Presentation is loading. Please wait.

Presentation is loading. Please wait.

The ELK stack - get to know logs

Published byClaus Otto Modified over 5 years ago

Similar presentations

Presentation on theme: "The ELK stack - get to know logs"— Presentation transcript:

1 The ELK stack - get to know logs
Igor Rudyk DevOps / System Integrator

2 Agenda Introduction. What is ELK, and why do we need it? The ELK stack
Logstash ElasticSearch Kibana Architecture Demo

3 Can you check the errors from yesterday between 9:09 and 9:27

4 So what’s a log

5 Log = timestamp + data

6 Real Real Lifecycle of a log
Transmit Analyze Record Store Delete

7 Default problem Tools? Multiple log time formats
Apr 28 20:21:59 [27/Apr/2015:07:05: ] :27:32 Mon, 27-Apr-15 06:27:02 UTC :07: Starts not with timestamp or without timestamp Error messages with really unhelpful info No rotation No scaling Tools? grep awk / sed / cut less / tail vi / vim regular expression ...

8 Logging Solutions Solutions Collections Transport Parsing Storage
Analysis Alerting Visualizer Commercial Logstash Logstash shipper or logstash-forwarder (Lumberjack) RPM installation Logstash shipper or logstash-forwarder (Lumberjack, encrypted transport is the default) Output plugins Central server-master with a hot-standby in case of failure Codecs plugins Grok debugger ElasticSearch, MongoDB, AWS S3 and much more Kibana, graylog2 Riemann NO fluentd Input plugins Install from source or via gem Load-balance between multiple hosts or have a master with a hot-standby in case of failure Plugins Doesn’t provide any storage tier itself but allows you to easily configure where your logs should be collected splunk Splunk Universal Forwarder SSL security Splunk YES Graylog2 ElasticSearch loggly Hosted

9 What is ELK, and why do we need it?
ELK is a stack of programs that help dealing with logs. Includes: Aggregation of logs Search capabilities Aggregation of statistics Visualizations

10 Logstash Filters Outputs Unstructured Documents

11 Inputs Logs: Lumberjack - resilient, compressed, secure (logstash-forwarder) Remote syslog Files Devices: Event log, Collectd Netflow, WMI Event Queue: Redis, RabbitMQ Kafka, ZeroMQ Streaming APIs: Twitter (IMAP) Amazon S3, ganglia, sqs, varnishlog, etc Full list

12 Filters Why Do I like Logstash?
grep date json grok Full list Why Do I like Logstash? It uses Grok filter for parsing standard and non standard logs: Log Line: 27/10/14 07:39:28 [localhost-startStop-1] [] INFO com.vidmind.config.LoggingPropertyPlaceholderConfigurer - streams.limit.general = 0 Pattern: %{DATESTAMP} %{SYSLOG5424SD} ?? %{WORD:ErrorLevel} %{JAVACLASS}

13 Outputs Storage: ElasticSearch MongoDB Event Queue: S3 Redis, RabbitMQ
Graphite File ... Notification: Zabbix Nagios Riemann PagerDuty Event Queue: Redis, RabbitMQ Kafka, ZeroMQ tcp/udp SaaS: AWS CloudWatch Hipchat Jira Full list

14 Logstash - Forwarder (Shipper) Configuration file
{ "network": { "servers": [[logstash_indexers]] "timeout": 15, "ssl ca": "logstash-forwarder.crt" }, "files": [ "paths": [ "/usr/share/tomcat7/logs/*.json.log" ], "fields": { "type": "tomcat", "server_name": "[[logstash_hostname]]", "system": "[[system]]", "server_type" : "[[server_type]]" } "/usr/share/tomcat7/logs/*.activities.log" "fields": { "type": "activities", "server_name": "[[logstash_hostname]]", "system": "[[system]]", "server_type" : "[[server_type]]" } } ]

15 Logstash-Indexer Configuration file
input { lumberjack { codec => json{} port => 5000 type => "logs" ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt" ssl_key => "/etc/pki/tls/private/logstash-forwarder.key" } output { elasticsearch { host => " " protocol => "http" cluster => "[[elasticsearch_cluster_name]]" manage_template => false index => "logstash-%{system}-%{type}-%{+YYYY.MM.dd}" }

