Using Logstash, ElasticSearch and Kibana
Alejandro E Brito Monedero
@ae_bm
2013 / 05 / 23
Business as usual
So many hosts to check
Is there life out there?
http://upload.wikimedia.org/wikipedia/commons/a/aa/ESO-The_Milky_Way_above_La_Silla-phot-27-04-hires.jpg
Time to play whack a log
http://i102.photobucket.com/albums/m109/niceperson907/121331d1253497450-animated-gif-thre.gif
http://brotality.com/wp-content/uploads/2012/12/madness.jpg
I need a new toy
http://www.youtube.com/watch?v=8L6Dpq5kY_A
Video time
Logstash ✔ collects logs
✔ parses logs
✔ stores logs
✔ indexes logs
✔ searches logs
✔ and fixes timestamps
You only need
● JVM
● logstash.jar
$ log_producer | grep ... | sed … | awk … | tee output | sort | uniq -c | sort -n
Pipes: Log source -> Logstash -> Logstash (optional) -> ElasticSearch / DB / statsd
Inputs: File, Redis, Syslog, Lumberjack, Rabbitmq, SQS, …
Filters: Alter, Date, Grok, Multiline, Grep, …
Outputs: AMQP, Cloudwatch, Elasticsearch, Mongodb, Redis, File, …
Plugins: not here yet? JRuby to the rescue
ElasticSearch
Distributed RESTful search server
● Near real-time search
● RESTful API
● Easy to scale horizontally
● HA
● Full text search
● YAML config file / JSON format!!
● Document oriented JSON
Getting started: the Logstash JAR includes it, or download it and set cluster.name
This is where it will be worth spending some time tuning
Kibana
✔ Nice UI
✔ Better than the old frontend Logstash included
✔ Ruby / Sinatra framework
Web frontend to search / graph and more
Original plan
Apache (lightweight shipper) and Tomcat (lightweight shipper) -> broker -> logstash -> ElasticSearch -> Kibana
After a few workarounds
Apache (logstash shipper) and Tomcat (logstash shipper) -> Logstash -> ElasticSearch -> Kibana, with the shipper-to-Logstash hops through SSH tunnels
Example config 1/3
Logstash-httpd.conf
input {
  file {
    type => "httpd"
    path => ["/var/log/httpd/*-logstash.log"]
    exclude => ["*.gz"]
    start_position => "beginning"
    format => "json_event"
  }
}
output {
  tcp {
    host => "0.0.0.0"
    mode => "server"
    port => 1666
  }
}
Logstash-server.conf
input {
  tcp {
    type => "httpd"
    format => "json_event"
    host => "127.0.0.1"
    mode => "client"
    port => "1666"
  }
  tcp {
    type => "app"
    format => "json_event"
    host => "127.0.0.1"
    mode => "client"
    port => "2666"
  }
}
output {
  elasticsearch {
    cluster => "logstash"
  }
}
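Added example (not code from the slides or from the Logstash project): a Python model of the httpd-to-server hop configured above. The shipper side turns a constructed Apache combined-format access line into a Logstash 1.1 json_event document (@source_host, @type, @fields, @timestamp as ISO8601 in UTC, @message) and frames it one JSON document per line, which is what the tcp plugin does with format => "json_event"; the receiving side reassembles events from arbitrary TCP chunks and rejects anything that is not a well-formed event, so junk arriving on the port cannot poison the pipeline. The host name web01, the log path, the sample lines and the use of an ephemeral loopback port instead of 1666 are assumptions made here.

```python
import json
import re
import socket
import threading
from datetime import datetime, timezone

# Constructed Apache "combined" access log lines (not taken from the slides).
SAMPLE_LINES = [
    '10.0.0.1 - - [23/May/2013:10:15:32 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [23/May/2013:10:15:40 +0200] "GET /missing HTTP/1.1" 404 - "-" "curl/7.29.0"',
]
APACHE_COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) (?P<httpversion>[^"]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Keys every Logstash 1.1 json_event must carry; the receiver refuses events without them.
REQUIRED_KEYS = ("@timestamp", "@message", "@type")


def apache_line_to_json_event(line, source_host="web01", path="/var/log/httpd/access_log"):
    """Shipper side: one access log line -> json_event dict (host and path are assumed)."""
    m = APACHE_COMBINED.match(line)
    if not m:
        raise ValueError("not a combined-format access log line: %r" % line)
    fields = m.groupdict()
    # Apache logs local time with an offset; @timestamp has to be ISO8601 in UTC.
    ts = datetime.strptime(fields.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    fields["response"] = int(fields["response"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    return {
        "@source_host": source_host,
        "@source_path": path,
        "@type": "httpd",
        "@tags": [],
        "@fields": fields,
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "@message": line,
    }


def encode_events(events):
    """Framing of the tcp plugin with format json_event: one JSON document per line."""
    return b"".join(json.dumps(ev, separators=(",", ":")).encode() + b"\n" for ev in events)


class JsonEventDecoder:
    """Receiver side: rebuild framed events from arbitrary TCP chunks, counting rejects."""

    def __init__(self):
        self.buffer = b""
        self.rejected = 0

    def feed(self, chunk):
        self.buffer += chunk
        events = []
        while b"\n" in self.buffer:
            raw, self.buffer = self.buffer.split(b"\n", 1)
            if not raw.strip():
                continue
            try:
                ev = json.loads(raw)
            except ValueError:
                self.rejected += 1  # garbage on the wire must not poison the pipeline
                continue
            if not isinstance(ev, dict) or any(k not in ev for k in REQUIRED_KEYS):
                self.rejected += 1
                continue
            events.append(ev)
        return events


def exchange_over_tcp(lines):
    """Same roles as the slide: the shipper is the tcp server, central Logstash the client."""
    events = [apache_line_to_json_event(l) for l in lines]
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for 1666 behind the tunnel
    listener.listen(1)
    def shipper():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(encode_events(events))
    t = threading.Thread(target=shipper)
    t.start()
    decoder, received = JsonEventDecoder(), []
    with socket.create_connection(listener.getsockname()) as client:
        while True:
            chunk = client.recv(64)  # deliberately small reads: framing survives splits
            if not chunk:
                break
            received.extend(decoder.feed(chunk))
    t.join()
    listener.close()
    return received


if __name__ == "__main__":
    for ev in exchange_over_tcp(SAMPLE_LINES):
        print(ev["@timestamp"], ev["@fields"]["clientip"], ev["@fields"]["response"])
```

Run as a script it performs the exchange in-process with the slide's roles (shipper listening, the central side connecting as it would through the SSH tunnel); the builder and decoder are plain functions and can be exercised without the socket part.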
Example config 2/3
Logstash-tomcat.conf
filter {
  # Tomcat
  # Remove blank lines
  grep {
    type => "tomcat"
    match => [ "@message", "(.+)" ]
    drop => true
    add_tag => [ "no_blank_lines" ]
  }
  # make the multilines be treated like a single line
  # (a line that does not start with a four-digit year belongs to the previous event)
  multiline {
    type => "tomcat"
    pattern => "^\d\d\d\d"
    negate => true
    what => "previous"
  }
Example config 3/3
Logstash-tomcat.conf
  # mark the exceptions (multiline)
  grep {
    type => "tomcat"
    tags => [ "multiline" ]
    match => [ "@message", ".+Exception: .+" ]
    drop => false
    add_tag => [ "java_exception" ]
  }
  # get the log level, operation id, module and timestamp as separate fields
  # (the brackets around the operation id are literal, so they are escaped)
  grok {
    type => "tomcat"
    pattern => "%{TIMESTAMP_ISO8601:timestamp} \[%{OPERATION_ID:operation_id}\]..."
    add_tag => [ "groked" ]
  }
  # fix the timestamp
  date {
    type => "tomcat"
    match => [ "timestamp", "YYYY-MM-dd HH:mm:ss,SSSZZ" ]
    add_tag => [ "timestamp_fix" ]
  }
}
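Added example (again not the slides' own code): the Tomcat filter chain from configs 2/3 and 3/3 carried out in Python over a constructed log excerpt, so that the order and the semantics of each stage are visible. grep with drop => true discards blank lines first; multiline with negate => true and what => "previous" glues every line that does not start with four digits onto the event before it and tags that event multiline; the second grep only tags exception traces and never drops; grok splits the first line into timestamp, operation id, level and module; date replaces the ingest time with the application's own timestamp, converted to UTC. The exact line layout behind the grok pattern, the OPERATION_ID pattern, the log excerpt and the timestamp_unparsed tag are assumptions made here; the Joda format YYYY-MM-dd HH:mm:ss,SSSZZ is written as its strptime equivalent %Y-%m-%d %H:%M:%S,%f%z (Python 3.7+ accepts the colon in the offset).

```python
import re
from datetime import datetime, timezone

# Constructed Tomcat-style log excerpt (not from the slides): an INFO line, a blank line,
# an ERROR line followed by a stack trace, then a WARN line.
SAMPLE_LOG = """\
2013-05-23 10:15:32,123+02:00 [op-42] INFO  OrderService - order created

2013-05-23 10:15:33,001+02:00 [op-43] ERROR PaymentService - payment failed
java.lang.IllegalStateException: gateway timeout
    at com.example.PaymentService.charge(PaymentService.java:88)
    at com.example.OrderService.submit(OrderService.java:41)
2013-05-23 10:15:34,500+02:00 [op-44] WARN  OrderService - retrying
"""

# multiline { pattern => "^\d\d\d\d" negate => true what => "previous" }
EVENT_START = re.compile(r"^\d\d\d\d")
# grep { match => [ "@message", ".+Exception: .+" ] }
JAVA_EXCEPTION = re.compile(r".+Exception: .+")
# Assumed line layout behind the slide's grok pattern; OPERATION_ID is taken to be a
# bracketed token and the rest of the line to be "LEVEL Module - text".
GROK_LINE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2}:\d{2}) "
    r"\[(?P<operation_id>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<module>\S+) - (?P<msg>[^\n]*)"
)
# Joda "YYYY-MM-dd HH:mm:ss,SSSZZ" for strptime (ZZ is an offset with a colon, %z on 3.7+).
DATE_FORMAT = "%Y-%m-%d %H:%M:%S,%f%z"


def grep_and_multiline(lines):
    """grep drop => true removes blank lines; every non-start line joins the previous event."""
    events = []
    for line in lines:
        if not line.strip():
            continue  # grep: events not matching "(.+)" are dropped
        if EVENT_START.match(line) or not events:
            events.append({"@message": line, "@tags": ["no_blank_lines"], "@fields": {}})
        else:
            prev = events[-1]
            prev["@message"] += "\n" + line
            if "multiline" not in prev["@tags"]:
                prev["@tags"].append("multiline")
    return events


def tag_java_exceptions(event):
    """grep with tags => ["multiline"] and drop => false: only tags, never drops."""
    if "multiline" in event["@tags"] and JAVA_EXCEPTION.search(event["@message"]):
        event["@tags"].append("java_exception")


def grok(event):
    """Split the first line into fields; a miss gets Logstash's _grokparsefailure tag."""
    m = GROK_LINE.match(event["@message"])
    if not m:
        event["@tags"].append("_grokparsefailure")
        return
    event["@fields"].update(m.groupdict())
    event["@tags"].append("groked")


def fix_timestamp(event):
    """date filter: replace the ingest time with the time the application logged, in UTC."""
    raw = event["@fields"].get("timestamp")
    if raw is None:
        return
    try:
        ts = datetime.strptime(raw, DATE_FORMAT).astimezone(timezone.utc)
    except ValueError:
        event["@tags"].append("timestamp_unparsed")  # tag name chosen for this example
        return
    event["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (ts.microsecond // 1000)
    event["@tags"].append("timestamp_fix")


def process_tomcat_lines(lines):
    """Run the filter chain in the order the config declares it."""
    events = grep_and_multiline(lines)
    for ev in events:
        tag_java_exceptions(ev)
        grok(ev)
        fix_timestamp(ev)
    return events


if __name__ == "__main__":
    for ev in process_tomcat_lines(SAMPLE_LOG.splitlines()):
        print(ev.get("@timestamp"), ev["@fields"].get("level"), ev["@tags"])
```

The stage order matters: because grep runs before multiline, a blank line inside a stack trace is dropped rather than splitting the trace into two events, and because the exception grep is restricted to events already tagged multiline, a single-line message that merely mentions an exception is not tagged.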
I need a new toy
Demo
Some remarks
● Don't forget about security
● The applications should be flexible enough to allow publishing their logs through brokers or other methods beyond files and syslog
● Logging in JSON format is a nice to have
● Share the log visualization
● Use the brokers Luke
● If you develop, internalize this: http://www.masterzen.fr/2013/01/13/the-10-commandments-of-logging/
Extras
● http://logstash.net/
● http://www.logstashbook.com/code/ only $10.09
● https://github.com/logstash/logstash/blob/v1.1.12/patterns/grok-patterns
● http://grokdebug.herokuapp.com/
● http://www.infoq.com/articles/review-the-logstash-book (better diagrams)
● http://www.elasticsearch.org/tutorials/using-elasticsearch-for-logs/
● http://kibana.org/
● https://lucene.apache.org/core/old_versioned_docs/versions/3_5_0/queryparsersyntax.html
● http://www.elasticsearch.org/tutorials/elasticsearch-on-ec2/
● http://blog.lusis.org/blog/2012/01/31/load-balancing-logstash-with-amqp/
Do you want to join the <some fancy words here> team?
I am not hiring, but I can tell you about some places where it is better to stay away
Have a nice day
All the images, videos and stuff are property of their respective owners, look at the cat and don't sue me
http://stuffpoint.com/cats/image/41633/cute-cat-picture/
