Logging Action to Custom File

alerting

(Venkatesh) #1

Hi
Is there any way to configure Watcher to write the alerts to a custom file instead of the Elasticsearch log file?

Thanks


(Alexander Reelsen) #2

Hey,

I think the simplest solution here is to use logstash and the http input. You can use this logstash configuration file:

input {
  http {
    # listen on loopback only; Watcher posts its webhook to this port
    host => "127.0.0.1"
    port => 1234
  }
}

output {
  # echo every received event to the console for debugging
  stdout {
    codec => rubydebug
  }
  # and append it to this file, one JSON document per line (the file output's default codec)
  file {
    path => "/Users/alr/Downloads/elasticsearch/logstash-watcher.log"
  }
}

This starts logstash and an HTTP server on port 1234, which in turn writes every event that is received to stdout and into a file (please check the file output documentation for more info).

The next step is to create a watch that writes to the input:

PUT _watcher/watch/logstash_event_watch
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": "test-index",
        "body": {
          "query": {
            "match_all": {}
          }
        }
      }
    }
  },
  "actions": {
    "logstash_logging": {
      "webhook": {
        "method": "POST",
        "host": "localhost",
        "port": 1234,
        "path": "/{{watch_id}}",
        "body": "Encountered {{ctx.payload.hits.total}} matches"
      }
    }
  }
}

Now, every 10 seconds you will get a new entry in the logstash-watcher.log file configured in the logstash configuration, which looks like this:

{"message":"Encountered 0 matches","@version":"1","@timestamp":"2015-12-01T09:26:20.423Z","host":"127.0.0.1","headers":{"content_type":"application/x-www-form-urlencoded","request_method":"POST","request_path":"/","request_uri":"/","http_version":"HTTP/1.1","http_accept_charset":"UTF-8","http_cache_control":"no-cache","http_pragma":"no-cache","http_user_agent":"Java/1.8.0_60","http_host":"localhost:1234","http_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","http_connection":"keep-alive","content_length":"21"}}
{"message":"Encountered 1 matches","@version":"1","@timestamp":"2015-12-01T09:26:30.005Z","host":"127.0.0.1","headers":{"content_type":"application/x-www-form-urlencoded","request_method":"POST","request_path":"/","request_uri":"/","http_version":"HTTP/1.1","http_accept_charset":"UTF-8","http_cache_control":"no-cache","http_pragma":"no-cache","http_user_agent":"Java/1.8.0_60","http_host":"localhost:1234","http_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","http_connection":"keep-alive","content_length":"21"}}
{"message":"Encountered 10 matches","@version":"1","@timestamp":"2015-12-01T09:26:40.079Z","host":"127.0.0.1","headers":{"content_type":"application/x-www-form-urlencoded","request_method":"POST","request_path":"/","request_uri":"/","http_version":"HTTP/1.1","http_accept_charset":"UTF-8","http_cache_control":"no-cache","http_pragma":"no-cache","http_user_agent":"Java/1.8.0_60","http_host":"localhost:1234","http_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","http_connection":"keep-alive","content_length":"22"}}

From here on you can check out more logstash options and only log what you really need (maybe you can ditch all those headers).

Hope this helps.

--Alex
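The receiving side of the setup above, as an added example that is not part of the original post or of logstash: a stand-in for the logstash http input and file output, written in Python. Two things are changed from the posted configuration that a practitioner would want. First, the http input as configured accepts any POST from anything that can reach 127.0.0.1:1234; the stand-in requires HTTP Basic credentials, which the watch can send through the webhook action's `auth.basic` block (the real logstash http input has matching `user` and `password` settings for the same purpose). Second, only the fields worth keeping are written, one JSON object per line, so the request headers that fill the sample output are dropped. The credential values, the output path and the reliance on the `Encountered N matches` body template of the watch above are assumptions, not from the post.

```python
"""Stand-in receiver for the Watcher webhook above (added example).

Does what the logstash http input + file output do in the post, with two
changes: the caller must present HTTP Basic credentials (sent by the
watch's webhook "auth.basic" block; the real logstash http input has
"user"/"password" settings for this), and only the fields worth keeping
are written, one JSON object per line, so request headers are dropped.

Assumptions (not from the post): the credential values, the output path,
and that the body follows the "Encountered N matches" template above.
"""
import base64
import hmac
import json
import re
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_PATH = "watcher-alerts.jsonl"   # assumed output file
EXPECTED_USER = "watcher"           # assumed shared credential
EXPECTED_PASSWORD = "change-me"     # assumed; configured in the watch's auth.basic
MAX_BODY = 64 * 1024                # refuse oversized bodies before parsing them
MATCHES_RE = re.compile(r"Encountered (\d+) matches")


def basic_auth_header(user, password):
    """Build the Authorization header that an auth.basic webhook sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """True only if the Authorization header carries the expected Basic
    credentials; compared in constant time so a wrong guess is not timed."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(presented.encode(), f"{user}:{password}".encode())


def build_record(path, body, now=None):
    """Reduce one webhook call to the fields worth logging: arrival time,
    the watch id taken from the request path (the watch above posts to
    /{{watch_id}}), the raw message and the match count parsed from it."""
    now = now or datetime.now(timezone.utc)
    watch_id = path.strip("/").split("/")[0] or None
    m = MATCHES_RE.search(body)
    return {
        "@timestamp": now.isoformat(timespec="milliseconds"),
        "watch_id": watch_id,
        "message": body,
        "matches": int(m.group(1)) if m else None,
    }


def handle_webhook(path, headers, body, sink=None):
    """Request logic kept apart from the socket handling so it can be
    tested: returns (http_status, record). When `sink` (anything with a
    .write method) is given, the record is appended as one JSON line."""
    if not check_basic_auth(headers):
        return 401, None
    if len(body) > MAX_BODY:
        return 413, None
    record = build_record(path, body)
    if sink is not None:
        sink.write(json.dumps(record, separators=(",", ":")) + "\n")
    return 200, record


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        # read at most MAX_BODY+1 bytes so an oversized body is rejected
        # without buffering all of it
        body = self.rfile.read(min(length, MAX_BODY + 1)).decode("utf-8", "replace")
        with open(LOG_PATH, "a", encoding="utf-8") as out:
            status, _ = handle_webhook(self.path, self.headers, body, out)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="watcher"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(host="127.0.0.1", port=1234):
    """Bind to loopback only, as the logstash config above does."""
    HTTPServer((host, port), WebhookHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

To use it with the watch above, add `"auth": {"basic": {"username": "watcher", "password": "change-me"}}` to the webhook action (Watcher stores the password in the watch source unless you use a secure setting for it) and keep `host` at `localhost`: the check only proves the sender knows the shared secret, it is not a substitute for keeping the port off the network.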


(Venkatesh) #3

Thanks Alex. That was really very well explained and useful.

Cheers


(rich collier) #5

Adding this info here because I wanted to do this very thing recently. In later versions of X-Pack (I used v6.2) you can add the following to ES_HOME/config/log4j2.properties:

logger.watcher.name = org.elasticsearch.xpack.watcher.actions.logging
logger.watcher.level = trace
logger.watcher.appenderRef.watcher_rolling.ref = watcher_rolling
logger.watcher.additivity = false

appender.watcher_rolling.type = RollingFile
appender.watcher_rolling.name = watcher_rolling
appender.watcher_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_watcher.log
appender.watcher_rolling.layout.type = PatternLayout
appender.watcher_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n
appender.watcher_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_watcher-%i.log.gz
appender.watcher_rolling.policies.type = Policies
appender.watcher_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.watcher_rolling.policies.size.size = 1GB
appender.watcher_rolling.strategy.type = DefaultRolloverStrategy
appender.watcher_rolling.strategy.max = 4

This will write output from Watches to a custom file.
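Two caveats on the snippet above are worth making explicit before dropping it into an existing log4j2.properties and restarting the node: the logger name `org.elasticsearch.xpack.watcher.actions.logging` is the Watcher `logging` action's logger, so only watches that have a `logging` action write to this file (a webhook-only watch like the one earlier in the thread does not), and a typo in the `appenderRef` or a forgotten `additivity = false` fails quietly rather than loudly. The following is an added example, not the post's own or Elasticsearch's code: a small Python parser for the flat key=value form of log4j2.properties that resolves that logger to its appender's `fileName` and reports the settings that matter here: an `appenderRef` naming an appender that does not exist (the output would have no destination), `additivity` left at its default of true (every alert would also be duplicated into the main cluster log), and a logger level stricter than INFO, which is the default level the `logging` action emits at. The embedded sample is the snippet from the post; the mutated copy in the usage check is constructed.

```python
"""Added example: verify the log4j2.properties routing for the Watcher
logging action before restarting the node. Parses the flat key=value
properties format, follows logger -> appenderRef -> appender.fileName and
reports the problems that would send alerts somewhere else (or nowhere).
SAMPLE_PROPERTIES is the snippet from the post above.
"""
import re

WATCHER_LOGGER = "org.elasticsearch.xpack.watcher.actions.logging"

# log4j2 level names, least to most verbose; "off" drops everything
LEVELS = ["off", "fatal", "error", "warn", "info", "debug", "trace", "all"]

SAMPLE_PROPERTIES = """\
logger.watcher.name = org.elasticsearch.xpack.watcher.actions.logging
logger.watcher.level = trace
logger.watcher.appenderRef.watcher_rolling.ref = watcher_rolling
logger.watcher.additivity = false

appender.watcher_rolling.type = RollingFile
appender.watcher_rolling.name = watcher_rolling
appender.watcher_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_watcher.log
appender.watcher_rolling.layout.type = PatternLayout
appender.watcher_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n
appender.watcher_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_watcher-%i.log.gz
appender.watcher_rolling.policies.type = Policies
appender.watcher_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.watcher_rolling.policies.size.size = 1GB
appender.watcher_rolling.strategy.type = DefaultRolloverStrategy
appender.watcher_rolling.strategy.max = 4
"""


def parse_properties(text):
    """Return {key: value} for a Java properties file: blank lines and
    '#'/'!' comments are skipped and the value starts after the first '='
    (the PatternLayout pattern contains no '=' so splitting there is safe)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_logger_routing(props, logger_name, min_level="info"):
    """Follow logger.<id>.name == logger_name to the appenders it references.

    Returns the logger id, its level (None if inherited), additivity, the
    fileName of every referenced appender and a list of readable problems.
    min_level is the level the events are emitted at (the Watcher logging
    action defaults to INFO); a stricter logger level would drop them."""
    result = {"found": False, "files": [], "problems": []}
    logger_id = None
    for key, value in props.items():
        m = re.fullmatch(r"logger\.([^.]+)\.name", key)
        if m and value == logger_name:
            logger_id = m.group(1)
            break
    if logger_id is None:
        result["problems"].append(f"no logger.*.name entry for {logger_name}")
        return result

    prefix = f"logger.{logger_id}."
    level = props.get(prefix + "level")
    level = level.lower() if level is not None else None
    additivity = props.get(prefix + "additivity", "true").lower()
    refs = [v for k, v in props.items()
            if re.fullmatch(re.escape(prefix) + r"appenderRef\.[^.]+\.ref", k)]
    # map appender display name -> appender id, so refs can be resolved
    appender_ids = {v: k.split(".")[1] for k, v in props.items()
                    if re.fullmatch(r"appender\.[^.]+\.name", k)}

    result.update(found=True, logger_id=logger_id, level=level, additivity=additivity)
    if not refs:
        result["problems"].append("logger has no appenderRef; output would have no destination")
    for ref in refs:
        app_id = appender_ids.get(ref)
        if app_id is None:
            result["problems"].append(f"appenderRef {ref!r} matches no appender.*.name")
            continue
        result["files"].append(props.get(f"appender.{app_id}.fileName", "<no fileName>"))
    if additivity != "false":
        result["problems"].append("additivity is not false; events are duplicated into the parent (cluster) log")
    if level is not None and (level not in LEVELS or LEVELS.index(level) < LEVELS.index(min_level)):
        result["problems"].append(f"level {level!r} is stricter than {min_level}; logging-action output would be dropped")
    return result


if __name__ == "__main__":
    report = resolve_logger_routing(parse_properties(SAMPLE_PROPERTIES), WATCHER_LOGGER)
    print("files:", report["files"])
    print("problems:", report["problems"] or "none")
```

Run it against your real `ES_HOME/config/log4j2.properties` by replacing `SAMPLE_PROPERTIES` with the file contents; an empty problem list and the expected `_watcher.log` path is the result you want before restarting.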