ELK Stack Elasticsearch, Logstash, Kibana

Size: px

Start display at page:

Download "ELK Stack Elasticsearch, Logstash, Kibana"

Eustacia Samantha Clarke
5 years ago
Views:

1 ELK Stack Elasticsearch, Logstash, Kibana Munich

2 INTRODUCTION

3 Bernd Erk CEO at NETWAYS GmbH Co-Founder

4 NETWAYS GmbH Open Source Service Provider Located in Nuremberg About 45 employees right now Technical areas Open Source Systems Management Open Source Datacenter Custom Open Source solutions

5 NETWAYS Products We love Open Source

6 INTRODUCTION LOGS & EVENTS

7 Logs Logs -> Flow of unstructured data Oct 4 16:57:24 web sshd[25828]: Received disconnect from : 11: disconnected by user Consists of timestamp and message

8 Events Event -> Flow off structured data Event { Time: Oct 4 16:57:24 Process: sshd State: Received disconnect from Client: consists of detailed attributes

9 Log & Eventmanagement Logs > Event > Analyse (Correlation) > Action

10 Tools Nagios & Icinga Addons Check_logfiles EventDB Check_MK Event Console Logmanagement-Tools ELK-Stack Graylog Fluentd ELK Stack

11 ARCHITECTURE & INSTALLATION

12 Overview Shipper Shipper Shipper Broker Indexer Search & Storage Webinterface

13 Logstash Logmanagement based on JRuby Configurable Pipe Flexible Plugin-Architecture for Input Filter Output Single File Deployment

14 Logstash - IO Outputs amqp boundary circonus cloudwatch datadog datadog_metrics elasticsearch elasticsearch_http elasticsearch_river exec file ganglia gelf gemfire google_cloud_storage graphite graphtastic relp s3 snmptrap sqlite sqs stdin stomp syslog tcp twitter udp unix varnishlog websocket wmi xmpp zenoss zeromq Inputs amqp http drupal_dblog irc elasticsearch jira eventlog juggernaut exec librato file loggly ganglia lumberjack gelf metriccatcher gemfire mongodb generator nagios graphite nagios_nsca heroku null imap opentsdb irc pagerduty log4j pipe lumberjack rabbitmq pipe redis s3 sns sqs statsd stdout stomp syslog tcp udp websocket xmpp zabbix zeromq hipchat rabbitmq redis riak riemann

15 Logstash - Installation Download - bin/logstash agent -f <config-file>

16 Redis NoSQL in memory based on C Support for various Datatypes Strings / Hashes / Lists Sets and Sorted Sets Support for various replication scenarious Very high performance $./redis-benchmark -r n t get,set,lpush,lpop -q SET: requests per second GET: requests per second LPUSH: requests per second LPOP: requests per second

17 Redis - Installation Download - make make test make install /usr/local/bin/redis-server

18 Elasticsearch Schema free RESTful server based on Java Based on Lucene Core Comparable with Apache Solr Distributed Architecture using Shards Replicas Gateways Realtime search base for Kibana

19 Elasticsearch Installation Download Unpack the archive Run bin/elasticsearch

20 INPUT OFF LOGS

21 Overview - Logshipping Shipper Shipper Shipper Broker Indexer Search & Storage Webinterface

22 Logstash - Shipper Shipment of logs to Logstash Logstash Logstash Forwarder Syslog Log4J Gelf File-Read Many more Shipper Shipper Shipper Broker Indexer Search & Storage Webinterface

23 Logstash Shipper - Configuration Configuration Shipper Shipper input { file { path => "/root/demodata/access.log.1 type => "apache-access" output { stdout { debug => true redis { host => " " data_type => "list" key => "logstash.apache" bin/logstash agent f logstash_shipper.conf Shipper Broker Indexer Search & Storage Webinterface

24 EVENT INDEXING

25 Overview - Indexing Shipper Shipper Shipper Broker Indexer Search & Storage Webinterface

26 Broker Indexer Search & Storage Webinterface We love Open Source Logstash - Indexer Configuration Shipp er Shipp er input { redis { host => " " type => "redis-input" # these settings should match the output of the agent data_type => "list" key => "logstash.apache output { stdout { debug => true elasticsearch_http { host => " " Shipp er

27 Bring your stuff in order We need more then a timestamp and message We need structured and queryable information We need grok

Grok - Example 55.3.244.1 GET /index.html 15824 0.

