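#!/usr/bin/env bash
# Provision a single-node ELK stack (Elasticsearch 1.1.1, Logstash 1.4.1, Kibana)
# on Ubuntu and point the local rsyslog at Logstash over TCP port 9000.
# Assumes: Ubuntu with apache2 already installed, sudo rights, outbound internet access.
# Every step is required for the next one, so a failure aborts the run instead of
# leaving a half-configured box.
set -euo pipefail

sudo apt-get install unzip python-software-properties software-properties-common -y
# -y: the PPA confirmation prompt would otherwise block an unattended run
sudo add-apt-repository -y ppa:webupd8team/java
# Fetch the repository signing key over TLS. Over plain HTTP the key itself could be
# replaced in transit, and every package it "verifies" afterwards would be trusted.
wget -O - https://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -
echo 'deb http://packages.elasticsearch.org/elasticsearch/1.1/debian stable main' | sudo tee /etc/apt/sources.list.d/elasticsearch.list
echo 'deb http://packages.elasticsearch.org/logstash/1.4/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash.list
sudo apt-get update
# state that you accepted the license
echo debconf shared/accepted-oracle-license-v1-1 select true | sudo debconf-set-selections
echo debconf shared/accepted-oracle-license-v1-1 seen true | sudo debconf-set-selections
# install Oracle Java 7
sudo apt-get -q -y install oracle-java7-installer
# update environment variable (only once, so re-running the script does not stack duplicates)
if ! grep -q '^JAVA_HOME=' /etc/environment; then
  echo 'JAVA_HOME=/usr/lib/jvm/java-7-oracle/' | sudo tee -a /etc/environment >/dev/null
fi
# Install Elasticsearch & Set to start on boot:
sudo apt-get install -y elasticsearch=1.1.1
sudo service elasticsearch start
sudo update-rc.d elasticsearch defaults 95 10
# Install Kibana
cd ~ || exit 1
# kibana-latest.zip is an unpinned, unsigned archive fetched over plain HTTP: pin a
# version and check the download against the vendor's published checksum
# (e.g. sha1sum -c <CHECKSUM_FILE>) before unpacking it into the web root.
wget http://download.elasticsearch.org/kibana/kibana/kibana-latest.zip
# -o: overwrite silently on re-runs instead of prompting per file
unzip -o kibana-latest.zip
sudo mkdir -p /var/www/kibana
sudo cp -R ~/kibana-latest/* /var/www/kibana/
# 'sudo cat > file' cannot work: the redirect is opened by the unprivileged shell,
# not by cat, so the write fails with permission denied. tee runs under sudo.
# NOTE: 'Allow from all' serves Kibana (and, through it, Elasticsearch queries) to
# anyone who can reach Apache; restrict the Directory block to trusted networks or
# put authentication in front of it before exposing this host.
sudo tee /etc/apache2/conf-enabled/kibana.conf >/dev/null <<'EOF'
Alias /kibana /var/www/kibana
<Directory /var/www/kibana>
Order allow,deny
Allow from all
</Directory>
EOF
sudo service apache2 restart
# Install logstash
sudo apt-get install -y logstash=1.4.1-1-bd507eb
# Configure Logstash to listen for syslog
# Quoted delimiter: the grok pattern contains backslashes and %{...} tokens and must
# reach the file byte-for-byte. Written via sudo tee for the same reason as above.
# NOTE: without a 'host' setting these inputs bind every interface. rsyslog below
# only ever sends to localhost, so 'host => "127.0.0.1"' on both inputs would keep
# 9000/tcp and 9000/udp off the network.
sudo tee /etc/logstash/conf.d/10-syslog.conf >/dev/null <<'EOF'
input {
tcp {
port => 9000
type => syslog
}
udp {
port => 9000
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
EOF
# service restart needs root like every other service call in this script
sudo service logstash restart
# Configure rsyslog to puke into logstash
# '@@' = forward over TCP (single '@' would be UDP). The append has to go through
# 'sudo tee -a': 'sudo echo ... >>' opens the file as the invoking user and fails.
echo "*.* @@localhost:9000" | sudo tee -a /etc/rsyslog.d/50-default.conf >/dev/null
sudo service rsyslog restart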