Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup

•

11 likes•6,933 views

Startit

Technology

Logstash + Elasticsearch + Kibana
Centralized Log server
(as Splunk replacement)

Marko Ojleski
DevOps Engineer

Check logs….?!?
10 network devices
40 servers
100 logs

$tail -10000 access_log | awk '{print $1}' | sort | uniq -c | sort -n$

1. collect data
2. parse/filter
3. send data

Logstash

written in JRuby
Author: Jordan Sissel

1. collect data
file

syslog

tcp

udp

zmq

redis

log4j
Logstash input

Log shippers

Logstash
Beaver (Python)
Lumberjack (Go)
Woodchuck (Ruby)
Nxlog (C)

Sample conf

input {
tcp {
type => “server1"
host => "192.168.1.1"
port => "5555"
}

2. parse/filter
grok

csv

grep

geoip

json
mutate

Logstash
filters

xml
key/value

Grok filter

(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2}))(?![0-9])

Grok filter

(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2}))(?![0-9])

IP

$`$=`;$_=%!;($_)=/(.)/;$==++$|;($.,$/,$,,$,$",$;,$^,$#,$~,$*,$:,@%)=( $!=~/(.)(.).(.)(.)(.)(.)..(.)(.)(.)..(.)......(.)/,$"),$=++;$.++;$.++; $_++;$_++;($_,$,$,)=($~.$"."$;$/$%[$?]$_$$,$:$%[$?]",$"&$~,$#,);$,++ ;$,++;$^|=$";`$_$$,$/$:$;$~$*$%[$?]$.$~$*${#}$%[$?]$;$$"$^$~$*.>&$=`$

Grok filter

120+ regex patterns
USERNAME
IP
HOSTNAME
SYSLOGTIMESTAMP
LOGLEVEL
etc…

$Grok filter 2.10.146.54 - 2013-12-01T13:37:57Z - some really boring message %{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message}$

Grok filter

client => 2.10.146.54
time => 2013-12-01T13:37:57Z
message = > some really boring message

$Grok filter input { tcp { type => “server1" host => "192.168.1.1" port => "5555" } filter { if [type] == “server1" { grok { match => { "message" => "%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message} "} } }$

3. send data
Logstash
output
statsd

stdout
tcp

elastic

redis

mongo

zmq

1. RESTful api
2. JSON-oriented
3. Horizontal scale
4. HA
5. Full Text search
6. Based on Lucene

Elasticsearch
Distributed RESTful
search server

$Logstash => elasticsearch input { tcp { type => “server1" host => "192.168.1.1" port => "5555" } filter { if [type] == “server1" { grok { match => { "message" => "%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message} "} } } output { elasticsearch {} }$

1. Clean and simple UI
2. Fully customizable
3. Bootstrap based
4. Old version running on Ruby
5. Milestone 3 fully rewritten in
HTML/Angular.js

Kibana
Awesome Elasticsearch
Web Frontend to
search/graph

Scenario 1
L2 switch

Cisco ASA

L3 switch

UDP

UDP

Elasticsearch

Syslog broker

(lightweight shipper)

UDP

Logstash

(main log server)

Kibana

Scenario 2
Apache

(lightweight shipper)

IIS

TCP

TCP

(lightweight shipper)

Jboss

(lightweight shipper)

Elasticsearch

Logstash

(main log server)

TCP

Kibana

What's hot

elk_stack_alexander_szalonnasAlexander Szalonnas

ELK Elasticsearch Logstash and Kibana Stack for Log ManagementEl Mahdi Benzekri

Elastic - ELK, Logstash & KibanaSpringPeople

Log management with ELKGeert Pante

Scaling an ELK stack at bol.comRenzo Tomà

Logstash-Elasticsearch-Kibanadknx01

'Scalable Logging and Analytics with LogStash'Cloud Elements

Elk stackJilles van Gurp

Logstash: Get to know your logsSmartLogic

ELK introductionWaldemar Neto

Introduction to ELKYuHsuan Chen

How ElasticSearch lives in my DevOps life琛琳饶

Central LogFile Storage. ELK stack Elasticsearch, Logstash and Kibana.Airat Khisamov

LogStash in actionManuj Aggarwal

Logs aggregation and analysisDivante

Logging logs with Logstash - Devops MK 10-02-2016Steve Howe

Elk scilifelabGuillermo Carrasco Hernández

Logstash琛琳饶

Interactive learning analytics dashboards with ELK (Elasticsearch Logstash Ki...Andrii Vozniuk

Elasticsearch, Logstash, Kibana. Cool search, analytics, data mining and more...Oleksiy Panchenko

What's hot (20)

elk_stack_alexander_szalonnas

ELK Elasticsearch Logstash and Kibana Stack for Log Management

Elastic - ELK, Logstash & Kibana

Log management with ELK

Scaling an ELK stack at bol.com

Logstash-Elasticsearch-Kibana

'Scalable Logging and Analytics with LogStash'

Elk stack

Logstash: Get to know your logs

ELK introduction

Introduction to ELK

How ElasticSearch lives in my DevOps life

Central LogFile Storage. ELK stack Elasticsearch, Logstash and Kibana.

