Configuring logstash on Windows allows Windows OS events to be forwarded to IBM® Operations Analytics - Log Analysis.
Before you begin
Ensure that the logstash Integration Toolkit is deployed on the Windows Server being monitored. For more details on configuring logstash, see the Installing logstash topic.
Ensure that the Windows Server can communicate with the IBM Operations Analytics - Log Analysis server. Communication is directed to the EIF receiver port on the IBM Operations Analytics - Log Analysis server (default 5529). Ensure that any firewall restrictions that block this communication are lifted.
About this task
The steps in this task outline how to configure logstash to send Windows OS Events to the EIF Receiver that is deployed with IBM Operations Analytics - Log Analysis. For more details on configuring the EIF Receiver on IBM Operations Analytics - Log Analysis, see the Configuring the EIF Receiver topic.
Procedure
- On the target Windows Server, stop logstash.
- Make a backup of the <logstash Location>\lstoolkit\logstash\config\logstash-scala.conf file.
- On the IBM Operations Analytics - Log Analysis server, copy the logstash-scala.conf file to the target Windows Server.
The logstash-scala.conf file is in the directory that the Windows OS Events Insight Pack is installed in.
The location of the Windows OS Events Insight Pack can be determined by using the pkg_mgmt.sh command:
<HOME>/IBM/LogAnalysis/utilities/pkg_mgmt.sh -list
- On the Windows Server, place the logstash-scala.conf file
in the location <logstash Location>\lstoolkit\logstash\config. This overwrites the existing version.
- On the Windows server, ensure that the logstash eif output module is configured to send data to the IBM Operations Analytics - Log Analysis server.
- On the Windows server, check that the values of the output module in the new logstash-scala.conf file match those of the backed-up copy. This check is needed if you specify a non-standard location for the eif output module.
- On the target Windows Server, start logstash.
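The connectivity prerequisite and the output-module comparison from the procedure can be scripted in PowerShell. The following is an added example, not part of the product documentation; the installation path, the backup file name and the server host name are assumptions to replace with your own values.

```powershell
# Added example. Paths, backup file name and host name are assumptions.
$ConfigDir  = 'C:\logstash\lstoolkit\logstash\config'         # <logstash Location>\lstoolkit\logstash\config
$NewConf    = Join-Path $ConfigDir 'logstash-scala.conf'
$BackupConf = Join-Path $ConfigDir 'logstash-scala.conf.bak'  # assumed backup name
$LaServer   = 'loganalysis.example.com'                       # placeholder host
$EifPort    = 5529                                            # default EIF receiver port

function Get-OutputBlock {
    # Return the trimmed, non-comment lines inside the top-level output { ... } section.
    # Simple brace counting: assumes braces are balanced inside strings and comments.
    param([string]$Path)
    $text  = Get-Content -LiteralPath $Path -Raw
    $match = [regex]::Match($text, '(?m)^\s*output\s*\{')
    if (-not $match.Success) { throw "No output section found in $Path" }
    $start = $match.Index + $match.Length
    $depth = 1
    for ($i = $start; $i -lt $text.Length; $i++) {
        if     ($text[$i] -eq '{') { $depth++ }
        elseif ($text[$i] -eq '}') { $depth-- }
        if ($depth -eq 0) { break }
    }
    if ($depth -ne 0) { throw "Unbalanced braces in output section of $Path" }
    $lines = @($text.Substring($start, $i - $start) -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') })
    if ($lines.Count -eq 0) { throw "Empty output section in $Path" }
    return $lines
}

# 1. Confirm that the EIF receiver port is reachable from this server.
$probe = Test-NetConnection -ComputerName $LaServer -Port $EifPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Cannot reach ${LaServer}:$EifPort; check firewall rules."
}

# 2. Compare the output section of the new file with the backed-up copy.
$diff = Compare-Object @(Get-OutputBlock $BackupConf) @(Get-OutputBlock $NewConf)
if ($diff) {
    Write-Warning 'Output section differs from the backed-up copy:'
    $diff | Format-Table -AutoSize InputObject,
        @{Name = 'File'; Expression = { if ($_.SideIndicator -eq '<=') { 'backup' } else { 'new' } }}
} else {
    Write-Output 'Output section matches the backed-up copy.'
}
```

Run the script after placing the new logstash-scala.conf file and before starting logstash, so that any differing output settings can be corrected first.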