73 lines
1.7 KiB
73 lines
1.7 KiB
apt update
|
|
apt -y dist-upgrade
|
|
|
|
####################################################################
|
|
# Be sure to get OSS version. The "Elastic License" is a non-free, proprietary license.
|
|
# https://www.elastic.co/downloads/logstash-oss
|
|
|
|
apt update
|
|
apt install openjdk-8-jre-headless
|
|
|
|
# Install logstash
|
|
# Disable apt-cache in /etc/apt/apt.conf, it doesn't work with https
|
|
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
|
|
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
|
|
# Disable apt cache in /etc/apt/apt.conf
|
|
apt update
|
|
apt-get install logstash
|
|
|
|
# Configure
|
|
vim /etc/logstash/logstash.yml
|
|
http.host: "10.22.22.108"
|
|
http.port: 9600
|
|
|
|
|
|
cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF
|
|
input {
|
|
tcp {
|
|
port => 5140
|
|
type => syslog
|
|
}
|
|
udp {
|
|
port => 5140
|
|
type => syslog
|
|
}
|
|
}
|
|
|
|
filter {
|
|
if [type] == "syslog" {
|
|
grok {
|
|
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
|
|
add_field => [ "received_at", "%{@timestamp}" ]
|
|
add_field => [ "received_from", "%{host}" ]
|
|
}
|
|
date {
|
|
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
|
|
}
|
|
}
|
|
}
|
|
output {
|
|
elasticsearch { hosts => ["10.22.22.124:9200"] }
|
|
stdout { codec => rubydebug }
|
|
}
|
|
EOF
|
|
|
|
|
|
|
|
# Start:
|
|
systemctl start logstash.service
|
|
|
|
# Open firewall
|
|
# Logstash
|
|
-A INPUT -p tcp --dport 9600 -j ACCEPT
|
|
# Logstash syslog
|
|
-A INPUT -p tcp --dport 5140 -j ACCEPT
|
|
-A INPUT -p udp --dport 5140 -j ACCEPT
|
|
|
|
# Start on boot:
|
|
systemctl enable logstash.service
|
|
|
|
### XXX Backups
|
|
### XXX Prometheus :)
|
|
|