Great Tutorial but wanted configuration for apache2 ssl_access logs and also 
error logs as well as auth log and mysql slow query and generel logs can you please add that also  

@puneetbrar: You need to add them to the files section in <code>/etc/logstash-forwarder</code> It would look like:
<pre>
  "files": [
    {
      "paths": [
        "/var/log/syslog",
        "/var/log/auth.log"
       ],
      "fields": { "type": "syslog" }
    },
    {
      "paths": [ "/var/log/apache2/*.log" ],
      "fields": { "type": "apache" }
    }
   ]
</pre>

But if i have different servers how will i differentiate between the logs 
on kibana

@puneetbrar: Check out the section where we set up a filter in the tutorial. You'll want to add something along the lines of:
<pre>
 add_field => [ "received_from", "%{host}" ]
</pre>

Great tutorial, until 'sudo gem install fpm' failed to install. Not sure where I went wrong.

Building native extensions.  This could take a while...
ERROR:  Error installing fpm:
	ERROR: Failed to build gem native extension.

        /usr/bin/ruby1.9.1 extconf.rb

Gem files will remain installed in /var/lib/gems/1.9.1/gems/json-1.8.1 for inspection.

Could you also advise on the corresponding /etc/logstash/conf.d/10-syslog.conf and /etc/logstash-forwarder additions to monitor the nginx web server access logs? That would be really appreciated.

@crawfishmedia: Is that the entire output?  Be sure to install the "ruby-dev" package (sudo apt-get install ruby-dev), not just "ruby".

@samuel.leach: To add Nginx logs to Logstash, do the following.

On your Nginx server, edit your logstash-forwarder config file and send the nginx access.log by modifying the "files" section so it looks like this:

<pre>
"files": [
    {
      "paths": [
        "/var/log/syslog",
        "/var/log/auth.log"
       ],
      "fields": { "type": "syslog" }
    },
    {
      "paths": [
        "/var/log/nginx/*access*.log",
       ],
      "fields": { "type": "nginx" }
    }
   ]
</pre>

Then restart the logstash forwarder.  Then on your Logstash server, open a file called "nginx" in /opt/logstash/patterns:

<pre>
sudo vi /opt/logstash/patterns/nginx
</pre>

Then insert the following:

<pre>
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent}
</pre>

Save and quit. Then change the ownership of the file to logstash:

<pre>
chown logstash: /opt/logstash/patterns/nginx
</pre>

Then edit your /etc/logstash/conf.d/10-syslog.conf file, and add the following filter under your first filter (syslog):

<pre>
filter {
  if [type] == "nginx" {
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
  }
}
</pre>

Then restart Logstash.

Great write up, but unless I missed something, you should maybe add a line asking the user to change into their home directory before doing the git pull for the logstash forwarder, otherwise the contents of the repo are installed in /etc/pki/tls (not ideal)

In this tutorial, we will go over the installation of Logstash 1.4.2 and Kibana 3, and how to configure them to gather and visualize the syslogs of our systems in a centralized location. Logstash is an open source tool for collecting, parsing, and storing logs for future use. Kibana 3 is a web interface that can be used to search and view the logs that Logstash has indexed.

Elasticsearch, Logstash, and Kibana, when used together is known as an ELK stack.