Okay, I seem to have fixed this. There were a couple or three problems:
- In /etc/systemd/system/logstash.service, I had to change
      ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
  to
      ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/usr/share/logstash/config"
  then
      sudo systemctl daemon-reload
- The logging directory, /var/log/logstash, was root:root and the logs therein were logstash:root so I chown'd both to logstash:logstash
- Logstash was trying to listen on 514 & 5514 which didn't work as the logstash user (no permission) so I used iptables to forward 514 to 5514, viz:
      sudo iptables -N PREROUTING
      sudo iptables -t nat -A PREROUTING -p UDP -m udp --dport 514 -j REDIRECT --to-ports 5514
      sudo iptables -t nat -A PREROUTING -p TCP -m tcp --dport 514 -j REDIRECT --to-ports 5514
      iptables-save
I think that was all.
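
A read-only way to confirm the three changes above are in place, as an added example that is not part of the original answer. The function names and the SAMPLE_* inputs are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: read-only checks for the three fixes in the answer above.
# The SAMPLE_* values are constructed; on a real host feed the functions
# from the unit file, `sudo iptables-save -t nat`, and /var/log/logstash.

# Print the --path.settings value from a unit file read on stdin.
path_settings() {
    sed -n 's/^ExecStart=.*"--path\.settings" "\([^"]*\)".*/\1/p'
}

# Print "owner:group path" for every entry under "$2..." not owned by "$1".
not_owned_by() {
    want=$1; shift
    find "$@" -exec stat -c '%U:%G %n' {} + | awk -v want="$want" '$1 != want'
}

# Succeed if iptables-save output on stdin has a nat PREROUTING rule that
# redirects protocol $1 (tcp or udp) from port 514 to port 5514.
has_redirect() {
    awk -v proto="$1" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A PREROUTING / && / -j REDIRECT / &&
            index($0, " -p " proto " ") && / --dport 514 / &&
            / --to-ports 5514( |$)/ { found = 1 }
        END { exit !found }'
}

SAMPLE_UNIT='[Service]
User=logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/usr/share/logstash/config"'

# Constructed rules: UDP is redirected in nat, TCP only appears in filter.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 514 -j ACCEPT
COMMIT'

echo "path.settings: $(printf '%s\n' "$SAMPLE_UNIT" | path_settings)"
for proto in udp tcp; do
    if printf '%s\n' "$SAMPLE_RULES" | has_redirect "$proto"
    then echo "$proto 514 -> 5514: present"
    else echo "$proto 514 -> 5514: MISSING"
    fi
done
```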