This guide is about how to install and configure Logstash 8 on Ubuntu/Debian as a continuation of our guide on how to setup Elastic Stack 8. We have already covered the installation of Elasticsearch and Kibana.
Install Elastic/ELK Stack on Ubuntu/Debian
According to the installation order, Logstash is the third component in the line. Note that for Elastic Stack to function well, the versions of all the components must match.
Note that you can install Logstash 8 on the same node where Elasticsearch is running or on a different node.
Table of Contents
Install Logstash 8 on Ubuntu/Debian
You can install Logstash 8 by either using DEB binary or right from APT repositories.
We prefer the installation from APT repositories as this ensure a seamless upgrade incase of new package releases.
Thus, to install Logstash 8 via the APT repos;
Install Repository public signing key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elasticsearch.gpgInstall Elastic Stack APT repositories
apt install apt-transport-httpsecho "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.listInstall Logstash 8;
apt updateapt install logstashConfiguring Logstash 8
Once the installation is done, proceed to configure Logstash.
Logstash data processing pipeline has three sections;
- INPUT: input section is used to ingest data from different endpoints into Logstash.
- FILTERS: which processes and transform the data received.
- OUTPUT: which stashes processed data into a specified destination, which can be Elasticsearch.
You can read more about Logstash Pipeline here.
While configuring Logstash, you can have separate configuration files each for INPUT, FILTERS and OUTPUT. You can as well have single configuration file for all the sections. This guides uses a single configuration files.
Configure Logstash Input plugin
To kick off with, you need to define how data will be ingested into Logstash. For example, to configure Logstash to receive data from Beats on TCP port 5044, the input configuration may look like;
input {
beats {
port => 5044
}
}
Configure Logstash Filters
Now that we have defined an Logstash Input plugin as Beats. Hence, proceed to configure a filter plugin to process events received from the beats. This guide uses grok filter plugin. You can read about other plugins here.
For demonstration purposes, we are going to configure beats to collect SSH authentication events from Ubuntu/CentOS systems. Hence, we are going to create a filter to process such kind of events as shown below.
The grok pattern used in this example matches the ssh authetication log lines below;
May 1 13:15:23 elk sshd[1387]: Failed password for testuser from 192.168.0.102 port 60004 ssh2
May 1 13:08:30 elk sshd[1338]: Accepted password for testuser from 192.168.0.102 port 59958 ssh2
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}\s+%{IPORHOST:dst_host}\s+%{WORD:syslog_program}\[\d+\]:\s+(?<status>\w+\s+password)\s+for\s+%{USER:auth_user}\s+from\s+%{SYSLOGHOST:src_host}.*" }
add_field => { "activity" => "SSH Logins" }
add_tag => "linux_auth"
}
}
Kibana comes bundled with Grok Debugger which is similar to herokuapp grokdebugger. You can access Kibana Grok debugger under Dev Tools > Grok Debugger. You can utilize this to generate the correct grok patterns.
You can as well check common Logstash grok patterns here.
Also for the purposes of making demo a simple, we will add a filter to drop all the events that do not match our grok filter for SSH authentication events used above;
if "_grokparsefailure" in [tags] { drop {} }
Such that our filter looks like;
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}\s+%{IPORHOST:dst_host}\s+%{WORD:syslog_program}\[\d+\]:\s+(?<status>\w+\s+password)\s+for\s+%{USER:auth_user}\s+from\s+%{SYSLOGHOST:src_host}.*" }
add_field => { "activity" => "SSH Logins" }
add_tag => "linux_auth"
}
if "_grokparsefailure" in [tags] { drop {} }
}
Configure Logstash Output
There are different output plugins that enables Logstash to sent event data to particular destinations. This guide uses elasticsearch output plugin that enables Logstash to sent data directly to Elasticsearch.
Note the with Elastic Stack 8, Elasticsearch 8 is configured with SSL/TLS as well as authentication is enabled by default.
This means that if you are using Elasticsearch output;
- you need to have the Elastic Stack SSL/TLS CA certificates to be able to connect to Elasticsearch.
- You also need to have the right credentials to be able to write to an index on Elasticsearch.
