Download logstash:
wget https://logstash.objects.dreamhost.com/release/logstash-1.1.5-monolithic.jar
Create config file:
vim logstash.conf
Add this to logstash.conf (taken from logstash site):
input {
  stdin {
    type => "stdin-type"
  }
  file {
    type => "linux-syslog"
    # Wildcards work, here :)
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
  }
}
output {
  stdout { }
  elasticsearch { embedded => true }
}
Make sure Java is installed:
yum install java
Start the logstash agent. Note that I am not starting the GUI at the same time:
java -jar logstash-1.1.5-monolithic.jar agent -f logstash.conf
Start the logstash GUI (in another terminal):
java -jar logstash-1.1.5-monolithic.jar web --backend elasticsearch://127.0.0.1/
Wait a while.
Run netstat:
netstat -napt | grep -i LISTEN
You should see the following ports listening:
tcp 0 0 :::9292 :::* LISTEN 9469/java
tcp 0 0 :::9200 :::* LISTEN 9081/java
tcp 0 0 :::9201 :::* LISTEN 9420/java
tcp 0 0 :::9300 :::* LISTEN 9081/java
tcp 0 0 :::9301 :::* LISTEN 9081/java
tcp 0 0 :::9302 :::* LISTEN 9420/java
See the logstash site for what these ports are for. Note that the GUI takes a while to load, so it's worth running the command above a few times to see if port 9292 appears in the output.
Navigate to http://(ip running agent):9292 and hopefully you will see the logstash GUI! If you don't see anything, enter some text on the agent's terminal (the stdin input configured above), press enter, wait a while, and then press the refresh button in the GUI.
Currently I have to have iptables off for this to work :(. When I have figured out the correct iptables rules I will update this gist.
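As an added check that is not part of the original gist, the script below parses `netstat -napt` style output, reports which of the ports listed above are not yet listening, and lists the ones bound on all interfaces, which is what is reachable from the network while iptables is off. It runs on a constructed sample built from the lines above (with 9292 missing, as when the GUI is still loading); the port roles in the comments are assumed, since this page only says 9292 is the GUI.

```shell
#!/bin/sh
# Added example, not from the original gist. Ports expected by the gist:
# 9292 (web GUI), 9200/9201/9300/9301/9302 (assumed: embedded elasticsearch).
EXPECTED_PORTS="9292 9200 9201 9300 9301 9302"

# Constructed sample of `netstat -napt | grep -i LISTEN` output, copied from
# the lines above but without 9292 (the GUI has not finished starting yet).
SAMPLE_NETSTAT='tcp        0      0 :::9200   :::*   LISTEN  9081/java
tcp        0      0 :::9201   :::*   LISTEN  9420/java
tcp        0      0 :::9300   :::*   LISTEN  9081/java
tcp        0      0 :::9301   :::*   LISTEN  9081/java
tcp        0      0 :::9302   :::*   LISTEN  9420/java'

# Print the local port of every LISTEN line on stdin, one per line.
# Column 4 is the local address; the port is the text after the last colon.
listening_ports() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Given netstat output as $1, print each expected port that is not listening.
missing_ports() {
    have=$(printf '%s\n' "$1" | listening_ports)
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$have" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Given netstat output as $1, print ports bound on all interfaces (:::port or
# 0.0.0.0:port). Without iptables rules these are open to the whole network,
# so they are the ones a firewall rule set for this host has to cover.
exposed_ports() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && ($4 ~ /^:::[0-9]+$/ || $4 ~ /^0\.0\.0\.0:[0-9]+$/) {
        n = split($4, a, ":"); print a[n] }'
}

# Demonstration on the constructed sample: prints 9292, the only port missing.
missing_ports "$SAMPLE_NETSTAT"
```

To check a live host, replace the sample with `$(netstat -napt | grep -i LISTEN)` as the argument.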