Remotely turn on additional logging to Logstash from Kibana

Hi All,

I've been tasked with researching the ELK (Kibana, Elasticsearch, and Logstash) stack to possibly use for our new project. I think I have a pretty good grip on it so far but need help answering one question that I haven't been able to find an answer to through research. I'll try to be as complete as possible describing our use case! Thanks ahead of time!

Question: Can Kibana or a remote client out of the box turn on some sort of additional logging to remote Logstash/Filebeat?

Use Case: User sees a Fatal error on Kibana's dashboard. The user now wants to see all logs, even debug/info logs (these logs have not been sent off to Elasticsearch).

Reasoning:
I know normally we could just filter in Kibana so the user won't get flooded with logs and only sees what's important. But one of the locations of the client that is logging has extremely limited bandwidth. As a requirement we have to keep the network usage at a minimum; sending logs along the pipeline constantly doesn't seem like an option.

The idea is to log locally and only send logs of importance to Logstash until a user requests the logs. Then, could Logstash/Filebeat change its configuration to send the additional logs up?

I realize that this most likely won't have an out-of-the-box solution, but is there some sort of solution possible with custom-written plugins, etc.?

Thanks!

Can Kibana or a remote client out of the box turn on some sort of additional logging to remote Logstash/Filebeat?

Not out of the box, no.

The idea is to log locally and only send logs of importance to Logstash until a user requests the logs. Then, could Logstash/Filebeat change its configuration to send the additional logs up?

If you have two sets of log files, one with normal logging (info-level and up, or whatever) and another log with only debug logs, a simple configuration change could make Filebeat or Logstash read the debug logs too, but triggering that configuration change would be up to you.

Note that things will be easier if you can configure your logging framework to only log debug messages in the debug log files. If that's impossible, one would have to implement some duplicate elimination so you won't get the info-level messages twice.

A simple configuration change could make Filebeat or Logstash read the debug logs too, but triggering that configuration change would be up to you.

What do you mean by triggering the update? Can I trigger the configuration change from Kibana? Or would I have to possibly write a custom REST call to trigger the change?

Can I trigger the configuration change from Kibana?

Maybe with a Kibana plugin.

Or would I have to possibly write a custom REST call to trigger the change?

Somehow you need to run a piece of code on the machine where Logstash or Filebeat runs. There are a million ways of doing that. Writing a small HTTP service that you can call would be one way.
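
A sketch of the "small HTTP service" idea from the reply above, added here as an example and not code from any poster or from Elastic: it drops or removes a debug-only input file that Filebeat picks up through its reloadable `filebeat.config.inputs` directory, and refuses any request without a shared token. The directory, log path, port, environment variable names and token scheme are all assumptions; the service must run as the same user as Filebeat so the file ownership check passes.

```python
import hmac
import os
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed setup (not from the thread): filebeat.yml has filebeat.config.inputs
# with path: inputs.d/*.yml and reload.enabled: true. Paths are placeholders.
INPUTS_DIR = os.environ.get("FB_INPUTS_DIR", "/etc/filebeat/inputs.d")
TOKEN = os.environ.get("FB_TOGGLE_TOKEN", "")
DEBUG_INPUT = "- type: log\n  paths:\n    - /var/log/myapp/debug.log\n"
ROUTES = {"/debug/on": True, "/debug/off": False}  # fixed actions only

def set_debug_shipping(enabled, inputs_dir=INPUTS_DIR):
    """Create or remove the debug input file; return True if it now exists."""
    target = os.path.join(inputs_dir, "debug.yml")
    if enabled:
        # Write to a name the *.yml glob ignores, then rename atomically so
        # Filebeat never reloads a half-written file.
        fd, tmp = tempfile.mkstemp(dir=inputs_dir, suffix=".tmp")
        with os.fdopen(fd, "w") as f:
            f.write(DEBUG_INPUT)
        os.replace(tmp, target)
    elif os.path.exists(target):
        os.remove(target)
    return os.path.exists(target)

def authorized(header, token):
    # Fail closed when no token is configured; compare in constant time.
    expected = f"Bearer {token}".encode()
    return bool(token) and hmac.compare_digest((header or "").encode(), expected)

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not authorized(self.headers.get("Authorization"), TOKEN):
            return self._reply(401, "unauthorized")
        if self.path not in ROUTES:  # caller never supplies a path or content
            return self._reply(404, "unknown action")
        state = set_debug_shipping(ROUTES[self.path])
        self._reply(200, "debug shipping " + ("on" if state else "off"))

    def _reply(self, code, text):
        body = (text + "\n").encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Loopback only: reach it through an SSH tunnel or a TLS reverse proxy.
    HTTPServer(("127.0.0.1", 8099), Handler).serve_forever()
```

The request carries no file name or log content, so a caller who obtains the token can only switch the one predefined input on or off.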
