Okay, I seem to have fixed this. There were a couple or three problems:
In /etc/systemd/system/logstash.service,
I had to change ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
to ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/usr/share/logstash/config"
then sudo systemctl daemon-reload
The logging directory, /var/log/logstash was root:root and the logs therein were logstash:root so I chown'd both to logstash:logstash
Logstash was trying to listen on 514 & 5514 which didn't work as the logstash user (no permission) so I used iptables to forward 514 to 5514, viz:
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.