I set up the ELK stack on my CentOS machine. In addition, I'm getting syslogs from rsyslog on another CentOS machine, so I can see them with "tcpdump", but I want to see them in Kibana. I think my problem is the "logstash.conf" file.
I couldn't configure it correctly. So how should I configure my logstash.conf file? Is there any example? I couldn't find one. Please, some help.
But that's not quite the configuration from the example; you're using port 514 instead of port 5000. Unless you're running Logstash as root (or use a workaround) that won't work and Logstash should be complaining about this in the log.
I already changed LS_USER in /etc/sysconfig/logstash: I put LS_USER=root; it was "LS_USER=logstash". When I tried before this change, the logstash service exited. But now the logstash service is running.
Again, you need to read Logstash's logs. You may have to crank up the loglevel by adding --verbose or --debug to the Logstash command which also can be done via /etc/sysconfig/logstash.
Actually, I didn't understand how to do that. Could you give me more details on what I should do exactly? I hope that I will solve my problem with your advice.
I tried that one too. But I still couldn't see anything in Kibana. Syslogs are not coming to Kibana. Here I copied my file "/etc/sysconfig/logstash".
Please check it for me; I don't know if I need to change something more. I'm confused about that.
Thanks for your interest and for helping me.
###############################
# Default settings for logstash
###############################
# Override Java location
#JAVACMD=/usr/bin/java
# Set a home directory
#LS_HOME=/var/lib/logstash
# Arguments to pass to logstash agent
LS_OPTS="--verbose"
# Arguments to pass to java
#LS_HEAP_SIZE="500m"
#LS_JAVA_OPTS="-Djava.io.tmpdir=$HOME"
# pidfiles aren't used for upstart; this is for sysv users.
#LS_PIDFILE=/var/run/logstash.pid
# user id to be invoked as; for upstart: edit /etc/init/logstash.conf
LS_USER=root
# logstash logging
#LS_LOG_FILE=/var/log/logstash/logstash.log
#LS_USE_GC_LOGGING="true"
# logstash configuration directory
#LS_CONF_DIR=/etc/logstash/conf.d
# Open file limit; cannot be overridden in upstart
#LS_OPEN_FILES=16384
# Nice level
#LS_NICE=19
# If this is set to 1, then when `stop` is called, if the process has
# not exited within a reasonable time, SIGKILL will be sent next.
# The default behavior is to simply log a message "program stop failed; still running"
KILL_ON_STOP_TIMEOUT=0
And what do the Logstash logs contain after you've changed LS_OPTS and restarted Logstash? You might also want to check whether Logstash is actually listening on port 514. Use e.g. netstat for that.
I checked with "netstat", so port 514 is listening. Also when I looked at "tcpdump", syslogs are coming; I can see that. My problem is parsing, but I don't know why our conf doesn't work.
Are the messages actually reaching Logstash? If you disable the elasticsearch output for now to simplify the system, are you getting output to stdout (probably connected to /var/log/logstash/logstash.stdout or similar)? What if you re-enable the elasticsearch output?
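A minimal logstash.conf for this kind of setup, written as an added example for this thread (it is not the poster's file and not taken from Elastic's documentation). It follows the two points raised above: it listens on the unprivileged port 5000 so Logstash can keep running as LS_USER=logstash instead of root, and it starts with only a stdout output so you can confirm events are parsed before re-enabling Elasticsearch. The file path, the sender address 192.0.2.10, the Elasticsearch host and the `hosts` option (Logstash 2.x syntax) are assumptions.

```conf
# /etc/logstash/conf.d/10-syslog.conf  (assumed path; added example, not from the thread)

input {
  # Unprivileged port: binding 514 requires root or a workaround, 5000 does not.
  # On the sending CentOS host, forward rsyslog here, e.g. in /etc/rsyslog.conf:
  #   *.* @@192.0.2.10:5000     (TCP; a single @ means UDP; address is assumed)
  syslog {
    port => 5000
    type => "syslog"
  }
}

filter {
  # The syslog input already fills facility_label, severity_label, logsource,
  # program and message. Flag lines the input could not parse so they stand
  # out in the stdout output instead of silently looking like broken events.
  if "_grokparsefailure_sysloginput" in [tags] {
    mutate { add_field => { "parse_problem" => "true" } }
  }
}

output {
  # Step 1: keep only this output and watch /var/log/logstash/logstash.stdout
  # (or run Logstash in the foreground) until events appear here.
  stdout { codec => rubydebug }

  # Step 2: once events print correctly, enable Elasticsearch and add the
  # logstash-* index pattern in Kibana.
  # elasticsearch {
  #   hosts => ["localhost:9200"]        # assumed; point at your ES node
  #   index => "logstash-%{+YYYY.MM.dd}"
  # }
}
```

After restarting Logstash, the netstat check from the thread applies unchanged, just for port 5000 instead of 514; if nothing reaches stdout while tcpdump still shows traffic on 514, rsyslog on the sender is still pointed at the old port.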