You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jeff Moe de46783cd5
Set up elasticsearch with rsyslog. Logstash/kibana
6 years ago
..
README Set up elasticsearch with rsyslog. Logstash/kibana 6 years ago

README

apt update

apt -y dist-upgrade

####################################################################
# Be sure to get OSS version. The "Elastic License" is a non-free, proprietary license.
# https://www.elastic.co/downloads/logstash-oss

apt update
apt install openjdk-8-jre-headless

# Install logstash
# Disable apt-cache in /etc/apt/apt.conf, it doesn't work with https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
# Disable apt cache in /etc/apt/apt.conf
apt update
apt-get install logstash

# Configure
vim /etc/logstash/logstash.yml
http.host: "10.22.22.108"
http.port: 9600


cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF
input {
tcp {
port => 5140
type => syslog
}
udp {
port => 5140
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch { hosts => ["10.22.22.124:9200"] }
stdout { codec => rubydebug }
}
EOF



# Start:
systemctl start logstash.service

# Open firewall
# Logstash
-A INPUT -p tcp --dport 9600 -j ACCEPT
# Logstash syslog
-A INPUT -p tcp --dport 5140 -j ACCEPT
-A INPUT -p udp --dport 5140 -j ACCEPT

# Start on boot:
systemctl enable logstash.service

### XXX Backups
### XXX Prometheus :)