docs/asciidoc/static/getting-started-with-logstash.asciidoc
32 additions & 36 deletions
@@ -9,7 +9,7 @@ Using Elasticsearch as a backend datastore, and kibana as a frontend reporting t
9
9
[float]
10
10
==== Prerequisite: Java
11
11
The only prerequisite required by Logstash is a Java runtime. You can check that you have it installed by running the command `java -version` in your shell. Here's something similar to what you might see:
12
-
[source,js]
12
+
[source,java]
13
13
----------------------------------
14
14
> java -version
15
15
java version "1.7.0_45"
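Review bot: the retag to `[source,java]` at line 12 mislabels the block, which is a shell session (a `>` prompt, the `java -version` command, then the runtime's text output), not Java code; a Java highlighter will mark up prose lines such as `java version "1.7.0_45"` as identifiers. Since this same commit tags the tar/cd listing at line 40 as `"sh"`, use `[source,sh]` here as well so the two command blocks are consistent.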
@@ -32,15 +32,15 @@ Once you have verified the existence of Java on your system, we can move on!
32
32
[float]
33
33
==== Logstash in two commands
34
34
First, we're going to download the 'logstash' binary and run it with a very simple configuration.
Now you should have the file named 'logstash-%VERSION%.tar.gz' on your local filesystem. Let's unpack it:
40
-
[source,js]
39
+
Now you should have the file named 'logstash-{logstash_version}.tar.gz' on your local filesystem. Let's unpack it:
40
+
["source","sh",subs="attributes,callouts"]
41
41
----------------------------------
42
-
tar zxvf logstash-%VERSION%.tar.gz
43
-
cd logstash-%VERSION%
42
+
tar zxvf logstash-{logstash_version}.tar.gz
43
+
cd logstash-{logstash_version}
44
44
----------------------------------
45
45
Now let's run it:
46
46
[source,js]
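Review bot: the `subs="attributes,callouts"` on line 40 is what makes `{logstash_version}` resolve inside a listing block (attributes are not substituted in listings by default), so that part is right, though `callouts` is unused in this block and can be dropped. The inconsistency is at line 46: "Now let's run it:" still introduces a `[source,js]` block although what follows is a `bin/logstash` shell command exactly like the `tar zxvf` block just above it, so retag it `sh` too. While touching the unpack step, it is worth a sentence telling the reader to check the release checksum of `logstash-{logstash_version}.tar.gz` before running `tar zxvf` on it, since the tutorial otherwise executes whatever was downloaded.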
@@ -55,16 +55,16 @@ hello world
55
55
2013-11-21T01:22:14.405+0000 0.0.0.0 hello world
56
56
----------------------------------
57
57
58
-
OK, that's interesting... We ran Logstash with an input called "stdin", and an output named "stdout", and Logstash basically echoed back whatever we typed in some sort of structured format. Note that specifying the *-e* command line flag allows Logstash to accept a configuration directly from the command line. This is especially useful for quickly testing configurations without having to edit a file between iterations.
58
+
OK, that's interesting... We ran Logstash with an input called `stdin`, and an output named `stdout`, and Logstash basically echoed back whatever we typed in some sort of structured format. Note that specifying the `-e` command line flag allows Logstash to accept a configuration directly from the command line. This is especially useful for quickly testing configurations without having to edit a file between iterations.
59
59
60
-
Let's try a slightly fancier example. First, you should exit Logstash by issuing a 'CTRL-C' command in the shell in which it is running. Now run Logstash again with the following command:
61
-
[source,js]
60
+
Let's try a slightly fancier example. First, you should exit Logstash by issuing a `CTRL-C` command in the shell in which it is running. Now run Logstash again with the following command:
And then try another test input, typing the text "goodnight moon":
67
-
[source,js]
67
+
[source,ruby]
68
68
----------------------------------
69
69
goodnight moon
70
70
{
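Review bot: the `[source,ruby]` tag at line 67 is reasonable for the rubydebug hash that follows (it is Ruby hash syntax), but the block opens with the typed input line `goodnight moon`, which will now be highlighted as Ruby and reads as if it were part of the output. Either split the typed input into its own short `sh`/plain block or add a callout marking that first line as what the user typed; the prose on line 66 already explains it, so a one-line split is enough.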
@@ -75,21 +75,21 @@ goodnight moon
75
75
}
76
76
----------------------------------
77
77
78
-
So, by re-configuring the "stdout" output (adding a "codec"), we can change the output of Logstash. By adding inputs, outputs and filters to your configuration, it's possible to massage the log data in many ways, in order to maximize flexibility of the stored data when you are querying it.
78
+
So, by re-configuring the `stdout` output (adding a "codec"), we can change the output of Logstash. By adding inputs, outputs and filters to your configuration, it's possible to massage the log data in many ways, in order to maximize flexibility of the stored data when you are querying it.
79
79
80
80
[float]
81
81
=== Storing logs with Elasticsearch
82
82
Now, you're probably saying, "that's all fine and dandy, but typing all my logs into Logstash isn't really an option, and merely seeing them spit to STDOUT isn't very useful." Good point. First, let's set up Elasticsearch to store the messages we send into Logstash. If you don't have Elasticearch already installed, you can http://www.elasticsearch.org/download/[download the RPM or DEB package], or install manually by downloading the current release tarball, by issuing the following four commands:
tar zxvf elasticsearch-{elasticsearch_version}.tar.gz
88
+
cd elasticsearch-{elasticsearch_version}/
89
89
./bin/elasticsearch
90
90
----------------------------------
91
91
92
-
NOTE: This tutorial is running Logstash %VERSION% with Elasticsearch %ELASTICSEARCH_VERSION%, although you can use it with a cluster running 1.0.0 or later. Each release of Logstash has a *recommended* version of Elasticsearch to pair with. Make sure they match based on the http://www.elasticsearch.org/overview/logstash[Logstash version] you're running!
92
+
NOTE: This tutorial is running running Logstash {logstash_version} with Elasticsearch {elasticsearch_version}, although you can use it with a cluster running 1.0.0 or later. Each release of Logstash has a *recommended* version of Elasticsearch to pair with. Make sure they match based on the http://www.elasticsearch.org/overview/logstash[Logstash version] you're running!
93
93
94
94
More detailed information on installing and configuring Elasticsearch can be found on http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/index.html[The Elasticsearch reference pages]. However, for the purposes of Getting Started with Logstash, the default installation and configuration of Elasticsearch should be sufficient.
95
95
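Review bot: the added line 92 introduces a duplicated word, "This tutorial is running running Logstash {logstash_version}"; drop one "running" before merging. Two smaller points in the same hunk: line 78 now monospaces `stdout` but leaves "codec" in double quotes, and `codec` is a configuration keyword so it should get backticks for the same reason; and the listing at lines 87-89 now relies on `{elasticsearch_version}` being substituted inside a listing block, so confirm its block header (not shown in this hunk) carries `subs="attributes"` as the tar block at line 40 does, otherwise readers will see the literal `{elasticsearch_version}`. The unchanged context at line 82 also spells "Elasticearch"; fix it while here.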
@@ -163,7 +163,7 @@ Typing a phrase will now echo back to your terminal, as well as save in Elastics
163
163
164
164
[float]
165
165
==== Default - Daily Indices
166
-
You might notice that Logstash was smart enough to create a new index in Elasticsearch... The default index name is in the form of 'logstash-YYYY.MM.DD', which essentially creates one index per day. At midnight (UTC), Logstash will automagically rotate the index to a fresh new one, with the new current day's timestamp. This allows you to keep windows of data, based on how far retroactively you'd like to query your log data. Of course, you can always archive (or re-index) your data to an alternate location, where you are able to query further into the past. If you'd like to simply delete old indices after a certain time period, you can use the https://github.com/elasticsearch/curator[Elasticsearch Curator tool].
166
+
You might notice that Logstash was smart enough to create a new index in Elasticsearch... The default index name is in the form of `logstash-YYYY.MM.DD`, which essentially creates one index per day. At midnight (UTC), Logstash will automagically rotate the index to a fresh new one, with the new current day's timestamp. This allows you to keep windows of data, based on how far retroactively you'd like to query your log data. Of course, you can always archive (or re-index) your data to an alternate location, where you are able to query further into the past. If you'd like to simply delete old indices after a certain time period, you can use the https://github.com/elasticsearch/curator[Elasticsearch Curator tool].
167
167
168
168
[float]
169
169
=== Moving On
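Review bot: line 166 only swaps quote style, but the sentence it touches is worth tightening at the same time: "At midnight (UTC), Logstash will automagically rotate the index to a fresh new one" describes a timer-driven rotation, whereas the same sentence says the index name carries the day's date, so it reads more accurately as the index name being derived from the event's date (in UTC). The `logstash-YYYY.MM.DD` pattern is also written in a descriptive form rather than as the literal pattern the output uses; showing the actual default pattern would let readers copy it.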
@@ -177,7 +177,7 @@ Inputs, Outputs, Codecs and Filters are at the heart of the Logstash configurati
177
177
===== Inputs
178
178
Inputs are the mechanism for passing log data to Logstash. Some of the more useful, commonly-used ones are:
179
179
180
-
* *file*: reads from a file on the filesystem, much like the UNIX command "tail -0a"
180
+
* *file*: reads from a file on the filesystem, much like the UNIX command `tail -0a`
181
181
* *syslog*: listens on the well-known port 514 for syslog messages and parses according to RFC3164 format
182
182
* *redis*: reads from a redis server, using both redis channels and also redis lists. Redis is often used as a "broker" in a centralized Logstash installation, which queues Logstash events from remote Logstash "shippers".
183
183
* *lumberjack*: processes events sent in the lumberjack protocol. Now called https://github.com/elasticsearch/logstash-forwarder[logstash-forwarder].
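Review bot: line 180 is touched only for quoting, but the command it quotes, `tail -0a`, is not a valid invocation: neither GNU nor BSD `tail` has an `-a` option, and the intended comparison is `tail -0f` (equivalently `tail -n 0 -f`, follow a file from its current end). Correct the flag while the line is being edited. On the unchanged line 181, the *syslog* input is described as listening on port 514; since that is a privileged port, a short note that Logstash must run with the right to bind it (or be pointed at a high port) would save readers a confusing bind failure.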
@@ -201,7 +201,7 @@ Outputs are the final phase of the Logstash pipeline. An event may pass through
201
201
* *statsd*: a service which "listens for statistics, like counters and timers, sent over UDP and sends aggregates to one or more pluggable backend services". If you're already using statsd, this could be useful for you!
202
202
[float]
203
203
===== Codecs
204
-
Codecs are basically stream filters which can operate as part of an input, or an output. Codecs allow you to easily separate the transport of your messages from the serialization process. Popular codecs include 'json', 'msgpack' and 'plain' (text).
204
+
Codecs are basically stream filters which can operate as part of an input, or an output. Codecs allow you to easily separate the transport of your messages from the serialization process. Popular codecs include `json`, `msgpack` and `plain` (text).
205
205
206
206
* *json*: encode / decode data in JSON format
207
207
* *multiline*: Takes multiple-line text events and merge them into a single event, e.g. java exception and stacktrace messages
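Review bot: the backtick change at line 204 is fine; the unchanged *multiline* bullet at line 207 has a subject-verb mismatch ("Takes multiple-line text events and merge them"), which should read "merges them", and the lowercase/uppercase start of the bullets (`encode / decode` vs `Takes`) is inconsistent with the inputs list above, so pick one style for all codec bullets.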
@@ -216,7 +216,7 @@ For the complete list of (current) configurations, visit the Logstash <<plugin_c
216
216
217
217
Specifying configurations on the command line using '-e' is only so helpful, and more advanced setups will require more lengthy, long-lived configurations. First, let's create a simple configuration file, and invoke Logstash using it. Create a file named "logstash-simple.conf" and save it in the same directory as Logstash.
218
218
219
-
[source,js]
219
+
[source,ruby]
220
220
----------------------------------
221
221
input { stdin { } }
222
222
output {
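Review bot: the retag to `[source,ruby]` at line 219 is consistent with the other config listings, but the sentence that introduces it at line 217 still writes '-e' in single quotes and "logstash-simple.conf" in double quotes, while this same commit converts `-e` to backticks at line 58; apply the same backtick treatment to both here so the flag and filename render as code throughout.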
@@ -227,7 +227,7 @@ output {
227
227
228
228
Then, run this command:
229
229
230
-
[source,js]
230
+
[source,ruby]
231
231
----------------------------------
232
232
bin/logstash -f logstash-simple.conf
233
233
----------------------------------
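Review bot: `bin/logstash -f logstash-simple.conf` at line 232 is a shell command, not Ruby, so `[source,ruby]` at line 230 is the wrong tag; this commit already uses `"sh"` for the tar/cd listing at line 40, so tag the command blocks `sh` and reserve `ruby` for the configuration and rubydebug listings.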
@@ -238,7 +238,7 @@ Et voilà! Logstash will read in the configuration file you just created and run
238
238
==== Filters
239
239
Filters are an in-line processing mechanism which provide the flexibility to slice and dice your data to fit your needs. Let's see one in action, namely the *grok filter*.
240
240
241
-
[source,js]
241
+
[source,ruby]
242
242
----------------------------------
243
243
input { stdin { } }
244
244
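Review bot: the config listing retagged at line 241 is never given a filename, but the next section (line 263) runs `bin/logstash -f logstash-filter.conf`; the sentence at line 239 should tell the reader to save this configuration as `logstash-filter.conf`, matching how line 217 names `logstash-simple.conf` before its run command.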
@@ -258,20 +258,20 @@ output {
258
258
----------------------------------
259
259
Run Logstash with this configuration:
260
260
261
-
[source,js]
261
+
[source,ruby]
262
262
----------------------------------
263
263
bin/logstash -f logstash-filter.conf
264
264
----------------------------------
265
265
266
266
Now paste this line into the terminal (so it will be processed by the stdin input):
267
-
[source,js]
267
+
[source,ruby]
268
268
----------------------------------
269
269
127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] "GET /xampp/status.php HTTP/1.1" 200 3891 "http://cadenza/xampp/navi.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0"
270
270
----------------------------------
271
271
272
272
You should see something returned to STDOUT which looks like this:
273
273
274
-
[source,js]
274
+
[source,ruby]
275
275
----------------------------------
276
276
{
277
277
"message" => "127.0.0.1 - - [11/Dec/2013:00:01:45 -0800] \"GET /xampp/status.php HTTP/1.1\" 200 3891 \"http://cadenza/xampp/navi.php\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\"",
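Review bot: of the three blocks retagged `ruby` in this hunk, only the rubydebug output at line 274 is Ruby-like syntax; the `bin/logstash -f logstash-filter.conf` command at line 261 is shell, and the Apache combined log line at line 267 is raw text that will be mis-highlighted (the quoted user agent and bracketed timestamp are not Ruby tokens). Use `sh` for the command and a plain `text` source (or a literal block) for the log sample so copy-pasting readers see it unmodified.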
@@ -369,7 +369,7 @@ Also, you might have noticed that Logstash did not reprocess the events which we
369
369
==== Conditionals
370
370
Now we can build on the previous example, where we introduced the concept of a *conditional*. A conditional should be familiar to most Logstash users, in the general sense. You may use 'if', 'else if' and 'else' statements, as in many other programming languages. Let's label each event according to which file it appeared in (access_log, error_log and other random files which end with "log").
371
371
372
-
[source,js]
372
+
[source,ruby]
373
373
----------------------------------
374
374
input {
375
375
file {
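Review bot: line 370 still writes 'if', 'else if' and 'else' in single quotes while line 372 retags the listing; since these are configuration-language keywords, monospace them with backticks as the rest of this commit does for `stdin`, `stdout` and `-e`.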
@@ -407,7 +407,7 @@ OK, now we can move on to another incredibly useful example: *syslog*. Syslog is
407
407
408
408
First, let's make a simple configuration file for Logstash + syslog, called 'logstash-syslog.conf'.
409
409
410
-
[source,js]
410
+
[source,ruby]
411
411
----------------------------------
412
412
input {
413
413
tcp {
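Review bot: same quoting inconsistency as earlier hunks: line 408 keeps 'logstash-syslog.conf' in single quotes next to the retagged listing at line 410; use backticks for the filename so it renders as code like the other filenames touched in this commit.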
@@ -441,21 +441,21 @@ output {
441
441
----------------------------------
442
442
Run it as normal:
443
443
444
-
[source,js]
444
+
[source,ruby]
445
445
----------------------------------
446
446
bin/logstash -f logstash-syslog.conf
447
447
----------------------------------
448
448
449
449
Normally, a client machine would connect to the Logstash instance on port 5000 and send its message. In this simplified case, we're simply going to telnet to Logstash and enter a log line (similar to how we entered log lines into STDIN earlier). First, open another shell window to interact with the Logstash syslog input and type the following command:
450
450
451
-
[source,js]
451
+
[source,ruby]
452
452
----------------------------------
453
453
telnet localhost 5000
454
454
----------------------------------
455
455
456
456
You can copy and paste the following lines as samples (feel free to try some of your own, but keep in mind they might not parse if the grok filter is not correct for your data):
457
457
458
-
[source,js]
458
+
[source,ruby]
459
459
----------------------------------
460
460
Dec 23 12:11:43 louis postfix/smtpd[31499]: connect from unknown[95.75.93.154]
461
461
Dec 23 14:42:56 louis named[16000]: client 199.48.164.7#64817: query (cache) 'amsterdamboothuren.com/MX/IN' denied
@@ -465,7 +465,7 @@ Dec 22 18:28:06 louis rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-
465
465
466
466
Now you should see the output of Logstash in your original shell as it processes and parses messages!
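Review bot: the three `[source,ruby]` retags at lines 444, 451 and 458 all label non-Ruby content: `bin/logstash -f logstash-syslog.conf` and `telnet localhost 5000` are shell commands and the lines from 460 onward are raw syslog samples, so `sh` and a plain `text` block fit. The samples at lines 460-461 also embed what look like real public addresses and a real-looking domain (`95.75.93.154`, `199.48.164.7`, `amsterdamboothuren.com`); documentation samples should use the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and `example.com` so readers do not paste third-party hosts into their own pipelines. Finally, line 449 says a client "would connect to the Logstash instance on port 5000": since this input accepts unauthenticated TCP from anyone who can reach the port, a sentence noting that the tutorial only talks to it over `localhost` and that a real deployment needs to restrict who can reach the listener would be a useful caveat.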
@@ -488,7 +488,3 @@ Now you should see the output of Logstash in your original shell as it processes
488
488
----------------------------------
489
489
490
490
Congratulations! You're well on your way to being a real Logstash power user. You should be comfortable configuring, running and sending events to Logstash, but there's much more to explore.
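Review bot: the header `@@ -488,7 +488,3 @@` shows four lines removed after the closing paragraph, but they are not shown here, and with them gone the document now ends on "there's much more to explore" without any pointer to where; if the dropped lines were the links to further documentation, either keep one of them or replace the sentence with a reference to the plugin configuration section (`<<plugin_c...>>`) that line 216 already cross-references.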