With the logstash 1.2.1 one can now have conditional to do various stuff. Even the earlier version's conf file can get complicated if one is managing many log files and implement metric extraction.
After looking at this comprehensive example, I really wondered my self, how can I detect any breakages in this configuration?
Any ideas.
For a syntax check, there is --configtest:
java -jar logstash.jar agent --configtest --config <yourconfigfile>
To test the logic of the configuration you can write rspec tests. This is an example rspec file to test a haproxy log filter:
require "test_utils"
describe "haproxy logs" do
extend LogStash::RSpec
config <<-CONFIG
filter {
grok {
type => "haproxy"
add_tag => [ "HTTP_REQUEST" ]
pattern => "%{HAPROXYHTTP}"
}
date {
type => 'haproxy'
match => [ 'accept_date', 'dd/MMM/yyyy:HH:mm:ss.SSS' ]
}
}
CONFIG
sample({'#message' => '<150>Oct 8 08:46:47 syslog.host.net haproxy[13262]: 10.0.1.2:44799 [08/Oct/2013:08:46:44.256] frontend-name backend-name/server.host.net 0/0/0/1/2 404 1147 - - ---- 0/0/0/0/0 0/0 {client.host.net||||Apache-HttpClient/4.1.2 (java 1. 5)} {text/html;charset=utf-8|||} "GET /app/status HTTP/1.1"',
'#source_host' => '127.0.0.1',
'#type' => 'haproxy',
'#source' => 'tcp://127.0.0.1:60207/',
}) do
insist { subject["#fields"]["backend_name"] } == [ "backend-name" ]
insist { subject["#fields"]["http_request"] } == [ "/app/status" ]
insist { subject["tags"].include?("HTTP_REQUEST") }
insist { subject["#timestamp"] } == "2013-10-08T06:46:44.256Z"
reject { subject["#timestamp"] } == "2013-10-08T06:46:47Z"
end
end
This will, based on a given filter configuration, run input samples and test if the expected output is produced.
To run the test, save the test as haproxy_spec.rb and run `logstash rspec:
java -jar logstash.jar rspec haproxy_spec.rb
There are lots of spec examples in the Logstash source repository.
since logstash has been upgraded and now the command will be something like (give the folder)
/opt/logstash/bin/logstash agent --configtest -f /etc/logstash/logstash-indexer/conf.d
If you see some warning, but the error message is mixed together, and you didn't know which one have issue. You have to check its file one by one
Related
I try to only deploy fail2ban Apache jails if apache is actually installed. I have a fact for that that works.
# fail2ban
$jails = [
'ssh', 'ssh-ddos',
'pam-generic'
] + if $f2b_enable_apache { ['apache-auth', 'apache-badbots', 'apache-multiport', 'apache-noscript', 'apache-overflows'] }
notify{"Enable apache jails: ${f2b_enable_apache}":}
notify{"Jails: ${jails}":}
class { 'fail2ban':
package_ensure => 'latest',
jails => $jails
}
When I run it though, then I get the follwing output
Without apache:
Puppet : Enable apache jails: false
Puppet : Jails: [ssh, ssh-ddos, pam-generic, apache-auth, apache-badbots, apache-multiport, apache-noscript, apache-overflows]
With apache:
Puppet : Enable apache jails: true
Puppet : Jails: [ssh, ssh-ddos, pam-generic, apache-auth, apache-badbots, apache-multiport, apache-noscript, apache-overflows]
What am I doing wrong? Why is it in both cases appended? Is there a better way to achieve this that is extensible?
I would likely use a selector expression for this:
$jails = $f2b_enable_apache ? {
true => ['ssh', 'ssh-ddos', 'pam-generic', 'apache-auth', 'apache-badbots', 'apache-multiport', 'apache-noscript', 'apache-overflows'],
false => ['ssh', 'ssh-ddos', 'pam-generic'],
}
There are indeed algorithms for using Array[String] concatenation here, but they become messy due to Puppet DSL enforcing the immutability of variables. This uses one variable, one conditional expression, and no lambda iterator functions.
I´m trying to setup an environment for grok debugging and made this with a docker.
Everything works fine, until logstash tries to resolve a custom pattern.