LogStash in action

Logs aggregation and analysis

Logging logs with Logstash - Devops MK 10-02-2016

Elk scilifelab

Logstash

Interactive learning analytics dashboards with ELK (Elasticsearch Logstash Ki...

Elasticsearch, Logstash, Kibana. Cool search, analytics, data mining and more...

Similar to Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup

ELK stack at weibo.com琛琳饶

Elk with OpenstackArun prasath

Log AggregationAhmed Gaber

(Fios#02) 2. elk 포렌식 분석INSIGHT FORENSIC

Tuning Elasticsearch Indexing Pipeline for LogsSematext Group, Inc.

ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf Conference

Application Logging in the 21st century - 2014.keyTim Bunce

Logs managementMantas Klasavicius

Introducing redisNuno Caneco

"How about no grep and zabbix?". ELK based alerts and metrics.Vladimir Pavkin

Journée DevOps : Des dashboards pour tous avec ElasticSearch, Logstash et KibanaPublicis Sapient Engineering

Real World ServerlessPetr Zapletal

Using akka streams to access s3 objectsMikhail Girkin

あなたのScalaを爆速にする７つの方法x1 ichi

Infrastructure coders logstashDavid Lutz

37562259 top-consuming-processskumner

Master tuningThomas Kejser

Keeping Spark on Track: Productionizing Spark for ETLDatabricks

"ClojureScript journey: from little script, to CLI program, to AWS Lambda fun...Julia Cherniak

Atmosphere 2014: Centralized log management based on Logstash and Kibana - ca...PROIDEA

Similar to Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup (20)

ELK stack at weibo.com

Elk with Openstack

Log Aggregation

(Fios#02) 2. elk 포렌식 분석

Tuning Elasticsearch Indexing Pipeline for Logs

ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...

Application Logging in the 21st century - 2014.key

Logs management

Introducing redis

"How about no grep and zabbix?". ELK based alerts and metrics.

Journée DevOps : Des dashboards pour tous avec ElasticSearch, Logstash et Kibana

Real World Serverless

Using akka streams to access s3 objects

あなたのScalaを爆速にする７つの方法

Infrastructure coders logstash

37562259 top-consuming-process

Master tuning

Keeping Spark on Track: Productionizing Spark for ETL

"ClojureScript journey: from little script, to CLI program, to AWS Lambda fun...

Atmosphere 2014: Centralized log management based on Logstash and Kibana - ca...

Recently uploaded

Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro

Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar

Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm

Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson

How to write a Business Continuity PlanDatabarracks

DevEX - reference for building teams, processes, and platformsSergiu Bodiu

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos

CloudStudio User manual (basic edition):comworks

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc

What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett

Powerpoint exploring the locations used in television show Time Clashcharlottematthew16

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation

Anypoint Exchange: It’s Not Just a Repo!Manik S Magar

The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech

Commit 2024 - Secret Management made easyAlfredo García Lavilla

Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren

SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal

Recently uploaded (20)

Unraveling Multimodality with Large Language Models.pdf

Unleash Your Potential - Namagunga Girls Coding Club

Streamlining Python Development: A Guide to a Modern Project Setup

Are Multi-Cloud and Serverless Good or Bad?

How to write a Business Continuity Plan

DevEX - reference for building teams, processes, and platforms

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

CloudStudio User manual (basic edition):

DevoxxFR 2024 Reproducible Builds with Apache Maven

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy

What's New in Teams Calling, Meetings and Devices March 2024

Powerpoint exploring the locations used in television show Time Clash

Connect Wave/ connectwave Pitch Deck Presentation

Anypoint Exchange: It’s Not Just a Repo!

