Using Logstash as shipper

elasticsearchlogginglogstashmonitoringredis

We are shipping logs from servers and using THE logstash on each server for shipping.

So we read logs from the glob "/root/Desktop/Logstash-Input/**/*_log".

 input {
            file{
                    path => "/root/Desktop/Logstash-Input/**/*_log"
                    start_position => "beginning"
            }
    }

From this glob we extract fields from the path which we want added to the event. Eg: from the directory path extract the server, logtype, etc. We do this:

filter {

grok {

        match => ["path", "/root/Desktop/Logstash-Input/(?<server>[^/]+)/(?<logtype>[^/]+)/(?<logdate>[\d]+.[\d]+.[\d]+)/(?<logfilename>.*)_log"]
}
}

And then we output these logs to the central logstash server using lumberjack output plugin.

output {

        lumberjack {
                hosts => ["xx.xx.xx.xx"]
                port => 4545
                ssl_certificate => "./logstash.pub"
    }

        stdout { codec => rubydebug }
}

Problem is that logs shipped to the central server loose the fields added using grok. Eg server, logtype, etc are not present on central server. However, client machine console shows the fields added but on central logstash server only message, timestamp , version is present.

Client (from where logs are shipped) console:

output received {:event=>{"message"=>"2014-05-26T00:00:01+05:30 host crond[268]: (root) CMD (2014/05/31/server2/cron/log)", "@version"=>"1", "@timestamp"=>"2014-07-16T06:07:21.927Z", "host"=>"host", "path"=>"/root/Desktop/Logstash-Input/Server2/CronLog/2014.05.31/cron_log", "server"=>"Server2", "logtype"=>"CronLog", "logdate"=>"2014.05.31", "logfilename"=>"cron"}, :level=>:debug, :file=>"(eval)", :line=>"37"}
    {
              "message" => "2014-05-26T00:00:01+05:30 bx920as1 crond[268]: (root) CMD (2014/05/31/server2/cron/log)",
             "@version" => "1",
           "@timestamp" => "2014-07-16T06:07:21.927Z",
                 "host" => "host",
                 "path" => "/root/Desktop/Logstash-Input/Server2/CronLog/2014.05.31/cron_log",
               "server" => "Server2",
              "logtype" => "CronLog",
              "logdate" => "2014.05.31",
          "logfilename" => "cron"
    }

Central Server (where logs are shipped to) console:

{
       "message" => "2014-07-16T05:33:17.073+0000 host 2014-05-26T00:00:01+05:30 bx920as1 crond[288]: (root) CMD (2014/05/31/server2/cron/log)",
      "@version" => "1",
    "@timestamp" => "2014-07-16T05:34:02.370Z"
}

So the grokked fields are dropped while shipping. Why is it so??

How can I retain the fields??

Best Answer

SOLVED:

I solved it by adding codec => "json" to my lumberjack output and input.

Output:

output {

    lumberjack {
            hosts => ["xx.xx.xx.xx"]
            port => 4545
            ssl_certificate => "./logstash.pub"
            codec => "json"
}

Input:

input { 
    lumberjack {
        port => 4545
        ssl_certificate => "/etc/ssl/logstash.pub"
        ssl_key => "/etc/ssl/logstash.key"  
        codec => "json"
  }
}

Related Solutions

Scaling Logstash (with redis/elasticsearch)

Your post doesn't describe much in the way of specs (memory on the LS indexer, log volume or much else) but I'll try and answer your questions best I can first. Disclaimer: I'm one of the logstash devs -

Apache going nuts was likely a side effect of the logstash process acting up. I'd put that aside for now.
The sane way to make ES f/b/s is add more ES nodes. It's seriously that easy. They even autodiscover each other depending on network topology. After 17 years in this industry I've never seen anything scale horizontally as easy as ElasticSearch.
To f/b/s Redis, don't use any redis clustering. Newer versions of Logstash can do Redis loadbalancing internally. The Redis output supports a list of Redis hosts in the plugin config and support is about to be added to the input side as well to match that. In the interim you can use multiple Redis input definitions on the indexer/consumer side.
I can't answer this beyond saying that it sounds like you're trying to do to much with a single (possibly underpowered host).

Any good scaling process starts with breaking collocated components into distinct systems. I don't see your configs gist'd anywhere but the places where logstash 'bottlenecks' are in filters. Depending on how many transformations you're doing it can have an impact on the memory usage of Logstash processes.

Logstash works a lot like legos. You can either use a 2x4 brick or you can use two 2x2 bricks to accomplish the same task. Except in the case of logstash, it's actually sturdier to use smaller bricks than a single big brick.

Some general advice we normally give is:

ship logs as quickly as possible from the edge If you can use pure network transport instead of writing to disk, that's nice but not required. Logstash is JVM-based and that has good and bad implications. Use an alternate shipper. I wrote a python based one ( https://github.com/lusis/logstash-shipper ) but I would suggest that folks use Beaver instead ( https://github.com/josegonzalez/beaver ).
generate your logs in a format that requires as little filtering as possible (json or optimally json-event format) This isn't always possible. I wrote a log4j appender to do this ( https://github.com/lusis/zmq-appender ) and eventually broke out the pattern layout into its own repo ( https://github.com/lusis/log4j-jsonevent-layout ). This means I don't have to do ANY filtering in logstash for those logs. I just set the type on input to 'json-event'

For apache, you can try this approach: http://cookbook.logstash.net/recipes/apache-json-logs/

break things into multiple components In every talk I've done about logstash, I describe it as a unix pipe on steroids. You can make the pipeline as long or as short as you like. You scale logstash by shifting around responsibilities horizontally. This might mean making the pipeline longer but we're not talking about anything statistically relevant in terms of latency overhead. If you have greater control over your network (i.e. NOT on EC2) you can do some amazing things with standard traffic isolation.

Also note that the logstash mailing list is VERY active so you should always start there. Sanitize and gist your configs as that's the best place to start.

There are companies (like Sonian) scaling ElasticSearch to petabyte levels and companies (like Mailchimp and Dreamhost) scaling Logstash to insane levels as well. It can be done.

Logstash shipper & server on the samebox

I'm not sure if I understood the question correctly, but I do know that Syslog-NG can ship directly to Logstash without the need for an additional shipper as an intermediary. You could define a destination in syslog-ng.conf similar to this example:

destination d_logstash { 
  tcp("10.0.0.1" port(5514)); 
};

And then define a log action to send Syslog messages from source s_src to destination:

log {
  source(s_src);
  destination(d_logstash);
};

Which should enable the message transmission. Don't forget to restart the syslog-ng service to apply the changes.

source: The Logstash Book

Best Answer

Related Solutions

Scaling Logstash (with redis/elasticsearch)

Logstash shipper & server on the samebox

Related Topic