Logstash

Before You Start - Logstash vs. Beats

Elasticsearch now offers a lighter-weight log shipper, Beats. So if you're just parsing files, don't already have Java installed, and don't need to manipulate the log much, give that a look first. It's convenient to use Logstash as your shipper, but its memory footprint with the JVM can be bigger than you'd like when you're running on a micro-instance.

Linux Clients

Install Java

If you don't already have Java, install it. You'll need at least 1.7, and Oracle's JDK is recommended. On older systems, though, do yourself a favor and use OpenJDK: older Sun and IBM JVMs handle cryptography in ways that cause strange bugs in recent releases of Logstash.

# On RedHat flavors, install the OpenJDK and select it for use (in case there are others) with the system alternatives utility
sudo yum install java-1.7.0-openjdk

sudo /usr/sbin/alternatives --config java


Install Logstash

This is essentially:

# Look at https://www.elastic.co/downloads/logstash to get the latest version, or add the repo
wget (some link from the above page)
# --nogpgcheck skips RPM signature verification of the downloaded package; drop the flag once Elastic's signing key is imported so the install is verified
sudo yum --nogpgcheck localinstall logstash*

# You may want to grab a plugin, like the syslog output, though the elasticsearch output is installed by default
cd /opt/logstash/
sudo bin/plugin install logstash-output-syslog

# If you're ready to configure the service
sudo vim /etc/logstash/conf.d/logstash.conf

sudo service logstash start
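A minimal logstash.conf for the service above, as an added example rather than something from the original page: it tails the local system log, parses each line as syslog, and ships the result to Elasticsearch and to the syslog output plugin installed earlier. It assumes Logstash 2.x, Elasticsearch on localhost:9200, and a hypothetical collector host syslog-collector.example.internal (a placeholder to replace with your own).

```conf
# /etc/logstash/conf.d/logstash.conf
# Assumptions (not from the original page): Logstash 2.x, the
# logstash-output-syslog plugin installed as shown above, Elasticsearch on
# localhost:9200, and a placeholder collector at syslog-collector.example.internal.

input {
  file {
    path => "/var/log/messages"
    type => "syslog"
    start_position => "beginning"   # read existing content on the first run
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # SYSLOGLINE yields timestamp, logsource, program, pid and message;
      # overwrite replaces the raw line with just the message body.
      match     => { "message" => "%{SYSLOGLINE}" }
      overwrite => [ "message" ]
    }
    # Use the timestamp from the log line as @timestamp rather than ingest
    # time, so event ordering survives a backlog replay.
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  # Lines grok could not parse are tagged _grokparsefailure; forward only
  # cleanly parsed events to the collector and keep the rest in
  # Elasticsearch where they can be inspected.
  if "_grokparsefailure" not in [tags] {
    syslog {
      host     => "syslog-collector.example.internal"   # placeholder
      port     => 514
      protocol => "udp"
      facility => "local0"          # facility and severity are required by
      severity => "informational"   # older versions of the syslog output
    }
  }
}
```

Run `sudo /opt/logstash/bin/logstash -t -f /etc/logstash/conf.d/logstash.conf` before starting the service; `-t` (`--configtest`) parses the config and exits without starting the pipeline.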

Windows Clients

Haven't done any of these yet - we're using NXLOG up to this point, though we'll take a look at beats now.

https://www.elastic.co/guide/en/logstash/current/index.html