forksand-it-manual/source/resources/apps/logstash/README.md

apt update
apt -y dist-upgrade

####################################################################
# Be sure to get OSS version. The "Elastic License" is a non-free, proprietary license.
# https://www.elastic.co/downloads/logstash-oss

apt update
apt install openjdk-8-jre-headless

# Install logstash
# Disable apt-cache in /etc/apt/apt.conf, it doesn't work with https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
# Disable apt cache in /etc/apt/apt.conf
apt update
apt-get install logstash

# Configure
vim /etc/logstash/logstash.yml
http.host: "10.22.22.108"
http.port: 9600


cat > /etc/logstash/conf.d/logstash-syslog.conf <<EOF
input {
  tcp {
    port => 5140
    type => syslog
  }
  udp {
    port => 5140
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { hosts => ["10.22.22.124:9200"] }
  stdout { codec => rubydebug }
}
EOF



# Start:
systemctl start logstash.service

# Open firewall
# Logstash
-A INPUT -p tcp --dport 9600 -j ACCEPT
# Logstash syslog
-A INPUT -p tcp --dport 5140 -j ACCEPT
-A INPUT -p udp --dport 5140 -j ACCEPT

# Start on boot:
systemctl enable logstash.service

### XXX Backups
### XXX Prometheus :)