Develop Reference

Logstash parsing data from two different filebeat inputs

I have one machine on which I have set Elasticsearch and Logstash and shipping there logs via Filebeat from another machine. I'd like to add a new machine from which I could ship logs to Logstash, parse them and store in the same elasticsearch index.
I tried to configurate filebeat on new machine with the same Logstash output but it seems logstash doesn't recieve data from multiple sources...
The logstash config file:
input {
beats {
port => 5044
}
}
filter {
grok { match => { "message" => "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \[%{NOTSPACE:referrer}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"} }
grok { match => { "referrer" => "%{WORD:protocol}://%{WORD:domain1}.%{WORD:domain2}.%{WORD:domain3}:%{INT:port}" }
}
geoip { source => "clientip" }
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "my_index"
}
}
Filebeat config file
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.
#=========================== Filebeat inputs =============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
#enabled: false
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
#- /var/log/*.log
- /var/log/hostname/proxy1/app/nginx.log
- /var/log/hostname/proxy2/app/nginx.log
#- c:\programdata\elasticsearch\logs\*
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list.
#include_lines: ['^ERR', '^WARN']
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#exclude_files: ['.gz$']
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
### Multiline options
# Multiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
#multiline.pattern: ^\[
# Defines if the pattern set under pattern should be negated or not. Default is false.
#multiline.negate: false
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
#multiline.match: after
#============================= Filebeat modules ===============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
#============================= Elastic Cloud ==================================
# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["logstash:5045"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
Thanks for any suggestions!

You should edit output section in filebeat.yml like below:
output.logstash:
# The Logstash hosts
hosts: ["Logstash_server_private_ip:5044"]
Logstash expects data from port 5044, not from 5045.

Use logstash pipeline
Note: If xpack basic security not enabled username and password not required of ES (remove those lines)
in directory /etc/logstash/conf.d
You can write multiple conf on different port
gunicorn.log
input {
beats {
port => "5044"
}
}
output {
# stdout { codec => rubydebug }
elasticsearch {
hosts => ["xx.xx.xx.xx:xxxx"]
user => ""
password => "*******"
index => "gunicorn"
}
}
access.log
input {
beats {
port => "5047"
}
}
output {
# stdout { codec => rubydebug }
elasticsearch {
hosts => ["xxxxxxx:xxxx"]
user => "*********"
password => "*********"
index => "access"
}
}
in directory /etc/logstash -> pipelines.yml
- pipeline.id: gunicorn
path.config: "/etc/logstash/conf.d/gunicorn.conf"
- pipeline.id: access
path.config: "/etc/logstash/conf.d/access.conf"
on machine - 1 in directory /etc/filebeat filebeat.yml
filebeat.inputs:
- type: log
paths:
- "/home/ubuntu/data/gunicorn.log"
queue.mem:
events: 8000
flush.min_events: 2000
flush.timeout: 10s
output.logstash:
hosts: ["logstash public IP:5044"]
on machine - 2 in directory /etc/filebeat filebeat.yml
filebeat.inputs:
- type: log
paths:
- "/home/ubuntu/data/access.log"
queue.mem:
events: 8000
flush.min_events: 2000
flush.timeout: 10s
output.logstash:
hosts: ["logstash public IP:5047"]

