Logstash

In addition to the instructions below, you should check and verify the official installation instructions from Elastic.

Like Elasticsearch and Kibana, Logstash is also available via Ubuntu's software package manager:

# Add Logstash to your apt repositories source list:
$ echo "deb http://packages.elastic.co/logstash/2.3/debian stable main" | sudo tee -a /etc/apt/sources.list

$ sudo apt-get update
$ sudo apt-get install logstash

Also keep in mind that SSL/TLS is strongly recommended here, especially as external agents will connect to this service and you want to avoid leaking log data. Elastic also provides a separate package called X-Pack for security features:

$ sudo mkdir -p /etc/pki/tls/certs
$ sudo mkdir -p /etc/pki/tls/private
# Add the server's IP address as subjectAltName in the [ v3_ca ] section,
# so that connecting clients can validate the certificate against it:
$ sudo nano /etc/ssl/openssl.cnf
...
[ v3_ca ]
...
subjectAltName = IP: ELK_server_private_IP
$ cd /etc/pki/tls
# Create a self-signed certificate valid for 10 years; -nodes leaves the private key unencrypted,
# so restrict access to /etc/pki/tls/private accordingly:
$ sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

Keep in mind that the IP address given in subjectAltName is what external agents and clients check the certificate against when connecting to this server. An alternative procedure for FQDNs is available at DigitalOcean.com.

Logstash must now be configured to use the newly created certificate and key for incoming traffic from external agents and clients:

$ sudo nano /etc/logstash/conf.d/02-beats-input.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
# Open the firewall:
$ sudo ufw allow 5044

To enable Logstash to forward logs arriving on port 5044 to Elasticsearch, the parsing must be configured in the Logstash filters:

$ sudo nano /etc/logstash/conf.d/10-syslog-filter.conf
filter {
  if [type] == "syslog" {
    grok {
      # Split a syslog line into timestamp, host, program, optional PID and message
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      # Syslog pads single-digit days with a space, hence the two formats
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
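To see which fields the grok and date filters above produce for a given line before shipping real logs, the following added example (not part of the original tutorial) re-implements the syslog pattern as a Python regex and runs it over constructed sample lines; the hostname and timestamp sub-patterns are simplified approximations of the grok ones, and the year is assumed since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Regex equivalent of the grok pattern in 10-syslog-filter.conf:
#   %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:prog}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA}
# SYSLOGHOST is approximated by \S+ and SYSLOGTIMESTAMP by "Mon [d]d HH:MM:SS".
SYSLOG_LINE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)


def parse_syslog(line, year=2016):
    """Return the fields the filter would add, or None where grok would tag _grokparsefailure.

    `year` is an assumption: syslog timestamps have no year, so the date filter uses the current one.
    """
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    # The date filter tries "MMM  d HH:mm:ss" then "MMM dd HH:mm:ss"; collapsing the
    # double space lets a single strptime format cover both cases.
    ts = " ".join(event["syslog_timestamp"].split())
    event["@timestamp"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return event


# Constructed sample lines (not real log data); 203.0.113.0/24 is a documentation range.
SAMPLE_LINES = [
    "Jun  7 10:15:42 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52214 ssh2",
    "Jun 17 23:01:01 web01 kernel: usb 1-1: new device found",
    "this line is not syslog at all",
]


def parse_all(lines):
    """Parse every line; unparsable ones are reported the way Logstash would tag them."""
    return [parse_syslog(l) or {"tags": ["_grokparsefailure"], "message": l} for l in lines]


if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event)
```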

Finally, the endpoint itself (Elasticsearch) must be configured; all parsed data is sent there:

$ sudo nano /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Now the Logstash configuration can be verified and Logstash enabled. In case of issues, check /var/log/syslog for failed startups; keep in mind that Logstash has multiple configuration files in /etc/logstash/conf.d/, which are referenced together in /var/log/sysout. You can merge these files for a check (cat /etc/logstash/conf.d/* > /tmp/total.conf):

$ sudo /opt/logstash/bin/logstash --configtest -f /etc/logstash/conf.d/
$ sudo systemctl restart logstash
$ sudo systemctl enable logstash