Follow this recipe if you want your own appliance, aka BYOSBuild Your Own SexiLog”

Here are the steps for building this awesome appliance!


Building the system

SexiLog is built on top of Debian operating system thanks to the netinst media.

OS Installation

The only customisation done during the OS installation (beside all the network/disk layout brew) was to check SSH server and Standard system utilities during tasksel step.


In order to prepare your server you will need to install some prerequisites. First, we encourage you to keep your system up-to-date (this is just best practice, not mandatory, but everyone wish for an up-to-date system :) ), then you must install standard packages (if these are not already installed on your system of course):

Dedicated partition

Due to the way Curator works, it’s best to dedicate a partiton to ElasticSearch indices:

Uptade /etc/fstab with the partition UUID and “” in /etc/elasticsearch/elasticsearch.yml.

Installing SexiLog components

SexiLog is based on an awesome suite known as the ELK stack, which stands for Elasticsearch Logstash Kibana, plus some tools (Curator and Riemann)

As this cookbook is written, below software version were used on the SexiLog appliance:

You may want to verify the downloaded files checksum:


You must install elasticsearch (a flexible and powerful open source, distributed, real-time search and analytics engine) with previously downloaded packages and set it up to start with the system:

Some elasticsearch plugins must also be installed as they could be usefull for troubleshooting:


You must install logstash (helps you take logs and other time based event data from any system and store it in a single place for additional transformation and processing) with previously downloaded packages and set it up to start with the system:

Beginning with Logstash 1.5 there will be a new plugin management system, but as SexiLog is currently based on branch 1.4x so we need to install an additionnal package:

Kibana 3 & kibana-proxy

Kibana is Elasticsearch’s data visualization engine, allowing you to natively interact with all your data in Elasticsearch via custom dashboards.

Since kibana 3 is a fully client side JavaScript, we choose to add kibana-proxy Node.js express app to avoid Elasticsearch queries from client browser (as it was designed to) and node-startup to handle automatic start up of your kibana 3 “server”.


Like a museum curator manages the exhibits and collections on display, Elasticsearch Curator helps you curate, or manage your time-series indices. SexiLog use it to limit indices space usage. In order to install it, you can use pip (a Python packages management tool):


Riemann aggregates events from SexiLog with a powerful stream processing language and handle mail alerts based on tags. It must be set up to start with the system:


Setting up the mixture


Here are the non-default variables used in /etc/elasticsearch/elasticsearch.yml:

  • index.number_of_shards: 1
    • Limit the number of shards used by elasticsearch to 1.
  • index.number_of_replicas: 0
    • “Disable” the distributed features by setting the number of replicas for shards to 0.
  • false
    • Enable unicast discovery.

These settings were initialy set in order to make this appliance easily “exportable”. Adjust these settings to reflect your environnment
  • bootstrap.mlockall: true
    • ElasticSearch performs poorly when JVM starts swapping, we should ensure that it never swaps by locking the memory.
  • indices.memory.index_buffer_size: 50%
    • ElasticSearch by default assumes that you’re going to use it mostly for searching and querying, so it allocates 90% of its allocated total HEAP memory for searching, but SexiLog case was opposite – the goal is to index vast amounts of logs as quickly as possible, so it was changed to 50/50 (explaination extracted from a must-read source: ElasticSearch and Logstash Tuning)
  • sexilog
    • Yes, we customized cluster name, and of course it’s sexilog ^^.


Here are the non-default variables used in /etc/init.d/logstash:

  • LS_USER=root
  • LS_GROUP=root
    • In order to be able to listen on port <1024 (typically syslog with UDP/514) user running logstash service must be root.

 If you plan on using different syslog listening port (ie >1024), these settings aren’t mandatory
    • Increase default heap size for logstash.


Curator is set up with a crontab task that is used to set the purge of indice, the –disk-space 10 parameter tells the purge to use space criteria of 10GB:


If you want your SexiLog appliance to be able to receive SNMP trap, you need to install SNMP daemon:

Here is the custom configuration done in /etc/snmp/snmpd.conf:

  • rocommunity public
  • includeAllDisks 10%

Here is the custom configuration done in /etc/snmp/snmptrapd.conf:

  • authCommunity log public

Here is the custom configuration done  in /etc/default/snmpd:

  • TRAPDRUN=yes
  • TRAPDOPTS='-Ls 2 -p /var/run/ -m ALL -M /usr/share/mibs/vmw/'

Here is the custom configuration done in /etc/rsyslog.d/32-snmptrapd.conf:

  • if $programname == 'snmptrapd' then @localhost:3514
  • if $programname == 'snmptrapd' then ~

In order to get VMware SNMP MIB Modules, you will need to visit VMware KB1013445 to download all *.mib files and put them to /usr/share/mibs/vmw/


In order for SexiMenu to run as expected, you have to download the script and the sample configuration file (used for Riemann configuration) from our Github repository and make it executable:

Next, you have to add it to the .bashrc file (for connexion startup):

Conf files

Up-to-date configuration files can be downloaded straight from sexilog github repository


Once everything is in place, reboot and enjoy your SexiLog appliance. Have fun!


Those tweaks were done on SexiLog appliance, and you could do it on your side if you need it.


By default on Debian 7 Wheezy when running on VMware, mpt-status gets installed by default. Since the virtual machine does not use RAID mpt-statusd reports “non-optimal” RAID status in the log every 10 minutes:

The mpt-status package is used to query the status of LSI SCSI HBAs so unless your machine is using such HBA cards the mpt-status package should be safe to remove:


Default SexiLog appliance uses only ipv4, so we needed to disable ipv6 in order to avoid any issue. It’s done by modifying file /etc/sysctl.conf:

  • net.ipv6.conf.all.disable_ipv6 = 1
  • net.ipv6.conf.default.disable_ipv6 = 1
  • net.ipv6.conf.lo.disable_ipv6 = 1
  • net.ipv6.conf.eth0.disable_ipv6 = 1


As instructed by Elasticsearch guys, let’s tune vm.swappiness in /etc/sysctl.conf:

  • vm.swappiness = 1

Certificate generation

In order to ease communication between appliances (in the case for instance you wanted to forward some messages to another appliance), the best way to do it is based on lumberjack forwarder but SSL is mandatory so we need to create certificates: