📌 Installing and Configuring Logstash
Logstash is a powerful tool for collecting, processing, and forwarding logs to various destinations like Elasticsearch. This guide will help you install and configure Logstash on your system. 🚀
🛠️ Step 1: Install Logstash
To install Logstash, use the following command:
sudo apt install logstash
🔹 This command installs Logstash using the package manager on Debian-based systems. It assumes the Elastic APT repository and its signing key have already been added; otherwise apt will not find the logstash package.
📂 Step 2: Configure Logstash Inputs
📥 Create a Filebeat Input Configuration File
We will create a configuration file called 02-beats-input.conf to set up the Filebeat input.
sudo nano /etc/logstash/conf.d/02-beats-input.conf
🔹 Add the following content to the file:
input {
  beats {
    port => 5044 # 🔄 Placeholder: Change if using a different port
  }
}
✅ Explanation:
- This configuration sets up Logstash to listen on TCP port 5044 for logs coming from Filebeat.
- Filebeat (one of the Elastic Beats) is a lightweight log shipper that forwards logs to Logstash for further processing.
💡 Ensure that your firewall allows inbound TCP traffic on port 5044 from the hosts running Filebeat.
📄 Step 3: Configure Logstash Outputs
🔄 Create an Elasticsearch Output Configuration File
Now, we need to send the logs to Elasticsearch. Create another configuration file:
sudo nano /etc/logstash/conf.d/30-elasticsearch-output.conf
🔹 Add the following content:
output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["localhost:9200"] # 🔄 Placeholder: Replace with actual Elasticsearch host if different
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"] # 🔄 Placeholder: Replace with actual Elasticsearch host if different
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
✅ Explanation:
- This configuration forwards logs to Elasticsearch running on localhost:9200.
- If you are using a remote Elasticsearch server, replace localhost:9200 with the actual host address.
- The index pattern organizes logs into daily indices named after the beat name, version, and date.
- If the event metadata contains a pipeline field, the event is sent through that Elasticsearch ingest pipeline; otherwise it is indexed directly (the default route).
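The beats input from Step 2 and the elasticsearch output from Step 3 accept events in clear text and send them on without authentication, so anything on the network path can read or inject log data. As an added example that is not part of the original guide, here are the same two files with TLS and client-certificate verification on the Beats listener and an authenticated HTTPS connection to Elasticsearch; the certificate paths, the es01.example.internal host, the logstash_writer user and the ES_PWD keystore entry are assumed names, option names follow the 7.x plugin documentation (8.x accepts them with deprecation warnings), and the pipeline conditional from Step 3 is left out for brevity.

```logstash
# /etc/logstash/conf.d/02-beats-input.conf (hardened; added example, not from the original guide)
input {
  beats {
    port => 5044
    ssl => true
    # Server certificate and PKCS#8 private key presented to Filebeat (assumed paths)
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    # Only Beats that present a certificate signed by this CA may connect;
    # "force_peer" rejects clients that send no certificate at all
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"
  }
}

# /etc/logstash/conf.d/30-elasticsearch-output.conf (hardened; added example, not from the original guide)
output {
  elasticsearch {
    # HTTPS to an assumed hostname; the CA below is used to verify the Elasticsearch certificate
    hosts => ["https://es01.example.internal:9200"]
    ssl => true
    cacert => "/etc/logstash/certs/ca.crt"
    # Dedicated low-privilege user (assumed name) whose role only allows writing these indices;
    # the password is read from the Logstash keystore instead of being stored in this file
    user => "logstash_writer"
    password => "${ES_PWD}"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Create the keystore entry with sudo -u logstash /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD, then re-run the -t check from Step 4. Filebeat must then be given the CA and its own client certificate and key in its output.logstash ssl settings, or the listener will reject it.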
🔍 Step 4: Test Logstash Configuration
Before starting Logstash, validate the configuration:
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
✅ Explanation:
- This command checks if your configuration files are correctly formatted and have no syntax errors.
- If everything is correct, you should see an output like:
Configuration OK
🚀 Step 5: Start and Enable Logstash
Once the configuration is verified, start the Logstash service:
sudo systemctl start logstash
To make Logstash start automatically at boot, enable the service:
sudo systemctl enable logstash
✅ Explanation:
- start logstash launches the Logstash service.
- enable logstash ensures Logstash starts on every reboot.
📊 Step 6: Add Logstash to PATH for Version Check Anywhere
To run logstash --version from anywhere:
sudo ln -s /usr/share/logstash/bin/logstash /usr/bin/logstash
🔹 This creates a symbolic link so you can check the version from anywhere using:
logstash --version
🎯 Final Thoughts
✅ Logstash is now installed and configured to receive logs from Filebeat and forward them to Elasticsearch.
📌 Next Steps:
- Install and configure Filebeat to send logs to Logstash.
- Check if logs are successfully reaching Elasticsearch using Kibana.
- Fine-tune Logstash with filters for better log processing.
🚀 Happy Logging!📝