This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Logstash

weslambert edited this page Oct 24, 2017 · 41 revisions

We are currently working on integrating the Elastic stack!

Description

From https://www.elastic.co/products/logstash :

Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to your favorite “stash”.

Configuration

  • Configuration files for Logstash can be found in /etc/logstash/.

  • Configuration files for custom parsing can be placed in /etc/logstash/conf.d/.
    After adding your custom configuration file, restart Logstash and check the log(s) for errors:

    sudo docker restart so-logstash && sudo tail -f /var/log/logstash/logstash.log

  • Other configuration options for Logstash can be found in /etc/nsm/securityonion.conf.

  • By default, if total available memory is 8GB or greater, LOGSTASH_HEAP in /etc/nsm/securityonion.conf is configured (during setup) to equal 25% of available memory, but no greater than 31GB.

    See https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html#compressed_oops for more details.

    You may need to adjust the value of LOGSTASH_HEAP depending on your system's performance (then run sudo so-elastic-restart to apply the change).

  • Logstash pipeline.workers can be adjusted in /etc/logstash/logstash.yml.

  • Logstash queue.max_bytes can be adjusted in /etc/logstash/logstash.yml.

  • Logstash logs can be found in /var/log/logstash/.

  • Logging configuration can be found in /etc/logstash/log4j2.properties.
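The following is an added example of the kind of custom parsing file that the conf.d bullet above refers to; it is not part of Security Onion's shipped configuration. It assumes a hypothetical file name (1500_filter_custom_app.conf), that the existing pipeline already supplies the input and output sections in other conf.d files, and that events from the custom source arrive with the field type set to the constructed value custom_app. The sample log line it parses is constructed for illustration.

```conf
# Added example, not Security Onion's own configuration.
# Hypothetical file: /etc/logstash/conf.d/1500_filter_custom_app.conf
#
# Parses a constructed key=value application log line such as:
#   2017-10-24T12:34:56Z app=vpn user=alice src=203.0.113.5 action=login status=failed
#
# Only a filter section is defined: inputs and outputs are assumed to be
# provided by the other files already present in /etc/logstash/conf.d/.
filter {
  # Assumed: events from this source carry type => "custom_app"
  if [type] == "custom_app" {
    # Split the line into a timestamp and the remaining key=value text.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:event_time} %{GREEDYDATA:kv_pairs}" }
      # A distinct tag makes parse failures easy to find in Kibana/logs.
      tag_on_failure => ["_grok_custom_app_failure"]
    }

    if "_grok_custom_app_failure" not in [tags] {
      # Turn "app=vpn user=alice ..." into individual fields.
      kv {
        source      => "kv_pairs"
        field_split => " "
        value_split => "="
      }
      # Use the log's own timestamp as @timestamp rather than ingest time.
      date {
        match  => ["event_time", "ISO8601"]
        target => "@timestamp"
      }
      # Normalise field names and drop the intermediate fields.
      mutate {
        rename       => { "src" => "source_ip" }
        remove_field => ["kv_pairs", "event_time"]
      }
    }
  }
}
```

After placing the file, restart Logstash and watch /var/log/logstash/logstash.log as described above; events that fail the grok pattern are tagged _grok_custom_app_failure instead of being dropped, so unparsed lines remain visible rather than silently disappearing from the index.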

Data Fields

Logstash processes Bro logs, syslog, IDS alerts, etc., formatting them into many different data fields, as described on the Data Fields page.
