Logstash + Elasticsearch + Kibana Centralized Log server (as Splunk replacement) Marko Ojleski DevOps Engineer
Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup
Jan 26, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Logstash + Elasticsearch + Kibana Centralized Log server
(as Splunk replacement)
Marko Ojleski DevOps Engineer
$plunk
Business as usual, untill…
#Outage @03:00AM
Check logs….?!? 10 network devices
40 servers 100 logs
Massive RAGE
tail cat
grep sed awk sort uniq
and looots of |
tail -10000 access_log | awk '{print $1}' | sort | uniq -c | sort -n
it’s just too much
1. collect data 2. parse/filter 3. send data
Logstash written in JRuby Author: Jordan Sissel
output
parse/filter
input
1. collect data
30+ inputs
Logstash input
1. collect data
file syslog tcp udp zmq
redis log4j
Log shippers
Logstash Beaver (Python) Lumberjack (Go)
Woodchuck (Ruby) Nxlog (C)
Sample conf
input { tcp { type => “server1" host => "192.168.1.1" port => "5555" }
2. parse/filter
40+ filters
Logstash filters
2. parse/filter
grok
grep
json xml
csv
geoip
mutate key/value
Grok filter
REGEX pattern collection
Grok filter
Grok filter
(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-
9]{1,2}))(?![0-9])
Grok filter
(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-
9]{1,2}))(?![0-9])
IP
`$=`;$_=\%!;($_)=/(.)/;$==++$|;($.,$/,$,,$\,$",$;,$^,$#,$~,$*,$:,@%)=( $!=~/(.)(.).(.)(.)(.)(.)..(.)(.)(.)..(.)......(.)/,$"),$=++;$.++;$.++;
$_++;$_++;($_,$\,$,)=($~.$"."$;$/$%[$?]$_$\$,$:$%[$?]",$"&$~,$#,);$,++ ;$,++;$^|=$";`$_$\$,$/$:$;$~$*$%[$?]$.$~$*${#}$%[$?]$;$\$"$^$~$*.>&$=`
`$=`;$_=\%!;($_)=/(.)/;$==++$|;($.,$/,$,,$\,$",$;,$^,$#,$~,$*,$:,@%)=( $!=~/(.)(.).(.)(.)(.)(.)..(.)(.)(.)..(.)......(.)/,$"),$=++;$.++;$.++;
$_++;$_++;($_,$\,$,)=($~.$"."$;$/$%[$?]$_$\$,$:$%[$?]",$"&$~,$#,);$,++ ;$,++;$^|=$";`$_$\$,$/$:$;$~$*$%[$?]$.$~$*${#}$%[$?]$;$\$"$^$~$*.>&$=`
Just another Perl hacker.
Grok filter
120+ regex patterns
USERNAME IP
HOSTNAME SYSLOGTIMESTAMP
LOGLEVEL etc…
Grok filter
2.10.146.54 - 2013-12-01T13:37:57Z - some really boring message
Grok filter
2.10.146.54 - 2013-12-01T13:37:57Z - some really boring message
%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message}
Grok filter
client => 2.10.146.54 time => 2013-12-01T13:37:57Z message = > some really boring message
Grok filter
input { tcp { type => “server1" host => "192.168.1.1" port => "5555" }
filter { if [type] == “server1" { grok { match => { "message" => "%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message} "} } }
3. send data
50+ outputs
Logstash output
3. send data
stdout
elastic redis mongo zmq tcp
statsd
1. RESTful api 2. JSON-oriented 3. Horizontal scale 4. HA 5. Full Text search 6. Based on Lucene
Elasticsearch Distributed RESTful
search server
Logstash => elasticsearch
input { tcp { type => “server1" host => "192.168.1.1" port => "5555" } filter { if [type] == “server1" { grok { match => { "message" => "%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message} "} } } output { elasticsearch {} }
1. Clean and simple UI 2. Fully customizable 3. Bootstrap based 4. Old version running on Ruby 5. Milestone 3 fully rewritten in HTML/Angular.js
Kibana Awesome Elasticsearch
Web Frontend to search/graph
Real Life Scenarios
Scenario 1
L2 switch
Cisco ASA
L3 switch
Syslog broker (lightweight shipper)
Logstash (main log server)
Elasticsearch
Kibana
UDP
UDP
UDP
Scenario 2
Apache (lightweight shipper)
IIS (lightweight shipper)
Jboss (lightweight shipper)
Logstash (main log server)
Elasticsearch
Kibana
TCP
TCP
TCP
Related Documents
