pi and execute as root raspi-config.

1st step

final step

Configure network


[+] Install Elasticsearch

Install java8

sudo apt-get install oracle-java8-jdk

Download latest elasticsearch

wget https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.2.1/elasticsearch-2.2.1.tar.gz

Install elasticsearch

tar zxvf elasticsearch-2.2.1.tar.gz
sudo mkdir -p /etc/elasticsearch/conf.d
sudo mv elasticsearch-2.2.1 /opt/elasticsearch
sudo ln -s /opt/elasticsearch/config/elasticsearch.yml /etc/elasticsearch/conf.d/

Check elasticsearch

/opt/elasticsearch/bin/elasticsearch &

curl -X GET http://localhost:9200

[+] Configure Elasticsearch

Edit /etc/elasticsearch/elasticsearch.yml

cluster.name: (Whatever name you want)
http.port: 9200

Start the service

/opt/elasticsearch/bin/elasticsearch &

[+] Install logstash

Download latest logstash

wget https://download.elastic.co/logstash/logstash/logstash-2.2.2.tar.gz

Install logstash

tar xvzf logstash-2.2.2.tar.gz
sudo mv logstash-2.2.2 /opt/logstash
sudo mkdir -p /etc/logstash/conf.d
sudo mkdir -p /var/log/logstash/

sudo apt-get install git
git clone https://github.com/jnr/jffi.git
cd jffi/
sudo apt-get install ant
ant jar
sudo mkdir -p /opt/logstash/vendor/jar/jni/arm-Linux/
sudo cp build/jni/libjffi-1.2.so /opt/logstash/vendor/jar/jni/arm-Linux/
sudo apt-get install zip
cd /opt/logstash/vendor/jruby/lib/
sudo wget https://s3.amazonaws.com/jruby.org/downloads/1.7.23/jruby-complete-1.7.23.jar
mv jruby-complete-1.7.23.jar jruby.jar
sudo zip -g jruby.jar jni/arm-Linux/libjffi-1.2.so

[+] Configure Logstash

Edit /etc/logstash/conf.d/input.conf

        input {
                port => 5000
                type => syslog

Edit /etc/logstash/conf.d/output.conf

        output {
            #Default output
            #elasticsearch { hosts => ["localhost:9200"] }
            stdout { codec => rubydebug }

            #GROK parse failure log file
            if "_grokparsefailure" in [tags] {
                file { path => "/var/log/logstash/grokparsefailure" }

[+] Installing kibana

Download kibana

wget https://download.elastic.co/kibana/kibana/kibana-4.4.2-linux-x86.tar.gz

Move kibana to /usr/share

tar xvzf kibana-4.4.2-linux-x86.tar.gz
sudo mv kibana-4.4.2-linux-x86 /opt/kibana/

Edit /opt/kibana/config/kibana.yml

        # The URL of the Elasticsearch instance to use for all your queries.
        server.host: ""
        elasticsearch.url: ""

Fix error with nodejs

wget http://node-arm.herokuapp.com/node_latest_armhf.deb
sudo dpkg -i node_latest_armhf.deb
sudo mv /opt/kibana/node/bin/node /opt/kibana/node/bin/node_orig.bak
sudo mv /opt/kibana/node/bin/npm /opt/kibana/node/bin/npm_orig.bak
sudo ln -s /usr/local/bin/node /opt/kibana/node/bin/node
sudo ln -s /usr/local/bin/npm /opt/kibana/node/bin/npm

[+] Install nginx

sudo apt-get install nginx apache2-utils

[+] Configure nginx

Create admin user

sudo htpasswd -c /etc/nginx/htpasswd.users kibana_admin

Edit /etc/nginx/sites-available/default

        server {
            listen 80;

            server_name example.com;

            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/htpasswd.users;

            location / {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;

[+] Make everything start on boot


[+] Installing syslog-ng

apt-get install syslog-ng

[+] Syslog-ng configuration

Edit /etc/syslog-ng/conf.d/logstash.conf

        # Logstash configuration file for syslog-ng

        # Add extra options
        options {

        # Source
        source s_network { udp(); };

        # Destination
        destination d_logstash { udp("" port(5000)); };
        destination d_pipe { pipe("/var/log/syslog-ng/pipe"); };

        # Log
        log { source(s_network); destination(d_logstash); };
        log { source(s_network); destination(d_pipe); };