Course Outline
Introduction
- Comprehensive overview of the Elastic Stack (ELK).
Module 1: ELK Stack Architecture and Review of Existing Environment
- Review of the current architecture at Altor CB.
- ELK architecture components: Elasticsearch, Logstash, Kibana, and Beats.
- Distinguishing between Ingest nodes and Logstash.
- Scalability and performance considerations for on-premise installations.
- Best practices for administration.
Module 2: Beats – Distributed Monitoring (2 hours)
- Configuration and utilization of Filebeat, Auditbeat, Winlogbeat, and Packetbeat.
- Secure data shipping via SSL.
- Differences between preconfigured modules and custom inputs.
- Integration with Logstash and Ingest Pipelines.
Module 3: Parsing and Ingesting Logs from Applications and Databases (4 hours)
- Ingesting custom logs generated by applications.
- Employing Logstash for data parsing and transformation.
- Utilizing filters: grok, dissect, kv, mutate, and date.
- Establishing database connections (Oracle, PostgreSQL, SQL Server) via the JDBC input plugin.
- Practical scenarios: error logs, audit trails, traces, and slow queries.
Module 4: Advanced Search and Regular Expressions (2 hours)
- Advanced search syntax within Kibana.
- Application of regular expressions (regex).
- Constructing filters using OR and AND combinations.
- Handling nested fields and arrays.
- Saving reusable queries and filters.
Module 5: Custom Dashboards and Visualizations in Kibana (3 hours)
- Visualization types: bar charts, line graphs, maps, and tables.
- Understanding aggregations and metrics.
- Implementing dynamic filters, controls, and drill-down capabilities.
- Dashboard sharing functionalities.
- Practical exercises: building dashboards from database and system logs.
Module 6: Alerts and Email Notifications (3 hours)
- Introduction to Watcher and alternative solutions (ElastAlert, Kibana Alerts).
- Developing custom conditions and triggers.
- Configuring email output settings.
- Practical exercise: triggering an email alert upon detection of critical events in Windows or database logs.
Module 7: User and Permission Management (2 hours)
- Overview of X-Pack and free-tier options.
- Creating users and defining roles.
- Implementing access control by index, dashboard, and query.
- Practical exercise: defining roles for audit and operational teams.
Module 8: Elasticsearch REST API (3 hours)
- Fundamentals of the Elasticsearch RESTful API.
- Executing GET and POST queries.
- Manual and automated indexing techniques.
- Using utility tools such as curl and Postman.
- Practical exercises: searching, inserting, deleting, and updating documents.
Summary and Next Steps
Requirements
- A foundational understanding of the ELK Stack architecture and its core components.
- Practical experience in ingesting and visualizing logs using Kibana and Logstash.
- Familiarity with the Linux command line interface and basic scripting skills.
Target Audience
- System administrators.
- Infrastructure engineers.
- Technical teams aiming to implement advanced log centralization capabilities.
Testimonials (2)
The content is very helpful, and the trainer makes it easier to understand.
Ibrahim Al mayahi - Vastech SA
Course - Advanced Elasticsearch and Kibana Administration
The professionalism of the trainer; the way he tried to respond to all the questions; the review questions we had to ask, engaging us in conversations.