Logstash forwarder has been replaced by Filebeat. Use beats-input-plugin instead.
Graylog Logstash forwarder Lumberjack Input Plugin
Currently the options available for reading files into Graylog server are Logstash and Fluentd. Logstash runs with a bigger
footprint. logstash-forwarder is a lightweight tool to collect logs to be processed elsewhere. With this plugin you can
ship log files directly to Graylog server from logstash-forwarder without Logstash.
This plugin provides support for the logstash-forwarder lumberjack protocol.
- Support for reading from files
- Compressed frames support
- TLS/SSL for secure transport
How To
Follow these steps to integrate this plugin with Graylog server and index the files:
1. Copy the plugin to the Graylog plugins directory
2. Generate SSL certificates
   - Generate the SSL certificates to be used for transport using the following command (for further information refer to the logstash-forwarder [documentation](https://github.com/elastic/logstash-forwarder/)):
     openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=<graylog-server-name>
   - Export these certificates:
     openssl pkcs12 -export -in lumberjack.crt -inkey lumberjack.key -out lumberjack.p12 -name <graylog-server-name> -passin pass:<password> -passout pass:<store-pass>
   - Import the certificates using keytool:
     keytool -importkeystore -srckeystore lumberjack.p12 -srcstoretype PKCS12 -srcstorepass <store-pass> -alias <graylog-server-name> -deststorepass <keystore-pass> -destkeypass <key-pass> -destkeystore lumberjack.jks
   - The above commands will generate the following files: lumberjack.crt, lumberjack.key, lumberjack.jks
3. Configure the plugin in Graylog
4. Create the logstash-forwarder configuration file
5. Start indexing the files
   - Launch logstash-forwarder with the -config option
   - Create extractors to extract the timestamp from the message.
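A pre-flight check for lumberjack.crt and lumberjack.key from the certificate step, as an added example that is not part of the plugin or its documentation; the function names, the script name check_cert.sh and the 60-day default threshold are assumptions. `openssl req -x509` without `-days` issues a certificate valid for 30 days, so the expiry check reports a failure for a certificate created with the command exactly as shown.

```shell
#!/bin/sh
# Added example: pre-flight checks on lumberjack.crt / lumberjack.key.
# Function names and the 60-day default threshold are assumptions of this example.

# Succeeds when the certificate carries the public key of the private key.
key_matches_cert() {   # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the subject commonName of the certificate in $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeeds when the certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all checks; prints one line per finding and returns the failure count.
check_lumberjack_cert() {   # $1 = cert, $2 = key, $3 = expected name, $4 = min days
    failures=0
    if ! key_matches_cert "$1" "$2"; then
        echo "FAIL: $2 is not the private key for $1"; failures=$((failures + 1))
    fi
    cn=$(cert_cn "$1")
    if [ "$cn" != "$3" ]; then
        echo "FAIL: certificate CN is '$cn', expected '$3'"; failures=$((failures + 1))
    fi
    if ! valid_for_days "$1" "${4:-60}"; then
        echo "FAIL: certificate expires within ${4:-60} days"; failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $1 passes all checks"
    return "$failures"
}

# Usage: sh check_cert.sh lumberjack.crt lumberjack.key <graylog-server-name> [min-days]
if [ "$#" -ge 3 ]; then
    check_lumberjack_cert "$@"
fi
```

Run it before importing into lumberjack.jks; a CN that differs from the host name the forwarder connects to, or a certificate about to expire, shows up later as a failed TLS handshake.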
Getting started
This project uses Maven 3 and requires Java 7 or higher. The plugin requires Graylog 1.0.0 or higher.
- Clone this repository.
- Run `mvn package` to build a JAR file.
- Optional: Run `mvn jdeb:jdeb` and `mvn rpm:rpm` to create a DEB and RPM package respectively.
- Copy the generated JAR file from the target directory to your Graylog plugin directory.
- Restart Graylog.
- Input configuration requires the following parameters