# Smoke test: -e takes the pipeline inline; every line typed on stdin is
# echoed back on stdout as an event, proving the binary runs before any
# real inputs/outputs are wired up.
~/elk/logstash/bin/logstash -e 'input { stdin { } } output { stdout {} }'
Collect logs from a file and index them in Elasticsearch for easy browsing
input {
  # Follow the generated log on the workshop VM. NOTE(review): the file
  # input tails from the end of the file by default, so lines already present
  # when Logstash starts are only read if start_position => "beginning" is
  # set — confirm against the plugin docs for the installed version.
  file {
    path => ["/home/vagrant/elk-workshop/generated.log"]
  }
}
output {
  # Index each event into the local cluster. No credentials or TLS are
  # configured here; that is fine for the single-VM workshop but should be
  # set explicitly anywhere the cluster is reachable by others.
  elasticsearch {
    host => "localhost"
  }
}
# Check out the workshop branch for this step, then generate sample traffic.
git checkout 01-the-file-input
# mouth is the workshop's log feeder. Reading the flags by name only:
# -f log format, -t target, -m number of messages, -g gap between messages
# in seconds — confirm against the tool's own help before relying on this.
mouth feed -f ApacheAccessEx -t File -m 1000 -g 0.001
Codecs parse logs directly within an input plugin using a pre-defined format or serializer
input {
  file {
    path => ["/home/vagrant/pylog/generated.log"]
    # Each line is decoded as a JSON document into event fields. A line that
    # is not valid JSON is kept verbatim in "message" and the event is tagged
    # _jsonparsefailure, so failures can be spotted with a tag query.
    codec => json
  }
}
filter {
  # Parse the Apache combined access line held in "message" into fields
  # (clientip, verb, request, response, bytes, agent, ...). This assumes the
  # JSON documents above carry a "message" key holding the raw line.
  # A line that does not match is tagged _grokparsefailure; watch that tag
  # rather than letting unparsed lines silently pile up. Grok on untrusted
  # log lines can also be slow when a pattern fails late on long input —
  # newer plugin versions support a per-match timeout for that.
  grok {
    match => ["message", "%{COMBINEDAPACHELOG}"]
  }
}
# Branch for the grok step, then replay sample Apache access lines into
# the file input (flag meanings inferred from their names — see the
# feeder's own help).
git checkout 02-the-grok-filter
mouth feed -f ApacheAccessEx -t File -m 1000 -g 0.001
filter {
  # Stitch continuation lines (those beginning with whitespace, e.g. the
  # indented frames of a stack trace in catalina.out) onto the previous
  # event instead of emitting them as separate events. The plugin-level
  # `type` limits this to events typed "catalina_out".
  multiline {
    type => "catalina_out"
    pattern => "^\s"
    what => "previous"
  }
}
RabbitMQ is an advanced message broker with queuing abilities. We can use it to build a more elaborate pipeline with ELK.
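input {
  # Consume JSON events from the "logstash" queue on the local broker.
  # No user/password or ssl settings are given, so the plugin defaults
  # apply — set them explicitly for any broker that is not this workshop VM.
  rabbitmq {
    host => "localhost"
    codec => "json"
    queue => "logstash"
    # Booleans are written bare, as elsewhere in these configs
    # (fields_are_metrics => true). The quoted "true"/"false" strings were
    # coerced by the plugin but are not the idiomatic form.
    durable => true
    # durable + auto_delete: the queue survives a broker restart but is
    # deleted once its last consumer (this Logstash) disconnects, so anything
    # published while Logstash is down is lost. Use auto_delete => false if
    # the queue is meant to buffer across Logstash restarts.
    auto_delete => true
    exclusive => false
  }
}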
RabbitMQ reference: link
git checkout 03-rabbitmq-as-a-broker
# Feed sample Apache access lines to the broker target instead of a file;
# -c points at the feeder's own config (resources/feeder_config.py) for the
# AMQP connection details. Flag meanings inferred from names — see the
# feeder's help.
mouth feed -f ApacheAccessEx -t test_amqp -m 1000 -g 0.001 -c resources/feeder_config.py
filter {
  # Enrich with location fields looked up from the client address that grok
  # extracted into "clientip". No database is named, so the plugin's bundled
  # one is used. NOTE(review): if the web server sits behind a proxy or load
  # balancer, "clientip" is the proxy's address, not the visitor's — the
  # map then shows the proxy. Private/reserved addresses have no location;
  # check the plugin docs for how a failed lookup is tagged.
  geoip {
    source => "clientip"
  }
}
# Branch for the geoip step, then replay sample traffic through the broker
# (flag meanings inferred from names — see the feeder's help).
git checkout 04-geoip-to-kibana-map
mouth feed -f ApacheAccessEx -t test_amqp -m 1000 -g 0.001 -c resources/feeder_config.py
filter {
  # Map a field's value through an inline lookup table given as flat
  # key/value pairs. The first two entries look like HTTP status codes; the
  # remaining two are only illustrative.
  # NOTE(review): as written this snippet names no field to look up. The
  # translate plugin's `field` option is required and says which event
  # field is matched; the result is written to a destination field
  # (`destination`) unless configured otherwise. Fill that in before
  # running it, or Logstash rejects the config.
  translate {
    dictionary => [ "100", "Continue",
                    "101", "Switching Protocols",
                    "merci", "thank you",
                    "old version", "new version" ]
  }
}
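filter {
  # Turn the Apache access timestamp into the event's @timestamp.
  # Sample value as logged by the feeder: 04/Aug/14:10:59:09 +0000
  date {
    # YY is a two-digit year, matching the sample above. The usual Apache
    # form carries a four-digit year (dd/MMM/yyyy); such a line would fail
    # this pattern and be tagged _dateparsefailure, with @timestamp left at
    # the time Logstash created the event — watch that tag.
    # Z parses the zone offset. The previous pattern ended in the literal
    # "+0000", which matched the text but did not apply the zone, so the
    # time was read in the pipeline's default timezone; with Z the offset
    # in the line is honoured, and "+0000" still matches.
    match => [ "timestamp", "dd/MMM/YY:HH:mm:ss Z" ]
    target => "@timestamp"
    # Presumably dropped only once the match succeeds, so a failed parse
    # keeps the raw value for troubleshooting — confirm against the plugin
    # docs for the installed version.
    remove_field => [ "timestamp" ]
  }
}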
# Branch for the date-filter step, then replay sample traffic through the
# broker (flag meanings inferred from names — see the feeder's help).
git checkout 05-the-date-filter
mouth feed -f ApacheAccessEx -t test_amqp -m 1000 -g 0.001 -c resources/feeder_config.py
We can deduplicate logs in Elasticsearch, removing duplicate log entries to save space and clean up the logs
filter {
  # Hash the raw line so identical lines get the same id, which is the
  # dedup key used by the output below. Only "message" is hashed, so two
  # events that differ elsewhere (host, type, tags) but share the same line
  # collapse into one document — fine for access lines, which embed their
  # own timestamp, but worth remembering for other sources.
  # NOTE(review): no method/key are given, so the plugin defaults apply;
  # some fingerprint methods require `key` — check the installed version.
  fingerprint {
    source => ["message"]
    target => "fingerprint"
  }
}
output {
  # Using the hash as the document id makes a repeated line overwrite the
  # existing document instead of creating a new one. If the fingerprint
  # filter above is not in the pipeline, "%{fingerprint}" is not expanded and
  # every event overwrites the single document with that literal id.
  # No host given here, so the output's default applies.
  elasticsearch {
    document_id => "%{fingerprint}"
  }
}
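filter {
  # Meter the event stream: at each flush (the plugin's flush_interval) a
  # synthetic event is emitted carrying the messages.count and
  # messages.rate_1m/5m/15m values, tagged "metric" so outputs can tell it
  # apart from real log events.
  metrics {
    meter => ["messages"]
    add_tag => "metric"
  }
}
output {
  # Send only the metric events to Graphite. The condition previously read
  # `"metric" in ["tags"]`, which is an array literal holding the string
  # "tags" and therefore never true — the Graphite output was never reached.
  # [tags] is the field reference.
  if "metric" in [tags] {
    graphite {
      fields_are_metrics => true
      # Matches messages.rate_1m and messages.rate_5m; rate_15m has two
      # digits before "m" and is left out. Use [0-9]+m if that is unintended.
      include_metrics => "messages\.rate_[0-9]m"
      metrics_format => "logstash.*"
    }
  }
}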
output {
  # Index into the local cluster with the fingerprint as document id (see
  # the fingerprint filter earlier in these notes; without it the id stays
  # the literal "%{fingerprint}" and every event overwrites one document).
  # No conditional here, so any metric events emitted by the metrics filter
  # (tag "metric") are indexed as well unless excluded. No credentials or
  # TLS are set — acceptable on the workshop VM only.
  elasticsearch {
    host => "localhost"
    document_id => "%{fingerprint}"
  }
  # Also append every event to a local file, one event per line in the
  # output's default codec. The file grows without bound; rotate or cap it
  # outside the workshop.
  file {
    path => "/home/vagrant/elk-workshop/analyzed.log"
  }
}
# Branch for the file-output step, then replay sample traffic through the
# broker (flag meanings inferred from names — see the feeder's help).
git checkout 06-output-to-file
mouth feed -f ApacheAccessEx -t test_amqp -m 1000 -g 0.001 -c resources/feeder_config.py