ElasticSearch Multiple Indexes and Routing

Tags: elasticsearch, logging

Currently I have the following setup.

Syslog –> Logstash –> ElasticSearch –> Kibana

Logstash is creating a daily index "/etc/elasticsearch/data/test-elasticsearch/nodes/0/indices/logstash-2014.02.04" and I'm viewing all of the logs through Kibana. We want to set up some user-based access control using the kibana-authentication-proxy setup due to it supporting:

    "Per-user kibana index supported. Now you can use index kibana-int-userA for user A and kibana-int-userB for user B."

I'd like to make it where all logs coming in from logstash with a location of "/var/log/UNIX/*.log" get sent to a new index of unix-2014.02.04 instead of the logstash one. That way I can use the Kibana auth proxy to give my UNIX users access only to their logs. I've read a little about creating the mappings but wasn't sure how to tie it all together. I saw you could do various things with API calls but was curious if I could set all of this up in the elasticsearch.yml file from the start.

Thanks,

Eric

Best Answer

I found out that you can do this in the logstash configuration using input and output filters. The new "if" way is shown below, but I haven't gotten it to work yet.

input {
  file {
    type => "unixlogs"
    path => "/var/log/UNIX/*.log"
  }
}

output {
  if [type] == "unixlogs" {
    elasticsearch {
      host => "localhost"
      index => "unix-%{+YYYY.MM.dd}"
    }
  }
}

Below is the older way to do it that I have gotten to work.

input {
  file {
    type => "syslog"
    exclude => ["*.gz"]
    start_position => "end"
    path => [ "/var/logs/Security/*.log" ]
  }

  file {
    type => "unix-syslog"
    exclude => ["*.gz"]
    start_position => "end"
    path => [ "/var/logs/UNIX/*.log" ]
  }
}

output {
  elasticsearch {
    type => "unix-syslog"
    embedded => "false"
    host => "X.X.X"
    cluster => "my-elasticsearch"
    index => "unix-%{+YYYY.MM.dd}"
  }
  elasticsearch {
    embedded => "false"
    host => "X.X.X"
    cluster => "my-elasticsearch"
  }
}

With the top way it will only write to the one index you tell it to. With the bottom way, the UNIX logs will write to the unix index and the generic index, since it's not an "if", just an "and".
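Putting the two halves of the answer together, here is one complete pipeline that routes each source to its own daily index and uses an explicit else branch so that no event is written to both the unix-* and the logstash-* index. This is an added example, not the answerer's working config; the host name and cluster name are placeholders, and the path names follow the question rather than the answer's "/var/logs" spelling.

```logstash
# Added example: per-source index routing with if/else (placeholders for host/cluster).
input {
  file {
    type => "unix-syslog"
    path => [ "/var/log/UNIX/*.log" ]
    exclude => [ "*.gz" ]
    start_position => "end"
  }

  file {
    type => "syslog"
    path => [ "/var/log/Security/*.log" ]
    exclude => [ "*.gz" ]
    start_position => "end"
  }
}

output {
  # Events from the UNIX file input go only to the unix-YYYY.MM.dd index.
  if [type] == "unix-syslog" {
    elasticsearch {
      host => "es.example.internal"      # placeholder
      cluster => "my-elasticsearch"      # placeholder
      index => "unix-%{+YYYY.MM.dd}"
    }
  } else {
    # Everything else keeps the default logstash-YYYY.MM.dd index.
    elasticsearch {
      host => "es.example.internal"      # placeholder
      cluster => "my-elasticsearch"      # placeholder
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}
```

The else branch is what prevents the double write described above: in the older two-output form the second elasticsearch block has no condition, so it receives every event, UNIX ones included. One caveat for the access-control goal in the question: splitting events into separate indexes only gives each user's Kibana index (kibana-int-userA, kibana-int-userB) a distinct dataset to point at; it does not by itself stop a user from querying another index pattern, so whatever sits in front of Elasticsearch still has to restrict which indexes each user's queries may reach.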
