Lab 1.4: Install Logstash

Install Logstash

Task 1 - Install Logstash

  1. Install Logstash
# Installs Logstash from the Elastic apt repository. This assumes the repository
# and its GPG signing key were configured in an earlier lab step (not shown here);
# apt-get will not find the package otherwise.
sudo apt-get install logstash
  1. Install Additional Plugins
# Plugin installs fetch gems over the network, which is why they can take a while.
# Run as root because the Logstash install tree under /usr/share/logstash is
# presumably root-owned.
# NOTE(review): of these two, only geoip is used by the logstash.conf below;
# the dns filter is installed but not referenced by any filter block.
sudo /usr/share/logstash/bin/logstash-plugin install logstash-filter-dns
sudo /usr/share/logstash/bin/logstash-plugin install logstash-filter-geoip

Note

Be patient — plugin installation fetches the plugin gems over the network and can take a few moments.

logstash1

  1. Copy or create the pipeline file in /etc/logstash/conf.d/ (by default Logstash loads every `*.conf` file in this directory)
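# Replace <git clone directory> with the path where the lab repository was cloned.
sudo cp <git clone directory>/config_files/logstash.conf /etc/logstash/conf.d/logstash.conf
sudo vi /etc/logstash/conf.d/logstash.conf
# Validate the pipeline syntax before restarting the service, so a typo in
# logstash.conf does not take the running collector down. Exits non-zero and
# prints the offending line on any configuration error.
sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/logstash.conf --config.test_and_exit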
  1. Logstash restart
# Restart the service so it picks up the new pipeline file
# (systemctl appends the .service suffix when none is given).
sudo systemctl restart logstash
  1. Check that Logstash started correctly and logged no errors for logstash.conf (for example with `sudo journalctl -u logstash -f` or by reading `/var/log/logstash/logstash-plain.log`)

logstash2

  1. To configure Logstash to start automatically when the system boots up, run the following commands:
# Reload systemd unit files, then mark logstash to start at boot.
# `enable` on its own does not start the service now.
sudo systemctl daemon-reload
sudo systemctl enable logstash
  1. Logstash Control
# Start the pipeline service.
sudo systemctl start logstash.service
# Stop it (e.g. before editing logstash.conf by hand).
sudo systemctl stop logstash.service
# Show state, PID and the most recent journal lines — the quickest place to
# spot a pipeline that failed to load.
sudo systemctl status logstash.service

logstash.conf

  input {
      # Three plain-TCP listeners. The `type` set here is what the filter and
      # output sections key on, so the destination port alone decides which
      # index an event lands in.
      # NOTE(review): tcp{} binds 0.0.0.0 unless `host =>` is given, and these
      # listeners use no TLS and no client authentication, so any host that can
      # reach the ports can inject forged "afm"/"dns"/"pem" events. Outside the
      # lab, pin `host =>` to the collector interface, firewall the ports to the
      # sending devices, and/or enable TLS with client certificates
      # (`ssl_enable`/`ssl_cert`/`ssl_key`; option names vary by plugin version).
      tcp {
          port => 5516
          type => afm
      }
      tcp {
          port => 5515
          type => dns
      }
      tcp {
          port => 5514
          type => pem
      }
  }

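  filter {
      # NOTE(review): every event here is untrusted network input. kv{} turns
      # each key=value pair in `message` into a field named by the sender, so a
      # hostile or malformed client can create arbitrary fields (Elasticsearch
      # mapping growth, collisions with type/host/message). For anything beyond
      # the lab, consider `target =>` to nest parsed keys and/or
      # `allow_duplicate_values => false`.
      if [type] == 'pem' {
          kv {
            source => "message"
            field_split => ","
          }
      }
      if [type] == 'afm' {
          kv {
            source => "message"
            field_split => ","
          }
          # Bug fix: both geoip lookups write under their `target`
          # (SourceIp_geo / DestinationIp_geo), but the original add_field lines
          # read %{[geoip][longitude]} / %{[geoip][latitude]}, which never exist
          # here. The result was a [geoip][coordinates] field holding the literal
          # "%{[geoip][longitude]}" strings, with both lookups appending to the
          # same field. Each lookup now builds its own [<target>][coordinates]
          # array as [lon, lat] (GeoJSON order) from its own target fields.
          # add_field only runs when the lookup succeeds; private (RFC 1918)
          # addresses such as 10.x.x.x are not in the GeoLite database and leave
          # the event tagged _geoip_lookup_failure instead.
          # Presumably the afm message carries SourceIp=.../DestinationIp=...
          # pairs that kv{} extracts above — confirm against a sample event.
          geoip {
              source => "SourceIp"
              target => "SourceIp_geo"
              add_field => [ "[SourceIp_geo][coordinates]", "%{[SourceIp_geo][longitude]}" ]
              add_field => [ "[SourceIp_geo][coordinates]", "%{[SourceIp_geo][latitude]}"  ]
          }
          geoip {
              source => "DestinationIp"
              target => "DestinationIp_geo"
              add_field => [ "[DestinationIp_geo][coordinates]", "%{[DestinationIp_geo][longitude]}" ]
              add_field => [ "[DestinationIp_geo][coordinates]", "%{[DestinationIp_geo][latitude]}"  ]
          }
          # add_field produces strings; cast each coordinates array to float so
          # the "afm" index template can map it as geo_point. convert is a no-op
          # for a field that was never added (failed lookup).
          # NOTE(review): the original field name was geoip.coordinates — confirm
          # the afm template maps SourceIp_geo.coordinates and
          # DestinationIp_geo.coordinates as geo_point.
          mutate {
              convert => {
                  "[SourceIp_geo][coordinates]"      => "float"
                  "[DestinationIp_geo][coordinates]" => "float"
              }
          }
      }
      if [type] == 'dns' {
          kv {
            source => "message"
            field_split => ","
          }
      }
  }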

  output {
      # One daily index per event type, routed by the `type` the tcp inputs set.
      # NOTE(review): the elasticsearch outputs talk plain HTTP to 10.1.1.5:9200
      # with no `user`/`password` or `ssl` options, so the cluster is written to
      # without credentials and the events cross the network in clear text —
      # acceptable on the isolated lab network, not in production.
      # `template_name` names the index template Logstash manages for that index;
      # with no `template =>` path given it presumably installs its built-in
      # default under that name — confirm against the lab's template files.
      if [type] == 'pem' {
        elasticsearch {
        hosts => ["10.1.1.5:9200"]
        index => "pem-%{+YYYY.MM.dd}"
        template_name => "pem"
      }
      }
      if [type] == 'afm' {
        elasticsearch {
        hosts => ["10.1.1.5:9200"]
        index => "afm-%{+YYYY.MM.dd}"
        template_name => "afm"
      }
      }
      if [type] == 'dns' {
        elasticsearch {
        hosts => ["10.1.1.5:9200"]
        index => "dns-%{+YYYY.MM.dd}"
        template_name => "dns"
      }
      }
      # Every event is also echoed to stdout, which under this systemd install
      # presumably ends up in the journal — each log line, payload included, is
      # duplicated onto the local box. Handy while debugging logstash.conf;
      # remove it once the pipeline is verified.
      stdout {}
  }