Develop Reference

Elastic stack, how should I send my custom python logs

So I have some custom logging in python which comes in from multiple processes to log a certain crash with a format like
{timestamp},{PID},{Cause}
Now I want these events to be sent to logstash and be used in ELK to later see some info on my kibana dashboard. I've never used ELK before so my question is, what would be the best approach?
-Use python-logstash and have 2 loggers at once
-Simply send the array to logstash( HTTP i think? ) at the time it gets logged and use dissect later?
-Make a JSON when the logger is logging the line and send that to logstash?

If you want to send only the crash, then having a separate logger is handy.
logger.addHandler(logstash.TCPLogstashHandler(host, 5959, version=1)
and configure the logstash pipeline for tcp input.
input {
tcp {
port => 5959
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch {
hosts => "elasticsearch:9200"
}
}
for sending json like data, populate a dict in python and send then using the logger with extra parameter.
logger.log(level=logging.WARN, msg="process crashed", extra={'PID':pid, 'Cause': cause})
result records will look like
{
PID:321,
Cause:'abcde',
timestamp:"2019-12-10T13:37:51.906Z",
message:"process crashed"
}

Logstash Always Keeps One message in PipeLine

I am using Logstash to read and parse logs from a file and send them to a Rest based API. My shipper is working fine, but I am experiencing a strange behavior.
Version:
logstash-2.3.2
Problem:
When Logstash shipper parses the first log entry, it does not send it, It keeps it in the pipeline. When it parses the second log entry, it sends the first log entry to the API. Hence one message always remains in the pipeline and it is not being sent towards my API.
Whenever I stop my Logstash shipper process, then it sends the last remaining message as well. So, In a sense no message is lost, but shipper always is one message behind.
Question:
Why is Logstash unable to flush out its pipeline and send message to the API as soon as it receives.

You should paste your logstash config and log format in order to get the correct answer, however from whatever you have described you seem to be using multiline plugin. So from logstash 2.2 onwards there is a auto_flush_interval for multline plugin in Codec. Basically this 'auto_flush_interval' can be set to a number of seconds and if multline input plugin does not listen any log line till the specified number of seconds then it will flush the input pending in pipepline to your API...
For example and more information please go through this:
input {
file {
path => "$LogstashFilePathValue"
type => "DemandwareError"
tags => "$EnvironmentName"
start_position => "beginning"
sincedb_path => "NUL"
codec => multiline {
pattern => "\A\[%{TIMESTAMP_ISO8601:demandware_timestamp} GMT\]"
negate => true
what => previous
auto_flush_interval => 10
}
}
}
The example is from the link: https://github.com/elastic/logstash/issues/1482
For more information on auto_flush_interval visit: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html#plugins-codecs-multiline-auto_flush_interval

Messages not making into elasticsearch

We are a setup with three queues in rabbitmq, handling three different types of logs.
The queues are handled by logstash, and given a tag, and then logstash dumps the message into the appropriate index in elasticsearch.
So my input looks something like this:
input {
rabbitmq {
host => "localhost"
queue => "central_access_logs"
durable => true
codec=> json
threads => 3
prefetch_count => 50
port => 5672
tags => ["central_access_log"]
}
And similar setup for the other two queues:
My output is like this:
if("central_access_log" in [tags]){
elasticsearch {
host => "localhost"
index=> "central_access_logs"
}
}
I suspected for a while that not everything was making it into the central_access_log index (the other two indexes, more of less, seemed fine), so I added this:
file {
path => '/data/out'
}
And let that run for a few weeks.
Recently, I noticed that for the last week and half, nothing has been coming into that index (again, the other two are perfectly fine), however the text file contains all the missing messages.
How can I go about debugging this? Is it an error on logstash's end, or elasticsearch?

Logstash doesn't write / process data and seems to fail silently

Logstash seems to hang when processing a local file. The logstash process is still alive and everything looks fine, but no data get written to the output (elasticsearch). The index gets written, though.

Logstash seems to "hang" and not process any of the input data for the following reason:
Logstash keeps track of what has previously been processed, so when you run it again on the same input data (as will be the case during testing), Logstash will think it has already seen and processed this data the previous time and will not read it again. To bypass this during testing, specify explicitly the location of the sincedb file where Logstash should keep track of what it has read or not and manually delete this sincedb file before each test run.
Here is an example:
input {
file {
path => "~/logstash/data/input_file"
start_position => "beginning"
sincedb_path => "~/logstash/data/sincedb.db"
}
}
or maybe even better (added based on comment below):
input {
file {
path => "~/logstash/data/input_file"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}

logstash multiple output doesn't work if one of outputs fails

I have the next configuration of logstash :
output {
elasticsearch {host => "elastichost"
stdout {codec => json}
file {
path => "./out.txt"
}
And in case when Elasticsearch host is unavaliable then I do not receive any output at all. There is just errors about ElasticSearch output fails.
So the question is how I can configure logstash for reliable sending logs to outputs even if one of them fails?

You can't do this in Logstash 1; any output thread that blocks will hang them all up.
The design of Logstash 2 is supposed to fix this.