fluentd -> logstash (net.logstash.logback.encoder.LogstashEncoder) - logstash

Does anyone have example fluentd & logstash config to make this scenario work?
My Java containers use Logback, with log output encoded into json by the logback LogstashEncoder.
Containers run in OpenShift which enforces use of "fluentd" for log forwarding.
We have fluentd pointing to a stand-alone ELK using its "fluentForward" capability.
On the logstash side we have nominated an input codec of fluent, and a json filter sourcing json from the message field.
We observe errors with text such as: "reason"=>"Can't get text on a START_OBJECT at 1:1712"
I will happily share config here if that is helpful, but seeing some known-to-be-working example would also help.
Kubernetes (OpenShift) ClusterLogForwarder
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
spec:
  inputs:
    - application:
        namespaces:
          - unix
      name: my-app-logs
  outputs:
    - name: fluentd-server-insecure
      type: fluentdForward
      url: 'tcp://logstash.domain.com:24224'
  pipelines:
    - inputRefs:
        - application
        - audit
      name: forward-to-fluentd-insecure
      outputRefs:
        - fluentd-server-insecure
Logstash Config
input {
  tcp {
    host => "10.110.250.127"
    port => 24224
    codec => fluent
    type => "rsyslog"
  }
}
filter {
  json {
    source => "message"
    skip_on_invalid_json => true
  }
}
output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "elasticsearch.domain.com:9200" ]
    }
  }
}
Error
Can't get text on a START_OBJECT at 1:1712

First things first: you don't have to use the built-in logging functionality with OpenShift, but could instead deploy the Elastic Cloud Operator and then use a beat if that suits your needs a little better.
However, if you want to stick to cluster-logging-operator, stick close to the documentation:
input {
  tcp {
    codec => fluent
    port => 4000
  }
}
You are not receiving rsyslog type logs in this scenario, so don't specify that.
Additionally, if you're not doing any bigger processing in your logstash pipeline, which is what it looks like, I'd recommend for you to forward directly to the Elasticsearch instance:
apiVersion: "logging.openshift.io/v1"
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: elasticsearch-insecure
      type: "elasticsearch"
      url: http://elasticsearch.insecure.com:9200
One last remark: make sure to always check if the versions you use are compatible. There is a lot of change ongoing with OpenShift clusterlogging and the forwarder, so things might change. Red Hat provides a table where you can look up the compatibility.
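To exercise the Logstash side of this setup without the cluster in the loop, here is a small Python test client, added as an example and not part of the original post: it hand-encodes one Fluent Forward "Message" mode event (the MessagePack array [tag, time, record]) and sends it to the tcp { codec => fluent } input. The Logback line, tag, hostname and port are constructed sample values.

```python
import json
import socket
import struct
import time

# Minimal MessagePack encoder, just enough for the [tag, time, record] array
# that Fluentd's Forward protocol ("Message" mode) puts on the wire.
def pack(obj) -> bytes:
    if isinstance(obj, bool) or obj is None:
        return {None: b"\xc0", False: b"\xc2", True: b"\xc3"}[obj]
    if isinstance(obj, int) and 0 <= obj < 2**64:
        if obj < 128:
            return bytes([obj])                       # positive fixint
        if obj < 2**32:
            return b"\xce" + struct.pack(">I", obj)   # uint32, fluent's time
        return b"\xcf" + struct.pack(">Q", obj)       # uint64
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xA0 | len(raw)]) + raw     # fixstr
        return b"\xdb" + struct.pack(">I", len(raw)) + raw  # str32
    if isinstance(obj, (list, tuple)) and len(obj) < 16:
        return bytes([0x90 | len(obj)]) + b"".join(pack(x) for x in obj)
    if isinstance(obj, dict) and len(obj) < 16:
        return bytes([0x80 | len(obj)]) + b"".join(pack(k) + pack(v) for k, v in obj.items())
    raise TypeError(f"unsupported value for this demo: {obj!r}")

def forward_message(tag: str, record: dict, epoch: int) -> bytes:
    """One Forward-protocol event: the 3-element array [tag, time, record]."""
    return pack([tag, epoch, record])

# Constructed sample of a Logback LogstashEncoder line, shipped as the string
# value of the record's "message" field (what json { source => "message" } parses).
LOGBACK_LINE = json.dumps({
    "@timestamp": "2024-01-01T00:00:00.000Z", "@version": "1", "level": "ERROR",
    "logger_name": "com.example.auth.LoginService", "thread_name": "http-1",
    "message": "authentication failed for user demo",
})

def build_test_event(epoch: int = 1704067200) -> bytes:
    record = {"message": LOGBACK_LINE, "hostname": "node-1"}  # constructed values
    return forward_message("kubernetes.var.log.containers.demo", record, epoch)

def send_event(host: str, port: int = 24224) -> int:
    """Push the test event at a tcp { codec => fluent } input; returns bytes sent."""
    payload = build_test_event(int(time.time()))
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)
    return len(payload)
```

Call send_event("<your-logstash-host>") with the input listening; what lands in Elasticsearch then shows whether the json filter actually unpacked the message field or the event was rejected on the way in.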

Related

How to identify filebeat source in logstash logs

I have multiple filebeat services running on different applications, which send the logs to a central logstash server for parsing.
Sometimes a few application logs are not in correct format so there is a 'parse error' in the 'logstash-plain.log' file. The problem I am having is that I am not able to identify from logstash-plain.log file where the logs are coming from (since there are a huge number of applications with filebeat running)
Is there a way to trace the filebeat source from logstash logs?
You can use processors from filebeat to add tags
processors:
  - add_tags:
      tags: [my_app_1]
      target: "application_tags"
and then use different filter plugins configuration in logstash to parse the logs properly.
filter {
  if "my_app_1" in [application_tags] {
    grok {
      ....
    }
  }
}

How can I collect multiple python program logs generated by standard output in Filebeat

I have several python programs running as pods in a Kubernetes cluster on AWS EKS. I want Filebeat to automatically pick up these logging events/messages from standard output and send them to ELK.
The current Filebeat configuration does not seem to work
data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
              - logs_path:
                  logs_path: "/var/log/containers/"
How I can configure Filebeat or Logstash to collect standard out from several python program(s) and automatically ship it to ELK machine?
The above configuration already generates combined logs from all the programs running on a container.
So, this is a correct configuration and one doesn't need to do anything else. It's just that I was not familiar with Kibana hence I could not find it earlier.
data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
              - logs_path:
                  logs_path: "/var/log/containers/"
For Kibana, one needs to apply the following wildcard filter to get the respective logs.
*<program_name>*
One can apply an additional filter on top of that with kubernetes.namespace:<namespace>

How to setup ELK with node.js

I want to log error from my node.js server to another server. I'm thinking of using elasticsearch, logstash and kibana. I want to know how to setup ELK with my node server.
I had exactly this use case in my older organization. A basic tutorial to startup with Beats + ELK - https://www.elastic.co/guide/en/beats/libbeat/current/getting-started.html
So basically this is how it works - Your nodejs app will log in the files (you can use bunyan for this) in different formats like error/warning/info etc. Filebeat will tail these log files and send messages to logstash server. Logstash input.conf will have some input filters (in your case it will be error filters). When any log message passes these filters then logstash will forward it to some endpoint as decided in output.conf file.
Here is what we did -
Initial architecture - Install filebeat (earlier we used logstash forwarder) client to tail the logs on nodejs server and forward it to logstash machine. Logstash will do some processing on input logs and send them to ES cluster (can be on same machine as Logstash). Kibana is just a visualization on this ES.
Final Architecture - Initial setup was cool for small traffic but we realized that logstash can be single point of failure and may result in log loss when traffic increased. So we integrated Kafka along with Logstash so that system scales smoothly. Here is an article - https://www.elastic.co/blog/logstash-kafka-intro
Hope this helps!
It is possible to use logstash without agents running to collect logs from the application.
Logstash has input plugins (https://www.elastic.co/guide/en/logstash/current/input-plugins.html). This can be configured in the pipeline. One basic setup is to configure the TCP (https://www.elastic.co/guide/en/logstash/current/plugins-inputs-tcp.html) or UDP (https://www.elastic.co/guide/en/logstash/current/plugins-inputs-udp.html) input plugin. Logstash can listen on the port configured in the plugin.
Then the application can send the log directly to the logstash server. The pipeline can then transform and forward to ES.
By configuring the Logstash pipeline to be durable, data loss can be avoided. This approach is better when the application servers are ephemeral (as in containers).
For nodejs, https://www.npmjs.com/package/winston-logstash is a package which is quite active. This gist https://gist.github.com/jgoodall/6323951 provides a good example for the overall approach in other languages.
This is the sample (minimal) TCP input plugin configuration
input {
  tcp {
    'port' => '9563'
  }
}
You can install Logstash in the NodeJS Server, and then create a configuration file that accepts input (location of the log file(s)) and output to your Elastic Server host.
Below is the sample configuration file (custom.conf) which has to be created in your logstash directory.
input {
  file {
    path => "/path to log"
    start_position => beginning
  }
}
output {
  stdout { }
  elasticsearch {
    type => "stdin-type"
    embedded => false
    host => "192.168.0.23"
    port => "9300"
    cluster => "logstash-cluster"
    node_name => "logstash"
  }
}
Execute logstash:
logstash -f custom.conf
Reference: https://www.elastic.co/guide/en/logstash/current/config-examples.html
If you are planning to customize a NodeJS application for sending error logs then you can install some ELKStack NodeJS wrapper and post error logs from within your application. ELKStack NodeJS wrapper - https://www.npmjs.com/package/elksdk

CouchDB - Logstash - _changes with CouchDB Filter

Our solution requires that some of the data created or modified in CouchDB is logged to Elastic Search using LogStash. So far we have been able to configure LogStash to connect to CouchDb via the changes feed however we have not been able to apply a CouchDB filter to the changes feed. How can we configure LogStash to specify and apply a CouchDB filter to the _changes feed and only log records that pass the filter based on a GET parameter?
LogStash Configuration:
input {
  couchdb_changes {
    db => "database-members"
    host => "192.168.0.18"
    sequence_path => "/root/.couchdb_seq_database-members"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    document_id => "%{[@metadata][_id]}"
    index => "logstash-database-members-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
Unfortunately the logstash plugin does not support filters yet.
If you know a bit of ruby it's easy to add though, and will roughly go here:
https://github.com/logstash-plugins/logstash-input-couchdb_changes/blob/master/lib/logstash/inputs/couchdb_changes.rb#L115
You would need to add the filter option to the logstash module and then make sure the request URI that the module creates is according to this doc:
http://docs.couchdb.org/en/2.0.0/api/database/changes.html

logstash zabbix metric without tags in log

We have the following setup.
1 central logstash server (behind that we have an elasticsearch cluster based on two nodes)
1 central zabbix server
10 servers with logstash-forwarder
On our logstash server we are getting syslogs and apache/nginx access and error logs from the 10 mentioned servers through logstash-forwarder.
Since we want to see the amount of error logs per server per minute in a nice graph in our zabbix system we are using the metrics plugin (http://logstash.net/docs/1.4.2/contrib-plugins)
Here is the PROBLEM:
We are currently not able to get the logs with the correct tags from the plugin to send them to zabbix.
For the logstash-forwarder config and logstash server conf, see this link:
https://db.tt/4cn8DWi2
If anyone has an idea how we can get rid of this problem, we would be very thankful.
It looks like you are messing up top-level sections in your config files; check the logstash config language.
Each file should be something like this:
# section input
input {
  # multiple plugin definitions *within* the input section
  file {}
  file {}
}
# section filter
filter {
  grok {}
  grok {}
  grok {}
}
# section output
output {
  elasticsearch {}
  stdout {}
}
Your config looks like this:
input {
  file {}
}
input {
  file {}
}
output {
  elasticsearch {}
}
output {
  stdout {}
}