Setting Up a Logstash Forwarder

Prerequisites:

The Linux machine requires Java 1.8 installed.

To download and install Logstash, log in to the designated machine as an administrator and follow these steps:

  1. Run the command: apt-get update to refresh the package lists, so that upgrades for installed packages and packages newly added to the repositories become visible.
  2. Install Java JRE 1.8 on the Linux OS. If the machine already runs Java 1.8 you may skip this step. To install Java, run the command: apt-get install default-jre
  3. To verify that the installed Java is 1.8, run the command: java -version. Once verified, proceed to the next step of installing Logstash (reference: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html).
  4. Add the Elastic apt repository for Logstash:
    1. Download and install the Public Signing Key: wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
    2. Install the apt-transport-https package on Debian: apt-get install apt-transport-https
    3. Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
  5. Update the package lists again so that the newly added repository is applied. Run the command: apt-get update
  6. Install Logstash as a service:
    1. Run the command: apt-get install logstash
    2. Install a SysLog output plugin for Logstash. Run the command: /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog
  7. Configure Logstash to forward data to the XpoLog SysLog or HTTP/S listener. To do so, create a <CONF>.conf file (either a SysLog or an HTTP/S forwarding configuration) and place it at the path /etc/logstash/conf.d/.
    1. To define a Logstash forwarder that receives events from Winlogbeat and Filebeat forwarders and sends them over HTTP/S, download the following configuration file: http.conf and place it at /etc/logstash/conf.d/
    2. Edit the config file http.conf with the relevant XpoLog HTTP/S listener URL: in the output section, replace both occurrences of PLACE_HERE_THE_URL_AND_TOKEN_FROM_THE_HTTP_LISTENER with that URL.
  8. Start the Logstash service with the command: service logstash start. The available options are: service logstash {start|stop|status|restart|force-reload}


Notes: 

    • Any change to the /etc/logstash/conf.d/<CONF>.conf configuration file requires restarting the logstash service.
    • If Logstash is not running as a service, it can be run manually in the background using the command: /usr/share/logstash/bin/logstash -f http.conf &
    • To define Logstash forwarding over the SysLog TCP/UDP protocol, you may download and use the example: syslog.conf
    • To start Logstash with systemd, use: sudo systemctl start logstash.service (reference: https://www.elastic.co/guide/en/logstash/7.5/running-logstash.html)
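The steps above and the syslog note, gathered into one script as an added example (this is not XpoLog's or Elastic's own script, and the http.conf/syslog.conf files the page links to are not reproduced here). It assumes a Debian/Ubuntu host with apt, Logstash 7.x from the repository added above, a Beats listen port of 5044, and an XpoLog listener URL (including its token) passed on the command line. The pipeline text it writes uses the standard beats input and the http and syslog output plugins; the Java check reads the actual `java -version` banner rather than trusting that default-jre delivered 1.8, and the configuration is syntax-checked with Logstash's own `--config.test_and_exit` before the service is restarted, so a typo in the config never takes a running forwarder down.

```shell
#!/bin/sh
# Added example, not XpoLog's or Elastic's script. Assumptions: Debian/Ubuntu with apt,
# Elastic 7.x repository, Beats port 5044, listener URL supplied as the second argument.

# Return 0 when the first line of `java -version` reports Java 1.8, otherwise 1.
java_is_18() {
    case "$1" in
        *'version "1.8.'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit a pipeline that receives Winlogbeat/Filebeat events on Beats port $1
# and posts each event as JSON to the XpoLog HTTP/S listener URL $2.
http_pipeline() {
    cat <<EOF
input {
  beats {
    port => $1
  }
}
output {
  http {
    url => "$2"
    http_method => "post"
    format => "json"
  }
}
EOF
}

# Emit the SysLog variant: Beats port $1, XpoLog syslog host $2, port $3, protocol tcp|udp $4.
# Requires the logstash-output-syslog plugin installed in install_logstash below.
syslog_pipeline() {
    cat <<EOF
input {
  beats {
    port => $1
  }
}
output {
  syslog {
    host => "$2"
    port => $3
    protocol => "$4"
    rfc => "rfc5424"
  }
}
EOF
}

# Steps 1-6 of the procedure as one function (runs apt, so root is required).
install_logstash() {
    apt-get update
    # Install the JRE only if the current banner does not already report 1.8.
    java -version 2>&1 | head -n 1 | { read -r line; java_is_18 "$line"; } \
        || apt-get install -y default-jre
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    apt-get install -y apt-transport-https
    echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" \
        > /etc/apt/sources.list.d/elastic-7.x.list
    apt-get update
    apt-get install -y logstash
    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog
}

# Steps 7-8: write the HTTP/S pipeline, syntax-check it, then restart the service
# (a restart is required after any change under /etc/logstash/conf.d/).
deploy_http_pipeline() {
    conf=/etc/logstash/conf.d/http.conf
    http_pipeline 5044 "$1" > "$conf"
    /usr/share/logstash/bin/logstash --path.settings /etc/logstash \
        --config.test_and_exit -f "$conf"
    systemctl restart logstash.service
}

# Only act when invoked explicitly, e.g.:
#   sh setup-logstash.sh install 'https://xpolog.example.invalid/listener?token=PLACEHOLDER'
if [ "${1:-}" = install ]; then
    install_logstash
    deploy_http_pipeline "$2"
fi
```

Sourcing the file without the `install` argument only defines the functions, which is how the pipeline generators can be reused for the syslog.conf case: `syslog_pipeline 5044 xpolog.example.invalid 514 tcp > /etc/logstash/conf.d/syslog.conf`, followed by the same `--config.test_and_exit` check and restart.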