SlideShare a Scribd company logo

From zero to hero - Easy log centralization with Logstash and Elasticsearch

Rafał Kuć
Rafał Kuć

Presentation I gave during DevOps Days Warsaw 2014 about combining Elasticsearch, Logstash and Kibana together or use our Logsene solution instead of Elasticsearch.

1 of 73
Download to read offline
From Zero to Hero Rafał Kuć – Sematext Group, Inc. @kucrafal @sematext sematext.com Easy log centralization with Logstash & Elasticsearch
About me… Sematext consultant & engineer Solr.pl co-founder Father and husband 
The problem
The problem Log Log Log Log Log Log Log Log Log
Let’s find something http://www.likesbooks.com/aarafterhours/?p=750
The solution Log Log Log Log Log Log Log Log
Available tools
Available tools …
But why search? Easy to find related data
But why search? Easy to find related data Fast and accurate
But why search? Easy to find related data Fast and accurate Real time data insight and analysis
Why Elasticsearch? Reasonable defaults Distributed by design http://www.dailypets.co.uk/2007/06/17/kittens-rest-at-half-time/
Installation $ wget --no-check-certificate https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.tar.gz
Installation $ wget --no-check-certificate https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.tar.gz $ tar –xvf elasticsearch-1.3.2.tar.gz $ elasticsearch-1.3.2/bin/elasticsearch
Installation $ wget --no-check-certificate https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.tar.gz $ tar –xvf elasticsearch-1.3.2.tar.gz $ elasticsearch-1.3.2/bin/elasticsearch
Scalable
Scalable
Scalable
Configuration - stability
Configuration - stability
Configuration - stability
Configuration - stability minimum_master_nodes = N/2 + 1
Configuration - stability Master only Master only Master only Data only Data only Data only Data only Data only Data only Client only Client only minimum_master_nodes = N/2 + 1
Thread pools
Thread pools Use fixed Set size Set queue
Thread pools threadpool.search.type threadpool.search.size threadpool.search.queue_size threadpool.index.type threadpool.index.size threadpool.index.queue_size threadpool.bulk.type threadpool.bulk.size threadpool.bulk.queue_size Use fixed Set size Set queue
Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead 40% Xmx 1
Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead 60% Xmx 1.03 40% Xmx 1
Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead indices.breaker.total.limit 70% Xmx 60% Xmx 1.03 40% Xmx 1
Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead indices.breaker.total.limit indices.fielddata.cache.size unbounded 70% Xmx 60% Xmx 1.03 40% Xmx 1
Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead indices.breaker.total.limit indices.fielddata.cache.size indices.cache.filter.size unbounded 10% 70% Xmx 60% Xmx 1.03 40% Xmx 1
Configuration - indexing Log
Configuration - indexing Log
Configuration - indexing Log Log Log Log Log Log Log Log Log Use Bulk! Or UDP Bulk!
Configuration - indexing Log Log Log Log Log Log Log Log Log index.translog.flush_threshold_ops index.translog.flush_threshold_size unlimited 200mb Use Bulk! Or UDP Bulk!
Refresh when needed 1s refresh -> 2K logs/sec http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/
Refresh when needed 1s refresh -> 2K logs/sec http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/ 5s refresh -> 2.5K logs/sec
Refresh when needed 1s refresh -> 2K logs/sec http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/ 5s refresh -> 2.5K logs/sec 30s refresh -> 3.4K logs/sec
Data volume under control 2014-09-24
Data volume under control 2014-09-24 TODAY
Data volume under control 2014-09-24 TODAY WEEK
Data volume under control 2014-09-24 2014-09-25 TODAY WEEK
Data volume under control 2014-09-24 2014-09-25 2014-09-26 TODAY WEEK
Monitoring
Monitoring
Monitoring
SPM http://sematext.com/spm/
SPM http://sematext.com/spm/
SPM http://sematext.com/spm/
SPM http://sematext.com/spm/
Here comes Logstash Unstructured
Here comes Logstash Unstructured
Here comes Logstash Unstructured Documents
Processing example 127.0.0.1 - - [05/Feb/2014:17:11:55 +0000] "GET /css/main.css HTTP/1.1" 200 140 "http://www.onet.pl" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
Processing example 127.0.0.1 - - [05/Feb/2014:17:11:55 +0000] "GET /css/main.css HTTP/1.1" 200 140 "http://www.onet.pl" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
