Configure Elastic
Logstash pipeline from Elasticsearch to AWS S3
Follow the steps below to add a Logstash integration and configure it to move events from Elasticsearch to AWS S3.
Add Logstash Integration
Click on the search bar at the top of your Elastic console and search for Logstash. Click on the Logstash integration. To add your first integration, click on Install Elastic Agent.
Follow the steps shown on the Install Elastic Agent page. If you are using the Linux tar package, copy the commands from the Linux Tar tab and paste them on the machine on which you want to install Elastic Agent.
Note: Elastic Agent will be installed at /opt/Elastic/Agent
You will get a confirmation once the agent enrollment is confirmed:
Click on the Add the integration button, and then click on Confirm incoming data.
Now, on the machine where Elastic Agent is installed, install Logstash. Refer to the Logstash documentation for the installation steps.
Create Role for configuring Logstash
To create a role, open the left panel, expand Management, and click on Stack Management. Again on the left panel, find the Security section and click on Roles. On the Roles page, click on the Create role button.
The privileges below are those required by the elasticsearch input plugin. Give the role a name and add the following privileges:
Cluster privileges: select the monitor privilege.
Index privileges: under Indexes, select the index you want to grant access to (this assumes the index has already been created). Add the read privilege for that index.
Click on Create role to create the role.
Create User for configuring Logstash
To create a user, open the left panel, expand Management, and click on Stack Management. Again on the left panel, find the Security section and click on Users. On the Users page, click on the Create user button. Fill in the details required to create the user.
Under the Privileges section, select the role that was created in the previous step.
Click on Create user to create the user. Keep note of the Username and Password for this user; they are needed in the Logstash configuration.
Configure Logstash
Once the installation of Logstash is complete, follow the instructions below to configure it.
Install the necessary Logstash plugins. The required input plugin is elasticsearch and the required output plugin is s3.
Navigate to the Logstash installation directory:
$ cd /usr/share/logstash
Install the required plugins:
$ sudo bin/logstash-plugin install logstash-input-elasticsearch
$ sudo bin/logstash-plugin install logstash-output-s3
Create the configuration file:
$ sudo nano /etc/logstash/conf.d/logstash.conf
Add the following configuration to the file you created. Replace your_index_name with the index of the alerts generated from a rule.
input {
  elasticsearch {
    hosts => "http://elastic-localhost:9200"   # Replace with your Elasticsearch host
    index => "your_index_name"                 # Replace with your index name
    user => "your_username"                    # Replace with the Elasticsearch username created above
    password => "your_password"                # Replace with the Elasticsearch password
    schedule => "* * * * *"                    # Schedule to run every minute
    size => 500                                # Number of documents to fetch per run
    scroll => "5m"                             # Scroll context time
    docinfo => true
  }
}
output {
  s3 {
    access_key_id => "your_access_key_id"         # Replace with your AWS Access Key ID
    secret_access_key => "your_secret_access_key" # Replace with your AWS Secret Access Key
    region => "your_region"                       # Replace with your AWS region, e.g., "us-east-1"
    bucket => "your_bucket_name"                  # Replace with your S3 bucket name
    prefix => "your_folder_prefix/"               # Optional, specify the folder prefix in the bucket
    time_file => 5                                # Number of minutes before creating a new file in S3
    size_file => 10485760                         # Size in bytes before creating a new file in S3 (10MB)
    codec => "json_lines"                         # Format of the output file
  }
}
To find the index of the alerts for a rule, open the details of an alert and click on the JSON tab. The value of the _index field is the index of the alert.
Note: For more information, refer to the documentation for the elasticsearch input plugin and the s3 output plugin.
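The configuration above stores the Elasticsearch password and the AWS secret key as plain strings in logstash.conf. As an added example (not from the original page), the script below renders the same pipeline with those credentials replaced by references to the Logstash keystore, which Logstash resolves at startup, and includes a check that flags any literal secret left in a config file. The keystore entry names ES_USER, ES_PWD, AWS_KEY and AWS_SECRET are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: render the page's logstash.conf
# with credentials taken from the Logstash keystore via ${VAR} references instead
# of literal strings, then scan a config file for literal secrets left behind.
# Assumed keystore entry names (create each once from /usr/share/logstash with
# `sudo bin/logstash-keystore add NAME`): ES_USER, ES_PWD, AWS_KEY, AWS_SECRET.

# render_pipeline INDEX BUCKET REGION: print the pipeline to stdout
render_pipeline() {
  index="$1"; bucket="$2"; region="$3"
  # Unquoted heredoc: ${index} etc. expand now, \${...} is left for Logstash
  cat <<EOF
input {
  elasticsearch {
    hosts => "http://elastic-localhost:9200"
    index => "${index}"
    user => "\${ES_USER}"
    password => "\${ES_PWD}"
    schedule => "* * * * *"
    size => 500
    scroll => "5m"
    docinfo => true
  }
}
output {
  s3 {
    access_key_id => "\${AWS_KEY}"
    secret_access_key => "\${AWS_SECRET}"
    region => "${region}"
    bucket => "${bucket}"
    time_file => 5
    size_file => 10485760
    codec => "json_lines"
  }
}
EOF
}

# literal_secrets FILE: print any password/secret_access_key line whose value is
# a literal string rather than a ${KEYSTORE} reference; returns 1 if any are found
literal_secrets() {
  if grep -nE '^[[:space:]]*(password|secret_access_key)[[:space:]]*=>[[:space:]]*"[^$]' "$1"; then
    return 1
  fi
  return 0
}
```

Write the rendered output to /etc/logstash/conf.d/logstash.conf and validate it with the --config.test_and_exit check described below; the keystore file itself should be readable only by the logstash user.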
Start Logstash
Start Logstash with the configuration file you created.
$ sudo systemctl start logstash
Check the status to ensure Logstash is running correctly
$ sudo systemctl status logstash
Optional Steps:
Monitor Logstash logs: logs can be found in the /var/log/logstash/ directory. Use these logs to troubleshoot any issues that may arise.
Test the Logstash configuration: the following command checks the configuration file for syntax errors.
$ sudo /usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/logstash.conf
If there are no errors, you will see a message indicating that the configuration is OK.
Verify Data Flow
Run Logstash in the Foreground
Run Logstash in the foreground to observe its behavior and debug any issues. This will also allow you to see the logs in real-time.
$ sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
Verify that data is being written to your specified S3 bucket. You should see files being created in the bucket, following the configuration specified in logstash.conf.