====== Install Logstash ======

Logstash is an open source data collection engine. It's designed to ingest data, usually logs. It can enhance or filter the data, and then forward it to a permanent back-end storage facility.

Make sure that all of the latest patches are installed.

<code bash>
sudo apt update
sudo apt dist-upgrade
sudo reboot
</code>


Configure Firewall:<code bash>
sudo ufw allow ssh
sudo ufw allow 5044/tcp
sudo ufw enable
</code>

Install [[linux:install:java]]

Add the Elastic Search Key and Software:<code bash>
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
 
cat > /tmp/elastic-7.x.list << EOF
deb https://artifacts.elastic.co/packages/7.x/apt stable main
EOF
 
sudo mv /tmp/elastic-7.x.list /etc/apt/sources.list.d/
 
sudo apt update
 
sudo apt install -y logstash
</code>

If you are using ElasticSearch as the back-end storage, create the following configuration file:<code bash>
cat > /tmp/beats.conf << EOF
input {
    beats {
        port => "5044"
    }
}

output {
    elasticsearch {
        hosts => ["192.168.0.20:9200"]
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
}
EOF

sudo cp /tmp/beats.conf /etc/logstash/conf.d/
</code>

Then enable and start the service:<code bash>
sudo systemctl enable logstash

sudo service logstash start
</code>