Processing example 127.0.0.1 - - [05/Feb/2014:17:11:55 +0000] "GET /css/main.css HTTP/1.1" 200 140 "http://www.onet.pl" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" { "host" : "127.0.0.1", "@timestamp" : "2014-02-05T17:11:55+0000", ... "verb" : "GET" }
How does it look?
Of course you can scale
Logstash input input { file { path => "/var/log/apache/apache.log" type => "access_apache_log" start_position => "beginning" } }
Grok filter { if [type] == "access_apache_log" { grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } } }
Logstash output output { elasticsearch { host => "localhost" port => 9200 index => "logs_%{+YYYY.MM.dd}" protocol => "http" manage_template => true } }
Sample Logstash-forwarder config { "network": { "servers": [ "localhost:5043" ], "timeout": 15 }, "files": [ { "paths": [ "/var/log/apache/apache*.log" ], "fields": { "type": "access_apache_log" } } ] }
Sample Logstash-forwarder config { "network": { "servers": [ "localhost:5043" ], "timeout": 15 }, "files": [ { "paths": [ "/var/log/apache/apache*.log" ], "fields": { "type": "access_apache_log" } } ] } Logstash side: input { lumberjack { port => 5043 type => "access_apache_log" } }
Let’s try it $ bin/logstash –f logstash-filter.conf
Let’s try it $ bin/logstash –f logstash-filter.conf $ curl 'localhost:9200/logs_2014-09-26/_search?pretty'
Let’s try it $ bin/logstash –f logstash-filter.conf $ curl 'localhost:9200/logs_2014-09-26/_search?pretty' { "took" : 3, "timed_out" : false, "_shards" : { "total" : 5, "successful" : 5, "failed" : 0 }, "hits" : { "total" : 3, "max_score" : 1.0, "hits" : [ { "_index" : "logs", "_type" : "access_apache_log", "_id" : "SI0BZw8BQ0uQNPtk9zfoOQ", "_score" : 1.0, "_source":{"message":"71.141.244.242 - kurt [18/May/2011:01:48:10 -0700] "GET /admin HTTP/1.1" 301 566 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"","@version":"1","@timestamp":"2014-09-11T10:21:04.403Z","type":"access_apache_log","host":"developer-vb","path":"/home/gro/devops/apache3.log","clientip":"71.141.244.242","ident":"- ","auth":"kurt","timestamp":"18/May/2011:01:48:10 -0700","verb":"GET","request":"/admin","httpversion":"1.1","response":"301","bytes":"566","referrer":""-"","agent":""Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3""} }, { "_index" : "logs", "_type" : "access_apache_log", "_id" : "zyOc53uwQkegOQr-a3hwIQ", "_score" : 1.0, "_source":{"message":"98.83.179.51 - - [18/May/2011:19:35:08 -0700] "GET /css/main.css HTTP/1.1" 200 1837 "http://www.safesand.com/information.htm" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"","@version":"1","@timestamp":"2014-09-11T10:21:04.405Z","type":"access_apache_log","host":"developer- vb","path":"/home/gro/devops/apache3.log","clientip":"98.83.179.51","ident":"-","auth":"-","timestamp":"18/May/2011:19:35:08 - 0700","verb":"GET","request":"/css/main.css","httpversion":"1.1","response":"200","bytes":"1837","referrer":""http://www.safesand.com/information.htm"","agent":""Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1""} }, { "_index" : "logs", "_type" : "access_apache_log", "_id" : "evP0I--3TWOlDsQzalQtAw", "_score" : 1.0, "_source":{"message":"134.39.72.245 - - [18/May/2011:12:40:18 -0700] "GET /favicon.ico HTTP/1.1" 200 1189 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)"","@version":"1","@timestamp":"2014-09-11T10:21:04.404Z","type":"access_apache_log","host":"developer- vb","path":"/home/gro/devops/apache3.log","clientip":"134.39.72.245","ident":"-","auth":"-","timestamp":"18/May/2011:12:40:18 - 0700","verb":"GET","request":"/favicon.ico","httpversion":"1.1","response":"200","bytes":"1189","referrer":""-"","agent":""Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)""} } ] } }
Here comes Kibana
Looking for SaaS – Go Logsene http://sematext.com/logsene
Looking for SaaS – Go Logsene http://sematext.com/logsene
Logstash + Logsene in action output { elasticsearch { host => "logsene-receiver.sematext.com" port => 80 index => "YOUR_TOKEN" protocol => "http" manage_template => false } } http://sematext.com/logsene
Short summary http://www.soothetube.com/2013/12/29/thats-all-folks/
We Are Hiring ! Dig Search ? Dig Analytics ? Dig Big Data ? Dig Performance ? Dig Logging ? Dig working with and in open – source ? We’re hiring world – wide ! http://sematext.com/about/jobs.html
Rafał Kuć @kucrafal rafal.kuc@sematext.com Sematext @sematext http://sematext.com http://blog.sematext.com Thank You !

