| ... | ... | @@ -70,8 +70,42 @@ Now we have a logstash-forwarder.crt and key. |
|
|
|
|
|
|
|
The configuration is made in /etc/logstash/conf.d/logstash.conf
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
`input {
|
|
|
|
beats {
|
|
|
|
port => 5044
|
|
|
|
ssl => true
|
|
|
|
ssl_certificate => "/etc/ssl/logstash-forwarder.crt"
|
|
|
|
ssl_key => "/etc/ssl/logstash-forwarder.key"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
filter {
|
|
|
|
# if [type] == "application" {
|
|
|
|
grok {
|
|
|
|
match => { "message" => "%{MONTH} %{MONTHDAY}, %{YEAR} %{HOUR}:%{MINUTE}: %{WORD:status} %{WORD:category}: %{GREEDYDATA:key_values}" }
|
|
|
|
}
|
|
|
|
if [status] {
|
|
|
|
kv {
|
|
|
|
source => "key_values"
|
|
|
|
}
|
|
|
|
mutate {
|
|
|
|
remove_field => [ "message", "key_values" ]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
# }
|
|
|
|
#}
|
|
|
|
# if [type] == "production"
|
|
|
|
json {
|
|
|
|
source => "message"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
output {
|
|
|
|
elasticsearch {
|
|
|
|
hosts => ["localhost:9200"]
|
|
|
|
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
`
|
|
|
|
I have commented out the host part because it was unneccessary.
|
|
|
|
|
|
|
|
#### Installing Filebeat
|