Resend old logs from filebeat to logstash

Thanks in advance for your help. I would like to reload some logs to customize additional fields. I have noticed that registry file in filebeat configuration keeps track of the files already picked. However, if I remove the content in that file, I am not getting the old logs back. I have tried also to change the timestamp of the source in registry file with no sucsess. What changes are needed to sent old logs from filebeat to logstash?
How can I get the logs back?
Update:
This is the last log in tomcat container:
2019-03-11 06:22:48 [Thread-4 ] DEBUG: ca.bc.gov.WEB.dbpool.WEBConnectionCacheMonitor Connection cache monitor in thread: Thread-4 shutting down for pool: WEB
This is the log obtained by filebeat:
2019-03-14T16:18:50.377-0700 DEBUG [publish] pipeline/processor.go:308 Publish event: {
"#timestamp": "2019-03-14T23:18:45.376Z",
"#metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.6.0"
},
"host": {
"name": "tomcat",
"architecture": "x86_64",
"os": {
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux"
},
"id": "6aaed308aa5a419f880c5e45eea65414",
"containerized": true
},
"source": "/app/logs/WEB/WEB-rest-api/WEB-rest-api.log",
"log": {
"file": {
"path": "/app/logs/WEB/WEB-rest-api/WEB-rest-api.log"
}
},
"message": "2019-03-11 06:22:48 [Thread-4 ] DEBUG: ca.bc.gov.WEB.dbpool.WEBConnectionCacheMonitor Connection cache monitor in thread: Thread-4 shutting down for pool: WEB",
"beat": {
"name": "tomcat",
"hostname": "tomcat",
"version": "6.6.0"
},
"offset": 6771071,
"prospector": {
"type": "log"
},
"input": {
"type": "log"
},
"meta": {
"cloud": {
"instance_name": "tomcat",
"machine_type": "Standard_D8s_v3",
"region": "CanadaCentral",
"provider": "az",
"instance_id": "6452bcf4-7f5d-4fc3-9f8e-5ea57f00724b"
}
}
}
This is the log ingest by Logstash:
[2019-03-15T10:32:25,982][DEBUG][logstash.outputs.gelf ] Sending GELF event {:event=>{"short_message"=>["2019-03-11 06:22:48 [Thread-4 ] DEBUG: ca.bc.gov.WEB.dbpool.WEBConnectionCacheMonitor Connection cache monitor in thread: Thread-4 shutting down for pool: WEB", " Connection cache monitor in thread: Thread-4 shutting down for pool: WEB"], "full_message"=>"2019-03-11 06:22:48 [Thread-4 ] DEBUG: ca.bc.gov.WEB.dbpool.WEBConnectionCacheMonitor Connection cache monitor in thread: Thread-4 shutting down for pool: WEB, Connection cache monitor in thread: Thread-4 shutting down for pool: WEB", "host"=>"{\"name\":\"tomcat\",\"os\":{\"name\":\"CentOS Linux\",\"version\":\"7 (Core)\",\"codename\":\"Core\"}}", "_source"=>"/app/logs/WEB/WEB-rest-api/WEB-rest-api.log", "_class"=>"ca.bc.gov.WEB.dbpool.WEBConnectionCacheMonitor, %{JAVACLASS}", "_tags"=>"beats_input_codec_plain_applied", "_beat_hostname"=>"tomcat", "_beat_name"=>"tomcat", "_meta_cloud"=>{}, "_log_file"=>{"path"=>"/app/logs/WEB/WEB-rest-api/WEB-rest-api.log"}, "level"=>6}}
Filebeat.yml:
###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.
#=========================== Filebeat inputs =============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /apps/logs/WEB/web-api/web-api.log
- /apps/logs/WEB/web-api/web-rest-api.log
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list.
#include_lines: ['^ERR', '^WARN']
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#exclude_files: ['.gz$']
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
# Ignore files which were modified more then the defined timespan in the past
# Time strings like 2h (2 hours), 5m (5 minutes) can be used.
ignore_older: 0
### Multiline options
# Multiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
# Defines if the pattern set under pattern should be negated or not. Default is false.
multiline.negate: true
# Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
multiline.match: after
#============================= Filebeat modules ===============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
#index.codec: best_compression
#_source.enabled: false
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
#setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
#============================= Elastic Cloud ==================================
# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["log1.cgi-dev.ca:9200"]
# Enabled ilm (beta) to use index lifecycle management instead daily indices.
#ilm.enabled: false
# Optional protocol and basic auth credentials.
#protocol: "https"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["log1.cgi-dev.ca:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash.crt"]
# Certificate for SSL client authentication
##ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
##ssl.key: "/etc/pki/client/cert.key"
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
#============================== Xpack Monitoring ===============================
# filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
However, I do not get the log neither Kibana nor Graylog. It is worth noting that the same kind of logs for INFO level related to the same class are visible in Kibana and Graylog, but not the ones with DEBUG level.
Do you know what would be wrong?
Thanks a lot

Stop filebeat and logstash.
Clear old data from Elasticsearch if there.
Delete registry files registry and registry.old.
Run logstash.
Run filebeat using command filebeat -e -once.

The registry keeps the inode and byte offset. Removing the content doesn't change the inode. Try shutting down filebeat and removing/resetting the byte offset in the registry.