Recommended

Battle of the Giants round 2
Battle of the Giants round 2Battle of the Giants round 2
Battle of the Giants round 2
Rafał Kuć
 
Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)
Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)
Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)Sematext Group, Inc.
 
Elasticsearch - Devoxx France 2012 - English version
Elasticsearch - Devoxx France 2012 - English versionElasticsearch - Devoxx France 2012 - English version
Elasticsearch - Devoxx France 2012 - English version
David Pilato
 
Scaling massive elastic search clusters - Rafał Kuć - Sematext
Scaling massive elastic search clusters - Rafał Kuć - SematextScaling massive elastic search clusters - Rafał Kuć - Sematext
Scaling massive elastic search clusters - Rafał Kuć - Sematext
Rafał Kuć
 
Solr vs ElasticSearch
Solr vs ElasticSearchSolr vs ElasticSearch
Solr vs ElasticSearch
Dikshant Shahi
 
Battle of the giants: Apache Solr vs ElasticSearch
Battle of the giants: Apache Solr vs ElasticSearchBattle of the giants: Apache Solr vs ElasticSearch
Battle of the giants: Apache Solr vs ElasticSearch
Rafał Kuć
 
Solr vs. Elasticsearch - Case by Case
Solr vs. Elasticsearch - Case by CaseSolr vs. Elasticsearch - Case by Case
Solr vs. Elasticsearch - Case by Case
Alexandre Rafalovitch
 
Building a CRM on top of ElasticSearch
Building a CRM on top of ElasticSearchBuilding a CRM on top of ElasticSearch
Building a CRM on top of ElasticSearch
Mark Greene
 

Recommended

Battle of the Giants round 2
Battle of the Giants round 2Battle of the Giants round 2
Battle of the Giants round 2
Rafał Kuć
 
Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)
Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)
Battle of the Giants - Apache Solr vs. Elasticsearch (ApacheCon)Sematext Group, Inc.
 
Elasticsearch - Devoxx France 2012 - English version
Elasticsearch - Devoxx France 2012 - English versionElasticsearch - Devoxx France 2012 - English version
Elasticsearch - Devoxx France 2012 - English version
David Pilato
 
Scaling massive elastic search clusters - Rafał Kuć - Sematext
Scaling massive elastic search clusters - Rafał Kuć - SematextScaling massive elastic search clusters - Rafał Kuć - Sematext
Scaling massive elastic search clusters - Rafał Kuć - Sematext
Rafał Kuć
 
Solr vs ElasticSearch
Solr vs ElasticSearchSolr vs ElasticSearch
Solr vs ElasticSearch
Dikshant Shahi
 
Battle of the giants: Apache Solr vs ElasticSearch
Battle of the giants: Apache Solr vs ElasticSearchBattle of the giants: Apache Solr vs ElasticSearch
Battle of the giants: Apache Solr vs ElasticSearch
Rafał Kuć
 
Solr vs. Elasticsearch - Case by Case
Solr vs. Elasticsearch - Case by CaseSolr vs. Elasticsearch - Case by Case
Solr vs. Elasticsearch - Case by Case
Alexandre Rafalovitch
 
Building a CRM on top of ElasticSearch
Building a CRM on top of ElasticSearchBuilding a CRM on top of ElasticSearch
Building a CRM on top of ElasticSearch
Mark Greene
 
Scaling Massive Elasticsearch Clusters
Scaling Massive Elasticsearch ClustersScaling Massive Elasticsearch Clusters
Scaling Massive Elasticsearch ClustersSematext Group, Inc.
 
Solr and Elasticsearch, a performance study
Solr and Elasticsearch, a performance studySolr and Elasticsearch, a performance study
Solr and Elasticsearch, a performance study
Charlie Hull
 
Workshop: Learning Elasticsearch
Workshop: Learning ElasticsearchWorkshop: Learning Elasticsearch
Workshop: Learning Elasticsearch
Anurag Patel
 
Elasticsearch - Dynamic Nodes
Elasticsearch - Dynamic NodesElasticsearch - Dynamic Nodes
Elasticsearch - Dynamic Nodes
Scott Davis
 
ElasticSearch for .NET Developers
ElasticSearch for .NET DevelopersElasticSearch for .NET Developers
ElasticSearch for .NET Developers
Ben van Mol
 
ElasticSearch AJUG 2013
ElasticSearch AJUG 2013ElasticSearch AJUG 2013
ElasticSearch AJUG 2013
Roy Russo
 
ElasticSearch in action
ElasticSearch in actionElasticSearch in action
ElasticSearch in action
Codemotion
 
Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2
Sematext Group, Inc.
 
[2D1]Elasticsearch 성능 최적화
[2D1]Elasticsearch 성능 최적화[2D1]Elasticsearch 성능 최적화
[2D1]Elasticsearch 성능 최적화
NAVER D2
 
Your Data, Your Search, ElasticSearch (EURUKO 2011)
Your Data, Your Search, ElasticSearch (EURUKO 2011)Your Data, Your Search, ElasticSearch (EURUKO 2011)
Your Data, Your Search, ElasticSearch (EURUKO 2011)
Karel Minarik
 
Query DSL In Elasticsearch
Query DSL In ElasticsearchQuery DSL In Elasticsearch
Query DSL In Elasticsearch
Knoldus Inc.
 
Solr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for YouSolr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for You
Sematext Group, Inc.
 
