File Mirroring via FileBeat or Logstash

shocko · October 6, 2022, 12:50pm

I have the following use case for several directories containing log files:

Tail these files and write out to another location with the same filename

For example, our app is creating files names myapp_.log and we need to copy the file in near real-time to another folder. rsync or the like won't do it so I was thinking of tailing it using filebeat or logstash and using the file output. I tried the file output in both and got tail several source logs and write out to one destination log but I need to keep the filenames the same and the source -> destination on a one-to-one basis.

Rios · October 6, 2022, 7:56pm

So you need: like this
/dir1/myapp_1.log -> mirror ->/dir2/myapp_1.log
/dir1/myapp_2.log -> mirror ->/dir2/myapp_2.log
etc.

Not sure how to get the current file name and path as runtime values in FB.
LS is capable for sure.

shocko · October 7, 2022, 10:33pm

I don't think the path/filename fields in filebeat support any kind of dynamic variables etc. I'll see if I can figure out how to do this in logstash.

Rios · October 8, 2022, 6:47pm

I have managed with LS with some limitation.

input {
  file {
   path => "/path/temp001.txt"
   start_position => beginning
   sincedb_path => "NUL" # you should have real file /path/sincedb.db
   mode => "tail"
  }
}
filter {

  mutate {
    add_field => { 
        "[@metadata][file]" => "%{[log][file][path]}"
   }
  }

  # get file name
  mutate { gsub => [ "[@metadata][file]", "^.*/", "" ] }

}
output {

    file { 
	codec => line { format =>"%{[message]}" }
	path => "/destpath/%{[@metadata][file]}" 
	flush_interval => 1
	#write_behavior => "append"
	}
}

Limitation:

You have to set pipeline.workers: 1 in logstash.yml or pipelines.yml to have lines appended in exact order. If the multithread is used, it will mix lines
Cannot use a field at begging of path in output
*If you use an absolute path you cannot start with a dynamic string. E.g: /%{myfield}/,/test-%{myfield}/are not valid paths*
I have tried to set the destination field [@metafield][destfile] in the filter, but not supported
If you use simple or plain codec in output, you have to remove fields included by default "log", @timestamp, "event"
The host field is always included in output so should be "", not null, but from some reason for every line is added a space. Default dump to file is: %{host}\s%{message}

output {
file { path => "/path/file.txt"}
}

At the end, it's simple, but not simple

shocko · October 9, 2022, 9:53am

This seems to work directly in logstatsh but I need to test further. It will generate a unique filename for the output based on the filename of the input:

f

ilter {
    grok {
      break_on_match => true
      match => {"[log][file][path]" => "(?<myfilename>[ \w-]+)\.log$"}
     
    }
}

output {
    file {
    path => "C:/logs/DirDest/%{myfilename}.log"
    codec => line { format => "%{message}" }
    }   
}

shocko · October 9, 2022, 9:56am

Thanks @Rios ! I'm a noob at ELK so wondering why you used mutate instead of grok? I seemed to get it working with grok but I need to test it under load.

Rios · October 9, 2022, 10:08am

Well grok is also regex in background. Why mutate? It's just need a file name not to parse fields.

shocko · October 9, 2022, 8:28pm

So likely more efficient to use mutate?

Rios · October 9, 2022, 9:45pm

Just easier.

Topic		Replies	Views
Can filebeat be configured to output dynamic file names? Beats filebeat	5	7158	January 10, 2017
Best practice for setting index names when using filebeats to logstash Beats filebeat	3	2218	March 4, 2018
Question on filebeat + logstash log filename Logstash	1	314	November 19, 2019
How To Make Logstash Read Entire File Every Time Which is from File Beat? Logstash	8	1120	July 7, 2018
Beat File Output Dynamic Naming Beats	4	2193	September 18, 2017

File Mirroring via FileBeat or Logstash

Related topics