Logstash send logs to monitoring cluster

caseydm · February 21, 2022, 5:43pm

Hi all. I'm using logstash to send data from redshift to Elasticsearch. I monitor my pipelines with metricbeats, and am able to see general statistics about logstash within my monitoring cluster. What I can't see is logs. Is there a simple way to send logs from logstash into Elasticsearch?

leandrojmp · February 21, 2022, 7:34pm

You should use a Filebeat to read the logstash logs and send it to your monitoring cluster.

rugenl · February 21, 2022, 10:21pm

Also see filebeat module enable logstash

caseydm · February 22, 2022, 2:09pm

Thank you! I tried it out but I'm not seeing any log data in Kibana. I'm using elastic cloud. I wonder what I am doing wrong? My metricbeats works properly, and I can see that filebeat has started successfully.

Here is my configuration:

docker compose

version: "3"
services:
  logstash:
    image: docker.elastic.co/logstash/logstash:7.15.1
    environment:
      - NODE_NAME=concepts
      - XPACK_MONITORING_ENABLED=false
      - "LS_JAVA_OPTS=-Xmx3g -Xms3g"
    env_file:
      - .env
    volumes:
      - ./jars/:/usr/share/jars/
      - ./pipeline/:/usr/share/logstash/pipeline/
      - ./sql_last_value.yml:/usr/share/sql_last_value.yml
    command: logstash
  metricbeat:
    image: docker.elastic.co/beats/metricbeat:7.15.1
    depends_on:
      - logstash
    env_file:
      - .env
    volumes:
      - ./metricbeat.yml:/usr/share/metricbeat/metricbeat.yml

  filebeat:
    image: docker.elastic.co/beats/filebeat:7.15.1
    depends_on:
      - logstash
    env_file:
      - .env
    volumes:
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml

filebeat.yml

filebeat.modules:
- module: logstash
  log:
    enabled: true

output:
  elasticsearch:
    hosts: ["${ES_HOST_MONITORING_PROD}"]
    username: "${ES_USER_MONITORING_PROD}"
    password: "${ES_PASSWORD_MONITORING_PROD}"

metricbeat.yml

metricbeat.modules:
- module: logstash
  metricsets:
    - node
    - node_stats
  period: 10s
  hosts: ["logstash:9600"]
  xpack.enabled: true
  strict.perms: false

output:
  elasticsearch:
    hosts: ["${ES_HOST_MONITORING_PROD}"]
    username: "${ES_USER_MONITORING_PROD}"
    password: "${ES_PASSWORD_MONITORING_PROD}"

leandrojmp · February 22, 2022, 2:19pm

Filebeat needs to have access to the Logstash logs, you are running filebeat on a different container, this won't work.

I do not use docker, so I can't help further, but you need to look on how to configure filebeat to read docker logs.

Topic		Replies	Views
Can't monitor Logstash with Metricbeat Logstash elastic-stack-monitoring	4	747	October 29, 2020
Logstash output for filebeat xpack monitoring Beats filebeat	5	1055	November 28, 2018
Metricbeat/K8s connect directly to elasticsearch or logstash what is best practices here? Beats metricbeat	2	436	February 4, 2021
Monitoring of logstash not working in elasticsearch/kibana Logstash elastic-stack-monitoring	1	633	March 18, 2019
Send Filebeat Internal Monitoring Via Logstash Beats elastic-stack-monitoring , filebeat	5	597	December 17, 2021

Logstash send logs to monitoring cluster

docker compose

filebeat.yml

metricbeat.yml

Related topics