Introduction to Apache Solr
Introduction to Apache SolrIntroduction to Apache Solr
Introduction to Apache Solr
Christos Manios
 
High Performance Solr
High Performance SolrHigh Performance Solr
High Performance Solr
Shalin Shekhar Mangar
 
Apache Solr/Lucene Internals by Anatoliy Sokolenko
Apache Solr/Lucene Internals by Anatoliy SokolenkoApache Solr/Lucene Internals by Anatoliy Sokolenko
Apache Solr/Lucene Internals by Anatoliy Sokolenko
Provectus
 
Side by Side with Elasticsearch and Solr
Side by Side with Elasticsearch and SolrSide by Side with Elasticsearch and Solr
Side by Side with Elasticsearch and Solr
Sematext Group, Inc.
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to Elasticsearch
Ruslan Zavacky
 
Elasticsearch Basics
Elasticsearch BasicsElasticsearch Basics
Elasticsearch Basics
Shifa Khan
 
Lucene Introduction
Lucene IntroductionLucene Introduction
Lucene Introduction
otisg
 
Tuning Elasticsearch Indexing Pipeline for Logs
Tuning Elasticsearch Indexing Pipeline for LogsTuning Elasticsearch Indexing Pipeline for Logs
Tuning Elasticsearch Indexing Pipeline for Logs
Sematext Group, Inc.
 
Administering and Monitoring SolrCloud Clusters
Administering and Monitoring SolrCloud ClustersAdministering and Monitoring SolrCloud Clusters
Administering and Monitoring SolrCloud Clusters
Rafał Kuć
 
Solr Anti - patterns
Solr Anti - patternsSolr Anti - patterns
Solr Anti - patterns
Rafał Kuć
 

More Related Content

What's hot

Scaling Massive Elasticsearch Clusters
Scaling Massive Elasticsearch ClustersScaling Massive Elasticsearch Clusters
Scaling Massive Elasticsearch ClustersSematext Group, Inc.
 
Solr and Elasticsearch, a performance study
Solr and Elasticsearch, a performance studySolr and Elasticsearch, a performance study
Solr and Elasticsearch, a performance study
Charlie Hull
 
Workshop: Learning Elasticsearch
Workshop: Learning ElasticsearchWorkshop: Learning Elasticsearch
Workshop: Learning Elasticsearch
Anurag Patel
 
Elasticsearch - Dynamic Nodes
Elasticsearch - Dynamic NodesElasticsearch - Dynamic Nodes
Elasticsearch - Dynamic Nodes
Scott Davis
 
ElasticSearch for .NET Developers
ElasticSearch for .NET DevelopersElasticSearch for .NET Developers
ElasticSearch for .NET Developers
Ben van Mol
 
ElasticSearch AJUG 2013
ElasticSearch AJUG 2013ElasticSearch AJUG 2013
ElasticSearch AJUG 2013
Roy Russo
 
ElasticSearch in action
ElasticSearch in actionElasticSearch in action
ElasticSearch in action
Codemotion
 
Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2
Sematext Group, Inc.
 
[2D1]Elasticsearch 성능 최적화
[2D1]Elasticsearch 성능 최적화[2D1]Elasticsearch 성능 최적화
[2D1]Elasticsearch 성능 최적화
NAVER D2
 
Your Data, Your Search, ElasticSearch (EURUKO 2011)
Your Data, Your Search, ElasticSearch (EURUKO 2011)Your Data, Your Search, ElasticSearch (EURUKO 2011)
Your Data, Your Search, ElasticSearch (EURUKO 2011)
Karel Minarik
 
Query DSL In Elasticsearch
Query DSL In ElasticsearchQuery DSL In Elasticsearch
Query DSL In Elasticsearch
Knoldus Inc.
 
Solr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for YouSolr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for You
Sematext Group, Inc.
 
Introduction to Apache Solr
Introduction to Apache SolrIntroduction to Apache Solr
Introduction to Apache Solr
Christos Manios
 
High Performance Solr
High Performance SolrHigh Performance Solr
High Performance Solr
Shalin Shekhar Mangar
 
Apache Solr/Lucene Internals by Anatoliy Sokolenko
Apache Solr/Lucene Internals by Anatoliy SokolenkoApache Solr/Lucene Internals by Anatoliy Sokolenko
Apache Solr/Lucene Internals by Anatoliy Sokolenko
Provectus
 
Side by Side with Elasticsearch and Solr
Side by Side with Elasticsearch and SolrSide by Side with Elasticsearch and Solr
Side by Side with Elasticsearch and Solr
Sematext Group, Inc.
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to Elasticsearch
Ruslan Zavacky
 
Elasticsearch Basics
Elasticsearch BasicsElasticsearch Basics
Elasticsearch Basics
Shifa Khan
 
Lucene Introduction
Lucene IntroductionLucene Introduction
Lucene Introduction
otisg
 

What's hot (19)

Scaling Massive Elasticsearch Clusters
Scaling Massive Elasticsearch ClustersScaling Massive Elasticsearch Clusters
Scaling Massive Elasticsearch Clusters
 
Solr and Elasticsearch, a performance study
Solr and Elasticsearch, a performance studySolr and Elasticsearch, a performance study
Solr and Elasticsearch, a performance study
 
Workshop: Learning Elasticsearch
Workshop: Learning ElasticsearchWorkshop: Learning Elasticsearch
Workshop: Learning Elasticsearch
 
Elasticsearch - Dynamic Nodes
Elasticsearch - Dynamic NodesElasticsearch - Dynamic Nodes
Elasticsearch - Dynamic Nodes
 
