Logstash to redirect output to icingaweb2 and elasticsearch simultaneously

Hello Team,

I want to create single logstash.conf file that must redirect nginx log to elasticsearch and in case of any http error (e.g. 500) , it must redirect nginx error to icingaweb2 as well as elasticsearch simultaneously.

What I have achieved so far?
I am able to configure logstash.conf that redirects nginx log to elasticsearch.

And now I need help from you
to configure the same logstash.conf - if I get nginx http error message then I will redirect the error message to icingaweb2 as an alert simultaneously

Thanks,
Bai

current logstash.conf file is as below

input {
tcp {
type => syslog
port => 5000
add_field => { "[@metadata][input]" => "tcp"}
}
}

filter {
grok {
match => { "message" => "%{IPORHOST:remote_ip} - %{DATA:user_name} [%{HTTPDATE:access_time}] "%{WORD:http_method} %{DATA:url} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} "%{DATA:referrer}" "%{DATA:agent}"" }
}
mutate{
add_field => {
"actual_host_is" => "${ACTUAL_HOST}"
}
}
}

output {
elasticsearch{
hosts=>["elasticsearch:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}

@admlko if you have some time and kindly have a look, that would be really great. thanks kindly.

Please don't ping me, I don't get paid for this :slight_smile:

So what's the problem?
If you don't know how to start, maybe you can check if the nginx log line has http error value of 500, then tag it, and outputs check if it has that tag and create new output to icinga?
Or just bypass tagging and check the field value in outputs?

1 Like

Dear admlko, oh I didn't know this concern :disappointed_relieved:

nginx, logstash, icingaweb2, kibana, elasticsearch all are up and running and I can see nginx log in kibana console.

my requirement is that if i get any nginx error 500 or more, then additionally I want logstash to redirect this error to icingaweb2 so that customer knows if there is any server level error. because icingaweb2 console is monitored by customer.

I guess I have to write if condition in output section of logstash.conf but not getting any tutorial for this. I am doing trial and error method but no luck. If you have any link known to similar issues please provide which would really help me, else , I will keep doing trial and error :grin: thanks again.

Well, it is very very very common case. Tutorials are all over the web and Elastic site :wink:

Something like:

output {
  if [type] == "nginx" and [http_code] == 400 {
    someplugin {
      bal bla bla
    }
  }
}

If Logstash considers http_code or whatever it is called as integer, this works. If it considers it as string, you have to quote the value.

I have no idea what APIs does the icingaweb2 provide, if you can send alarm as a HTTP request, use output-http plugin. If it supports syslog - use output-syslog plugin... you get the idea.
Personally, I use Check_MK and its Event Console supports Syslog and SNMP Traps, so that's how I use my monitoring system.

1 Like

Thank you admlko for your expert comments, this would really help me. Let me try.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.