Centralized Logging with Logstash and Kibana

Logstash

Process Any Data, From Any Source

(Collect, Enrich & Transport Data)

  • Centralize data processing of all types
  • Normalize varying schema and formats
  • Quickly extend to custom log formats
  • Easily add plugins for custom data sources

Kibana

  • Flexible analytics and visualization platform
  • Real-time summary and charting of streaming data
  • Intuitive interface for a variety of users
  • Instant sharing and embedding of dashboards

See the Value in Your Data

How can they work together?

  logstash-forwarder 1 ---+
  logstash-forwarder 2 ---+--> Logstash --> Elasticsearch (ES, one or more nodes) --> Kibana
  logstash-forwarder 3 ---+
  ...

(Architecture diagram from the slide: each host ships its log files with logstash-forwarder to one central Logstash, which parses them and indexes the events into Elasticsearch; Kibana reads from Elasticsearch.)

Logstash can output data to many plugins:

https://www.elastic.co/guide/en/logstash/current/output-plugins.html

Configuration

Each application host runs logstash-forwarder with a small JSON config naming the central Logstash server, the CA certificate used to verify it, and the files to ship. The Logstash host holds the input, filter and output files under conf.d.

logstash-forwarder on an Apache web host:

$ cat logstash-forwarder.conf
{
  "network": {
    "servers": [
      "logstash.mygo1.com:5000"
    ],
    "timeout": 15,
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
  },
  "files": [
    {
      "paths": [
        "/var/log/syslog",
        "/var/log/auth.log"
      ],
      "fields": { "type": "syslog" }
    },
    {
      "paths": [
        "/var/log/apache2/access.log",
        "/var/log/apache2/other_vhosts_access.log"
      ],
      "fields": { "type": "apache-access" }
    },
    {
      "paths": [
        "/var/log/apache2/error.log"
      ],
      "fields": { "type": "apache-error" }
    }
  ]
}

logstash-forwarder on the HAProxy host (same Logstash server and CA certificate; only the shipped files differ):

$ cat logstash-forwarder.conf
{
  "network": {
    "servers": [ "logstash.mygo1.com:5000" ],
    "timeout": 15,
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
  },
  "files": [
    {
      "paths": [
        "/var/log/syslog",
        "/var/log/auth.log"
       ],
      "fields": { "type": "syslog" }
    },
    {
      "paths": [
        "/var/log/haproxy.log"
      ],
      "fields": { "type": "haproxy-access" }
    }
  ]
}

On the Logstash server (files under conf.d, loaded in name order):

$ cat 01-lumberjack-input.conf
input {
  lumberjack {
    port => 5000
    # Default only: events that already carry "type" from the forwarder's
    # "fields" keep it, which is what the filters below match on.
    type => "logs"
    # Serve the certificate that every forwarder pins as "ssl ca"; logstash-forwarder
    # also checks that its CN/SAN matches the name it connects to (logstash.mygo1.com).
    # The private key never leaves this host.
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
$ cat 10-syslog.conf
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Both extra fields in a single add_field hash rather than two add_field keys.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    syslog_pri { }
    date {
      # Syslog timestamps carry no year, so the filter fills in the current one.
      # The two-space form "MMM  d" matches single-digit days as syslog pads them.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
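To see what that filter actually extracts, here is an added Python mirror of the grok expression and the date patterns above (an illustration written for this page, not Logstash code). It parses a few constructed auth.log lines, supplies the missing year the way the date filter has to, and then runs a simple detection over the parsed events: failed SSH logins counted per source address. The log lines, host name web1 and the address 203.0.113.7 are made up.

```python
import re
from datetime import datetime

# Python equivalent of the grok expression in 10-syslog.conf, with the grok
# primitives (SYSLOGTIMESTAMP, SYSLOGHOST, DATA, POSINT, GREEDYDATA) expanded.
# Added illustration for this page, not Logstash code.
SYSLOG_LINE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Constructed auth.log lines (203.0.113.7 is a documentation address).
SAMPLE_AUTH_LOG = """\
Mar  9 07:02:11 web1 sshd[2931]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 07:02:13 web1 sshd[2931]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 07:05:40 web1 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
Mar 10 07:06:00 web1 CRON[3012]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

FAILED_SSH = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_syslog(line, year):
    """Return the fields the grok filter would add, or None on a parse failure
    (Logstash tags such an event _grokparsefailure and keeps the raw message)."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # The date filter's "MMM  d HH:mm:ss" / "MMM dd HH:mm:ss" patterns: syslog
    # timestamps carry no year, so one has to be supplied. Logstash uses the
    # current year, which misdates lines replayed across a year boundary.
    ev["@timestamp"] = datetime.strptime(
        f"{year} {ev['syslog_timestamp']}", "%Y %b %d %H:%M:%S"
    )
    return ev


def parse_all(text, year):
    return [parse_syslog(line, year) for line in text.splitlines()]


def failed_ssh_by_source(events):
    """Detection over the parsed events: failed SSH password attempts per source."""
    counts = {}
    for ev in events:
        if ev is None or ev["syslog_program"] != "sshd":
            continue
        m = FAILED_SSH.search(ev["syslog_message"])
        if m:
            counts[m["src"]] = counts.get(m["src"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_all(SAMPLE_AUTH_LOG, 2015)
    for ev in events:
        print(ev["@timestamp"].isoformat(), ev["syslog_program"], ev["syslog_pid"],
              ev["syslog_message"][:40])
    print("failed ssh logins by source:", failed_ssh_by_source(events))
```

The lazy `.*?` for syslog_program mirrors grok's DATA: it stops at the first `[pid]: ` or `: `, which is why "sudo:" yields program sudo with no pid while "sshd[2931]:" yields both.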
$ cat 12-haproxy.conf
filter {
  if [type] == "haproxy-access" {
    grok {
      patterns_dir => ["/etc/logstash/patterns/"]
      # "pattern =>" is the deprecated spelling; "match" is the supported one.
      # Try the httplog form first, then tcplog, so lines from a TCP frontend in
      # the same file are parsed instead of all being tagged _grokparsefailure.
      match => { "message" => [ "%{HAPROXYHTTP}", "%{HAPROXYTCP}" ] }
      named_captures_only => true
    }
    geoip {
      # client_ip is the peer HAProxy accepted from. If HAProxy itself sits behind
      # another proxy, look up the captured X-Forwarded-For header instead; do not
      # trust that header when clients reach HAProxy directly.
      source => "client_ip"
      database => "/etc/logstash/GeoLiteCity.dat"
    }
  }
}
$ cat /etc/logstash/patterns/haproxy
## These patterns were tested w/ haproxy-1.4.15

## Documentation of the haproxy log formats can be found at the following links:
## http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
## http://code.google.com/p/haproxy-docs/wiki/TCPLogFormat

# The negative lookbehind and lookahead keep HAPROXYTIME from matching inside a
# longer digit run. (The stock pattern file spells the first one "(?!<[0-9])", a
# lookahead for a literal "<", which is a typo for the lookbehind used here.)
HAPROXYTIME (?<![0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])
HAPROXYDATE %{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}

# Default capture patterns: one DATA blob per brace group. Commented out here because
# the overrides further down are the ones in use; a name should be defined only once.
#HAPROXYCAPTUREDREQUESTHEADERS %{DATA:captured_request_headers}
#HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:captured_response_headers}

# Example:
#  These haproxy config lines will add data to the logs that are captured
#  by the patterns below. Place them in your custom patterns directory to 
#  override the defaults.  
#
#  capture request header Host len 40
#  capture request header X-Forwarded-For len 50
#  capture request header Accept-Language len 50
#  capture request header Referer len 200
#  capture request header User-Agent len 200
#
#  capture response header Content-Type len 30
#  capture response header Content-Encoding len 10
#  capture response header Cache-Control len 200
#  capture response header Last-Modified len 200
#
# The field order below must match the order of the capture lines in haproxy.cfg;
# HAProxy joins the captured values with "|" in that order.
HAPROXYCAPTUREDREQUESTHEADERS %{DATA:request_header_host}\|%{DATA:request_header_x_forwarded_for}\|%{DATA:request_header_accept_language}\|%{DATA:request_header_referer}\|%{DATA:request_header_user_agent}
HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:response_header_content_type}\|%{DATA:response_header_content_encoding}\|%{DATA:response_header_cache_control}\|%{DATA:response_header_last_modified}

# parse a haproxy 'httplog' line 
HAPROXYHTTP %{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response:int}/%{NOTSPACE:time_duration:int} %{INT:http_status_code} %{NOTSPACE:bytes_read:int} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"

# parse a haproxy 'tcplog' line
HAPROXYTCP %{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}
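As an added example (not from the slides or the Logstash pattern library), a Python equivalent of HAPROXYHTTP with the header overrides above. It parses two constructed httplog lines, one served request with captured headers and one request HAProxy rejected, casts the fields the pattern marks `:int`, splits the `|`-joined captured headers into the field names the override defines, and picks the address the geoip filter should look up. The log lines, the host lb1, and all addresses and header values are constructed.

```python
import re

# Python equivalent of HAPROXYHTTP from the patterns file above, with the grok
# primitives expanded. Added illustration for this page, not Logstash code.
HAPROXY_HTTP = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<syslog_server>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend_name>\S+) (?P<backend_name>[^/\s]+)/(?P<server_name>\S+) "
    r"(?P<time_request>-?\d+)/(?P<time_queue>-?\d+)/(?P<time_backend_connect>-?\d+)/"
    r"(?P<time_backend_response>-?\d+)/(?P<time_duration>\+?\d+) "
    r"(?P<http_status_code>-?\d+) (?P<bytes_read>\+?\d+) "
    r"(?P<captured_request_cookie>\S+) (?P<captured_response_cookie>\S+) "
    r"(?P<termination_state>\S+) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\+?\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "
    r"(?:\{(?P<captured_request_headers>[^}]*)\} )?"
    r"(?:\{(?P<captured_response_headers>[^}]*)\} )?"
    r'"(?P<http_request>[^"]*)"$'
)

# Field names follow the HAPROXYCAPTUREDREQUESTHEADERS / ...RESPONSEHEADERS overrides,
# i.e. the order of the "capture ... header" lines in haproxy.cfg.
REQUEST_HEADERS = ["host", "x_forwarded_for", "accept_language", "referer", "user_agent"]
RESPONSE_HEADERS = ["content_type", "content_encoding", "cache_control", "last_modified"]
INT_FIELDS = ("time_backend_response", "time_duration", "bytes_read")  # ":int" in grok

# Constructed httplog lines: a served request with captured headers, and a request
# HAProxy rejected before choosing a server (PR-- termination, <BADREQ>).
SAMPLE_HAPROXY_LOG = """\
Mar 10 12:14:14 lb1 haproxy[14389]: 203.0.113.9:33317 [10/Mar/2015:12:14:14.655] http-in static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {www.example.com|198.51.100.4|en-US||curl/7.35.0} {text/html|gzip|max-age=300|} "GET /index.html HTTP/1.1"
Mar 10 12:14:15 lb1 haproxy[14389]: 198.51.100.23:4012 [10/Mar/2015:12:14:15.002] http-in http-in/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 2/2/0/0/0 0/0 "<BADREQ>"
"""


def split_captured(raw, names, prefix):
    """HAProxy joins captured headers with '|' in capture order; a header absent from
    the request is an empty field. If the count disagrees with the capture list, keep
    the raw blob rather than assigning values to the wrong names."""
    if raw is None:
        return {}
    values = raw.split("|")
    if len(values) != len(names):
        return {prefix + "raw": raw}
    return {prefix + name: value for name, value in zip(names, values)}


def parse_haproxy_http(line):
    """Fields the grok filter would produce for an httplog line, or None."""
    m = HAPROXY_HTTP.match(line)
    if not m:
        return None  # Logstash would try HAPROXYTCP next, then tag _grokparsefailure
    ev = m.groupdict()
    for field in INT_FIELDS:
        ev[field] = int(ev[field])
    ev.update(split_captured(ev.pop("captured_request_headers"), REQUEST_HEADERS, "request_header_"))
    ev.update(split_captured(ev.pop("captured_response_headers"), RESPONSE_HEADERS, "response_header_"))
    return ev


def client_for_geoip(ev, trust_xff=False):
    """Address the geoip filter should resolve. client_ip is the peer HAProxy accepted
    from; prefer the captured X-Forwarded-For only when HAProxy itself sits behind a
    trusted proxy, because that header is client-supplied and trivially spoofed."""
    xff = ev.get("request_header_x_forwarded_for", "")
    if trust_xff and xff:
        return xff.split(",")[0].strip()
    return ev["client_ip"]


if __name__ == "__main__":
    for line in SAMPLE_HAPROXY_LOG.splitlines():
        ev = parse_haproxy_http(line)
        print(ev["http_status_code"], ev["termination_state"], ev["time_duration"],
              repr(ev["http_request"]), "->", client_for_geoip(ev))
```

The rejected request shows why the pattern makes the brace groups optional and accepts `<BADREQ>`: HAProxy logs no captured headers and no request line for it, and the `PR--` termination state is what to alert on when such lines spike from one client_ip.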
$ cat 30-amazones-output.conf
output {
    amazon_es {
        hosts => ["search-gcsearch-6knzluohklaqa5sekix4pkue4m.ap-southeast-2.es.amazonaws.com"]
        region => "ap-southeast-2"
        # Credentials redacted. Never put a long-lived access key and secret in a
        # config file: they end up in repos, backups and slide decks. Leave both
        # settings out and the plugin falls back to the AWS SDK credential chain
        # (environment variables, shared credentials file, or the EC2 instance's
        # IAM role), which is the right choice for a Logstash host on EC2.
        # aws_access_key_id     => "<REDACTED>"
        # aws_secret_access_key => "<REDACTED>"
        index => "logstash-%{+YYYY.MM.dd}"
    }
}
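Static AWS keys sitting in an output file like the one above are the classic leak in an ELK deployment. As an added check (not part of the deck or of any Logstash plugin), a small Python scanner that finds hard-coded AWS credentials in Logstash config text and produces the hardened variant with both settings removed, leaving amazon_es to the AWS SDK credential chain. The sample config is constructed; its host name is a placeholder and the key pair is the example pair from AWS's own documentation, not a live credential.

```python
import re

# Constructed sample in the shape of 30-amazones-output.conf. The key pair is the
# placeholder pair from AWS's own documentation, not a live credential.
SAMPLE_CONF = """\
output {
    amazon_es {
        hosts => ["search-example-domain.ap-southeast-2.es.amazonaws.com"]
        region => "ap-southeast-2"
        aws_access_key_id => 'AKIAIOSFODNN7EXAMPLE'
        aws_secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
        index => "logstash-%{+YYYY.MM.dd}"
    }
}
"""

# Access key IDs are 20 chars: a 4-letter prefix (AKIA for long-lived IAM keys,
# ASIA for temporary STS keys) plus 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secrets are 40 base64 chars with no distinctive prefix, so anchor on the setting
# name instead of flagging every 40-character token (hashes, tokens) in a config.
SECRET_KEY = re.compile(r"aws_secret_access_key\s*=>\s*['\"]([A-Za-z0-9/+=]{40})['\"]")
STATIC_CRED_SETTING = re.compile(r"^\s*aws_(?:access_key_id|secret_access_key)\s*=>")


def redact(token):
    """Keep enough of the token to identify which key leaked, nothing usable."""
    return token[:4] + "..." + token[-4:]


def find_hardcoded_aws_creds(text):
    """Return (line_number, kind, redacted_token) for every static AWS credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((number, "access_key_id", redact(m.group(0))))
        m = SECRET_KEY.search(line)
        if m:
            findings.append((number, "secret_access_key", redact(m.group(1))))
    return findings


def strip_static_credentials(text):
    """Hardened variant: drop both settings. With neither given, amazon_es uses the
    AWS SDK credential chain (environment variables, shared credentials file, instance
    role), so an EC2 Logstash host writes to the domain via an IAM role, no stored secret."""
    kept = [line for line in text.splitlines() if not STATIC_CRED_SETTING.match(line)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, kind, token in find_hardcoded_aws_creds(SAMPLE_CONF):
        print(f"line {number}: hard-coded {kind} {token}")
    print(strip_static_credentials(SAMPLE_CONF))
```

Run it over conf.d before a deck or a repository commit goes out; any key it reports should be treated as exposed and rotated, since redacting the file afterwards does not revoke the credential.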

Demo

https://kibana4.gocatalyze.com/_plugin/kibana/

By Sang Lê Thanh