ElasticSearch for .NET Developers
ElasticSearch for .NET DevelopersElasticSearch for .NET Developers
ElasticSearch for .NET Developers
 
ElasticSearch AJUG 2013
ElasticSearch AJUG 2013ElasticSearch AJUG 2013
ElasticSearch AJUG 2013
 
ElasticSearch in action
ElasticSearch in actionElasticSearch in action
ElasticSearch in action
 
Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2
 
[2D1]Elasticsearch 성능 최적화
[2D1]Elasticsearch 성능 최적화[2D1]Elasticsearch 성능 최적화
[2D1]Elasticsearch 성능 최적화
 
Your Data, Your Search, ElasticSearch (EURUKO 2011)
Your Data, Your Search, ElasticSearch (EURUKO 2011)Your Data, Your Search, ElasticSearch (EURUKO 2011)
Your Data, Your Search, ElasticSearch (EURUKO 2011)
 
Query DSL In Elasticsearch
Query DSL In ElasticsearchQuery DSL In Elasticsearch
Query DSL In Elasticsearch
 
Solr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for YouSolr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for You
 
Introduction to Apache Solr
Introduction to Apache SolrIntroduction to Apache Solr
Introduction to Apache Solr
 
High Performance Solr
High Performance SolrHigh Performance Solr
High Performance Solr
 
Apache Solr/Lucene Internals by Anatoliy Sokolenko
Apache Solr/Lucene Internals by Anatoliy SokolenkoApache Solr/Lucene Internals by Anatoliy Sokolenko
Apache Solr/Lucene Internals by Anatoliy Sokolenko
 
Side by Side with Elasticsearch and Solr
Side by Side with Elasticsearch and SolrSide by Side with Elasticsearch and Solr
Side by Side with Elasticsearch and Solr
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to Elasticsearch
 
Elasticsearch Basics
Elasticsearch BasicsElasticsearch Basics
Elasticsearch Basics
 
Lucene Introduction
Lucene IntroductionLucene Introduction
Lucene Introduction
 

Viewers also liked

Tuning Elasticsearch Indexing Pipeline for Logs
Tuning Elasticsearch Indexing Pipeline for LogsTuning Elasticsearch Indexing Pipeline for Logs
Tuning Elasticsearch Indexing Pipeline for Logs
Sematext Group, Inc.
 
Administering and Monitoring SolrCloud Clusters
Administering and Monitoring SolrCloud ClustersAdministering and Monitoring SolrCloud Clusters
Administering and Monitoring SolrCloud Clusters
Rafał Kuć
 
Solr Anti - patterns
Solr Anti - patternsSolr Anti - patterns
Solr Anti - patterns
Rafał Kuć
 
PLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak świat
PLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak światPLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak świat
PLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak świat
PROIDEA
 
Elasticsearch Data Analyses
Elasticsearch Data AnalysesElasticsearch Data Analyses
Elasticsearch Data AnalysesAlaa Elhadba
 
Ansible - Automatyzacja zadań IT
Ansible - Automatyzacja zadań ITAnsible - Automatyzacja zadań IT
Ansible - Automatyzacja zadań IT
Kamil Grabowski
 
Docker up and running
Docker up and runningDocker up and running
Docker up and running
Victor S. Recio
 
How to Run Solr on Docker and Why
How to Run Solr on Docker and WhyHow to Run Solr on Docker and Why
How to Run Solr on Docker and Why
Sematext Group, Inc.
 
Building Resilient Log Aggregation Pipeline with Elasticsearch & Kafka
Building Resilient Log Aggregation Pipeline with Elasticsearch & KafkaBuilding Resilient Log Aggregation Pipeline with Elasticsearch & Kafka
Building Resilient Log Aggregation Pipeline with Elasticsearch & Kafka
Sematext Group, Inc.
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerRunning High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Sematext Group, Inc.
 
Elasticsearch in Zalando
Elasticsearch in ZalandoElasticsearch in Zalando
Elasticsearch in ZalandoAlaa Elhadba
 
2013_Expanded_Employment_Law_Update_New_Developments_and_Trends
2013_Expanded_Employment_Law_Update_New_Developments_and_Trends2013_Expanded_Employment_Law_Update_New_Developments_and_Trends
2013_Expanded_Employment_Law_Update_New_Developments_and_Trends
Parsons Behle & Latimer
 
Communication skills (1)
Communication skills (1)Communication skills (1)
Communication skills (1)
ehab elbaz
 
사진 앨범
사진 앨범사진 앨범
사진 앨범net4you
 
MyRingCard #bigliettodavisitaelettronico
MyRingCard #bigliettodavisitaelettronicoMyRingCard #bigliettodavisitaelettronico
MyRingCard #bigliettodavisitaelettronico
Francesco Pieragostini
 
致明天的我们 20120606
致明天的我们 20120606致明天的我们 20120606
致明天的我们 20120606cash0430
 
To Compete or Not Compete? That is the Legislation
To Compete or Not Compete? That is the LegislationTo Compete or Not Compete? That is the Legislation
To Compete or Not Compete? That is the Legislation
Parsons Behle & Latimer
 