Here is my environment
I start the docker with
docker run -it --name logstash_debug -v
/home/cloud/docker-elk/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
-v /home/cloud/docker-elk/logstash/pipeline/:/usr/share/logstash/pipeline/
-v /home/cloud/docker-elk/logstash/patterns/:/usr/share/logstash/patterns
docker.elastic.co/logstash/logstash:7.2.0
As I said, logstash starts up, loads the pipeline (debug.conf)
input { stdin {} }
filter {
grok {
patterns_dir => ["/usr/share/logstash/patterns"]
match => ["message", "%{YEAR1} \[%{LOGLEVEL:loglvl}\] %{GREEDYDATA:message}"]
}
date {
match => ["customer_time", "${YEAR1}"]
target => "#timestamp"
}
}
output { stdout { codec => rubydebug } }
and gives me this error:
Cannot evaluate ${YEAR1}. Replacement variable YEAR1 is not
defined in a Logstash secret store or as an Environment entry and
there is no default value given.
the patterns_dir contains a file "dateformats" which contains (stripped it down to a minimum)
YEAR1 %{YEAR}
the logstash debug output gives me this:
[DEBUG][logstash.filters.grok ] config
LogStash::Filters::Grok/#patterns_dir =
["/usr/share/logstash/patterns"]
[DEBUG][logstash.filters.grok ] config
LogStash::Filters::Grok/#match = {"message"=>"%{YEAR1}
\[%{LOGLEVEL:loglvl}\] %{GREEDYDATA:message}"}
.....
[DEBUG][logstash.filters.grok ] config
LogStash::Filters::Grok/#patterns_files_glob = "*"
Normally logstash should be able to grab this file (I even started the docker with --user 0 to be sure that I have no permission problem) but it somehow can´t.
Anyone can me give a hint to what´s going on ?
Thanks and cheers,
Wurzelseppi
I am trying to configure my Logstash to read from a specified log file. When I configure it to read from stdin it works as expected, my input results in a message from Logstash and displays in my Kibana UI.
$ cat /tmp/logstash-stdin.conf
input {
stdin {}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
$./logstash -f /tmp/logstash-stdin.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path //usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
The stdin plugin is now waiting for input:
hellloooo
{
"#version" => "1",
"host" => "myhost.com",
"#timestamp" => 2017-11-17T16:05:41.595Z,
"message" => "hellloooo"
}
However, when I run Logstash with a file input I get no indication that the file is loaded into Logstash, and it does not show in Kibana.
$ cat /tmp/logstash-simple.conf
input {
file {
path => "/tmp/test_log.txt"
type => "syslog"
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
$ ./logstash -f /tmp/logstash-simple.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path //usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
Any suggestions of how I can troubleshoot why my Logstash is not ingesting the configured file?
By default the file input plugin starts reading at the end of the file, so only lines added after Logstash starts will be processed. To read all existing lines upon startup add the option "start_position" => "beginning" to the configuration, as explained in documentation.
Need your help in custom log parsing through logstash
Here is the log format that I am trying to parse through logstash
2015-11-01 07:55:18,952 [abc.xyz.com] - /Enter, G, _null, 2702, 2, 2, 2, 2, PageTotal_1449647718950_1449647718952_2_App_e9c00521-eeec-4d47-bf5b-b842ec14a4ff_178.255.153.2___, , , NEW,
And my logstash conf file looks like below
input {
file {
path => [ "/tmp/access.log" ]
}
}
filter{
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:message}" }
}
date {
match => ["timestamp","yyyy-MM-dd HH:mm:ss,SSSS"]
}
}
For some reason running the logstash command passing the conf file doesnt parse the logs, not sure whats wrong with the config. Any help would be highly appreciated.
bin/logstash -f conf/access_log.conf
Settings: Default filter workers: 6
Logstash startup completed
I have checked your Grok Match filter and is fine with:
Grok Debugger
You don't have to use the date matcher because the grok matcher already correctly match the TIMESTAMP_ISO8601 timestamp.
I think your problem is with "since_db" file.
Here is the documentation:
since_db
In few words, logstash remember if a file is already read and doesn't read it anymore. Logstash remember if one file was already read because write it in the since Database.
If you would like to test your filter reading always the same file, you could try:
input {
file {
path => [ "/tmp/access.log" ]
sincedb_path => "/dev/null"
}
}
Regards
I am trying to read a son file data and visualize it in Kibana.The following is my stack.
read json file --> logstash --> elastic search -> Kibana (UI)
I tried the following simple configuration and it works fine till it reaches kibana.
input { stdin { } }
output {
elasticsearch { host => localhost }
}
When I tried to read the data from file and push it to elastic.I am not able to see the output .
input {
stdin {
type => "stdin-type"
}
file {
type => "jsonlog"
# Wildcards work, here :)
path => [ "/Users/path/logstash-1.5.0/sample.json" ]
codec => json
}
}
output {
stdout { }
elasticsearch { embedded => true }
}
Output : It says "logstash started".But I could not see the results in elastic nor the stdout
Jun 10, 2015 4:32:10 PM org.elasticsearch.node.internal.InternalNode start
INFO: [logstash-MacBook-Pro.local-12298-9782] started
Logstash startup completed
Software Version :
Logstash -> 1.5.0
Elasticsearch -> 1.5.2
Thanks in advance !