LogStash is a tool for ingesting, processing, and storing data from various sources, most commonly into Elasticsearch. Its functionality is provided by input, filter, and output plugins. Common uses of LogStash include parsing log files, enriching events, and loading data into Elasticsearch for search and analysis. This document provides an overview of LogStash and demonstrates how to install it, configure input and output plugins, and create simple and advanced processing pipelines.
4. Key Features of LogStash
What’s In It for You?
Data ingestion workhorse
Event enrichment and transformation
Extensible plugin ecosystem
Pluggable pipeline architecture
Horizontally scalable data processing pipeline
Strong Elasticsearch and Kibana synergy
Handles data of all shapes and sizes
6. The Pre-requisites
Installation and Configuration
Prerequisites
Requires Java 7 or higher
Installation steps
Download from the elastic.co web site
Use the Linux package manager to install LogStash
Install LogStash as a service
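As a sketch, on a Debian-based system with the Elastic package repository already configured (repository setup steps omitted), the installation might look like this:

sudo apt-get update
sudo apt-get install logstash

The Deb and RPM packages typically install the init script used by the service commands on the next slide.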
10. The Service Commands
Installation and Configuration
Commands to start, stop, restart, or check the status of the service:
sudo /etc/init.d/logstash start
sudo /etc/init.d/logstash stop
sudo /etc/init.d/logstash restart
sudo /etc/init.d/logstash status
11. Simple Pipeline
Installation and Configuration
Verify the LogStash installation with a simple pipeline
The pipeline takes input from the command line and echoes it back to the command line
The pipeline configuration is passed as text on the command line
Takes input from standard input “stdin”
Outputs to standard output “stdout” in a structured format
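For example, a minimal stdin-to-stdout pipeline can be passed inline with the -e argument (run from the LogStash installation directory):

bin/logstash -e 'input { stdin { } } output { stdout { } }'

Anything typed at the prompt is echoed back as a structured event with added fields such as @timestamp and host.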
16. Advanced Pipeline
Installation and Configuration
Real-world pipelines contain one or more inputs, filters, and outputs
The configuration is generally provided in a configuration file rather than on the command line
The file is supplied to LogStash with the -f command line argument
Test the configuration using the --configtest argument
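For example, assuming the pipeline is saved in a file named first-pipeline.conf (the file name is illustrative):

# Check the configuration for syntax errors without running it
bin/logstash -f first-pipeline.conf --configtest

# Start LogStash with the configuration file
bin/logstash -f first-pipeline.conf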
17. Skeleton LogStash Configuration
Installation and Configuration
# The # character at the beginning of
# a line indicates a comment.
# Use comments to describe your configuration.
input {
  input1 { }
  input2 { }
}

# The filter part of this file is
# commented out to indicate that
# it is optional.

# filter {
# }

output {
  output1 { }
  output2 { }
}
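As a concrete sketch of this skeleton, assuming a LogStash 2.x-style elasticsearch output and an Elasticsearch node reachable at localhost:9200 (the log file path is illustrative):

input {
  # Tail a log file for new events
  file {
    path => "/var/log/syslog"
  }
}

output {
  # Index events into a local Elasticsearch node
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
}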
18. LogStash Plugins
Installation and Configuration
[Diagram: events flow from a Data Source through the Input, Filter, and Output plugins of a LogStash instance into ElasticSearch]
26. Input-tcp
Installation and Configuration

# TCP input

input {

  # Read all events over a TCP socket

  tcp {
    port => 5000
    type => "syslog"
  }

}
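To exercise this input, a test event can be sent over the socket with netcat, assuming it is available:

echo "test syslog event" | nc localhost 5000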
27. Input-udp
Installation and Configuration

# UDP input

input {

  # Read all events over a UDP port

  udp {
    port => 5001
    type => "netflow"
  }

}
28. Filter-csv
Installation and Configuration

# CSV filter
filter {

  # Apply the csv filter only to events of type "syslog"
  if [type] == "syslog" {

    csv {

      # List of columns as they appear in the csv
      columns => [ "column_1", "column_2" ]

      # Convert the listed columns to typed values
      convert => { "column_3" => "integer", "column_4" => "boolean" }

    }

  }
}
29. Filter-date
Installation and Configuration
• Used for parsing dates and using the result as the LogStash event timestamp, in ISO8601 format
• For example, “Jan 01 10:40:01” can be parsed using the pattern “MMM dd HH:mm:ss”

# date filter

filter {

  date {

    match => [ "logdate", "MMM dd HH:mm:ss" ]

    # The default target is @timestamp; here the parsed
    # date is written to a separate field instead
    target => "logdate_modified"

  }

}
30. Filter-drop
Installation and Configuration

# drop filter

filter {

  # Drop events whose loglevel is debug
  if [loglevel] == "debug" {
    drop { }
  }

}
32. Filter-grok
Installation and Configuration
Grok is one of the most widely used plugins
It is instrumental in parsing arbitrary, unstructured text into structured and queryable data fields
It is widely used to parse syslog, Apache logs, MySQL logs, custom application logs, postfix logs, etc.
Grok works based on patterns
The syntax for a grok pattern is %{SYNTAX:SEMANTIC}
Custom patterns can be added
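As a minimal sketch, a grok filter that parses a line such as “55.3.244.1 GET /index.html” into separate fields could look like this (the field names client, method, and request are illustrative):

filter {

  grok {

    # SYNTAX is the name of the pattern to match;
    # SEMANTIC is the field the matched text is stored in
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request}" }

  }

}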