Sending the data using Logstash


Logstash is an open source tool for collecting, parsing and storing logs for future use. It ingests data from a multitude of sources simultaneously, transforms it, and then sends it to your favorite repository (in this case, Devo).

Logstash is used to read data from multiple data sources and send it:

  1. directly to Devo
  2. using an In-house Relay through the port 13000 (already tagged events). In this case, the relay will securely send the data to Devo, so there is no need to include the certificates in the Logstash configuration file.

These are some of the data sources that Logstash can read:

  • Files
  • Any DB through JDBC
  • Any web site through HTTP
  • Windows Event Logs
  • Cloud services like Amazon S3, Twitter, Salesforce, etc.
  • Other protocols like TCP, UDP, XMPP, IMAP, etc.

For more details on input source, click here. Logstash can also filter and format the data before sending it to the destination. Click here for more details. 



Download and install Logstash

Download Logstash from the Logstash web page. Once downloaded, decompress the file.

Note that Logstash requires Java 8. Java 9 is not supported.

Now install the plugin for syslog output plugin:

bin/logstash-plugin install logstash-output-syslog

For more details on installing Logstash, click here.

Create and set up the configuration file

The Logstash must be created and should contain three sections of variables:

  1. Input - Identifies the input data streams including files, HTTP, SQL, and so on.
  2. Filter - This section is optional. Here you identify and filter plugins to be used to process the data.
  3. Output -  Identifies the destination system. When sending directly to Devo, and not through a relay, this section will reference the authentication certificates.

Check the Configuration file examples article for more details.

Start Logstash

To start Logstash, run the following command in the Logstash path:

./bin/logstash -f <configuration file>

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.