16 ElasticSearch Configuration file (yaml-based configuration)
cluster.name: [[elasticsearch_cluster_name]] node.name: "[[node_name]]" node.master: false / true node.data: false / true index.number_of_replicas: 1 #Security discovery.zen.ping.multicast.enabled: false discovery.zen.ping.unicast.hosts: [[elasticsearch_servers]] action.disable_close_all_indices: true action.disable_delete_all_indices: true action.disable_shutdown: true script.disable_dynamic: true

17 The ELK stack General Architecture
Logstash ElasticSearch Kibana

18 The ELK stack Our Scaled Architecture
Logstash-Indexer ElasticSearch Kibana Logstash-Forwarder Logstash-Indexer ElasticSearch Kibana Logstash-Indexer ElasticSearch Kibana

19 DEMO

Download ppt "The ELK stack - get to know logs"

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.

Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.
MONITORING TOOLS Open Source Security Tools to monitor your network.

MONITORING TOOLS Open Source Security Tools to monitor your network.
1 Vic Hargrave |

1 Vic Hargrave |
Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.

Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.
Log Monitoring, Management and Analysis with Nagios

Log Monitoring, Management and Analysis with Nagios
Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.

Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.
Creating a Defensive Raspberry Pi

Creating a Defensive Raspberry Pi
Clemens Düpmeier (KIT / IAI)

Clemens Düpmeier (KIT / IAI)
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Pakiti.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Pakiti.
Demystifying Data Analytics & Visualization Make Your Data Dance.

Demystifying Data Analytics & Visualization Make Your Data Dance.
Module 10: Monitoring ISA Server 2004. Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.

Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
Streamlining Monitoring Infrastructure in IT-DB-IMS Charles Newey › 19.08.2015.

Streamlining Monitoring Infrastructure in IT-DB-IMS Charles Newey ›
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t IT Monitoring WG IT/CS Monitoring System Virginie Longo September 14th 2011.

CERN IT Department CH-1211 Genève 23 Switzerland t IT Monitoring WG IT/CS Monitoring System Virginie Longo September 14th 2011.
Protocol for I2RS I2RS WG IETF #89 London, UK Dean Bogdanovic v0.1.

Protocol for I2RS I2RS WG IETF #89 London, UK Dean Bogdanovic v0.1.
DAM-Alarming Data Analytics from Monitoring, for alarming Summer Student Project 2015 A. Martin, C. Cristovao, G. Domenico thanks to Luca Magnoni IT-SDC-MI.

DAM-Alarming Data Analytics from Monitoring, for alarming Summer Student Project 2015 A. Martin, C. Cristovao, G. Domenico thanks to Luca Magnoni IT-SDC-MI.
Carlos Fernando Gamboa RACF, BNL HEPiX

Carlos Fernando Gamboa RACF, BNL HEPiX
CERN IT Department CH-1211 Geneva 23 Switzerland t CF Computing Facilities Agile Infrastructure Monitoring CERN IT/CF.

CERN IT Department CH-1211 Geneva 23 Switzerland t CF Computing Facilities Agile Infrastructure Monitoring CERN IT/CF.
XROOTD AND FEDERATED STORAGE MONITORING CURRENT STATUS AND ISSUES A.Petrosyan, D.Oleynik, J.Andreeva Creating federated data stores for the LHC CC-IN2P3,

XROOTD AND FEDERATED STORAGE MONITORING CURRENT STATUS AND ISSUES A.Petrosyan, D.Oleynik, J.Andreeva Creating federated data stores for the LHC CC-IN2P3,
Centralized Logfile Search (a.k.a. Tracing) Vito Baggiolini with Gergo Horanyi, Felix Ehm, Stephen Page.

Centralized Logfile Search (a.k.a. Tracing) Vito Baggiolini with Gergo Horanyi, Felix Ehm, Stephen Page.

Similar presentations

Ads by Google