Integrating the Windows OS Events Insight Pack with Logstash
You can configure Logstash on Windows to send Windows OS events to Log Analysis.
Before you begin
Ensure that Logstash is deployed on the Windows Server that is being monitored. For more information, see Installing Logstash on Windows based servers.
Ensure that the Windows Server can communicate with the Log Analysis server. Communication is directed to the REST interface port on the Log Analysis server (default 9987). Ensure that no firewall restriction blocks this communication.
The logstash-scala.conf file is in the directory in which the Windows OS Events Insight® Pack is installed. To determine the location of the Windows OS Events Insight Pack, use the pkg_mgmt.sh command:
<HOME>/IBM/LogAnalysis/utilities/pkg_mgmt.sh -list
About this task
The steps in this task outline how to configure Logstash to send Windows OS Events to the REST interface that is part of Log Analysis.
Procedure
- On the target Windows Server, stop Logstash.
- Make a backup of the <logstash Location>\logstash\config\logstash-scala.conf file.
- Edit the logstash-scala.conf file. You must add the required values. For more information, see Logstash configuration file reference.
- On the IBM® Operations Analytics Log Analysis server, copy the logstash-scala.conf file to the target Windows Server.
- On the Windows Server, place the logstash-scala.conf file in the <logstash_install>\logstash\config directory. This overwrites the existing version.
- On the Windows server, ensure that the Logstash REST output module is configured to send data to the IBM Operations Analytics Log Analysis server.
- On the Windows server, check that the values of the output module in the new logstash-scala.conf file match those of the backed-up copy. This check is needed if you specify a non-standard location for the REST interface output module.
- Start Logstash on the Windows server.
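The output-module check and the connectivity prerequisite can be scripted. The following PowerShell script is an added example, not part of the product or its documentation: it compares the key => value settings in the output section of the new logstash-scala.conf with the backed-up copy and tests the REST interface port. The parameter names and the Get-OutputSettings helper are hypothetical, and the script assumes the standard brace-delimited Logstash configuration syntax.

```powershell
# Added example; parameter names and Get-OutputSettings are hypothetical.
param(
    [Parameter(Mandatory)] [string] $NewConf,          # logstash-scala.conf now in the config directory
    [Parameter(Mandatory)] [string] $BackupConf,       # backup made before the file was overwritten
    [Parameter(Mandatory)] [string] $LogAnalysisHost,  # Log Analysis server name or address
    [int] $RestPort = 9987                             # default REST interface port
)
function Get-OutputSettings {
    # Collect "key => value" pairs inside the top-level output { } section by
    # counting braces. If a key appears in more than one plugin, the last wins.
    param([string] $Path)
    $settings = [ordered]@{}
    $depth = 0
    $inOutput = $false
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # skip blanks and comments
        if ($depth -eq 0 -and $line -match '^output\b') { $inOutput = $true }
        $closes = [regex]::Matches($line, '\}').Count
        $depth += [regex]::Matches($line, '\{').Count - $closes
        if ($inOutput -and $line -match '^"?([^"=\s]+)"?\s*=>\s*(.+)$') {
            $settings[$Matches[1]] = $Matches[2]
        }
        if ($inOutput -and $closes -gt 0 -and $depth -eq 0) { $inOutput = $false }
    }
    return $settings
}

$new = Get-OutputSettings $NewConf
$old = Get-OutputSettings $BackupConf
if ($new.Count -eq 0 -or $old.Count -eq 0) { throw 'No output { } settings found in one of the files.' }

# Report every setting whose value differs (case-sensitive) or exists in only one file.
$keys = @($new.Keys) + @($old.Keys) | Sort-Object -Unique
$diffs = foreach ($k in $keys) {
    if ($new[$k] -cne $old[$k]) {
        $secret = $k -match 'pass'   # do not echo credentials to the console
        [pscustomobject]@{
            Setting = $k
            Backup  = if ($secret) { '<hidden>' } else { $old[$k] }
            New     = if ($secret) { '<hidden>' } else { $new[$k] }
        }
    }
}
if ($diffs) { $diffs | Format-Table -AutoSize } else { 'Output settings match the backup.' }

# Confirm that the REST interface port on the Log Analysis server is reachable.
$reachable = Test-NetConnection -ComputerName $LogAnalysisHost -Port $RestPort -InformationLevel Quiet
if (-not $reachable) { Write-Warning "Cannot reach ${LogAnalysisHost}:$RestPort" }
```

Run the script before Logstash is started, and resolve any reported difference or connection warning first.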