Below is a very quick and easy install to get a single Logstash 5.4.x service up and running on CentOS 7. Other sites explain every step in greater detail; this is not intended for that purpose, it is simply a quick install to get Logstash running. It is based on the install scripts and instructions used for production Elasticsearch environments.
The install documented here is based on a fresh install of CentOS 7 x86_64 Minimal
When you build your CentOS server, do not create a swap file. This is the easiest and best way to keep the JVM from swapping, and swap is unnecessary on a dedicated Elasticsearch server.
First, make sure your CentOS install is up to date
sudo yum update
sudo yum upgrade -y
sudo yum install java -y
Download and install Logstash and then install the x-pack plugin
sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.3.rpm
sudo rpm -ivh logstash-5.4.3.rpm
sudo /usr/share/logstash/bin/logstash-plugin install x-pack
Add the firewall rules that allow clients to reach the server and send logs. The example opens ports for syslog (don't use 514 for syslog: CentOS treats ports below 1024 as privileged, and they are more difficult to use).
sudo firewall-cmd --permanent --add-port=1514/tcp
sudo firewall-cmd --permanent --add-port=1514/udp
sudo firewall-cmd --reload
Under most circumstances extra RAM for Logstash is not necessary unless you heavily use plugins with built-in caches. The following changes the JVM heap to 2GB, which is enough for 10k or more log events per second.
Because you are running without a swap partition, it is important to set the min and max heap values for the JVM to the same size; that way RAM usage on your server is predictable.
sudo sed -i -e 's#Xms256m#Xms2g#' /etc/logstash/jvm.options
sudo sed -i -e 's#Xmx1g#Xmx2g#' /etc/logstash/jvm.options
Change the node name for Logstash. This will be visible in Kibana for monitoring purposes. The example below changes the default node name to "LS-node-1"; change it to suit your needs.
sudo sed -i -e 's|# node.name: test|node.name: LS-node-1|' /etc/logstash/logstash.yml
Add the monitoring config for Logstash so that it reports into Elasticsearch properly. This assumes a local Elasticsearch client instance running on the Logstash server (localhost:9200). Each command inserts its line at line 14 of logstash.yml, so they are run in reverse order and end up in the order shown in the file. Replace "changeme" with the password set for the logstash_system user on your cluster.
sudo sed -i '14ixpack.monitoring.elasticsearch.password: "changeme"' /etc/logstash/logstash.yml
sudo sed -i '14ixpack.monitoring.elasticsearch.username: "logstash_system"' /etc/logstash/logstash.yml
sudo sed -i '14ixpack.monitoring.elasticsearch.url: "http://localhost:9200"' /etc/logstash/logstash.yml
sudo sed -i '14i#' /etc/logstash/logstash.yml
sudo sed -i '14i# ------------ xpack monitoring ------------' /etc/logstash/logstash.yml
sudo sed -i '14i#' /etc/logstash/logstash.yml
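The sed edits above depend on the exact line numbers and default strings of a fresh 5.4 install, and re-running them duplicates the monitoring keys. The script below is an added example (not from the original post or from Elastic) that makes the same edits idempotently: it updates a key if it is present, commented out or not, and appends it otherwise, and it checks that -Xms and -Xmx really match. It works on constructed copies of logstash.yml and jvm.options in a temp directory; setting CONF_DIR to /etc/logstash would apply it for real, assuming the same 5.4.x file layout.

```shell
#!/usr/bin/env sh
# Added example: idempotent config edits for Logstash 5.4.x.
# CONF_DIR defaults to a temp dir holding constructed sample files.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# Constructed samples mirroring the 5.4.x defaults the post edits.
printf '%s\n' '# node.name: test' 'path.data: /var/lib/logstash' > "$CONF_DIR/logstash.yml"
printf '%s\n' '-Xms256m' '-Xmx1g' > "$CONF_DIR/jvm.options"

# set_yml KEY VALUE: rewrite an existing (possibly commented-out) KEY line,
# or append KEY if absent. Running it twice never duplicates the key.
set_yml() {
  key="$1"; value="$2"; file="$CONF_DIR/logstash.yml"
  if grep -Eq "^#? *${key}:" "$file"; then
    sed -i -E "s|^#? *${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$value" >> "$file"
  fi
}

# set_heap SIZE: pin -Xms and -Xmx to the same size (no swap => predictable RAM).
set_heap() {
  sed -i -E "s|^-Xms.*|-Xms$1|; s|^-Xmx.*|-Xmx$1|" "$CONF_DIR/jvm.options"
}

# heap_pinned: succeeds only when min and max heap are set and equal.
heap_pinned() {
  xms=$(sed -n 's/^-Xms//p' "$CONF_DIR/jvm.options")
  xmx=$(sed -n 's/^-Xmx//p' "$CONF_DIR/jvm.options")
  [ -n "$xms" ] && [ "$xms" = "$xmx" ]
}

# yml_value KEY: print the active (uncommented) value of KEY.
yml_value() {
  sed -n "s/^$1: *//p" "$CONF_DIR/logstash.yml"
}

set_yml node.name LS-node-1
set_yml xpack.monitoring.elasticsearch.url '"http://localhost:9200"'
set_yml xpack.monitoring.elasticsearch.username '"logstash_system"'
# Placeholder value: use the real logstash_system password from your cluster.
set_yml xpack.monitoring.elasticsearch.password '"<LOGSTASH_SYSTEM_PASSWORD>"'
set_yml node.name LS-node-1   # repeated call is a no-op, not a duplicate line
set_heap 2g
```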
Enable the Logstash service to start on boot and then start it manually.
sudo systemctl enable logstash
sudo systemctl start logstash
Your pipeline config directory is /etc/logstash/conf.d/ and is empty by default.