Freelance Workshop Lecture 2
Freelance Workshop Lecture 2Freelance Workshop Lecture 2
Freelance Workshop Lecture 2
Kareem Elzftawy
 

Viewers also liked (20)

Tuning Elasticsearch Indexing Pipeline for Logs
Tuning Elasticsearch Indexing Pipeline for LogsTuning Elasticsearch Indexing Pipeline for Logs
Tuning Elasticsearch Indexing Pipeline for Logs
 
Administering and Monitoring SolrCloud Clusters
Administering and Monitoring SolrCloud ClustersAdministering and Monitoring SolrCloud Clusters
Administering and Monitoring SolrCloud Clusters
 
Solr Anti - patterns
Solr Anti - patternsSolr Anti - patterns
Solr Anti - patterns
 
PLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak świat
PLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak światPLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak świat
PLNOG 18 - Dr Marek Michalewicz - InfiniCortex: Superkomputer wielki jak świat
 
Elasticsearch Data Analyses
Elasticsearch Data AnalysesElasticsearch Data Analyses
Elasticsearch Data Analyses
 
Ansible - Automatyzacja zadań IT
Ansible - Automatyzacja zadań ITAnsible - Automatyzacja zadań IT
Ansible - Automatyzacja zadań IT
 
Docker up and running
Docker up and runningDocker up and running
Docker up and running
 
How to Run Solr on Docker and Why
How to Run Solr on Docker and WhyHow to Run Solr on Docker and Why
How to Run Solr on Docker and Why
 
Building Resilient Log Aggregation Pipeline with Elasticsearch & Kafka
Building Resilient Log Aggregation Pipeline with Elasticsearch & KafkaBuilding Resilient Log Aggregation Pipeline with Elasticsearch & Kafka
Building Resilient Log Aggregation Pipeline with Elasticsearch & Kafka
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerRunning High Performance and Fault Tolerant Elasticsearch Clusters on Docker
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
 
Elasticsearch in Zalando
Elasticsearch in ZalandoElasticsearch in Zalando
Elasticsearch in Zalando
 
2013_Expanded_Employment_Law_Update_New_Developments_and_Trends
2013_Expanded_Employment_Law_Update_New_Developments_and_Trends2013_Expanded_Employment_Law_Update_New_Developments_and_Trends
2013_Expanded_Employment_Law_Update_New_Developments_and_Trends
 
World crimes
World crimesWorld crimes
World crimes
 
Doma natural: Esteban Labari i Lucy Rees
Doma natural: Esteban Labari i Lucy ReesDoma natural: Esteban Labari i Lucy Rees
Doma natural: Esteban Labari i Lucy Rees
 
Communication skills (1)
Communication skills (1)Communication skills (1)
Communication skills (1)
 
사진 앨범
사진 앨범사진 앨범
사진 앨범
 
MyRingCard #bigliettodavisitaelettronico
MyRingCard #bigliettodavisitaelettronicoMyRingCard #bigliettodavisitaelettronico
MyRingCard #bigliettodavisitaelettronico
 
致明天的我们 20120606
致明天的我们 20120606致明天的我们 20120606
致明天的我们 20120606
 
To Compete or Not Compete? That is the Legislation
To Compete or Not Compete? That is the LegislationTo Compete or Not Compete? That is the Legislation
To Compete or Not Compete? That is the Legislation
 
Freelance Workshop Lecture 2
Freelance Workshop Lecture 2Freelance Workshop Lecture 2
Freelance Workshop Lecture 2
 

Similar to From zero to hero - Easy log centralization with Logstash and Elasticsearch

(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Amazon Web Services
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
MksYi
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-Obfuscation
Daniel Bohannon
 
Internet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyInternet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian Thilmany
Christian Thilmany
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariJoseph Scott
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
Andrea Cardinale
 
gofortution
gofortutiongofortution
gofortution
gofortution
 
Composing re-useable ETL on Hadoop
Composing re-useable ETL on HadoopComposing re-useable ETL on Hadoop
Composing re-useable ETL on HadoopPaul Lam
 
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic StackDocker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic Stack
Jakub Hajek
 
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek
PROIDEA
 
Logstash
LogstashLogstash
Logstash
琛琳 饶
 
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
Aman Kohli
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
soft-shake.ch
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and Kibana
Prajal Kulkarni
 
Elk its big log season
Elk its big log seasonElk its big log season
Elk its big log season
Eric Luellen
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / Webgrind
Sam Keen
 
Synapseindia dot net development web applications with ajax
Synapseindia dot net development web applications with ajaxSynapseindia dot net development web applications with ajax
Synapseindia dot net development web applications with ajax
Synapseindiappsdevelopment
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
Grupo Gesfor I+D+i
 

Similar to From zero to hero - Easy log centralization with Logstash and Elasticsearch (20)

(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-Obfuscation
 
Internet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyInternet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian Thilmany
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to Ferrari
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
gofortution
gofortutiongofortution
gofortution
 