28 Grok - Example GET /index.html %{IP:client %{WORD:method %{URIPATHPARAM:request %{NUMBER:bytes %{NUMBER:duration client: method: GET request: /index.html bytes: duration: 0.043

29 Demo

30 Broker Indexer Search & Storage Webinterface We love Open Source Logstash Indexer- Apache Configuration for Apache-Logs input { redis { host => " " type => "apache-access data_type => "list" key => "logstash.apache format => "json_event" filter { if [type] == "apache-access" { grok { match => [ "message", "%{COMBINEDAPACHELOG" ] output { elasticsearch_http { host => " Shipp er Shipp er Shipp er

31 Broker Indexer Search & Storage Webinterface We love Open Source Logstash Indexer - GEOIP Configuration for Geo-Data input { redis { host => " " type => "apache-access data_type => "list" key => "logstash.apache filter { grok { type => "apache-access" pattern => "%{COMBINEDAPACHELOG" geoip { source => "clientip" add_tag => ["geotag"] output { elasticsearch_http {host => " Shipp er Shipp er Shipp er

32 INTERFACES & API

33 Overview Interfaces Shipper Shipper Shipper Broker Indexer Search & Storage Webinterface

34 Kibana We love Open Source

35 DEMO

36 MONITORING ELK-STACK

37 Monitoring of the ELK-Stack Availabillity of services and resources Shipment Caching and Indexing Storage Realtime monitor for Elasticsearch

38 NODE PING { "status" : 200, "name" : "Richard Fisk", "cluster_name" : "elasticsearch", "version" : { "number" : "1.4.5", "build_hash" : "2aaf797f2a571dcb779a3b61180afe8390ab61f9", "build_timestamp" : " T08:06:06Z", "build_snapshot" : false, "lucene_version" : "4.10.4, "tagline" : "You Know, for Search

39 ElasticHQ We love Open Source

40 DEMO

41 INTEGRATION NAGIOS, ICINGA AND CHECK_MK

42 Realtime Loganalysis Analyse various in sources in realtime Check for patters and states Facilitites Regex Programs Submission as passive events

43 Overview Logstash and Nagios Indexer Search & Storage Webinterface Icinga Web Commandpipe

44 Logstash - Nagios Configuration for Nagios-Alert input { filter { if [type] == "syslog" { grok {match => [ "message", "%{SYSLOGBASE" ] grep { match => [ "message", "Error" ] drop => false add_tag => "nagios-update" add_field => [ # "nagios_host", "%{@source_host", "nagios_host", "localhost", "nagios_service", "Logstash", "nagios_level", "2 ] output { elasticsearch {host => " nagios { commandfile => "/var/lib/icinga/rw/icinga.cmd"

45 Overview Check_MK Indexer Search & Storage Webinterface Multisite

46 Using the integrated Syslog-Server Enable the integrated Syslog server omd config set MKEVENTD_SYSLOG on Since version 1.2.3i2 TCP is also available

47 Logstash -> Syslog Configuration for Syslog output input { filter { if [type] == "syslog" { grok {match => [ "message", "%{SYSLOGBASE" ] grep { match => [ "message", "Error" ] drop => false add_tag => checkmk output { elasticsearch {host => " syslog{ facility => local0 host => port => tcp severity => critical

48 CONCLUSION

49 Conclusion ELK-Stack Support for a huge number of APIs and programs Scalable storage backend with Elasticsearch Flexible Query-Interface with Kibana Highly integrable in all popular stacks Collect everything and analyse later!

50 Q&A

51 THANK YOU blog.netways.de netways netways netways

The State Of Open Source Logging

The State Of Open Source Logging Rashid Khan (@rashidkpc) Shay Banon (@kimchy) Rashid Khan Developer @ elasticsearch Operations guy Logging Nerd Kibana project IRC/Twitter: rashidkpc Logs suck. 3am What