We will be installing logstash in a more secure fashion on CentOS 6 as Part 1 of our series on monitoring your systems with logstash and Graylog2 (Parts 2, 3 and 4 follow), but the methodology is applicable to other distributions as well. We’ll be using Tanuki Software’s open source version of their “Java Service Wrapper” to facilitate running the program as a system service.
Our goals are simple:
- Run as an unprivileged user
- Consistent installation, logging, and configuration locations
- Ability to scale to securely monitor other remote systems
- Automating the installation
The installation overview:
- Download the logstash package
- Create the installation environment
- Configure the logstash options
- Modify Access to our log files
- Test the logstash Install
- Download the Java Service Wrapper
- Configure the Java Service Wrapper
- Test running Logstash via the JSW
- Verify everything works
- Tie up loose ends
We will assume you know the basics of system administration (i.e. file permissions, ownership, etc.).
So let’s get this working!
Our first step will be to download logstash. You’ll likely want to download the monolithic package. While you’re at the logstash site, take a look at the available documentation.
Our next step is to create the installation environment. I’ve created a shell script to create the directories we’ll be needing, as well as to create our unprivileged user. I’ll wait while you download and look over the script. You’ll need to run the script as root, but can test it as a normal user quite easily (with some minor modifications to the script).
The command to run the script is:
Our script will create the following directories:
Our script will then create a system user named “logstash”, and modify directory permissions so “logstash” can write to those locations.
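The environment-creation step described above, as an added example script (not the article’s own download): it creates the directory layout used throughout this article, a system account named “logstash” with no password, and hands only the spool tree to that account, leaving binaries and configuration root-owned. The optional prefix argument is an assumption added here so a normal user can dry-run the directory part into a scratch tree, as the article suggests; user creation and ownership changes only happen when run as root.

```shell
#!/bin/sh
# Added example, not the article's own script: lays out the logstash
# directories and creates the unprivileged "logstash" system account.
# The optional PREFIX argument (assumed here, not in the article) lets a
# normal user dry-run the directory part into a scratch tree.

LOGSTASH_USER="logstash"
LOGSTASH_DIRS="/usr/local/bin/logstash /etc/logstash /var/spool/logstash/data /var/spool/logstash/log"

# Create the directory tree under an optional prefix (default: the real root).
create_logstash_dirs() {
    prefix="${1:-}"
    for d in $LOGSTASH_DIRS; do
        mkdir -p "$prefix$d" || return 1
    done
    # Binaries and config stay root-owned and world-readable; only the spool
    # tree (data + log) is somewhere the service needs to write.
    chmod 0755 "$prefix/usr/local/bin/logstash" "$prefix/etc/logstash" || return 1
    chmod 0750 "$prefix/var/spool/logstash" "$prefix/var/spool/logstash/data" \
               "$prefix/var/spool/logstash/log"
}

# Create a system account (-r) with no home directory created (-M), a home
# path inside the spool tree, and a shell for now: the article "su"s to the
# account for testing and removes the shell once everything works.
create_logstash_user() {
    if id "$LOGSTASH_USER" >/dev/null 2>&1; then
        echo "user $LOGSTASH_USER already exists"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "skipping user creation: not root"; return 0; }
    useradd -r -M -d /var/spool/logstash -s /bin/bash "$LOGSTASH_USER"
}

# Hand the spool tree to the service account; nothing else becomes writable.
own_spool_dirs() {
    prefix="${1:-}"
    [ "$(id -u)" -eq 0 ] || { echo "skipping chown: not root"; return 0; }
    chown -R "$LOGSTASH_USER:$LOGSTASH_USER" "$prefix/var/spool/logstash"
}

# Usage as root:       sh create_logstash_env.sh install
# Dry run as a user:   sh create_logstash_env.sh install /tmp/lsroot
if [ "${1:-}" = "install" ]; then
    create_logstash_dirs "${2:-}" && create_logstash_user && own_spool_dirs "${2:-}"
fi
```

The point of splitting ownership this way is that a compromised logstash process can fill its own spool directory but cannot replace its jar or rewrite its configuration.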
We should next unpack the logstash archive into “/usr/local/bin/logstash”, which gives us a “jar” archive named like “logstash-X.X.XX-monolithic.jar”. We’ll then create a symbolic link to that file from a root shell, which will let us update the installation very easily later (Note: change “X.X.XX” to reflect your logstash version).
To create logstash.jar symbolic link, as root:
We will next create a simple configuration file for our test. Using your favorite editor, create a “mylogstash.conf” in “/etc/logstash”. My example is below and you can also download it via this link.
You’ll note the section titled “GELF” is commented out. We’ll be uncommenting that section in a later tutorial to connect to Graylog. So if you’re creating your own, you can discard the section.
Now we’ll need to modify some permissions to allow our “logstash” group to read “/var/spool/messages” and our apache logs. We’ll accomplish this task by modifying ACLs on the necessary files and directories, using the “setfacl” command as root.
We will now test our installation to verify that it functions as we expect before we configure the Java Service Wrapper.
As “root” you should “su” to become user “logstash” and test that our inputs are readable; if that succeeds, we will attempt to launch logstash.
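The ACL grant and the readability check from the two steps above, as an added example (not commands from the article): `grant_log_read` is run as root and gives the service account read access on files and traverse-plus-read access on directories, adding a default ACL so files created later (for instance by logrotate) inherit the entry; `verify_readable` is what you run after becoming the “logstash” user. The log locations in the usage comment are assumptions (stock CentOS paths for syslog and apache), not values from the article.

```shell
#!/bin/sh
# Added example (not from the article): grant an account read access to log
# files via POSIX ACLs, then verify the result from that account's point of view.

# Grant USER read access to each PATH. Directories get "rx" (x is needed to
# traverse them) plus a default ACL so files created in them later, e.g. by
# logrotate, are readable too; plain files just get "r".
grant_log_read() {
    user="$1"; shift
    for p in "$@"; do
        if [ -d "$p" ]; then
            setfacl -m "u:$user:rx" "$p" || return 1
            setfacl -d -m "u:$user:r" "$p" || return 1
        else
            setfacl -m "u:$user:r" "$p" || return 1
        fi
    done
}

# Return 0 if PATH carries a named-user ACL entry granting USER read access.
has_read_acl() {
    user="$1"; path="$2"
    getfacl -p "$path" 2>/dev/null | grep -q "^user:$user:r"
}

# Run this after "su - logstash" (or "su logstash -c '...'") so the checks use
# the service account's credentials rather than root's, which can read anything.
verify_readable() {
    rc=0
    for p in "$@"; do
        if [ -r "$p" ]; then
            echo "OK   $p"
        else
            echo "FAIL $p (not readable as $(id -un))"
            rc=1
        fi
    done
    return $rc
}

# Usage as root (assumed stock CentOS log locations):
#   grant_log_read logstash /var/log/messages /var/log/httpd /var/log/httpd/access_log
# Then, as the logstash user:
#   verify_readable /var/log/messages /var/log/httpd/access_log
```

Testing as root proves nothing, because root bypasses both mode bits and ACLs; the FAIL lines only mean something when printed under the service account.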
If no errors were reported we were successful, and can now launch logstash as user “logstash” with the following command (spread over multiple lines):
This command tells logstash to:
- Use “/var/spool/logstash/data” to store our elasticsearch database
- Use super verbose logging “-vvv”
- Use “/etc/logstash/mylogstash.conf” as our config file
- Log to “/var/spool/logstash/log/logstash.log”
- Start the web interface to elasticsearch on the local host
Give logstash a couple minutes to get going, and see if we can view some data.
Point your browser at http://127.0.0.0:9292
Once the interface comes up, restart apache and/or plug in a USB device to generate some events. Then put an asterisk in the “Query” box and click the “Search” button; you should see some logged events.
If everything seems to be working as we hoped, we now configure logstash to run under the “Java Service Wrapper” which will allow us to run logstash as a service, launching as root and forking to run as user “logstash”.
We should now download the Community version of the Java Service Wrapper and unpack it to ~/wrapper (i.e. “/home/username/wrapper”); we will then copy some files from the ~/wrapper directory for our logstash config.
Edit the below lines in /usr/local/bin/logstash/bin/logstash0_wrapper with your favorite editor.
Edit the below lines in /etc/logstash/wrapper.conf with your favorite editor (Note: I’ve hard coded some perfectly valid variables contained in Tanuki’s provided script).
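The two edits described above, as an added example (these are not the article’s or Tanuki’s files): `configure_wrapper_script` rewrites the variable lines in the copied daemon script, including `RUN_AS_USER`, which is what makes the wrapper start as root and switch to “logstash” before launching the JVM, and `write_wrapper_conf` produces a minimal `/etc/logstash/wrapper.conf`. Assumptions not stated in the article: `wrapper.jar` and the native library were copied to `/usr/local/bin/logstash/lib`, the wrapper binary to `/usr/local/bin/logstash/bin/wrapper`, and the jar is launched through Tanuki’s `WrapperJarApp` (which reads the main class from the jar manifest). The logstash arguments shown are only `agent -f CONF`; the article’s extra options (verbosity, log path, web interface) would be appended as further `wrapper.app.parameter.N` entries in the same order as on the command line.

```shell
#!/bin/sh
# Added example, not the article's or Tanuki's files: edits the daemon script
# variables and writes a minimal wrapper.conf. Paths under
# /usr/local/bin/logstash/{bin,lib} are assumptions made here.

# Replace (or un-comment) a VAR=... line in the Tanuki daemon script.
set_wrapper_var() {
    file="$1"; var="$2"; value="$3"
    sed "s|^#*$var=.*|$var=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The edits for /usr/local/bin/logstash/bin/logstash0_wrapper.
configure_wrapper_script() {
    script="$1"
    set_wrapper_var "$script" APP_NAME '"logstash"' || return 1
    set_wrapper_var "$script" APP_LONG_NAME '"logstash agent"' || return 1
    set_wrapper_var "$script" WRAPPER_CMD '"/usr/local/bin/logstash/bin/wrapper"' || return 1
    set_wrapper_var "$script" WRAPPER_CONF '"/etc/logstash/wrapper.conf"' || return 1
    set_wrapper_var "$script" PIDDIR '"/var/spool/logstash"' || return 1
    # Started by root so the init system can manage it; the wrapper drops to
    # this account before the JVM runs, so logstash never holds root.
    set_wrapper_var "$script" RUN_AS_USER 'logstash'
}

# Write a minimal /etc/logstash/wrapper.conf to DEST.
write_wrapper_conf() {
    dest="$1"
    cat > "$dest" <<'EOF'
# Java Service Wrapper configuration for logstash (added example)
wrapper.java.command=java
# WrapperJarApp launches the jar named in parameter 1 via its manifest main class
wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperJarApp
wrapper.java.classpath.1=/usr/local/bin/logstash/lib/wrapper.jar
wrapper.java.library.path.1=/usr/local/bin/logstash/lib
wrapper.working.dir=/var/spool/logstash
wrapper.java.initmemory=256
wrapper.java.maxmemory=512
# Application: the symlinked jar, then logstash's own arguments
# (agent -f CONF; adjust to your logstash version's command line)
wrapper.app.parameter.1=/usr/local/bin/logstash/logstash.jar
wrapper.app.parameter.2=agent
wrapper.app.parameter.3=-f
wrapper.app.parameter.4=/etc/logstash/mylogstash.conf
# The wrapper's own log, kept next to logstash's log in the spool tree
wrapper.logfile=/var/spool/logstash/log/wrapper.log
wrapper.logfile.format=LPTM
wrapper.logfile.loglevel=INFO
wrapper.logfile.maxsize=10m
wrapper.logfile.maxfiles=5
wrapper.console.loglevel=INFO
wrapper.syslog.loglevel=NONE
EOF
}

# Return 0 when CONF uses WrapperJarApp and points at the symlinked jar.
check_wrapper_conf() {
    grep -q '^wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperJarApp$' "$1" \
      && grep -q '^wrapper.app.parameter.1=/usr/local/bin/logstash/logstash.jar$' "$1"
}

# Usage as root:
#   configure_wrapper_script /usr/local/bin/logstash/bin/logstash0_wrapper
#   write_wrapper_conf /etc/logstash/wrapper.conf
```

Because `wrapper.conf` decides which jar and which class get executed as root’s child, keep it root-owned and not writable by the “logstash” account; the service account only needs to read it.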
You should now be able to launch logstash as root and have it run as logstash.
In a terminal window as root:
You can again check everything is running as expected at:
We will now edit the logstash account to remove its bash shell; you’ll want to do this after logstash is working as expected.
If you run the wrapper script without any parameters, you’ll see it has a number of useful options.
That’s a wrap. We can now resume normal logging instead of verbose. We’ll be expanding on our logstash usage in future articles. For the latest news and information, I suggest you subscribe to the logstash users Google group.