Logstash getting started

Logstash getting started simple guide covering installation and a simple example.


Fresh vagrant vm with ubuntu precise32

Ensure java 7 is installed

$ sudo apt-get update
$ sudo apt-get install openjdk-7-jre-headless

Download latest logstash package

$ wget https://download.elastic.co/logstash/logstash/logstash-all-plugins-2.1.0.zip

Unzip logstash

$ sudo apt-get install unzip
$ unzip logstash-all-plugins-2.1.0.zip

Prepare a simple example conf file

$ cd logstash-2.1.0/
$ mkdir conf
$ cd conf && vi syslogtest.conf

Add below content to the above file

input {
    syslog {
       type => syslog
       port => 514

output {
   stdout {
      codec => rubydebug

Start logstash with above conf file

$ sudo su
=> need root access for port binding
$ ../bin/logstash -f syslogtest.conf
=> if it works well, the console should output:
Settings: Default filter workers: 1
Logstash startup completed

Start another terminal and test with telnet on the same vm

vagrant@precise32:~$ telnet localhost 514
Connected to localhost.
Escape character is '^]'.

Go back the previous terminal window that has logstash started which should output

           "message" => "hello\r\n",
          "@version" => "1",
        "@timestamp" => "2015-12-24T08:05:16.272Z",
              "type" => "syslog",
              "host" => "",
              "tags" => [
        [0] "_grokparsefailure_sysloginput"
          "priority" => 0,
          "severity" => 0,
          "facility" => 0,
    "facility_label" => "kernel",
    "severity_label" => "Emergency"

Start logstash as daemon you can try with below command:

$ nohup ./bin/logstash -f conf/syslogtest.conf &

However in production env it’s recommended to install logstash with the official package on different flavor of linux such as RPM or Debian package, and then start logstash as service:

$ service logstash start

This is mentioned in a discussion thread of the logstash support community here

Quick reference links

devops logstash