How To Install Logstash On Centos7.6
Installation Of Logstash On Centos 7.6
Logstash is an open source tool for managing events and logs. It provides real-time pipelining for data collection: Logstash collects your log data, converts it into JSON documents, and stores them in Elasticsearch, cleansing and normalizing the data on the way so that it is ready for downstream analytics and visualization. In short, Logstash speeds up your insights by letting you ingest a greater volume and variety of data. Installing Logstash is straightforward, and this article covers how to install it on CentOS 7.6.
Installation process.
Check the CentOS version with the following command:
[root@linuxhelp ~]# rpm -q centos-release
centos-release-7-6.1810.2.el7.centos.x86_64
Download the latest stable Logstash installation package with the following command:
[root@linuxhelp ~]# wget https://artifacts.elastic.co/downloads/logstash/logstash-7.8.0.rpm
--2020-07-23 10:46:10-- https://artifacts.elastic.co/downloads/logstash/logstash-7.8.0.rpm
Resolving artifacts.elastic.co (artifacts.elastic.co)... 151.101.2.222, 151.101.66.222, 151.101.130.222, ...
Connecting to artifacts.elastic.co (artifacts.elastic.co)|151.101.2.222|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 167314018 (160M) [application/octet-stream]
Saving to: ‘logstash-7.8.0.rpm’
100%[=====================================================>] 167,314,018 993KB/s in 3m 57s
2020-07-23 10:50:07 (690 KB/s) - ‘logstash-7.8.0.rpm’ saved [167314018/167314018]
Once the download is complete, install Logstash with the following command:
[root@linuxhelp ~]# rpm -ivh logstash-7.8.0.rpm
warning: logstash-7.8.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:logstash-1:7.8.0-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.31/lib/pleaserun/platform/base.rb:112: warning: constant ::Fixnum is deprecated
Successfully created system startup script for Logstash
Logstash is now installed. Next, create a pipeline configuration: the following command opens a new conf file under /etc/logstash/conf.d/, the directory Logstash reads its pipeline files from at start-up.
[root@linuxhelp ~]# vim /etc/logstash/conf.d/sshd.conf
input {
  file {
    type => "secure_log"
    path => "/var/log/secure"
  }
}
filter {
  grok {
    # tag only the events whose message matches the sshd failure pattern below
    add_tag => [ "sshd_fail" ]
    match => { "message" => "Failed %{WORD:sshd_auth_type} for %{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{GREEDYDATA:sshd_protocol}" }
  }
}
output {
  elasticsearch {
    # no hosts given, so Logstash uses the default of localhost:9200
    index => "sshd_fail-%{+YYYY.MM}"
  }
}
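As an added example that is not part of the original article, the Python script below expands the grok pattern from the sshd.conf above into a plain regular expression and runs it over a few constructed /var/log/secure lines, producing the same kind of event document Logstash would send to Elasticsearch. It shows which lines receive the sshd_fail tag and which fall through to Logstash's default _grokparsefailure tag, and it resolves the monthly index name from the output section. The grok definitions are written out by hand (the IP pattern is simplified to IPv4 only), the sample log lines are constructed, and the event shape is an approximation of Logstash's, not its actual output.

```python
import re
import json
from datetime import datetime, timezone

# Standard grok definitions used by the pattern in sshd.conf, written out as
# plain regular expressions (IP is simplified here to IPv4 only; grok's real
# IP pattern also accepts IPv6).
GROK = {
    "WORD": r"\b\w+\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "GREEDYDATA": r".*",
}

# The match pattern from the page's grok filter, unchanged.
PATTERN = ("Failed %{WORD:sshd_auth_type} for %{USERNAME:sshd_invalid_user} "
           "from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} "
           "%{GREEDYDATA:sshd_protocol}")


def grok_to_regex(pattern):
    """Expand every %{NAME:field} token into a named capture group."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


SSHD_FAIL = grok_to_regex(PATTERN)


def grok_event(message):
    """Mimic the filter stage for one log line and return the event document.

    As in Logstash, add_tag is applied only when the pattern matches; on a miss
    the event is tagged _grokparsefailure and no fields are extracted.
    """
    event = {"type": "secure_log", "message": message, "tags": []}
    m = SSHD_FAIL.search(message)
    if m:
        event.update(m.groupdict())
        event["tags"].append("sshd_fail")
    else:
        event["tags"].append("_grokparsefailure")
    return event


def index_for(timestamp):
    """Resolve the output's index name 'sshd_fail-%{+YYYY.MM}' for an event.

    The page's pipeline has no date filter, so @timestamp is the time Logstash
    read the line, not the syslog time at the start of the message.
    """
    return "sshd_fail-" + timestamp.strftime("%Y.%m")


# Constructed sample lines in /var/log/secure format (not real log data).
SAMPLE_LINES = [
    "Jul 23 10:52:01 linuxhelp sshd[2231]: Failed password for root "
    "from 203.0.113.5 port 51234 ssh2",
    "Jul 23 10:52:07 linuxhelp sshd[2233]: Failed password for invalid user "
    "admin from 203.0.113.5 port 51240 ssh2",
    "Jul 23 10:53:11 linuxhelp sshd[2240]: Accepted publickey for deploy "
    "from 198.51.100.7 port 40022 ssh2",
]


def process(lines):
    """Run every line through the filter stage; returns one event per line."""
    return [grok_event(line) for line in lines]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for event in process(SAMPLE_LINES):
        if "sshd_fail" in event["tags"]:
            event["_index"] = index_for(now)
        print(json.dumps(event, indent=2))
```

Running it shows the caveat a practitioner should know before relying on this pipeline for alerting: the first line (a failed login for an existing account) is tagged sshd_fail with the client IP and port extracted, but the second line, which sshd writes for a non-existent account as "Failed password for invalid user NAME from ...", does not match because the pattern expects "from" directly after the username, so those events end up tagged _grokparsefailure with no fields extracted. The "Accepted publickey" line is, as intended, not a failure and is not tagged either.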
Logstash runs under its own unprivileged service account, so it needs read access to /var/log/secure before the file input can follow it; grant that, then start and enable the service. Note that chmod 640 only opens the file to its owning group (root by default), so the logstash user must also belong to that group, or be granted read access another way, for the pipeline to see any events.
[root@linuxhelp ~]# chmod 640 /var/log/secure
[root@linuxhelp ~]# systemctl start logstash
[root@linuxhelp ~]# systemctl enable logstash
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
You can also list the indices in Elasticsearch (the ones shown here were created by Kibana) with the following command:
[root@linuxhelp ~]# curl 192.168.7.228:9200/_cat/indices?v
health status index                          uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana-event-log-7.8.0-000001 pEUhktfgRfaVrdWd9ZiGJg   1   0          1            0      5.3kb          5.3kb
green  open   .apm-custom-link               yuZIMIbuRO-oHr0VW3tQCw   1   0          0            0       208b           208b
green  open   .kibana_task_manager_1         0UVRmSdwShahR4y9izOq_w   1   0          5            0     53.9kb         53.9kb
green  open   .apm-agent-configuration       gTAZhV9AQLmo0P0zkduzoA   1   0          0            0       208b           208b
green  open   .kibana_1                      v-yBrwP4TP620VGGb-eBuA   1   0         16            0     73.5kb         73.5kb
You can also view the documents in an index by running a search against it, for example:
[root@localhost ~]# curl 192.168.7.218:9200/product/_search?pretty
With this, the installation of Logstash on CentOS 7.6 is complete.