Filebeat and Logstash read old files sometimes

I have a folder with log files from 2016-present and setup filebeat with "ignore_older: 48h". All the files get rotated so that "log" is always the new one, "log.1" is the next etc.
Logs are on linux NFS partition mounted on the logstash host.
I expect filebeat to get only log files that where changed in the last 24h and ignore the older ones.
The above happens except from time to time it also gets older files in no specific order.
I ran "stat" command on one of the older file from 2018 and i see the following:
Access: 2019-03-02 03:15:32.254460960 +0000
Modify: 2018-09-06 13:12:00.331460890 +0000
Change: 2019-02-28 03:34:33.946462475 +0000
I run filebeat version 6.4.2
Is this data confusing Logstash? What is it actually looking at when checking if a file has changed. How can i stop it from taking older files.
UPDATE:
My filebeat configuration looks like this:
- type: log
enabled: true
paths:
- /path/to/my/log/file/log*
fields:
logname: "log.name"
include_lines: ["SOME_TEXT"]
ignore_older: 48h
Logs are in CSV format.
On another host i do the same but with logstash directly, the input config is like this:
input {
file {
path => "/path/to/my/log/file/log*"
mode => "tail"
start_position => "beginning"
close_older => "24h"
ignore_older => "2w"
}
}
I have the same issue here.

You can try to do two things, one is to remove the * after log in the path like this
- /path/to/my/log/file/log
Since filebeat will read a rotated log file even after it is moved until it reaches a certain age.
Or for logstash the path parameter is an array and you create a list of files to be read, if you know how often the files get rotated:
path => [ "path/to/my/log/file.log", "/path/to/my/log/file1.log", "path/to/my/log/file2.log"]

How to setup syslog in yocto?

I like to configure syslog. It seems that are more than one way to set up syslog. I am asking for the common way/steps to do that.
I have several use cases. To simplify I like to ask how to configure syslog to write an infinity long log file in /var/log/.
Following steps:
1.) configure what messages
1.1) create own "syslog.conf" (define /var/log/myLog)
1.2) append it to "recipes-core/busybox"
2.) configure how to log
??
I found two possible places to do that:
#meta-poky
-> "meta-poky/recipes-core/busybox/busybox/poky-tiny/defconfig"
#
# System Logging Utilities
#
CONFIG_SYSLOGD=y
CONFIG_FEATURE_ROTATE_LOGFILE=y
CONFIG_FEATURE_REMOTE_LOG=y
CONFIG_FEATURE_SYSLOGD_DUP=y
CONFIG_FEATURE_SYSLOGD_CFG=y
CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=256
CONFIG_FEATURE_IPC_SYSLOG=y
CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=16
CONFIG_LOGREAD=y
CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING=y
CONFIG_KLOGD=y
CONFIG_FEATURE_KLOGD_KLOGCTL=y
CONFIG_LOGGER=y
add/change:
"CONFIG_FEATURE_ROTATE_LOGFILE=n" by adding that line to meta-mylayer/conf/layer.conf"
etc.
???
# "/etc/syslog-startup.conf"
# This configuration file is used by the busybox syslog init script,
# /etc/init.d/syslog[.busybox] to set syslog configuration at start time.
DESTINATION=file # log destinations (buffer file remote)
LOGFILE=/var/log/messages # where to log (file)
REMOTE=loghost:514 # where to log (syslog remote)
REDUCE=no # reduce-size logging
DROPDUPLICATES=no # whether to drop duplicate log entries
#ROTATESIZE=0 # rotate log if grown beyond X [kByte]
#ROTATEGENS=3 # keep X generations of rotated logs
BUFFERSIZE=64 # size of circular buffer [kByte]
FOREGROUND=no # run in foreground (don't use!)
#LOGLEVEL=5 # local log level (between 1 and 8)
In the systemV init script "/etc/init.d/syslog.bussybox" the file "/etc/syslog-startup.con" is read and used for configuration.
System behaviour:
When running my system, the log wraps when the logfile reaches 200kBytes. One logfile + one log-rotate file is generated.
Any ideas how to archive that syslog writes an infinite long log-file?
I am working on the Yocto krogoth branch + meta-atmel / meta_openembedded (# krogoth too).

