How to send multiple log files to Kibana through logstash?

tashinfrus · May 16, 2016, 8:02am

I am new to ELK and I want to send multiple files to Kibana using Logstash like apache access logs of different servers. How can I do that?

magnusbaeck · May 17, 2016, 6:57pm

What part are you finding hard to understand? A single Logstash instance can have multiple inputs that listens on multiple ports or reads multiple files or whatever you use Logstash for. Nothing special needs to be done for reading multiple files. Without further details about your situation it's impossible to give more specific help.

tashinfrus · May 18, 2016, 5:29am

I am able to get the single input file readings into Kibana from Logstash. But as I add another file into the configuration file of Logstash, it didn't work and it shows only logs of only single file. Please find the below configuration file for the same.

input {
file {
type => "app01_apache_access_log"
path => "/apps_data/logs/app01/apache2/access.log"
start_position => "end"
}
file {
type => "app02_apache_access_log"
path => "/apps_log/logs/app02/apache2/access.log"
}
}
filter {
if [type] == "app01_apache_access_log" {
grok{
match => [ "message", "(?<session_id>[A-Z0-9]{32}-[a-z0-9]+.[a-z0-9]+)" ]
remove_tag => ["_grokparsefailure"]
named_captures_only => true
}
grok{
match => [ "message", "%{WORD:method} %{URIPATH:request}" ]
remove_tag => ["_grokparsefailure"]
named_captures_only => true
}

            grok{
                    match => [ "message", "%{NUMBER:duration}" ]
                    remove_tag => ["_grokparsefailure"]
                    named_captures_only => true
            }
    }
    if [type] == "app02_apache_access_log" {
            grok{
                    match => [ "message", "(?<session_id>[A-Z0-9]{32}-[a-z0-9]+\.[a-z0-9]+)" ]
                    remove_tag => ["_grokparsefailure"]
                    named_captures_only => true
            }
            grok{
                    match => [ "message", "%{WORD:method} %{URIPATH:request}" ]
                    remove_tag => ["_grokparsefailure"]
                    named_captures_only => true
            }

            grok{
                    match => [ "message", "%{NUMBER:duration}" ]
                    remove_tag => ["_grokparsefailure"]
                    named_captures_only => true
            }

    }

}

output {
elasticsearch {
hosts => "search-test-elk-qrxqhiyz6vqwck2xnyu3qhdjsu.us-east-1.es.amazonaws.com:443"
ssl => true
}
stdout {
codec => rubydebug
}
}

magnusbaeck · May 18, 2016, 5:33am

But as I add another file into the configuration file of Logstash, it didn't work and it shows only logs of only single file.

What does "show only logs of only single file" mean, exactly? And what makes you reach that conclusion? Since you've configured Logstash to tail both access.log files, is data actually being appended to both files?

I strongly suggest that you leave out the elasticsearch output for now and use the stdout output you have to debug things.

tashinfrus · May 18, 2016, 5:51am

Hi,
I can see logs from "/apps_data/logs/app01/apache2/access.log" file which is my first input file. I see no output from another file. Also, I am using the stdout output only for this.

Also, I would like to mention that I am using Elastic Search Service of AWS so using multiple ports for Elastic search is kind of not applicable to me.

Please help me tackle this situation.

magnusbaeck · May 18, 2016, 6:17am

Again, since you've configured Logstash to tail both access.log files, is data actually being appended to both files? As currently configured Logstash will not read the files from the beginning.

tashinfrus · May 18, 2016, 7:37am

How to confirm whether the data is appended or not? I think it is not appended as I see only the first log file data into Kibana. The logstash server is an EC2 instance on AWS and we are using ElasticSearch service of AWS cloud.

magnusbaeck · May 18, 2016, 8:31pm

How to confirm whether the data is appended or not?

I think you're missing the point. We're talking about the file that Logstash is reading from. But as you've configured Logstash it's tailing the fail, i.e. it's reading data from the end of the file. Unless new data is added to the end of the file Logstash won't pick up anything. So, is some other application writing data to that file?

tashinfrus · May 19, 2016, 10:50am

No other application is writing the data to that file as it is a file of access logs of one server of my product which is being copied to the logfile I give as input to Kibana. Also, I added the stat_position as "end" to reduce the reading of whole log file from the beginning and processing of the whole file. Would you please tell me how I can confirm the data appended or not? Please help me.

magnusbaeck · May 19, 2016, 1:04pm

I'm not sure what you expect from Logstash. You're deliberately tailing the file but you're also not adding any new lines, correct? So why would you expect Logstash to read anything from the file and pass on to ES?

tashinfrus · May 19, 2016, 1:14pm

I am adding new lines to the files using rsync for log files are being continuously copied from webservers to Logstash server. So, I thought that would make logstash configuration take up new changes only as we are tailing the file. But only one file is being read and not other. As per the convention, both the files should be concatenated to make a whole new file so that logstash reads it. But here I don't think that is happening.

magnusbaeck · May 19, 2016, 1:18pm

When rsyncing files I'd assume that the existing file isn't updated in-place but that a new file is created and renamed into place. When that happens the original file gets a new inode number and Logstash will consider it new, and with start_position => end it'll start tailing it from the current end.

tashinfrus · May 20, 2016, 5:51am

Nope. The same file with the same inode number is updated in rsync. So I see the inode number is same as the first file. So, only the new logs which are there in the original log file are updated to the file on Logstash server. The question is, why is the second file not being picked up for processing by Logstash server which is access_log from another apache server?

magnusbaeck · May 20, 2016, 5:55am

Start Logstash with --verbose so that the file input logs more details about what it's doing.

tashinfrus · May 20, 2016, 7:28am

starting the logstash in verbose mode showed nothing different usual stuff

magnusbaeck · May 20, 2016, 7:34am

Sure, but it will tell you which files were discovered and which sincedb positions they were at. That information should help here.

tashinfrus · May 23, 2016, 6:12am

I couldn't see any such thing on the terminal. Instead, I saw the following thing,
starting agent {:level=>:info}
starting pipeline {:id=>"main", :level=>:info}
Settings: Default pipeline workers: 1
Starting pipeline {:id=>"main", :pipeline_workers=>1, :batch_size=>125, :batch_delay=>5, :max_inflight=>125, :level=>:info}
Pipeline main started..
What can i get from these?

magnusbaeck · May 23, 2016, 6:18am

If you start Logstash with --verbose and have a file input in your configuration you should get a lot more than that. What if you start with --debug? You should get an avalanche of logs.

tashinfrus · May 23, 2016, 6:33am

I got the same reply for --debug mode.
I noticed that level:info there..
How can I change it to debug?? I tried from terminal but no luck.