Composing re-useable ETL on Hadoop
Composing re-useable ETL on HadoopComposing re-useable ETL on Hadoop
Composing re-useable ETL on Hadoop
 
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic StackDocker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic Stack
 
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek
 
Logstash
LogstashLogstash
Logstash
 
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and Kibana
 
Elk its big log season
Elk its big log seasonElk its big log season
Elk its big log season
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / Webgrind
 
Synapseindia dot net development web applications with ajax
Synapseindia dot net development web applications with ajaxSynapseindia dot net development web applications with ajax
Synapseindia dot net development web applications with ajax
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
The Devil and HTML5
The Devil and HTML5The Devil and HTML5
The Devil and HTML5
 

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 

From zero to hero - Easy log centralization with Logstash and Elasticsearch

  • 1. From Zero to Hero Rafał Kuć – Sematext Group, Inc. @kucrafal @sematext sematext.com Easy log centralization with Logstash & Elasticsearch
  • 2. About me… Sematext consultant & engineer Solr.pl co-founder Father and husband 
  • 4. The problem Log Log Log Log Log Log Log Log Log
  • 5. Let’s find something http://www.likesbooks.com/aarafterhours/?p=750
  • 6. The solution Log Log Log Log Log Log Log Log
  • 9. But why search? Easy to find related data
  • 10. But why search? Easy to find related data Fast and accurate
  • 11. But why search? Easy to find related data Fast and accurate Real time data insight and analysis
  • 12. Why Elasticsearch? Reasonable defaults Distributed by design http://www.dailypets.co.uk/2007/06/17/kittens-rest-at-half-time/
  • 13. Installation $ wget --no-check-certificate https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.tar.gz
  • 14. Installation $ wget --no-check-certificate https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.tar.gz $ tar –xvf elasticsearch-1.3.2.tar.gz $ elasticsearch-1.3.2/bin/elasticsearch
  • 15. Installation $ wget --no-check-certificate https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.tar.gz $ tar –xvf elasticsearch-1.3.2.tar.gz $ elasticsearch-1.3.2/bin/elasticsearch
  • 22. Configuration - stability minimum_master_nodes = N/2 + 1
  • 23. Configuration - stability Master only Master only Master only Data only Data only Data only Data only Data only Data only Client only Client only minimum_master_nodes = N/2 + 1
  • 25. Thread pools Use fixed Set size Set queue
  • 26. Thread pools threadpool.search.type threadpool.search.size threadpool.search.queue_size threadpool.index.type threadpool.index.size threadpool.index.queue_size threadpool.bulk.type threadpool.bulk.size threadpool.bulk.queue_size Use fixed Set size Set queue
  • 27. Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead 40% Xmx 1
  • 28. Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead 60% Xmx 1.03 40% Xmx 1
  • 29. Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead indices.breaker.total.limit 70% Xmx 60% Xmx 1.03 40% Xmx 1
  • 30. Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead indices.breaker.total.limit indices.fielddata.cache.size unbounded 70% Xmx 60% Xmx 1.03 40% Xmx 1
  • 31. Circuit breakers, caches == no OOM indices.breaker.fielddata.limit indices.breaker.fielddata.overhead indices.breaker.request.limit indices.breaker.request.overhead indices.breaker.total.limit indices.fielddata.cache.size indices.cache.filter.size unbounded 10% 70% Xmx 60% Xmx 1.03 40% Xmx 1
  • 34. Configuration - indexing Log Log Log Log Log Log Log Log Log Use Bulk! Or UDP Bulk!
  • 35. Configuration - indexing Log Log Log Log Log Log Log Log Log index.translog.flush_threshold_ops index.translog.flush_threshold_size unlimited 200mb Use Bulk! Or UDP Bulk!
  • 36. Refresh when needed 1s refresh -> 2K logs/sec http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/
  • 37. Refresh when needed 1s refresh -> 2K logs/sec http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/ 5s refresh -> 2.5K logs/sec
  • 38. Refresh when needed 1s refresh -> 2K logs/sec http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/ 5s refresh -> 2.5K logs/sec 30s refresh -> 3.4K logs/sec
  • 39. Data volume under control 2014-09-24
  • 40. Data volume under control 2014-09-24 TODAY
  • 41. Data volume under control 2014-09-24 TODAY WEEK
  • 42. Data volume under control 2014-09-24 2014-09-25 TODAY WEEK
  • 43. Data volume under control 2014-09-24 2014-09-25 2014-09-26 TODAY WEEK
  • 51. Here comes Logstash Unstructured
  • 52. Here comes Logstash Unstructured
  • 53. Here comes Logstash Unstructured Documents
