LogScale on Bare Metal - Installing LogScale
CrowdStrike recommends installing LogScale on Ubuntu using a LTS release. Before completing the LogScale installation, the following must be in place:
LogScale releases from v1.154.0 include a bundled JVM for executing LogScale.
Kafka cluster available, and the host names and ports for the Kafka nodes known. See Installing Native Kafka to deploy a native Kafka cluster or if deploying within AWS, use Deploying Kafka using Amazon MSK to deploy an Amazon MSK cluster.
There are some additional preparations required before installing LogScale.
LogScale User & Directories
A suitable user and directories to store the LogScale data must be created first:
Create a non-administrative user named
humioto run LogScale software in the background:shell$adduser humio --shell=/bin/false --no-create-home --system --groupAdd this user to the
DenyUserssection of the/etc/ssh/sshd_configfile on each node to prevent it from being able to ssh or sftp into the node. Restart thesshddaemon after making the change.Create the LogScale system directories and give the
humiouser ownership of them:shell$chown humio:humio /var/log/humio /var/humio/data
LogScale Software Installation
The LogScale software is distributed as a tarball. This should be downloaded into the LogScale users home directory, and then extracted before configuration:
For glibc Linux distributions
$ cd /opt/humio/
$ wget https://repo.humio.com/repository/maven-releases/com/humio/server-linux_x64/1.177.1/server-linux_x64-1.177.1.tar.gz
$ tar xzf /opt/humio/server-linux_x64-1.177.1.tar.gz
For musl libc Linux distributions
$ cd /opt/humio/
$ wget https://repo.humio.com/repository/maven-releases/com/humio/server-alpine_x64/1.177.1/server-alpine_x64-1.177.1.tar.gz
$ tar xzf /opt/humio/server-alpine_x64-1.177.1.tar.gzThe wget here is used to download the latest release from https://repo.humio.com/service/rest/repository/browse/maven-releases/com/humio/server-linux_x64/.
LogScale Configuration
The LogScale configuration is stored in a file
server.conf in the
/etc/humio directory. The lines
in this file contain configuration information as key/value pairs that
are referred to as the LogScale
environment variables
Below is a sample configuration file that defines a LogScale configuration for a single host in KRaft Mode:
AUTHENTICATION_METHOD=single-user
DIRECTORY=/var/humio/data
HUMIO_AUDITLOG_DIR=/var/log/humio
HUMIO_DEBUGLOG_DIR=/var/log/humio
JVM_LOG_DIR=/var/log/humio
HUMIO_PORT=8080
ELASTIC_PORT=9200
KAFKA_SERVERS=kafka1:9092,kafka2:9092,kafka3:9092
KAFKA_BOOTSTRAP_SERVERS=kafka1:9092,kafka2:9092,kafka3:9092
EXTERNAL_URL=http://127.0.0.1:8080
PUBLIC_URL=http://127.0.0.1These lines configure the following settings:
AUTHENTICATION_METHOD=single-userSets the authentication method. Initially a single-user model is used. The
SINGLE_USER_USERNAMEandSINGLE_USER_PASSWORDcan be added to set a username and password to connect to the cluster. For information on other authorization methods, see Authentication and Identity Providers.Sets the directory where LogScale will store data.
HUMIO_AUDITLOG_DIR=/var/log/humioSets the directory for logs from LogScale for auditing.
HUMIO_DEBUGLOG_DIR=/var/log/humioSets the directory for logs from LogScale.
Sets the directory for logs from LogScale.
Sets the default port that will be used to access LogScale.
Sets the port for ingesting data using the Elastic bulk protocol.
KAFKA_SERVERS=kafka1:9092,kafka2:9092,kafka3:9092Sets the list of Kafka servers required by LogScale.
KAFKA_BOOTSTRAP_SERVERS=kafka1:9092,kafka2:9092,kafka3:9092If using Kafka in KRaft mode, set the bootstrap servers to configure the location for configuration LogScale and Kafka started.
EXTERNAL_URL=http://127.0.0.1:8080Sets the external URL that LogScale will listen for connections. The above uses the localhost address (127.0.0.1) but this should be changed to the hostname of the LogScale node, for example
logscale1.Sets the public URL that LogScale will use to advertise and create links. The above uses the localhost address (
127.0.0.1), but this should be changed to the IP address of the load balance used to access the cluster. See Installing Load Balancers for more information.
Important
Changes made to the configuration files must be made on all nodes, and each node will need to be restarted for the changes to take effect.
For more information on each of the environment variables, see Configuration Variables.
Configuring LogScale as a Service
Next you should set up a service file. Using a simple text editor,
create a file named,
humio.service in the
/etc/systemd/system/
sub-directory. Add these lines to that file:
[Unit]
Description=LogScale service
After=network.service
[Service]
Type=notify
Restart=on-abnormal
User=humio
Group=humio
LimitNOFILE=250000:250000
EnvironmentFile=/etc/humio/server.conf
WorkingDirectory=/var/humio
ExecStart=/opt/humio/humio/bin/humio-server-start.sh
TimeoutSec=900
[Install]
WantedBy=default.targetConfiguring the service uses the LogScale Launcher Script
LogScale Ownership & Start-up
The ownership of the LogScale files and start the
LogScale service must be changed to the humio
user created earlier:
$ chown -R humio:humio /var/log/humio /var/humio/dataLogScale is now ready to be started using the systemctl utility:
$ systemctl start humioCheck that LogScale is running using the journalctl tool:
$ journalctl -fu humio
If there are no errors, open a web browser and enter the domain name or
IP address with port 8080.