Getting logs from systemd unit into flat files and logstash

logstashsystemd

I'm running an application under systemd within CentOS 7. It logs to stdout and systemd is capturing that into journalctl just fine. I'd like to also:

get a rotated text log file also saved to the local filesystem for familiarity to our sysadmins
Get this data cleanly into logstash, ideally just the application logs, not all of syslog which also includes the OS messages, other applications, etc

I was initially researching using multilog from djb's daemontools but given systemd unit files don't like shell pipelines in ExecStart, plus there's no official RPM for daemontools that's part of CentOS, I'm hoping there's a less-cludgey approach.

I currently have logstash-forwarder reading syslog from /var/log/messages and /var/log/secure but I'd rather not include messages other than from this particular application.

Best Answer

~~A third party input plugin for logstash that reads the systemd journal directly is available. Adding support directly to logstash remains an open issue.~~

Logstash now includes a systemd journal input plugin.

Related Solutions

Centos – Logstash Forwarder doesn’t start up with chkconfig in CentOS 5

I ended up posting about the issue on the github page for the project, and I got quite a speedy response pointing me to another issue which came along with another init script, which I have now implemented. This seems to work correctly.

Thanks to TrevorH in the CentOS IRC channel for the assitance, as well as driskell on github for getting me to the new init script, I'll copy it below for reference in case anyone has the same problem I have with that script above:

#!/bin/bash
# chkconfig: 345 80 20
# description: Logstash Forwarder
# processname: logstash-forwarder
# config: /etc/logstash-forwarder
# pidfile: /var/run/logstash-forwarder.pid

### BEGIN INIT INFO
# Provides: logstash-forwarder
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop logstash-forwarder
# Description: Logstash Forwarder
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

PATH=/sbin:/usr/sbin:/bin:/usr/bin

prog=logstash-forwarder
DAEMON=/opt/logstash-forwarder/bin/logstash-forwarder
pidfile=/var/run/$prog.pid
lockfile=/var/lock/subsys/$prog

# load defaults

[ -e /etc/default/$prog ] && . /etc/default/$prog
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

DAEMON_ARGS="${DAEMON_ARGS:--config /etc/logstash-forwarder -spool-size 100 -log-to-syslog}"

start()
{
    echo -n $"Starting $prog: "
    nohup $DAEMON $DAEMON_ARGS </dev/null >/dev/null 2>&1 &
    retval=$?
    pid=$!
    echo $pid > $pidfile
    if [ rh_status_q ]; then
        touch $lockfile
        success
        echo
    fi
    return $retval
}

stop()
{
    echo -n $"Stopping $prog: "
    killproc -p "$pidfile" $prog
    retval=$?
    [ -f "$pidfile" ] && rm -f $pidfile
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    stop
    start
}

reload() {
    restart
}

force_reload() {
    restart
}

rh_status() {
    status -p $pidfile $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    status)
        rh_status
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
esac
exit $?

This has been modified slightly as the original script had .conf in the DAEMON_ARGS statement which wasn't needed on CentOS 5 or 6

EDIT

There were some issues with the init script, but the commiter has updated it today, for my instance I also needed either of the following files:

/etc/defaults/logstash-forwarder
/etc/sysconfig/logstash-forwarder

Content:

DAEMON_ARGS="${DAEMON_ARGS:--config /etc/logstash-forwarder/logstash-forwarder.conf -spool-size 100}"

How to escape spaces in systemd unit files

The correct way to generate paths in systemd is to use systemd-escape.

i.e.

~$ systemd-escape --path "/home/cobra/my service/start.sh"
home-cobra-my\x20service-start.sh

Yes / gets replaced with -

Best Answer

Related Solutions

Centos – Logstash Forwarder doesn’t start up with chkconfig in CentOS 5

How to escape spaces in systemd unit files

Related Topic