Logstash getting started
Logstash getting started simple guide covering installation and a simple example.
Environment
Fresh vagrant vm with ubuntu precise32
Ensure java 7 is installed
$ sudo apt-get update
$ sudo apt-get install openjdk-7-jre-headless
Download latest logstash package
$ wget https://download.elastic.co/logstash/logstash/logstash-all-plugins-2.1.0.zip
Unzip logstash
$ sudo apt-get install unzip
$ unzip logstash-all-plugins-2.1.0.zip
Prepare a simple example conf file
$ cd logstash-2.1.0/
$ mkdir conf
$ cd conf && vi syslogtest.conf
Add below content to the above file
input {
syslog {
type => syslog
port => 514
}
}
output {
stdout {
codec => rubydebug
}
}
Start logstash with above conf file
$ sudo su
=> need root access for port binding
$ ../bin/logstash -f syslogtest.conf
=> if it works well, the console should output:
Settings: Default filter workers: 1
Logstash startup completed
Start another terminal and test with telnet on the same vm
vagrant@precise32:~$ telnet localhost 514
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
hello
Go back the previous terminal window that has logstash started which should output
{
"message" => "hello\r\n",
"@version" => "1",
"@timestamp" => "2015-12-24T08:05:16.272Z",
"type" => "syslog",
"host" => "127.0.0.1",
"tags" => [
[0] "_grokparsefailure_sysloginput"
],
"priority" => 0,
"severity" => 0,
"facility" => 0,
"facility_label" => "kernel",
"severity_label" => "Emergency"
}
Start logstash as daemon you can try with below command:
$ nohup ./bin/logstash -f conf/syslogtest.conf &
However in production env it’s recommended to install logstash with the official package on different flavor of linux such as RPM or Debian package, and then start logstash as service:
$ service logstash start
This is mentioned in a discussion thread of the logstash support community here
Quick reference links