Below is a very quick and easy install to get a single Logstash 5.4.x service up and running on CentOS 7. Other sites explain every step in greater detail; this is not intended for that purpose, it is simply a quick install to get Logstash running. It is based on the install scripts and instructions used for production Elasticsearch environments.

The install documented here is based on a fresh install of CentOS 7 x86_64 Minimal:
http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1611.iso

When you build your CentOS server do not create a swap file. This is the easiest and best way to keep the JVM from swapping, and swap is unnecessary on a dedicated Elasticsearch server.

First, make sure your CentOS install is up to date.

sudo yum update
sudo yum upgrade -y

Install Java

sudo yum install java -y

Download and install Logstash and then install the x-pack plugin

sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.3.rpm
sudo rpm -ivh logstash-5.4.3.rpm
sudo /usr/share/logstash/bin/logstash-plugin install x-pack
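As an added example (not part of the original post), the shell functions below check the downloaded RPM before rpm -ivh is run: the detached checksum Elastic publishes next to the artifact, and the package's GPG signature against Elastic's signing key (https://artifacts.elastic.co/GPG-KEY-elasticsearch). The checksum file name (logstash-5.4.3.rpm.sha1 or .sha512, depending on the release) and its "<digest>  <filename>" layout are assumptions to confirm on the download page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the Logstash RPM before
# installing it. Assumptions: Elastic publishes a checksum file next to the
# artifact named <artifact>.sha1 or <artifact>.sha512 containing
# "<hexdigest>  <artifact>", and signs the RPM with the key at GPG_KEY_URL.
set -eu

GPG_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
DOWNLOAD_BASE="https://artifacts.elastic.co/downloads/logstash"

# digest_for <file> <sha1|sha512>: print the hex digest of <file>.
digest_for() {
    case "$2" in
        sha1)   sha1sum "$1"   | awk '{print $1}' ;;
        sha512) sha512sum "$1" | awk '{print $1}' ;;
        *) echo "unsupported digest algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_checksum <artifact> <checksum-file>
# The algorithm is taken from the checksum file's extension. Returns 0 on a
# match, 1 on a mismatch (or an empty checksum file), 2 on an unknown algorithm.
verify_checksum() {
    artifact="$1"
    sumfile="$2"
    algo="${sumfile##*.}"
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(digest_for "$artifact" "$algo") || return 2
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_rpm_signature <artifact>
# Imports Elastic's public key (safe to repeat) and asks rpm to check the
# package signature and digests; rpm -K exits non-zero if either is bad.
verify_rpm_signature() {
    sudo rpm --import "$GPG_KEY_URL"
    rpm -K "$1"
}

# fetch_and_verify <version> <sha1|sha512>
# Downloads the RPM and its checksum file, then runs both checks. Only when
# both pass should "sudo rpm -ivh" be run on the file.
fetch_and_verify() {
    rpm_file="logstash-$1.rpm"
    wget -q "$DOWNLOAD_BASE/$rpm_file" "$DOWNLOAD_BASE/$rpm_file.$2"
    verify_checksum "$rpm_file" "$rpm_file.$2" \
        || { echo "checksum mismatch for $rpm_file" >&2; return 1; }
    verify_rpm_signature "$rpm_file"
    echo "$rpm_file verified; install with: sudo rpm -ivh $rpm_file"
}

# Runs the download only when invoked as: sh verify-logstash-rpm.sh 5.4.3 sha1
if [ "${1:-}" != "" ]; then
    fetch_and_verify "$1" "${2:-sha1}"
fi
```

Run it with the version and checksum algorithm as arguments; without arguments it only defines the functions, so it can be sourced from another script. A checksum mismatch or a bad signature stops before anything is installed.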

Add the firewall rules that allow remote hosts to send logs to the server. The example opens the ports used here for syslog (don't use 514 for syslog; CentOS treats it as a privileged port, which makes it more difficult to use).

sudo firewall-cmd --permanent --add-port=1514/tcp
sudo firewall-cmd --permanent --add-port=1514/udp
sudo firewall-cmd --reload

Under most circumstances extra RAM for Logstash is not necessary unless you make heavy use of plugins with built-in caches. The following changes the JVM heap to 2GB, which is enough for 10k or more log events per second.

Because you are running without a swap partition, it is important to set the JVM's min and max heap values to be the same, so that RAM usage on your server is predictable.

sudo sed -i -e 's#Xms256m#Xms2g#' /etc/logstash/jvm.options
sudo sed -i -e 's#Xmx1g#Xmx2g#' /etc/logstash/jvm.options

Change the node name for Logstash. This will be visible in Kibana for monitoring purposes. The example below changes the default node name to “LS-node-1”; change it to suit your needs.

sudo sed -i -e 's|# node.name: test|node.name: LS-node-1|' /etc/logstash/logstash.yml

Add the monitoring config for Logstash so that it reports into Elasticsearch properly. This assumes a local Elasticsearch client node running on the Logstash server (localhost:9200).

sudo sed -i '14ixpack.monitoring.elasticsearch.password: "changeme"' /etc/logstash/logstash.yml
sudo sed -i '14ixpack.monitoring.elasticsearch.username: "logstash_system"' /etc/logstash/logstash.yml
sudo sed -i '14ixpack.monitoring.elasticsearch.url: "http://localhost:9200"' /etc/logstash/logstash.yml
sudo sed -i '14i#' /etc/logstash/logstash.yml
sudo sed -i '14i# ------------  xpack monitoring ------------' /etc/logstash/logstash.yml
sudo sed -i '14i#' /etc/logstash/logstash.yml
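The heap and monitoring steps above both edit config files with sed patterns that only match the shipped defaults and, for the monitoring block, insert at a fixed line number, so a second run either does nothing or duplicates the keys. As an added example (not from the original post) the script below applies the same two changes in a form that can be re-run and that verifies the result: it sets -Xms and -Xmx to the same value whatever they currently are, appends the xpack.monitoring block only if it is not already present, and takes the Elasticsearch password from the environment instead of hardcoding the default "changeme". File paths are the RPM defaults; the function names and the MONITORING_PASSWORD variable are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the heap and monitoring
# settings from the steps above so that they can be re-run safely and are
# verified afterwards. Paths are the RPM defaults; URL, username and password
# are parameters so no credential is hardcoded here.
set -eu

# set_jvm_heap <jvm.options> <size>: set -Xms and -Xmx to <size> (e.g. 2g)
# whatever their current values are, then confirm they are equal.
set_jvm_heap() {
    file="$1"; size="$2"
    tmp="$file.tmp.$$"
    sed -e "s/^-Xms.*/-Xms$size/" -e "s/^-Xmx.*/-Xmx$size/" "$file" > "$tmp"
    cat "$tmp" > "$file"     # rewrite in place; keeps the file's owner and mode
    rm -f "$tmp"
    jvm_heap_matches "$file"
}

# jvm_heap_matches <jvm.options>: 0 when -Xms and -Xmx are both set and equal
jvm_heap_matches() {
    xms=$(sed -n 's/^-Xms//p' "$1")
    xmx=$(sed -n 's/^-Xmx//p' "$1")
    [ -n "$xms" ] && [ "$xms" = "$xmx" ]
}

# add_monitoring_block <logstash.yml> <es-url> <username> <password>
# Appends the xpack.monitoring settings once; a second run is a no-op instead
# of duplicating the keys the way repeated "sed '14i...'" calls would.
add_monitoring_block() {
    file="$1"; url="$2"; user="$3"; pass="$4"
    if grep -q '^xpack\.monitoring\.elasticsearch\.url:' "$file"; then
        echo "monitoring settings already present in $file; leaving as is" >&2
        return 0
    fi
    cat >> "$file" <<EOF

#
# ------------  xpack monitoring ------------
#
xpack.monitoring.elasticsearch.url: "$url"
xpack.monitoring.elasticsearch.username: "$user"
xpack.monitoring.elasticsearch.password: "$pass"
EOF
}

# restrict_config_perms <logstash.yml>: the file now holds a credential, so
# make it readable by root and the logstash service group only.
restrict_config_perms() {
    chown root:logstash "$1"
    chmod 640 "$1"
}

# Touch the real files only when explicitly asked, run as root, e.g.
#   MONITORING_PASSWORD='...' sudo -E sh configure-logstash.sh apply
if [ "${1:-}" = "apply" ]; then
    set_jvm_heap /etc/logstash/jvm.options 2g
    add_monitoring_block /etc/logstash/logstash.yml "http://localhost:9200" \
        logstash_system "${MONITORING_PASSWORD:?set MONITORING_PASSWORD in the environment}"
    restrict_config_perms /etc/logstash/logstash.yml
fi
```

Without the "apply" argument the script only defines the functions, so each one can be tried against a copy of the config first. Since logstash.yml ends up holding the logstash_system password, the permission tightening at the end is the part most worth keeping even if the rest is done by hand.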

Enable the Logstash service to start on boot and then start it manually.

sudo systemctl enable logstash
sudo systemctl start logstash

Your config directory is located at /etc/logstash/conf.d/ and is empty by default.
