Add an apt repository and install the logstash-forwarder package.
$ sudo sh -c 'echo "deb http://packages.elasticsearch.org/logstashforwarder/debian stable main" > /etc/apt/sources.list.d/logstash.list'
$ wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install logstash-forwarder
Set up a startup script for logstash forwarder.
$ cd /etc/init.d/
$ sudo wget https://raw.github.com/elasticsearch/logstash-forwarder/master/logstash-forwarder.init -O logstash-forwarder
$ sudo chmod +x logstash-forwarder
$ sudo update-rc.d logstash-forwarder defaults
Tell logstash forwarder what logs to capture and where to send those logs.
$ sudo mkdir -p /etc/pki/tls/certs
$ sudo vi /etc/pki/tls/certs/logstash-forwarder.crt # Download this cert from the logstash server
$ sudo vi /etc/logstash-forwarder
The content of /etc/logstash-forwarder should look like this:
{
  "files" : [
    {
      "fields" : {
        "type" : "syslog"
      },
      "paths" : [
        "/var/log/syslog",
        "/var/log/auth.log",
        "<path to other log files you wish to capture>"
      ]
    }
  ],
  "network" : {
    "servers" : [
      "<logstash server hostname>:5000"
    ],
    "ssl ca" : "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout" : 15
  }
}
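As an added example (not part of the original tutorial), the script below renders the /etc/logstash-forwarder config shown above for a given server, CA certificate and list of log files, and then runs the checks worth doing before restarting the forwarder: no template placeholder such as "<logstash server hostname>" left behind, every server entry written as host:port, and the "ssl ca" file actually present so the TLS connection to logstash can be verified. Missing log files are reported as a warning only. The server name, certificate path and log paths are arguments you supply; the checker assumes the one-value-per-line layout that render_config writes.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render the
# /etc/logstash-forwarder config described above and sanity-check it
# before restarting the service. Output goes wherever you redirect it,
# so it can be tried in a scratch directory without touching /etc.

# render_config SERVER CA_CERT LOGFILE... : print the JSON config on stdout.
# SERVER is "host:port" (the tutorial uses port 5000), CA_CERT is the PEM
# file copied from the logstash server, LOGFILE... are the paths to ship.
render_config() {
    server=$1; ca=$2; shift 2
    printf '{\n  "files": [\n    {\n      "fields": { "type": "syslog" },\n      "paths": [\n'
    n=$#
    for p in "$@"; do
        n=$((n - 1))
        # comma after every path except the last one
        if [ "$n" -gt 0 ]; then printf '        "%s",\n' "$p"; else printf '        "%s"\n' "$p"; fi
    done
    printf '      ]\n    }\n  ],\n  "network": {\n    "servers": [\n      "%s"\n    ],\n' "$server"
    printf '    "ssl ca": "%s",\n    "timeout": 15\n  }\n}\n' "$ca"
}

# quoted_values CONFIG KEY : print the quoted strings inside the JSON array
# that follows KEY, one per line (the layout render_config produces).
quoted_values() {
    sed -n "/\"$2\"/,/]/p" "$1" | grep -o '"[^"]*"' | grep -v "\"$2\"" | tr -d '"'
}

# check_config CONFIG : return 0 if the file passes every check, 1 otherwise.
# Values are word-split, so paths are assumed to contain no whitespace.
check_config() {
    cfg=$1
    rc=0
    if [ ! -r "$cfg" ]; then
        echo "$cfg: cannot read config" >&2
        return 1
    fi
    # A placeholder left over from the template is the usual reason the
    # forwarder never connects.
    if grep -q '<[^>]*>' "$cfg"; then
        echo "$cfg: unfilled <placeholder> left in config" >&2
        rc=1
    fi
    # Every server entry needs an explicit port (the tutorial uses 5000).
    for s in $(quoted_values "$cfg" servers); do
        if ! printf '%s\n' "$s" | grep -Eq '^[^:<>]+:[0-9]+$'; then
            echo "$cfg: server '$s' is not host:port" >&2
            rc=1
        fi
    done
    # Without the CA certificate the TLS connection to logstash cannot be verified.
    ca=$(sed -n 's/.*"ssl ca" *: *"\([^"]*\)".*/\1/p' "$cfg")
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "$cfg: ssl ca '$ca' is missing or unreadable" >&2
        rc=1
    fi
    # Missing log files are only a warning: the forwarder waits for them.
    for p in $(quoted_values "$cfg" paths); do
        [ -r "$p" ] || echo "$cfg: warning, log file '$p' not readable yet" >&2
    done
    return $rc
}

# Typical use: render_config logstash.example.internal:5000 \
#     /etc/pki/tls/certs/logstash-forwarder.crt /var/log/syslog /var/log/auth.log \
#     > /etc/logstash-forwarder && check_config /etc/logstash-forwarder
```

Run the render and the check as root on the client, then start the service with the init script from the previous step; a non-zero exit from check_config tells you what to fix before the forwarder is restarted.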
I tried to follow your instructions to install logstash-forwarder and got the following error:
Reading package lists... Done
W: GPG error: http://packages.elasticsearch.org/logstashforwarder/debian stable Release: The following signatures were invalid: 46095ACC8548582C1A2699A9D27D666CD88E42B4
E: The repository 'http://packages.elasticsearch.org/logstashforwarder/debian stable Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
What can I do to make it work?