Jeff Moe
c9e8c4cf55
|
6 years ago | |
|---|---|---|
| .. | ||
| README.md | 6 years ago | |
README.md
apt update apt -y dist-upgrade
####################################################################
Be sure to get OSS version. The "Elastic License" is a non-free, proprietary license.
https://www.elastic.co/downloads/logstash-oss
apt update apt install openjdk-8-jre-headless
Install logstash
Disable apt-cache in /etc/apt/apt.conf, it doesn't work with https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
Disable apt cache in /etc/apt/apt.conf
apt update apt-get install logstash
Configure
vim /etc/logstash/logstash.yml http.host: "10.22.22.108" http.port: 9600
cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF input { tcp { port => 5140 type => syslog } udp { port => 5140 type => syslog } }
filter { if [type] == "syslog" { grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" } add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] } date { match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] } } } output { elasticsearch { hosts => ["10.22.22.124:9200"] } stdout { codec => rubydebug } } EOF
Start:
systemctl start logstash.service
Open firewall
Logstash
-A INPUT -p tcp --dport 9600 -j ACCEPT
Logstash syslog
-A INPUT -p tcp --dport 5140 -j ACCEPT -A INPUT -p udp --dport 5140 -j ACCEPT
Start on boot:
systemctl enable logstash.service