# Configure Central Logging to Elastic

To ship the logs of a system to the central logging service (Elastic) following pre steps are needed:

1. Have a space in Elastic to ship the logs to
2. Have a space API key

Both prerequisites you can check with / talk to Michel Rebmann (michel.rebmann@psi.ch) / Group 9522, which will provide a configuration similar to the following:

```
{
  "id" : "${space_id}",
  "name" : "input_${space_name}",
  "api_key" : "${space_api_key}",
  "encoded" : "${space_encoded_key}"
}
```

Afterwards the log shipping can be configures as follows in hiera:

```
base::enable_elastic: true
elastic::space: "${space_name}"
elastic::space_api_key: "${space_id}:${space_api_key}"  # The resulting string should be encrypted
```

```{note}
Replace the space name as well as the space_api_key according to your setup.
```

Notice that `space` contains the `name` without the `input_` prefix, while `space_api_key` contains a `:`-separated value: 
* the first part corresponds to the `id` of the space,
* the second part corresponds to the `api_key`.
* The resulting string `"${space_id}:${space_api_key}"` **should be encrypted** with [eyaml](https://linux.psi.ch/admin-guide/puppet/hiera.html?highlight=eyaml#encrypting-data-with-the-public-key)

By default __all__ journald logs are shipped to the central Elastic instance. If you want to __limit__ the logs to specific units, the units can be specified as follows:

```
elastic::systemd_units:
    - 'sshd.service'
```