Install Log Parsing Sensors
Access Logs Based Instrumentation
i. Pre-requisites
- Satellite has been successfully installed.
- You have noted down the Satellite's
hostname:portorip-address:portinformation. - The Satellite is reachable (via HTTP/s) from the location where you are going to install the log-parser.
Approaches
For below log formats proceed with Approach 1.
- Nginx
- Apache
- Azure API Gateway
For below log formats proceed with Approach 2.
- CEF
Note: For instrumenting Imperva WAF - Incapsula logs that are stored on Amazon S3 Bucket, please proceed with Approach 2.
Approach 1
Follow instructions for your platform
Install on Linux host via Docker
Prerequisites
- Docker Engine version
18.03.0and above - Pick an
Application NameAuto discovered API endpoints and their OpenAPI specifications are shown in the API Catalog, grouped under an application name. The application name helps segregate and group API endpoints from different environments, similar to how file folders work in an operating system.
Pick a descriptive name which will be used in the subsequent step below. For example: `my-test-app`.
Installation
# Replace '<SATELLITE_URL>' with the values you noted down from the Satellite install
#
# Specify below the 'APP_NAME'. Do not quote the 'APP_NAME'.
# Environment Name is optional. If not specified, it defaults to 'staging'
#
docker run --rm -d --name=log-parser \
-v ./logs:/mnt/levo/logs \
-e LEVO_SATELLITE_URL=<LEVO_SATELLITE_URL> \
-e LEVOAI_ORG_ID=<LEVOAI_ORG_ID> \
-e APP_NAME=<APP_NAME> \
-e ENV_NAME=<ENV_NAME> \
levoai/log-parser
NOTE:
- The default address for the satellite in Docker-based Log Parser installations is
https://satellite.levo.ai.- In case of levo hosted satellite, it is necessary that you must also specify an organization ID (
LEVOAI_ORG_ID).- If you wish, you may also host the Satellite yourself and specify the address of the satellite to direct the Log Parser's data to it.
2. Verify connectivity with Satellite
Execute the following command to check for connectivity health:
# Please specify the actual container name for log-parser below
docker logs log-parser | grep "starting fluentd"
If connectivity is healthy, you should see output similar to below.
2024-02-22 01:27:06 +0000 [info]: starting fluentd-1.16.3 pid=7 ruby="3.2.2"
2024-02-22 01:27:06 +0000 [info]: #0 starting fluentd worker pid=16 ppid=7 worker=0
2024-02-22 01:27:06.831947051 +0000 fluent.info: {"pid":16,"ppid":7,"worker":0,"message":"starting fluentd worker pid=16 ppid=7 worker=0"}
Please proceed to the next step, if there are no errors.
Approach 2
Install on Linux host via Docker
1. Prerequisites
- Docker Engine version
18.03.0and above.
2. Installation steps
- Loading...the docker-compose and configuration files.
- Run below command to install log-parser containers filebeat and logstash.
docker compose up -d
3. Verify the installation
- Verify the installation by checking the logs of the containers.
docker ps -f name=levoai
- View the logs of the container by running below command.
docker logs -f levoai-logstash
docker logs -f levoai-filebeat
4. Uninstallation steps
- Clean up the containers by running below command.
docker compose down
docker volume rm log-parser_filebeat-data log-parser_logstash-queue && rm -rf filebeat/data/ && rm -rf logstash/data/
Install on Kubernetes via Helm
1. Prerequisites
- Kubernetes version >=
v1.18.0 - Helm v3 installed and working.
- The Kubernetes cluster API endpoint should be reachable from the machine you are running Helm.
kubectlaccess to the cluster, withcluster-adminpermissions.- At least 4 CPUs
- At least 8 GB RAM
2. Add levoai Helm repo
helm repo add levoai https://charts.levo.ai && helm repo update levoai
3. Installation steps
- Create secret for
aws-credentialswith your AWS credentials which has access to the S3 bucket.
kubectl apply -f aws-credentials.yaml
# aws-credentials.yaml
apiVersion: v1
kind: Secret
metadata:
name: aws-credentials
labels:
app: levoai-filebeat
app.kubernetes.io/name: aws-credentials-secret
type: Opaque
data:
aws-bucket-arn: <Your AWS Bucket ARN like "arn:aws:s3:::<bucket-name>">
aws-access-key-id: <Your Access Key ID>
aws-secret-access-key: <Your Secret Access Key>
aws-default-region: <Your Region like "us-west-2">
- Run the below command to install the log-parser containers in
levoainamespace.
helm upgrade --install -n levoai --create-namespace levoai-log-parser levoai/levoai-log-parser --set global.levoaiOrgId=<your-org-id>
info
By default this will send all the logs to satellite running in the same namespace.
If you want to send logs to a different satellite, you can specify the satellite URL using --set global.levoaiSatelliteUrl=<your-satellite-url>.
In case of levo hosted satellite, use satellite url as https://collector.levo.ai.
4. Verify the installation
Check the status of the pods by running below command.
kubectl get pods -n levoai
If the levoai-log-parser helm is healthy, you should see output similar to below.
NAME READY STATUS RESTARTS AGE
levoai-filebeat-6bbf84d957-c44kh 1/1 Running 0 104s
levoai-logstash-77775d78c-q7cgm 1/1 Running 0 104s
Check the status of the services by running below command.
kubectl get services -n levoai
If the levoai-logstash service is healthy, you should see output similar to below.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
levoai-logstash ClusterIP 10.0.81.244 <none> 5044/TCP 120s
5. Uninstallation steps
- Run the below command to uninstall the services.
helm uninstall levoai-log-parser
kubectl delete secret aws-credentials -n levoai
Please reach out to support@levo.ai if you're facing any issue.