Thus, download Elasticsearch CA certificate
Logstash output configuration may look like;
output {
elasticsearch {
hosts => ["https://es-node01.kifarunix-demo.com:9200"]
cacert => '/etc/logstash/elasticsearch-ca.crt'
user => 'elastic'
password => '<elastic_user_password>'
}
}
This configuration;
- sends data to Elasticsearch running on host
es-node01.kifarunix-demo.com. The name should be resolvable. - Ensure port 9200/TCP is opened on firewall.
- uses the superuser Elasticsearch user (
elastic) which can write to any index. Consider creating a different user and give the specific permissions to write to specific index only. We use the elastic user password from our guide on installing elastic stack 8. - will create and write data to the default Logstash Index,
logstash-*index on Elasticsearch (since we used the superuser)
Check how to create publishing roles for specific user on a specific index.
- Download Elasticsearch CA certificate and save it to a file specified by
cacertparameter above,/etc/logstash/elasticsearch-ca.crt.
openssl s_client -showcerts -connect es-node01.kifarunix-demo.com:9200 </dev/null 2>/dev/null \
| openssl x509 > /etc/logstash/elasticsearch-ca.crtPutting togerther the NPUT, FILTER and OUTPUT configs in one file, then create a configuration file as shown below;
vim /etc/logstash/conf.d/ssh-authentication.conf
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}\s+%{IPORHOST:dst_host}\s+%{WORD:syslog_program}\[\d+\]:\s+(?<status>\w+\s+password)\s+for\s+%{USER:auth_user}\s+from\s+%{SYSLOGHOST:src_host}.*" }
add_field => { "activity" => "SSH Logins" }
add_tag => "linux_auth"
}
if "_grokparsefailure" in [tags] { drop {} }
}
output {
elasticsearch {
hosts => ["https://es-node01.kifarunix-demo.com:9200"]
cacert => '/etc/logstash/elasticsearch-ca.crt'
user => 'elastic'
password => '<elastic_user_password>'
}
}
You can also store the password in a keystore instead of placing in the configuration in plaintext.
If you need to sent the event data to standard output for the purposes of debugging plugin configurations, then you would add the line, stdout { codec => rubydebug } to the output configuration section.
output {
elasticsearch {
hosts => ["https://es-node01.kifarunix-demo.com:9200"]
cacert => '/etc/logstash/elasticsearch-ca.crt'
user => 'elastic'
password => '<elastic_user_password>'
}
}
stdout { codec => rubydebug }
}
You can also check sample Logstash pipelines here.
If you need to debug Logstash Grok Filters to confirm that they can actually parse your logs into the required fields, see the link below on how to debug Logstash Grok filters.
How to Debug Logstash Grok Filters
Test Logstash Configuration
Once you are done with configurations, run the command below to verify the Logstash configuration before you can start it.
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -tConfiguration OK
[2022-07-16T07:42:10,315][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting LogstashWell, if you get Configuration OK then you are good to go.
To run Logstash and load a specific configuration file for debugging, you can execute the command below;
sudo -u logstash /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/config-file.confRunning Logstash
You can now start and enable Logstash to run on system boot.
systemctl enable --now logstash
You can also check the Logstash configuration file for any errors, /var/log/logstash/logstash-plain.log.
tail -f /var/log/logstash/logstash-plain.log
...
[2022-07-16T10:38:30,215][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2022-07-16T10:38:30,450][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/beats-input.conf"], :thread=>"#"}
[2022-07-16T10:38:31,130][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.68}
[2022-07-16T10:38:31,157][INFO ][logstash.inputs.beats ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2022-07-16T10:38:31,197][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2022-07-16T10:38:31,302][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2022-07-16T10:38:31,495][INFO ][org.logstash.beats.Server][main][a8ac06f266dffa737ca74e142bc94412d96789db1667ea3f32d274fc6578859b] Starting server on port: 5044
ss -altnp
LISTEN 0 50 [::ffff:127.0.0.1]:9600 *:* users:(("java",pid=46795,fd=58))
LISTEN 0 4096 *:5044 *:* users:(("java",pid=46795,fd=102))
And that is how easy it is to install and run Logstash 8 on Ubuntu/Debian.
Other Tutorials
Setup Multinode Elasticsearch 8.x Cluster
