Difference between revisions of "Logstash"
| Line 3: | Line 3: | ||
=Installation= | =Installation= | ||
| + | |||
| + | You can install logstash either manually or as an APT-GET package. I recommend you to use the ''manual'' installation because the ''automatic'' one will chroot you in /var/log. If your application is using logs that are somewhere else, then you'll be screwed. | ||
| + | |||
| + | |||
| + | ==Manual installation (recommended)== | ||
| + | |||
| + | '''Be careful''': Logstash version must match the ElasticSearch version for better performances. | ||
| + | |||
| + | |||
| + | * Get Logstash from the official website: http://logstash.net/ | ||
| + | * Install it and unpack it into /opt/ | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | cd /tmp | ||
| + | wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz | ||
| + | tar xjvf logstash-1.4.2.tar.gz | ||
| + | rm logstash-1.4.2.tar.gz | ||
| + | mv logstash-1.4.2/ /opt/ | ||
| + | cd /opt | ||
| + | ln -s /opt/logstash-1.4.2 /opt/logstash | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | * Create configuration directories | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | mkdir -p /etc/logstash/conf.d | ||
| + | mkdir /etc/logstash/grok | ||
| + | chmod -R 777 /etc/logstash | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | * touch log file | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | touch /var/log/logstash.log | ||
| + | chmod -R 777 /var/log/logstash.log | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | * Create an init.d script | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | cd /etc/init.d | ||
| + | vim logstash.sh | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | Parse the following content: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | #!/bin/sh | ||
| + | ### BEGIN INIT INFO | ||
| + | # Provides: logstash | ||
| + | # Required-Start: $remote_fs $syslog | ||
| + | # Required-Stop: $remote_fs $syslog | ||
| + | # Default-Start: 2 3 4 5 | ||
| + | # Default-Stop: 0 1 6 | ||
| + | # Short-Description: Start daemon at boot time | ||
| + | # Description: Enable service provided by daemon. | ||
| + | ### END INIT INFO | ||
| + | |||
| + | . /lib/lsb/init-functions | ||
| + | |||
| + | if [ $(id -u) -ne 0 ]; then | ||
| + | echo -e " " | ||
| + | echo -e "!!!!!!!!!!!!!!!!!!!!" | ||
| + | echo -e "!! Security alert !!" | ||
| + | echo -e "!!!!!!!!!!!!!!!!!!!!" | ||
| + | echo -e "You need to be root or have root privileges to run this script!\n\n" | ||
| + | echo -e " " | ||
| + | exit 1 | ||
| + | fi | ||
| + | |||
| + | |||
| + | name="logstash" | ||
| + | logstash_bin="/opt/logstash/bin/logstash" | ||
| + | logstash_conf="/etc/logstash/conf/" | ||
| + | logstash_log="/var/log/logstash.log" | ||
| + | pid_file="/var/run/$name.pid" | ||
| + | |||
| + | start () { | ||
| + | command="${logstash_bin} agent -f $logstash_conf --log ${logstash_log}" | ||
| + | log_daemon_msg "Starting $name" "$name" | ||
| + | if start-stop-daemon --start --quiet --oknodo --pidfile "$pid_file" -b -m --exec $command; then | ||
| + | log_end_msg 0 | ||
| + | else | ||
| + | log_end_msg 1 | ||
| + | fi | ||
| + | } | ||
| + | testConfig () { | ||
| + | echo "#############################" | ||
| + | echo " Logstash configuration test" | ||
| + | echo "#############################" | ||
| + | command="${logstash_bin} -f $logstash_conf --verbose -t" | ||
| + | $command | ||
| + | } | ||
| + | stop () { | ||
| + | log_daemon_msg "Stopping $name" "$name" | ||
| + | start-stop-daemon --stop --quiet --oknodo --pidfile "$pid_file" | ||
| + | } | ||
| + | status () { | ||
| + | status_of_proc -p $pid_file "" "$name" | ||
| + | } | ||
| + | |||
| + | case $1 in | ||
| + | start) | ||
| + | if status; then exit 0; fi | ||
| + | start | ||
| + | ;; | ||
| + | stop) | ||
| + | stop | ||
| + | ;; | ||
| + | reload) | ||
| + | stop | ||
| + | start | ||
| + | ;; | ||
| + | restart) | ||
| + | stop | ||
| + | start | ||
| + | ;; | ||
| + | status) | ||
| + | status && exit 0 || exit $? | ||
| + | ;; | ||
| + | testConfig) | ||
| + | testConfig | ||
| + | ;; | ||
| + | *) | ||
| + | echo "Usage: $0 {start|stop|restart|reload|status|testConfig}" | ||
| + | exit 1 | ||
| + | ;; | ||
| + | esac | ||
| + | exit 0 | ||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | * Create symlinks | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | ln -s /etc/init.d/logstash.sh /usr/bin/logtash | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | * Register application as a service (optional) | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | cd /etc/init.d | ||
| + | update-rc.d logstash.sh defaults | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
| + | ==Automatic installation== | ||
Source: http://logstash.net/docs/latest/repositories | Source: http://logstash.net/docs/latest/repositories | ||
| Line 20: | Line 174: | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 13:24, 20 November 2014
Contents
Installation
You can install logstash either manually or as an APT-GET package. I recommend you to use the manual installation because the automatic one will chroot you in /var/log. If your application is using logs that are somewhere else, then you'll be screwed.
