I had been meaning for a while to test logstash behind a central syslog-ng server. It turns out to be dead simple, so this is a quick guide for the next time I need it. The setup is a CentOS 6.3 VM running syslog-ng as the collector, with a few syslog-ng clients shipping their logs to it over UDP. One consideration first: the VM needed slightly more CPU and RAM than I expected; for something stable I recommend at least 2 vCPUs and 2 GB of RAM. I tested this setup with Java 7.
First, install and configure syslog-ng on the server: edit /etc/syslog-ng/syslog-ng.conf, add the following, then restart the server's daemon:
# note: you can use the IP of the server instead of 0.0.0.0 to bind ONLY to that socket
source s_udp { udp(ip(0.0.0.0) port(514)); };
destination d_udp { file("/var/log/syslog/$HOST"); };
log { source(s_udp); destination(d_udp); };

Binding to 0.0.0.0 listens on every interface, and UDP syslog is neither authenticated nor encrypted: anything that can reach port 514 can inject messages with whatever hostname it likes in the header. Bind to the internal IP and restrict port 514 to the client subnet in the firewall.
Then configure the clients: install syslog-ng on them too and add something like this to the same configuration file. The address must obviously be your server's IP, and s_src is the local source already defined earlier in the client's configuration; use whatever name your distribution's stock config gives it.
destination d_udp { udp("192.168.66.66" port(514)); };
log { source(s_src); destination(d_udp); };
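To check the syslog-ng side before bringing logstash into the picture, here is a small Python script I would use to fire a test datagram at the collector and parse the lines back. It is an added example, not code from the original post or from syslog-ng: it builds an RFC 3164 (BSD syslog) message in the shape the udp() source expects, decodes the PRI value, and parses a received line back into facility, severity, host, tag and message. The collector address, port and log directory are the ones used above; the function names, the SAMPLE_WHEN timestamp and the sample datagrams are this example's own assumptions.

```python
"""Build, send and parse BSD-syslog (RFC 3164) datagrams for the syslog-ng UDP collector.

Added example; not part of the original post and not syslog-ng code.
Assumptions: collector at 192.168.66.66:514, one file per host under
/var/log/syslog/, and the constructed sample messages below.
"""
import re
import socket
import time

# Facility and severity codes from RFC 3164 section 4.1.1 (subset).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "cron": 9, "authpriv": 10, "local0": 16,
              "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

COLLECTOR = ("192.168.66.66", 514)        # the post's server address
LOG_DIR = "/var/log/syslog"               # the post's destination directory

# Constructed timestamp so the example is reproducible offline.
SAMPLE_WHEN = time.strptime("2012-11-05 13:02:03", "%Y-%m-%d %H:%M:%S")

# <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG  (day of month is space-padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Invert encode_pri; unknown facilities come back as 'facilityN'."""
    by_code = {v: k for k, v in FACILITIES.items()}
    sev = {v: k for k, v in SEVERITIES.items()}
    return by_code.get(pri // 8, "facility%d" % (pri // 8)), sev[pri % 8]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Return one BSD-syslog datagram as bytes."""
    when = time.localtime() if when is None else when
    stamp = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                           time.strftime("%H:%M:%S", when))
    line = "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp,
                                 hostname, tag, text)
    return line.encode("utf-8")


def parse_message(data):
    """Parse a datagram (or a line syslog-ng wrote) into a dict, or None."""
    m = SYSLOG_RE.match(data.decode("utf-8", errors="replace"))
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity,
            "stamp": m.group("stamp"), "host": m.group("host"),
            "tag": m.group("tag"), "pid": m.group("pid"),
            "msg": m.group("msg")}


def is_safe_host(host):
    """The HOST field is sender-controlled; only accept plain hostnames before
    using it to build a path such as /var/log/syslog/$HOST."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}", host) is not None


def log_path_for(host):
    """Where the post's destination d_udp would put this host's lines."""
    if not is_safe_host(host):
        raise ValueError("refusing to build a path from hostname %r" % host)
    return "%s/%s" % (LOG_DIR, host)


def send(datagram, addr=COLLECTOR):
    """Send one datagram; UDP gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, addr)


if __name__ == "__main__":
    msg = build_message("local0", "info", "web01", "logtest", "hello from web01")
    print(msg.decode(), "->", parse_message(msg))
    send(msg)
    print("check", log_path_for("web01"), "on the collector")
```

Run it on a client and then look for the line in /var/log/syslog/web01 on the collector; if nothing arrives, the firewall on port 514/udp is the usual culprit. The is_safe_host check is there because the hostname is only ever what the sender put in the header, so anything that consumes those per-host files should treat the name as untrusted input.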
Moving on to logstash: download the latest release from the main page (1.1.1 here) and put it in a directory (I used /opt/logstash). Create a configuration file for logstash; I used /opt/logstash/logstash.conf, and mine is pretty much the one from the quickrun guide. Note that /var/log/syslog on the syslog server must be a directory, since that is where syslog-ng writes one file per remote hostname.
input {
  stdin { type => "stdin-type" }
  file {
    type => "linux-syslog"
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog/*" ]
  }
}
output {
  stdout { debug => true debug_format => "json" }
  elasticsearch { embedded => true }
}
To start logstash I use the following command (the double dash separates the agent's options from the web interface's):
/usr/java/jre1.7.0_09/bin/java -jar logstash-1.1.1-monolithic.jar agent -f /opt/logstash/logstash.conf -- web --backend elasticsearch:///?local
Keep in mind that this is Java, so it can take a while before the web interface comes up. When it does, browse to your server's IP on port 9292, e.g. http://192.168.66.66:9292, then query for one of the hosts sending logs or try the generic query on the page.
Nothing more to it: you have a free Splunk with so many inputs and outputs that it is almost indecent. Expect my next post on using an output to get this into graphite.
How much space is it taking for you?
Which do you mean, disk space for VMs or logs?