By checking the sources of syslog and busybox I found a possible solution. This solution shows how to configure syslog to log in two logs with max 10MByte:
1.) get valid syslog build config
1.1) download busybox -> git/busybox
1.2) build busybox via bitbake -> bitbake busybox
1.3) copy defconfig file to downloaded busybox -> cp /defconfig git/busybox/
1.4) make menueconfig
1.5) goto "System Logging Utilities"
1.6) deselect klogd because it can colide with printk
1.7) save to "defconfig"
#
# System Logging Utilities
#
# CONFIG_KLOGD is not set
# CONFIG_FEATURE_KLOGD_KLOGCTL is not set
CONFIG_LOGGER=y
CONFIG_LOGREAD=y
CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING=y
CONFIG_SYSLOGD=y
CONFIG_FEATURE_ROTATE_LOGFILE=y
CONFIG_FEATURE_REMOTE_LOG=y
CONFIG_FEATURE_SYSLOGD_DUP=y
CONFIG_FEATURE_SYSLOGD_CFG=y
CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=256
CONFIG_FEATURE_IPC_SYSLOG=y
CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=64
CONFIG_FEATURE_KMSG_SYSLOG=y
2.) setup your log config
Create "syslog.conf" and enter the rules:
This is an example:
#
# /etc/syslog.conf Configuration file for busybox's syslogd utility
#
kern.notice /var/log/messages
#
# my software messages
#
user.err /var/log/mySWError
user.* /var/log/mySWFull
local0.* /var/log/mySWFull
local0.err /var/log/mySWError
#
#this prevents from logging to default log file (-O FILE or /var/log/messages)
#
*.* /dev/null
3.) modify configuration for the busybox syslog deamon
This example logs to files which are limited to 10 MBytes. If "ROTATESIZE" is not set syslog set the log filesize automatic to 200 kBytes. The content of "syslog-startup.conf" looks like:
# This configuration file is used by the busybox syslog init script,
# /etc/init.d/syslog[.busybox] to set syslog configuration at start time.
DESTINATION=file # log destinations (buffer file remote)
#LOGFILE=/var/log/messages # where to log (file)
REMOTE=loghost:514 # where to log (syslog remote)
REDUCE=no # reduce-size logging
DROPDUPLICATES=no # whether to drop duplicate log entries
ROTATESIZE=10000 # rotate log if grown beyond X [kByte]
#ROTATEGENS=3 # keep X generations of rotated logs
BUFFERSIZE=64 # size of circular buffer [kByte]
FOREGROUND=no # run in foreground (don't use!)
#LOGLEVEL=5 # local log level (between 1 and 8)
4.) get the configuration into yocto build
4.1) create following directory structure in your own layer(meta-custom):
meta-custom/recipes-core/
meta-custom/recipes-core/busybox/
meta-custom/recipes-core/busybox/busybox
4.2) copy into "meta-custom/recipes-core/busybox/busybox":
defconfig
syslog.conf
syslog-startup.conf
4.3) create in "meta-custom/recipes-core/busybox/" "busybox_1.24.1.bbappend". If you using an older/newer version of busybox you need to change the "1.24.1" number to yours. You can find your version in "/poky/meta/recipes-core/busybox/"
Add this two lines to this file:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/poky-tiny:"
5.) build your custom defined syslog
bitbake busybox
and transfer it into the rootfs of the image
bitbake core-image-minimal
Now it should work!

Adding to the Stefan Jaritz comment, you can skip the download step by just issuing
bitbake busybox -c devshell
Then running make menuconfig and getting the new config file from it. Note that this will use Yocto's defconfig by default, so you don't need to do worry about "what's this default config".

CsvReporter not spitting out metrics in cassandra

I have added the following file on my cassandra node
/etc/dse/cassandra/metrics-reporter-config.yaml
csv:
-
outdir: '/mnt/cassandra/metrics'
period: 10
timeunit: 'SECONDS'
predicate:
color: "white"
useQualifiedName: true
patterns:
- "^org.apache.cassandra.metrics.Cache.+"
- "^org.apache.cassandra.metrics.ClientRequest.+"
- "^org.apache.cassandra.metrics.CommitLog.+"
- "^org.apache.cassandra.metrics.Compaction.+"
- "^org.apache.cassandra.metrics.DroppedMetrics.+"
- "^org.apache.cassandra.metrics.ReadRepair.+"
- "^org.apache.cassandra.metrics.Storage.+"
- "^org.apache.cassandra.metrics.ThreadPools.+"
- "^org.apache.cassandra.metrics.ColumnFamily.+"
- "^org.apache.cassandra.metrics.Streaming.+"
And then added this line to etc/dse/cassandra/cassandra-env.sh
​JVM_OPTS="$JVM_OPTS -Dcassandra.metricsReporterConfigFile=metrics-reporter-config.yam"
And then finally restarted DSE, /etc/init.d/dse restart
I dont see any csv metrics files being spitted out by the MetricsReported in /mnt/cassandra/metrics folder.
any ideas why?

Check the logs, check if you have something like:
Trying to load metrics-reporter-config from file followed by Enabling CsvReporter to
Possibly metrics reporter could not create metrics directory or so...

In my case, I just had to change csv: to console: