The following examples illustrate how you can configure Logstash to filter events, process Apache logs and syslog messages, and use conditionals to control what events are processed by a filter or output.
If you need help building grok patterns, try out the Grok Debugger. The Grok Debugger is an X-Pack feature under the Basic License and is therefore free to use.
Configuring Filters
Filters are an in-line processing mechanism that provide the flexibility to slice and dice your data to fit your needs. Let’s take a look at some filters in action. The following configuration file sets up the grok and date filters.
Run Logstash with this configuration:
Now, paste the following line into your terminal and press Enter so it will be processed by the stdin input:
You should see something returned to stdout that looks like this:
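The configuration the steps above refer to is not reproduced on this page, so here is an added example of such a file (my own, not the page's or the Logstash project's): a stdin input, the grok filter applying the stock COMBINEDAPACHELOG pattern, the date filter, and a rubydebug stdout output. The file name logstash-filter.conf and the sample log line are my assumptions.

```logstash
# logstash-filter.conf (added example, not the page's own config file)
# run with:  bin/logstash -f logstash-filter.conf
# then paste a combined-format line such as this constructed sample:
# 127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /status.php HTTP/1.1" 200 3891 "http://example.test/navi.php" "Mozilla/5.0 (X11; Linux x86_64)"

input {
  stdin { }
}

filter {
  grok {
    # COMBINEDAPACHELOG ships with Logstash and yields fields such as
    # clientip, verb, request, response, bytes, referrer, agent and timestamp.
    # With ecs_compatibility enabled (the Logstash 8 default) the names follow
    # ECS instead, e.g. [http][response][status_code] in place of response.
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    # take @timestamp from the request time in the line, not from ingest time
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  stdout { codec => rubydebug }
}
```

A line that does not match the pattern is passed through untouched with a _grokparsefailure tag, so check for that tag in the stdout output before assuming every field was extracted.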
As you can see, Logstash (with help from the grok filter) was able to parse the log line (which happens to be in Apache 'combined log' format) and break it up into many different discrete bits of information. This is extremely useful once you start querying and analyzing your log data. For example, you’ll be able to easily run reports on HTTP response codes, IP addresses, referrers, and so on. There are quite a few grok patterns included with Logstash out of the box, so it’s quite likely that if you need to parse a common log format, someone has already done the work for you. For more information, see the list of Logstash grok patterns on GitHub.
The other filter used in this example is the date filter. This filter parses out a timestamp and uses it as the timestamp for the event (regardless of when you’re ingesting the log data). You’ll notice that the @timestamp field in this example is set to December 11, 2013, even though Logstash is ingesting the event at some point afterwards. This is handy when backfilling logs. It gives you the ability to tell Logstash 'use this value as the timestamp for this event'.
Processing Apache Logs
Let’s do something that’s actually useful: process apache2 access log files! We are going to read the input from a file on the localhost, and use a conditional to process the event according to our needs. First, create a file called something like logstash-apache.conf with the following contents (you can change the log’s file path to suit your needs):
Then, create the input file you configured above (in this example, '/tmp/access_log') with the following log entries (or use some from your own webserver):
Now, run Logstash with the -f flag to pass in the configuration file:
Now you should see your apache log data in Elasticsearch! Logstash opened and read the specified input file, processing each event it encountered. Any additional lines logged to this file will also be captured, processed by Logstash as events, and stored in Elasticsearch. As an added bonus, they are stashed with the field 'type' set to 'apache_access' (this is done by the type => 'apache_access' line in the input configuration).
In this configuration, Logstash is only watching the apache access_log, but it’s easy enough to watch both the access_log and the error_log (actually, any file matching *log), by changing one line in the above configuration:
When you restart Logstash, it will process both the error and access logs. However, if you inspect your data (using elasticsearch-kopf, perhaps), you’ll see that the access_log is broken up into discrete fields, but the error_log isn’t. That’s because we used a grok filter to match the standard combined apache log format and automatically split the data into separate fields. Wouldn’t it be nice if we could control how a line was parsed, based on its format? Well, we can…
Note that Logstash did not reprocess the events that were already seen in the access_log file. When reading from a file, Logstash saves its position and only processes new lines as they are added. Neat!
Using Conditionals
You use conditionals to control what events are processed by a filter or output. For example, you could label each event according to which file it appeared in (access_log, error_log, and other random files that end with 'log').
This example labels all events using the type field, but doesn’t actually parse the error or random files. There are so many types of error logs that how they should be labeled really depends on what logs you’re working with.
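Neither the apache configuration file from the previous section nor the conditional version described here survives on this page, so the following is one added configuration (my own, not the page's or the project's) that serves both passages: a file input watching /tmp/*log, and a filter that branches on which file the line came from. The single-file variant the previous section describes differs only in its input block (path => "/tmp/access_log" plus type => "apache_access" on the input, with no conditional). The sample log entries and the Elasticsearch address are my assumptions.

```logstash
# logstash-apache.conf (added example, not the page's own file)
# run with:  bin/logstash -f logstash-apache.conf
# constructed contents for /tmp/access_log:
# 192.0.2.10 - - [11/Dec/2013:00:01:45 -0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
# 192.0.2.11 - - [11/Dec/2013:00:01:46 -0800] "GET /admin HTTP/1.1" 403 212 "-" "curl/7.88.1"

input {
  file {
    # every file in /tmp whose name ends in "log"; "/tmp/access_log" alone
    # gives the single-file setup from the previous section
    path => "/tmp/*log"
    # read existing lines too, not only ones appended after start-up;
    # Logstash records its position per file (the sincedb), so lines it has
    # already processed are not re-read on restart
    start_position => "beginning"
  }
}

filter {
  # [path] holds the source file name; with ecs_compatibility enabled
  # (the Logstash 8 default) it is found at [log][file][path] instead
  if [path] =~ "access" {
    mutate { replace => { "type" => "apache_access" } }
    grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
    date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] }
  } else if [path] =~ "error" {
    # labelled only: error-log formats vary too much for one grok pattern
    mutate { replace => { "type" => "apache_error" } }
  } else {
    mutate { replace => { "type" => "random_logs" } }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
```

Because the type is assigned from the file name, a misnamed or unexpected file in /tmp lands in the random_logs branch rather than being silently parsed as access-log data, which keeps the parsed fields trustworthy for later reports.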
Similarly, you can use conditionals to direct events to particular outputs. For example, you could:
- alert nagios of any apache events with status 5xx
- record any 4xx status to Elasticsearch
- record all status code hits via statsd
To tell nagios about any http event that has a 5xx status code, you first need to check the value of the type field. If it’s apache, then you can check to see if the status field contains a 5xx error. If it is, send it to nagios. If it isn’t a 5xx error, check to see if the status field contains a 4xx error. If so, send it to Elasticsearch. Finally, send all apache status codes to statsd no matter what the status field contains:
Processing Syslog Messages
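The output block those steps describe is not on this page; the following is an added example of it (my own, not the page's or the project's), written as an output section only so it can be combined with any input and filter that set the type field and a grok-parsed status field. The type value "apache", the status field name and the statsd metric name follow the text above and are assumptions about your pipeline.

```logstash
# output section only (added example, not the page's own config).
# "type" must match what your input/filter assigned, and "status" must be
# the field your grok pattern wrote the HTTP code into: COMBINEDAPACHELOG
# calls it response (or [http][response][status_code] under ECS), and a
# condition on a field that does not exist never matches, so rename the
# field with mutate or test the real name here.
output {
  if [type] == "apache" {
    if [status] =~ /^5\d\d/ {
      # the nagios output plugin takes the host and service to notify from
      # the event's nagios_host and nagios_service fields (set them in a
      # mutate filter); its command file defaults to the local nagios.cmd
      nagios { }
    } else if [status] =~ /^4\d\d/ {
      elasticsearch { hosts => ["localhost:9200"] }
    }
    # every apache event, whatever its status, increments a statsd counter
    statsd { increment => "apache.%{status}" }
  }
}
```

The 5xx branch deliberately does not fall through to Elasticsearch; add an elasticsearch output inside it as well if you want server errors stored and not only alerted on.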
Syslog is one of the most common use cases for Logstash, and one it handles exceedingly well (as long as the log lines conform roughly to RFC3164). Syslog is the de facto UNIX networked logging standard, sending messages from client machines to a local file, or to a centralized log server via rsyslog. For this example, you won’t need a functioning syslog instance; we’ll fake it from the command line so you can get a feel for what happens.
First, let’s make a simple configuration file for Logstash + syslog, called logstash-syslog.conf.
Run Logstash with this new configuration:
Normally, a client machine would connect to the Logstash instance on port 5000 and send its message. For this example, we’ll just telnet to Logstash and enter a log line (similar to how we entered log lines into STDIN earlier). Open another shell window to interact with the Logstash syslog input and enter the following command:
Copy and paste the following lines as samples. (Feel free to try some of your own, but keep in mind they might not parse if the grok filter is not correct for your data.)
Now you should see the output of Logstash in your original shell as it processes and parses messages!
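The syslog configuration, telnet command and sample lines the steps above refer to are absent from this page, so here is an added example covering the whole procedure (my own, not the page's or the Logstash project's): tcp and udp inputs on port 5000, a grok pattern for RFC3164-style lines, the date filter, and outputs. The sample syslog lines and the Elasticsearch address are constructed assumptions.

```logstash
# logstash-syslog.conf (added example, not the page's own file)
# run with:  bin/logstash -f logstash-syslog.conf
# in a second shell:  telnet localhost 5000
# then paste constructed samples such as:
# Dec 23 12:11:43 host1 sshd[2030]: Accepted publickey for deploy from 192.0.2.10 port 51212 ssh2
# Dec 23 12:11:44 host1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/systemctl restart nginx

input {
  # both listeners bind to all interfaces unless host => is set; use
  # host => "127.0.0.1" for the local telnet test above
  tcp { port => 5000 type => "syslog" }
  udp { port => 5000 type => "syslog" }
}

filter {
  if [type] == "syslog" {
    grok {
      # timestamp, host, program, optional [pid], then the free-text message
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # keep the ingest time separately, since @timestamp is about to be
      # overwritten with the time stated in the line
      add_field => { "received_at" => "%{@timestamp}" }
    }
    date {
      # BSD syslog pads single-digit days with a space ("Dec  5"), hence two patterns;
      # the format carries no year, so Logstash assumes the current one
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
```

Lines that do not fit the pattern (for example RFC5424 output from a newer rsyslog) are still indexed, but only as the raw message plus a _grokparsefailure tag, so watch for that tag in the rubydebug output when you feed in real client traffic.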