  • 54. Processing example 127.0.0.1 - - [05/Feb/2014:17:11:55 +0000] "GET /css/main.css HTTP/1.1" 200 140 "http://www.onet.pl" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
  • 55. Processing example 127.0.0.1 - - [05/Feb/2014:17:11:55 +0000] "GET /css/main.css HTTP/1.1" 200 140 "http://www.onet.pl" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
  • 56. Processing example 127.0.0.1 - - [05/Feb/2014:17:11:55 +0000] "GET /css/main.css HTTP/1.1" 200 140 "http://www.onet.pl" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" { "host" : "127.0.0.1", "@timestamp" : "2014-02-05T17:11:55+0000", ... "verb" : "GET" }
  • 57. How does it look?
  • 58. Of course you can scale
  • 59. Logstash input input { file { path => "/var/log/apache/apache.log" type => "access_apache_log" start_position => "beginning" } }
  • 60. Grok filter { if [type] == "access_apache_log" { grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } } }
  • 61. Logstash output output { elasticsearch { host => "localhost" port => 9200 index => "logs_%{+YYYY.MM.dd}" protocol => "http" manage_template => true } }
  • 62. Sample Logstash-forwarder config { "network": { "servers": [ "localhost:5043" ], "timeout": 15 }, "files": [ { "paths": [ "/var/log/apache/apache*.log" ], "fields": { "type": "access_apache_log" } } ] }
  • 63. Sample Logstash-forwarder config { "network": { "servers": [ "localhost:5043" ], "timeout": 15 }, "files": [ { "paths": [ "/var/log/apache/apache*.log" ], "fields": { "type": "access_apache_log" } } ] } Logstash side: input { lumberjack { port => 5043 type => "access_apache_log" } }
  • 64. Let’s try it $ bin/logstash –f logstash-filter.conf
  • 65. Let’s try it $ bin/logstash –f logstash-filter.conf $ curl 'localhost:9200/logs_2014-09-26/_search?pretty'
  • 66. Let’s try it $ bin/logstash –f logstash-filter.conf $ curl 'localhost:9200/logs_2014-09-26/_search?pretty' { "took" : 3, "timed_out" : false, "_shards" : { "total" : 5, "successful" : 5, "failed" : 0 }, "hits" : { "total" : 3, "max_score" : 1.0, "hits" : [ { "_index" : "logs", "_type" : "access_apache_log", "_id" : "SI0BZw8BQ0uQNPtk9zfoOQ", "_score" : 1.0, "_source":{"message":"71.141.244.242 - kurt [18/May/2011:01:48:10 -0700] "GET /admin HTTP/1.1" 301 566 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"","@version":"1","@timestamp":"2014-09-11T10:21:04.403Z","type":"access_apache_log","host":"developer-vb","path":"/home/gro/devops/apache3.log","clientip":"71.141.244.242","ident":"- ","auth":"kurt","timestamp":"18/May/2011:01:48:10 -0700","verb":"GET","request":"/admin","httpversion":"1.1","response":"301","bytes":"566","referrer":""-"","agent":""Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3""} }, { "_index" : "logs", "_type" : "access_apache_log", "_id" : "zyOc53uwQkegOQr-a3hwIQ", "_score" : 1.0, "_source":{"message":"98.83.179.51 - - [18/May/2011:19:35:08 -0700] "GET /css/main.css HTTP/1.1" 200 1837 "http://www.safesand.com/information.htm" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"","@version":"1","@timestamp":"2014-09-11T10:21:04.405Z","type":"access_apache_log","host":"developer- vb","path":"/home/gro/devops/apache3.log","clientip":"98.83.179.51","ident":"-","auth":"-","timestamp":"18/May/2011:19:35:08 - 0700","verb":"GET","request":"/css/main.css","httpversion":"1.1","response":"200","bytes":"1837","referrer":""http://www.safesand.com/information.htm"","agent":""Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1""} }, { "_index" : "logs", "_type" : "access_apache_log", "_id" : "evP0I--3TWOlDsQzalQtAw", "_score" : 1.0, "_source":{"message":"134.39.72.245 - - [18/May/2011:12:40:18 -0700] "GET /favicon.ico HTTP/1.1" 200 1189 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)"","@version":"1","@timestamp":"2014-09-11T10:21:04.404Z","type":"access_apache_log","host":"developer- vb","path":"/home/gro/devops/apache3.log","clientip":"134.39.72.245","ident":"-","auth":"-","timestamp":"18/May/2011:12:40:18 - 0700","verb":"GET","request":"/favicon.ico","httpversion":"1.1","response":"200","bytes":"1189","referrer":""-"","agent":""Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)""} } ] } }
  • 68. Looking for SaaS – Go Logsene http://sematext.com/logsene
  • 69. Looking for SaaS – Go Logsene http://sematext.com/logsene
  • 70. Logstash + Logsene in action output { elasticsearch { host => "logsene-receiver.sematext.com" port => 80 index => "YOUR_TOKEN" protocol => "http" manage_template => false } } http://sematext.com/logsene
  • 72. We Are Hiring ! Dig Search ? Dig Analytics ? Dig Big Data ? Dig Performance ? Dig Logging ? Dig working with and in open – source ? We’re hiring world – wide ! http://sematext.com/about/jobs.html
  • 73. Rafał Kuć @kucrafal rafal.kuc@sematext.com Sematext @sematext http://sematext.com http://blog.sematext.com Thank You !