ELK: Logstash to read log files from remote Samba-mapped network drives

Tags: elasticsearch, elk, logstash

I'm new to ELK, and I would like to set up a solution to index Microsoft IIS and .NET application logs with ES.

I'm aware of different approaches:

1) [app servers: log files ➔ Logstash] ➔ [collecting server: Redis ➔ Logstash] ➔ [ES cluster: ES ➔ Kibana]

The con of this method is having to install, configure and maintain a Logstash instance on each Windows server that produces logs.

2) [app servers: log files ➔ Filebeat] ➔ [collecting server: Logstash ➔ Redis ➔ Logstash] ➔ [ES cluster: ES ➔ Kibana]

The con of this method is that Filebeat currently does not support multiline log entries, and my .NET apps produce multi-line exceptions. I'm also not sure how the intermediate Logstash + Redis + Logstash chain should be configured to handle this.

So I thought: given that Logstash is able to collect log data by itself, without Filebeat or any other forwarder (please correct me if I'm wrong), I might try the following:

[app servers: log files] ➔ [collecting server: Samba-mapped network drives ➔ Logstash ➔ Redis ➔ Logstash] ➔ [ES cluster: ES ➔ Kibana]

Under that hypothesis, I wouldn't need to install a Logstash instance on each app server. The central Logstash instance (or multiple instances) would fetch the files over the Samba-mapped network drives and apply the multiline codec before pushing log entries to Redis.
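To make that concrete, the central instance's configuration could look something like this (the paths, the pattern and the Redis key are placeholders I made up, not a tested setup):

    input {
      file {
        # Log directories exposed through the Samba-mapped network drives
        path => "/mnt/appserver*/logs/*.log"
        type => "dotnet"
        # Join indented stack-trace lines onto the preceding event
        codec => multiline {
          pattern => "^\s"
          what => "previous"
        }
      }
    }
    output {
      redis {
        host => "127.0.0.1"
        data_type => "list"
        key => "logstash"
      }
    }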

Is that technically feasible? Is it a sound architectural choice?

Best Answer

While running Logstash with a file input against your logs on a CIFS share will work, I don't think it will work very well. I haven't used Logstash directly like that, but in my experience using Logstash-Forwarder to watch log files over an SSHFS mount, it doesn't deal well with file rotations or reboots of either end.

As for not being sure how to deal with your multi-line exceptions in Filebeat, I don't think you need to worry about it. Filebeat just takes lines from the files you want to ship and fires them across the network. It adds a few fields, but they don't change the overall picture of Filebeat being a very basic log shipper.

This means you can just run your multi-line filter in Logstash on the collecting server, just as you would if you ran Logstash on the app servers directly.
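In its simplest form, that would be a Beats input feeding a multiline filter on the collecting server; a minimal sketch, assuming the conventional Beats port and stack traces that start with whitespace (both assumptions on my part):

    input {
      beats {
        port => 5044
      }
    }
    filter {
      # Lines starting with whitespace belong to the previous event,
      # which is typical for .NET (and Java) stack traces
      multiline {
        pattern => "^\s"
        what => "previous"
      }
    }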

Now, depending on your log volume, you might find that you need to increase the number of workers for LS to handle grokking your data effectively.
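For instance, a grok stanza in the Parser might look like this (the pattern is purely illustrative; match it against your actual log format):

    filter {
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{LOGLEVEL:level}\] %{GREEDYDATA:msg}" }
      }
    }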

What I do to handle such things is very similar to your option 2, but instead of just two LS instances (a "Broker" and a "Parser"), I have three.

                            +-------------------+
                           +-------------------+|
                          +-------------------+||
                          |    App Servers    |||
                          |    +----------+   ||+
                          |    | FileBeat |   |+
                          +----+----------+---+
                               /
                             /       
                           /        
        +----------------/----------------------------------------+
        |              /      Collecting Server                   |
        | +----------/-+  +---------------------+  +------------+ |
        | |  Logstash  |  |      Logstash       |  |  Logstash  | |
        | |   Broker   |  |Multi-line Pre-Parser|  |   Parser   | |
        | +------------+  +---^-----------------+  +-----^---V--+ |
        |     |               |             |            |   |    |
        |     |               |    Redis    |            |   |    |
        |     V       +---------------------V------+     |   |    |
        |     +------->     DB0      |      DB1    + --->+   |    |
        |             +----------------------------+        /     |
        +-------------------------------------------------/-------+
                                                        /
                                                      /
                                                    /
                           +-------------------+  /
                          +-------------------+|/
                         +-------------------+||
                         |   ElasticSearch   ||+
                         |      Cluster      |+
                         +-------------------+
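Wired together, the three instances might look roughly like this (hosts, ports, keys and DB numbers are placeholders inferred from the diagram, not my exact configs):

    # broker.conf: accepts events from FileBeat, queues raw lines in DB0
    input  { beats { port => 5044 } }
    output { redis { host => "127.0.0.1" db => 0 data_type => "list" key => "raw" } }

    # preparser.conf: joins multi-line events, queues them in DB1
    input  { redis { host => "127.0.0.1" db => 0 data_type => "list" key => "raw" } }
    filter { multiline { pattern => "^\s" what => "previous" } }
    output { redis { host => "127.0.0.1" db => 1 data_type => "list" key => "joined" } }

    # parser.conf: grok/filter as usual and ship to ElasticSearch
    input  { redis { host => "127.0.0.1" db => 1 data_type => "list" key => "joined" } }
    output { elasticsearch { hosts => ["es-node:9200"] } }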

All the Pre-Parser instance does is transform multi-line log entries into a single event so that the Parser can do its job properly. And even then, I check type and tags to see if there's even a possibility that the lines will be multi-line, so the overhead is minimal.
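So in the Pre-Parser the multiline filter is actually wrapped in a guard, something like this (the type and tag values are assumptions; use whatever your shippers attach to events):

    filter {
      # Only .NET application logs can contain multi-line exceptions,
      # so everything else bypasses the multiline filter entirely
      if [type] == "dotnet" or "multiline" in [tags] {
        multiline {
          pattern => "^\s"
          what => "previous"
        }
      }
    }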

I'm easily able to push 1000 events a second through it (barely hitting 20% CPU). Further, that system is an ELK stack-in-a-box, so with dedicated nodes for LS and ES it should be able to handle considerably more.

Why not just crank up the workers on the Parser instance? Well, this stems from the fact that the multiline filter in LS doesn't support multiple workers.

From the multiline filter documentation:
This filter will collapse multiline messages from a single source into one Logstash event.

The original goal of this filter was to allow joining of multi-line messages from files into a single event. For example - joining java exception and stacktrace messages into a single event.

Note: This filter will not work with multiple worker threads (-w 2 on the Logstash command line).
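Which is why, in this layout, the instance running multiline stays pinned to a single worker while the Parser is free to scale. Hypothetical invocations (paths and worker counts are placeholders):

    # The Pre-Parser must stay single-threaded because of the multiline filter
    /opt/logstash/bin/logstash -f /etc/logstash/preparser.conf -w 1

    # The Parser has no such restriction, so give grok more workers
    /opt/logstash/bin/logstash -f /etc/logstash/parser.conf -w 4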