========
Logstash
========

What?
-----

* `Logstash <https://www.elastic.co/products/logstash>`_ is a centralized data processor. In our case used as a log endpoint.

Who?
----

* ITS Linux System Administration will provide a working Logstash server. :doc:`logstash.linux.bfh.ch </servers/logstash.linux.bfh.ch/index>`

* Every System Administrator can send logfiles to this instance and ITS Linux System Administration will take care of parsing them. Please inform its-linux-sysadmin@lists.bfh.ch

How?
----

* Actually there are 2 possibilities to send logfiles to logstash. if needed, more could be added.

.. raw:: html

   <table>
   	<tr>
   		<th>protocol</th>
   		<th>hostname</th>
   		<th>port</th>
   	</tr>
   	<tr>
   		<td>syslog udp/tcp</td>
   		<td>logstash.linux.bfh.ch</td>
   		<td>514</td>
   	</tr>
   	<tr>
   		<td>beats</td>
   		<td>logstash.linux.bfh.ch</td>
   		<td>5044</td>
   	</tr>
   </table>

* example syslog configuration for linux system

.. code-block:: bash

   echo "*.* @@logstash.linux.bfh.ch:514" >> /etc/rsyslog.d/logstash.conf

* winlogbeat installation and configuration for windows system

   `installation <https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html>`_
   `configuration <https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-configuration.html>`_
   the following changes have to be made in the configuration file:

.. code-block:: bash

   comment output.elasticsearch and following definitions of this output.
   uncomment output.logstash and put logstash.linux.bfh.ch:5044 as host.