Manual installation (recommended)
Be careful: Logstash version must match the ElasticSearch version for better performances.
- Get Logstash from the official website: http://logstash.net/
- Install it and unpack it into /opt/
cd /tmp
wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz
tar xjvf logstash-1.4.2.tar.gz
rm logstash-1.4.2.tar.gz
mv logstash-1.4.2/ /opt/
cd /opt
ln -s /opt/logstash-1.4.2 /opt/logstash
- Create configuration directories
mkdir -p /etc/logstash/conf.d
mkdir /etc/logstash/grok
chmod -R 777 /etc/logstash
- touch log file
touch /var/log/logstash.log
chmod -R 777 /var/log/logstash.log
- Create an init.d script
cd /etc/init.d
vim logstash.sh
Parse the following content:
#!/bin/sh
### BEGIN INIT INFO
# Provides: logstash
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
. /lib/lsb/init-functions
if [ $(id -u) -ne 0 ]; then
echo -e " "
echo -e "!!!!!!!!!!!!!!!!!!!!"
echo -e "!! Security alert !!"
echo -e "!!!!!!!!!!!!!!!!!!!!"
echo -e "You need to be root or have root privileges to run this script!\n\n"
echo -e " "
exit 1
fi
name="logstash"
logstash_bin="/opt/logstash/bin/logstash"
logstash_conf="/etc/logstash/conf/"
logstash_log="/var/log/logstash.log"
pid_file="/var/run/$name.pid"
start () {
command="${logstash_bin} agent -f $logstash_conf --log ${logstash_log}"
log_daemon_msg "Starting $name" "$name"
if start-stop-daemon --start --quiet --oknodo --pidfile "$pid_file" -b -m --exec $command; then
log_end_msg 0
else
log_end_msg 1
fi
}
testConfig () {
echo "#############################"
echo " Logstash configuration test"
echo "#############################"
command="${logstash_bin} -f $logstash_conf --verbose -t"
$command
}
stop () {
log_daemon_msg "Stopping $name" "$name"
start-stop-daemon --stop --quiet --oknodo --pidfile "$pid_file"
}
status () {
status_of_proc -p $pid_file "" "$name"
}
case $1 in
start)
if status; then exit 0; fi
start
;;
stop)
stop
;;
reload)
stop
start
;;
restart)
stop
start
;;
status)
status && exit 0 || exit $?
;;
testConfig)
testConfig
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status|testConfig}"
exit 1
;;
esac
exit 0
- Create symlinks
ln -s /etc/init.d/logstash.sh /usr/bin/logtash
- Register application as a service (optional)
cd /etc/init.d
update-rc.d logstash.sh defaults
Automatic installation
Source: http://logstash.net/docs/latest/repositories
- Add Logstash repository: see Sources#ELK
- Install application
apt-get install logstash logstash-contrib>> Binaries in /opt/logstash
>> Configuration in /etc/logstash/conf.d/
>> Logs in /var/log/logstash/
Configuration
Edit the configuration file:
vim /etc/logstash/conf.d/logstash.conf
Check your configuration:
cd /opt/logstash/bin
./logstash -f /etc/logstash/conf.d/ -t --verbose
Apache2 logs
To process your Apache2 logs you can use the following configuration. That comes from the official ElasticSearch webinar:
vim /etc/logstash/conf.d/apache2_logs.conf
Put the following content
## List of complete inputs | filters | output available on the official website:
## http://logstash.net/docs/latest/index
## Configuration syntax: http://logstash.net/docs/latest/configuration
###### Data sources to process #####
input {
file {
path => "/var/log/apache2/combined_log"
type => "apache"
}
file {
path => "/var/log/messages"
type => "syslog"
}
}
filter {
# REMINDER: you can check on Kibana the field name to use for each filter.
if [type] == "apache" {
# To process log data (message's content) using some regex
grok {
match => [ "message", "%{}"]
}
# To extract log's time according to a date pattern
date {
match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z"]
}
# Extraction browser information, if available.
if [agent] != "" {
useragent {
source => "agent"
}
}
if [clientip] != "" {}
geoip {
source => "clientip"
}
}
}
}
output {
elasticsearch {
cluster => "clusterName"
node => "logstash_agent_name"
}
}
Application logs
To be done: LOG4J logs
Start Logstash
service logstash start
## OR ##
/etc/init.d/logstash start
References
- Very good webinar from the ElasticSearch team: http://www.elasticsearch.org/webinars/introduction-to-logstash/?watch=1
https://home.regit.org/2014/01/a-bit-of-logstash-cooking/
mkdir -p /usr/share/logstash/grok vim /usr/share/logstash/grok/apacheErrorLog
HTTPERRORDATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} APACHEERRORLOG \[%{HTTPERRORDATE:timestamp}\] \[%{WORD:severity}\] \[client %{IPORHOST:clientip}\] %{GREEDYDATA:message_remainder}
/opt/logstash/bin/logstash agent -f /etc/logstash/conf.d/ --verbose
