Setting Up a Logstash Forwarder
Prerequisites:
The Linux machine must have Java 1.8 installed, and you need root (or sudo) access to install packages and services.
To download and install Logstash, log in to the designated machine as root (or a user with sudo rights) and follow these steps:
- Run apt-get update to refresh the package lists, so that packages that need upgrading and packages newly added to the repositories are visible.
- Install Java JRE 1.8. If the machine already runs Java 1.8 you may skip this step. To install Java run the command: apt-get install default-jre
- Verify that the installed Java is 1.8 by running: java -version. If the version is confirmed, proceed to installing Logstash (reference: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html)
- Add the Elastic apt repository:
- Download and install the public signing key: wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- Install the apt-transport-https package on Debian: apt-get install apt-transport-https
- Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
- Update the package lists again so that the new repository is read. Run the command: apt-get update
Caveats: tee -a appends, so running the echo line twice leaves a duplicate entry in the file; check the file before re-running. A key installed with apt-key add is trusted for every repository on the host, and apt-key is deprecated on current Debian and Ubuntu releases; on those, store the key under /usr/share/keyrings and reference it with a [signed-by=...] option in the deb line instead.
- Install Logstash as a service:
- Run the command: apt-get install logstash
- Install a SysLog output plugin for Logstash. Run the command: /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog
- Configure Logstash to forward data to an XpoLog Syslog or HTTP/S listener. To do so, create a <CONF>.conf file (either the Syslog or the HTTP/S forwarding configuration) and place it in /etc/logstash/conf.d/.
- To forward over HTTP/S from Winlogbeat and Filebeat forwarders, download the following configuration file: http.conf and place it in /etc/logstash/conf.d/
- Edit http.conf: in the output section, replace both occurrences of PLACE_HERE_THE_URL_AND_TOKEN_FROM_THE_HTTP_LISTENER with the URL of the relevant XpoLog HTTP/S listener. The URL carries the listener token, so use an https URL and keep the file readable only by root and the logstash user.
- Additional guidelines about configuration are available in the article Adding Data from Logstash (HTTP/S)
- Learn more about the XpoLog HTTP/S listener in the article HTTP/S
- Start the Logstash service with the command: service logstash start. The available options are: service logstash {start|stop|status|restart|force-reload}
Notes:
- Any change to a /etc/logstash/conf.d/<CONF>.conf configuration file requires restarting the logstash service (service logstash restart).
- In case Logstash is not running as a service, it can be run manually in the background with the full path to the configuration file: /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http.conf &
- To define Logstash forwarding using the Syslog TCP/UDP protocol, download and use the example: syslog.conf
- Additional guidelines about configuration are available in the article Adding Data from Logstash (Syslog)
- Learn more about the XpoLog Syslog listener in the articles Syslog TCP and Syslog UDP
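The HTTP/S and Syslog steps above both end with a hand-edited pipeline file and a service restart. The following shell functions, added here as an example and not XpoLog's downloadable http.conf or syslog.conf, render each pipeline variant (Beats input on port 5044, output to an XpoLog HTTP/S or Syslog listener) and run a pre-flight check that refuses to deploy a file in which the PLACE_HERE_THE_URL_AND_TOKEN_FROM_THE_HTTP_LISTENER placeholder is still present or the listener is reached over plain http, which would send the token in clear. The listener host names, ports and URL path used in the usage are hypothetical; substitute the values from your XpoLog listener.

```shell
#!/bin/sh
# Added example (not XpoLog's http.conf/syslog.conf): render a Logstash
# pipeline that takes Filebeat/Winlogbeat events on port 5044 and forwards
# them to an XpoLog listener, then pre-check it before restarting the service.
# Hostnames, ports and URL paths in any usage are hypothetical.

PLACEHOLDER='PLACE_HERE_THE_URL_AND_TOKEN_FROM_THE_HTTP_LISTENER'

# beats_input: the input stanza shared by both pipeline variants.
beats_input() {
  cat <<'EOF'
input {
  beats {
    port => 5044
    # Once the host has a certificate, make forwarders verify it:
    # ssl => true  ssl_certificate => "/path/cert.pem"  ssl_key => "/path/key.pem"
  }
}
EOF
}

# render_http_conf OUT_FILE LISTENER_URL
# HTTP/S variant: POST each event as JSON to the XpoLog HTTP/S listener URL.
render_http_conf() {
  out="$1"; url="$2"
  {
    beats_input
    cat <<EOF
output {
  http {
    url         => "$url"
    http_method => "post"
    format      => "json"
    # The listener certificate is verified against the system CA store. For a
    # private CA, point cacert at its PEM file rather than disabling verification.
  }
}
EOF
  } > "$out"
}

# render_syslog_conf OUT_FILE HOST PORT PROTOCOL   (PROTOCOL is tcp or udp)
# Syslog variant: RFC 5424 messages to the XpoLog Syslog TCP or UDP listener.
render_syslog_conf() {
  out="$1"; host="$2"; port="$3"; proto="$4"
  {
    beats_input
    cat <<EOF
output {
  syslog {
    host     => "$host"
    port     => $port
    protocol => "$proto"
    rfc      => "rfc5424"
    appname  => "logstash"
  }
}
EOF
  } > "$out"
}

# check_conf CONF_FILE
# Returns 0 when the file is deployable, 1 when the template placeholder is
# still present, 2 when the HTTP listener URL is plain http (token in clear).
check_conf() {
  conf="$1"
  if grep -q "$PLACEHOLDER" "$conf"; then
    echo "refusing to deploy $conf: placeholder still present" >&2
    return 1
  fi
  if grep -Eq '^[[:space:]]*url[[:space:]]*=>[[:space:]]*"http://' "$conf"; then
    echo "refusing to deploy $conf: listener URL is plain http, token would travel in clear" >&2
    return 2
  fi
  return 0
}
```

Typical use: render_http_conf /etc/logstash/conf.d/http.conf "https://listener.example.internal:8443/ingest?token=..." followed by check_conf /etc/logstash/conf.d/http.conf. When the check passes, let Logstash parse the file before touching the service: sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit -f /etc/logstash/conf.d/http.conf, and only then run service logstash restart. The syslog variant is rendered the same way with render_syslog_conf and then checked and restarted identically.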