The Ultimate Guide to Choosing WordPress Pros and Cons

Commit 2024 - Secret Management made easy

Advanced Test Driven-Development @ php[tek] 2024

SAP Build Work Zone - Overview L2-L3.pptx

Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup

1. Logstash + Elasticsearch + Kibana Centralized Log server (as Splunk replacement) Marko Ojleski DevOps Engineer

2. $plunk

3. Business as usual, untill…

4. #Outage @03:00AM

5. Check logs….?!? 10 network devices 40 servers 100 logs

6. Massive RAGE

7. tail cat grep sed awk sort uniq

8. and looots of |

9. tail -10000 access_log | awk '{print $1}' | sort | uniq -c | sort -n

10. it’s just too much

11. 1. collect data 2. parse/filter 3. send data Logstash written in JRuby Author: Jordan Sissel

12. input parse/filter output

13. 1. collect data 30+ inputs

14. 1. collect data file syslog tcp udp zmq redis log4j Logstash input

15. Log shippers Logstash Beaver (Python) Lumberjack (Go) Woodchuck (Ruby) Nxlog (C)

16. Sample conf input { tcp { type => “server1" host => "192.168.1.1" port => "5555" }

17. 2. parse/filter 40+ filters

18. 2. parse/filter grok csv grep geoip json mutate Logstash filters xml key/value

19. Grok filter REGEX pattern collection

20. Grok filter

21. Grok filter (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2}))(?![0-9])

22. Grok filter (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[09]{1,2}))(?![0-9]) IP

23.

24. `$=`;$_=%!;($_)=/(.)/;$==++$|;($.,$/,$,,$,$",$;,$^,$#,$~,$*,$:,@%)=( $!=~/(.)(.).(.)(.)(.)(.)..(.)(.)(.)..(.)......(.)/,$"),$=++;$.++;$.++; $_++;$_++;($_,$,$,)=($~.$"."$;$/$%[$?]$_$$,$:$%[$?]",$"&$~,$#,);$,++ ;$,++;$^|=$";`$_$$,$/$:$;$~$*$%[$?]$.$~$*${#}$%[$?]$;$$"$^$~$*.>&$=`

25. `$=`;$_=%!;($_)=/(.)/;$==++$|;($.,$/,$,,$,$",$;,$^,$#,$~,$*,$:,@%)=( $!=~/(.)(.).(.)(.)(.)(.)..(.)(.)(.)..(.)......(.)/,$"),$=++;$.++;$.++; $_++;$_++;($_,$,$,)=($~.$"."$;$/$%[$?]$_$$,$:$%[$?]",$"&$~,$#,);$,++ ;$,++;$^|=$";`$_$$,$/$:$;$~$*$%[$?]$.$~$*${#}$%[$?]$;$$"$^$~$*.>&$=` Just another Perl hacker.

26. Grok filter 120+ regex patterns USERNAME IP HOSTNAME SYSLOGTIMESTAMP LOGLEVEL etc…

27. Grok filter 2.10.146.54 - 2013-12-01T13:37:57Z - some really boring message

28. Grok filter 2.10.146.54 - 2013-12-01T13:37:57Z - some really boring message %{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message}

29. Grok filter client => 2.10.146.54 time => 2013-12-01T13:37:57Z message = > some really boring message

30. Grok filter input { tcp { type => “server1" host => "192.168.1.1" port => "5555" } filter { if [type] == “server1" { grok { match => { "message" => "%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message} "} } }

31. 3. send data 50+ outputs

32. 3. send data Logstash output statsd stdout tcp elastic redis mongo zmq

33. 1. RESTful api 2. JSON-oriented 3. Horizontal scale 4. HA 5. Full Text search 6. Based on Lucene Elasticsearch Distributed RESTful search server

34. Logstash => elasticsearch input { tcp { type => “server1" host => "192.168.1.1" port => "5555" } filter { if [type] == “server1" { grok { match => { "message" => "%{IP:client} - %{TIMESTAMP_ISO8601:time} - %{GREEDYDATA:message} "} } } output { elasticsearch {} }

35. 1. Clean and simple UI 2. Fully customizable 3. Bootstrap based 4. Old version running on Ruby 5. Milestone 3 fully rewritten in HTML/Angular.js Kibana Awesome Elasticsearch Web Frontend to search/graph

36. Real Life Scenarios

37. Scenario 1 L2 switch Cisco ASA L3 switch UDP UDP Elasticsearch Syslog broker (lightweight shipper) UDP Logstash (main log server) Kibana

38. Scenario 2 Apache (lightweight shipper) IIS TCP TCP (lightweight shipper) Jboss (lightweight shipper) Elasticsearch Logstash (main log server) TCP Kibana

Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup

Similar to Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup (20)

More from Startit

More from Startit (20)

Recently uploaded

Recently uploaded (20)

Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup