Logstash output and multiple destinations (elasticsearch and local file)

somerandomguy · August 25, 2016, 6:58am

Hello.
I have a requirement to send beats to multiple locations, ES (which is workning fine) and to a local file (that will be processed by another system).
For the local file I might need to format it out of JSON format back to basic syslog style.
Is this possible?
Below is an extract of my output file with the relevant section.

output {
if [type] == "beats" {
elasticsearch {
hosts => ["es-node"]
sniffing => true
manage_template => false
index => "beats-%{+YYYY.MM.dd}"
document_type => "beats"
file {
path => ["/var/log/beat"]
codec => plain {
charset => "ISO-8859-1"
}
}
}
}

magnusbaeck · August 25, 2016, 7:24am

What you currently have should work fairly well. What are you currently getting in /var/log/beat and what would you like to see instead?

somerandomguy · August 25, 2016, 11:49pm

Getting nothing at all.
even stripped back output config to be basic:

But stil no output to a file. I am hoping to output my windows event logs to a flat file == /var/log/beats.

Anything else we can try?

magnusbaeck · August 26, 2016, 7:28am

Um, wait. You're not closing the elasticsearch output before the file output is opened. This is quite clear if the configuration is properly indented:

output {
  if [type] == "beats" {
    elasticsearch {
      hosts => ["es-node"]
      sniffing => true
      manage_template => false
      index => "beats-%{+YYYY.MM.dd}"
      document_type => "beats"
      file {
        path => ["/var/log/beat"]
        codec => plain {
        charset => "ISO-8859-1"
      }
    }
  }
}

Fix this first.

somerandomguy · August 27, 2016, 3:22am

Hi done but still no file output.
I have noticed that this output config file it not working now either?

else if [type] == "wineventlog" {
elasticsearch {
hosts => ["els03","els04"]
sniffing => true
manage_template => false
index => "xyz-wineventlog-%{+YYYY.MM.dd}"
document_type => "wineventlog-log01"
}
file {
path => "/var/log/wineventlog-log01"
}
}

Do I need to touch the file or something like that?

** I pasted it as indented but its not showing it correctly.. I can place it in pastebin if required.

magnusbaeck · August 27, 2016, 9:46am

Hi done but still no file output.

How do you know Logstash is getting input to process?

I pasted it as indented but its not showing it correctly..

Use the Preformatted text button on the toolbar.

jamesl · August 28, 2016, 4:49am

I have made some adjustments to my output file.
I have an input of TCP/1514 and output that currently goes to ES. When I have LS running I can Telnet to log01 on 1514 and then write something which LS then feeds to ES which I can then search for it with no problems.
I adjusted my output to be bare -->

} else if [type] == "esxi-log01" {
  file {
    path => "/var/log/esxi.log"

And running foreground mode it works!! (Enabled --verbose, so I could see what's going on).
I used this command:

/opt/logstash/bin/logstash -f /etc/logstash/conf.d/ --verbose

Opening file {:path=>"/var/log/esxi.log", :level=>:info}
Starting stale files cleanup cycle {:files=>{"/var/log/esxi.log"=>#<IOWriter:0x36bb512e @active=true, @io=#<File:/var/log/esxi.log>>}, :level=>:info}
Starting stale files cleanup cycle {:files=>{"/var/log/esxi.log"=>#<IOWriter:0x36bb512e @active=true, @io=#<File:/var/log/esxi.log>>}, :level=>:info}
Starting stale files cleanup cycle {:files=>{"/var/log/esxi.log"=>#<IOWriter:0x36bb512e @active=true, @io=#<File:/var/log/esxi.log>>}, :level=>:info}
Starting stale files cleanup cycle {:files=>{"/var/log/esxi.log"=>#<IOWriter:0x36bb512e @active=true, @io=#<File:/var/log/esxi.log>>}, :level=>:info}
Starting stale files cleanup cycle {:files=>{"/var/log/esxi.log"=>#<IOWriter:0x36bb512e @active=true, @io=#<File:/var/log/esxi.log>>}, :level=>:info}

I can see stuff in /var/log/esxi.log.

I then did a test of running it with 'systemctl start logstash' to see whats going on...
nothing.
I then chmod 777 esxi.log and then telneted into port 1514 and I can see my output.

So I think I have a permission issue but for now my workaround is to touch the file beforehand and 'fixup' the permission then start LS.. will also adjust my logrotate so when a new file is created it has the right permission.

I have put the file output with elasticsearch as per following:

} else if [type] == "esxi-log01" {
  file {
    path => "/var/log/esxi.log"
  }
  elasticsearch {
    hosts => ["els03","els04"]
    sniffing => true
    manage_template => false
    index => "esxi-%{+YYYY.MM.dd}"
    document_type => "esxi-log01"
  }

performed a config test -
/opt/logstash/bin/logstash --configtest -f /etc/logstash/conf.d/
came back with configuration OK.
restart LS and now I can see my output in both the log file and in ES

Happy !

magnusbaeck · August 28, 2016, 1:12pm

I then chmod 777 esxi.log

The file should not be world-writable and there's no point in setting the executable bit.

If you don't want to give Logstash write permissions to /var/log, why not create a logstash-owned subdirectory where you store the file? That would be less fragile then relying on the file to be pre-created.

somerandomguy · September 1, 2016, 11:52pm

Thanks Magnus. Will create a new folder, assign permissions accordingly and go from there.

Thank you again.

somerandomguy · September 3, 2016, 1:19am

Things are easy once you know what to do

Created a dir in /var/log/logstashfileoutput/
permissions of 775
like this:
drwxrwxr-x. 2 logstash root

Fixed up my output file ...

file {
path => "/var/log/logstashfileoutput/output.log"
}

And I kicked logstash.. once restarted the 'output.log' file was created !!