Hi Everybody!
I'm newbie with the ELK stack, but I found it's quite versatile and I'm love with it!
Unfortunately, I was trying to replace some ecosystem based on other tool, and despite I was successful on the first steps, now I'm facing an issue that i'm unable to solve.
This is how I'm using ELK:
I have several application servers, sending transaction information to a central monitoring solution. That info is shipped on JMS format, so, i'm using logstash to consume a central JMS Queue, and send information to elastic cluster. That was quite easy, but, one of my needs is to send transactions on ERROR o Terminated state to Nagios, using an intermediate soap webservice.
To accomplish that objective, I'm reading from my elasticsearch cluster with this configuration:
input {
elasticsearch {
id => "nagios_out_pipeline"
hosts => ["elknode1","elknode2"]
index => "nagios"
query => '{"query":{"bool":{"should":[{"term":{"estado_transaccion.keyword":"ERROR"}},{"term":{"estado_transaccion.keyword":"Terminated"}}]}}}'
schedule => "* * * * *"
}
}
output {
http {
id => "nagios"
url => "http://serverX/Common/SnmpAdapterService"
http_method => "post"
content_type => "text/xml;charset=UTF-8"
headers => {"SOAPAction" => "http://xmlns.xxxx.zzz/Common/SnmpFriendlyAlert"}
format => "message"
message => 'xxxxx'
}
}
My issue is that my querys return, as per day basis, more than 300k hits, but reviewing the webservice log, hits from my logstash server are less than 15%, so, I'm missing around 85% percent of calls.
I'm using Elasticsearch and logstash at 6.7.1 version.
But, I'm not sure if i'm missing something at configuration level, or some good practice.
Any hekp would be appreciated!
Thanks!!!!!