Ready to get going? Start your 14 days free trial today

Start free trial

Have an account? Sign in

Send data via CentOS to your Logstash instance provided by Logit.io

CentOS System Log Files

Ship system log files from CentOS to Logstash

Configure Filebeat to ship logs from Centos Systems to Logstash and Elasticsearch.

Step 1 - Install FilebeatCopy

We recommend using Filebeat to upload logs locally from CentOS to Logstash.

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

sudo yum install filebeat

Step 2 - Locate Configuration FileCopy

/etc/filebeat/filebeat.yml

Step 3 - Enable the System ModuleCopy

There are several built in filebeat modules you can use. To enable the system module run.

sudo filebeat modules list
sudo filebeat modules enable system

Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location

rpm /etc/filebeat/modules.d/

Step 4 - Configure OutputCopy

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

Step 5 - (Optional) Update Logstash FiltersCopy

All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add System specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "system" {
  if [fileset][name] == "auth" {
    grok {
      match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
                "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
      pattern_definitions => {
        "GREEDYMULTILINE"=> "(.|\n)*"
      }
      remove_field => "message"
    }
    date {
      match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    geoip {
      source => "[system][auth][ssh][ip]"
      target => "[system][auth][ssh][geoip]"
    }
  }
  else if [fileset][name] == "syslog" {
    grok {
      match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
      pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
      remove_field => "message"
    }
    date {
      match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

Step 6 - Validate ConfigurationCopy

Let's check the configuration file is syntactically correct. Run from extracted archive directory.

sudo filebeat -e -c filebeat.yml

Step 7 - Start FilebeatCopy

Ok, time to start ingesting data!

sudo systemctl enable filebeat
sudo systemctl start filebeat

Step 8 - CentOS OverviewCopy

CentOS is a Linux distribution & computing platform that is often compared with Red Hat Enterprise Linux (RHEL).

The main difference between the two is that CentOS lacks the high level of technical support that is supplied as part of the RHEL package.

CentOS is built off of the Red Hat Enterprise Linux’s open source code base, explaining their commonalities and relative compatibility.

Due to this similarity their library versions are identical. This means that binaries that work on RHEL will work on CentOS. If you're using their administration tools you might notice incompatibilities between the two distributions as minor patches are updated at different rates. Large patches & major releases for CentOS are released sporadically & infrequently compared to other Linux distributions (such as Ubuntu & Debian).

CentOS users are typically individuals & businesses that don’t require strong levels of support, certification & training to use this enterprise class Linux distribution successfully.

Our built in CentOS log file analyser is included in our log management platform and is built upon the open source tools Elasticsearch, Logstash & Kibana to ease the processing of large amounts of Linux server data for troubleshooting & root cause analysis.

Logit can be used to centralise your Linux log data & alerts on errors to monitor your operating system (OS). The platform can also be used to view logs within Kibana for detailed visualisations & reporting.

If you need any assistance with analysing your CentOS logs we're here to help. Feel free to reach out by contacting the Logit support team via live chat & we'll be happy to help you get started.

Toggle View

Expand View

Return to Search