Save search results as a file. Which is continually updated

sharbich · February 27, 2024, 5:21pm

Hello,
i capture logs from a Docker container according to the following pattern.

routes:
  - multiline+logstash+tcp://logstash.intern.example.com:50000
env:
  - name: SYSLOG_HOSTNAME
    value: homeassistant
  - name: INACTIVITY_TIMEOUT
    value: 1m
  - name: MULTILINE_PATTERN
    value: >-
      (\d\d(\d\d)?[-/]\d\d[-/]\d\d[T
      ]\d\d:\d\d:\d\d)|(^s6-rc:)|(^\[\d\d:\d\d:\d\d\])|(\d\d:\d\d:\d\d\
      -)|(^[TDIWEF]:)
  - name: MULTILINE_MATCH
    value: first
  - name: INCLUDE_CONTAINERS
    value: homeassistant
  - name: LOGSTASH_FIELDS
    value: source=hame01

Here the logstash config:

root@dsme01:~# cat /etc/logstash/conf.d/syslog/syslog_hame01.conf 
input {
  tcp {
    host => "logstash.intern.example.com"
    port => 50000
    codec => json
  }
}
## Add your filters / logstash plugins configuration here
filter {
  if ([source] == "my-home-assistant") {
    if ([docker][name] == "/homeassistant") {
      grok {
        patterns_dir => ["/usr/share/logstash/pipeline/patterns"]
        match => { "message" => "%{LOGLEVEL:log_level}%{SPACE}\(%{GREEDYDATA:log_thread}\)%{SPACE}\[%{LOGGER_NAME:log_name}\]%{SPACE}%{GREEDYDATA:log_message}" }
      }
      mutate {
        gsub => [ "log_message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|M|K]", "" ]
      }
        if [log_message] =~ /\n/ {
          mutate {
            copy => { "log_message" => "log_trace" }
          }
          mutate {
            gsub => [ "log_message", "(?m)^([^\n]*)$.*", "\1" ]
          }
        }
      } else {
      drop { }
    }
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch.intern.example.com:9200"
    user => "elastic"
    password => "elastic"
    ssl => true
    cacert => "/etc/logstash/config/certs/HarbichCA.crt"
    index => "syslog_hame01-%{+YYYY.MM.dd}"
  }
}

I see the Information in Kibana.
Can I also see the messages in a file on the ELK host in order to search for the contents with another program (fail2ban)?
Greetings from Stefan Harbich

Rios · February 27, 2024, 8:22pm

Well, it's easier to search in Kibana-Discovery

In order to see what LS will send to ES, you can add in the output:
file { path => "/path/syslog_%{+YYYY-MM-dd}.txt" " }

sharbich · February 27, 2024, 10:07pm

Hello,
Unfortunately that does not work. Here is my adjusted configuration:

    file {
      path => "/var/log/homeassistant/syslog_hame01.log"
    }

and the error in the log:

[2024-02-27T23:00:40,970][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:hame01, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 42, column 10 (byte 1127) after output {\n  elasticsearch {\n    hosts => \"elasticsearch.intern.example.com:9200\"\n    user => \"elastic\"\n    password => \"elastic\"\n    ssl => true\n    cacert => \"/etc/logstash/config/certs/HarbichCA.crt\"\n    index => \"syslog_hame01-%{+YYYY.MM.dd}\"\n    file ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}

Where is the mistake?

Greetings from Stefan Harbich

Rios · February 27, 2024, 10:23pm

at line 42, column 10 <-- You have an issue here.
Try with this:

output {
  elasticsearch {
    hosts => "elasticsearch.intern.example.com:9200"
    user => "elastic"
    password => "pass"
    ssl => true
    cacert => "/etc/logstash/config/certs/HarbichCA.crt"
    index => "syslog_hame01-%{+YYYY.MM.dd}"
  }

    file { path => "/var/log/homeassistant/syslog_hame01.log"  }
}

sharbich · February 28, 2024, 10:08am

It just doesn't work. I checked the permissions. From my point of view everything is fine. I even set the permission to 777. The following users are authorized to write to the directory (elasticsearch, logstash or root). I created the file. Nothing helps. it just doesn't work. no log file is written. Do I have to install a plugin so that the file can be created? What else can I do?

Rios · February 28, 2024, 10:37am

No, you don't have to install file plugin, it's already included in LS installation.

Error: "line 42, column 10" means your .conf file is not OK, most likely brackets are no closed.

Again, if you run LS as servicectl, your user is "logstash:logstash" and you should change the ownership. If you ran as a process from the command line, then that user needs write permissions.

Basically, "file { path ..." will write the same data which goes to ES to local disk.

sharbich · February 28, 2024, 11:48am

I've tried everything. Permissions checked. Tried all variants. No file is created under "/var/log/homeassistant/". I just don't know why????
Here my config:

root@dsme01:~# cat /etc/logstash/conf.d/syslog/syslog_hame01.conf 
input {
  tcp {
    host => "logstash.intern.example.com"
    port => 50000
    codec => json
  }
}
## Add your filters / logstash plugins configuration here
filter {
  if ([source] == "my-home-assistant") {
    if ([docker][name] == "/homeassistant") {
      grok {
        patterns_dir => ["/usr/share/logstash/pipeline/patterns"]
        match => { "message" => "%{LOGLEVEL:log_level}%{SPACE}\(%{GREEDYDATA:log_thread}\)%{SPACE}\[%{LOGGER_NAME:log_name}\]%{SPACE}%{GREEDYDATA:log_message}" }
      }
      mutate {
        gsub => [ "log_message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|M|K]", "" ]
      }
        if [log_message] =~ /\n/ {
          mutate {
            copy => { "log_message" => "log_trace" }
          }
          mutate {
            gsub => [ "log_message", "(?m)^([^\n]*)$.*", "\1" ]
          }
        }
      } else {
      drop { }
    }
  }
}
output {
  elasticsearch {
    hosts => "elasticsearch.intern.example.com:9200"
    user => "elastic"
    password => "elastic"
    ssl => true
    cacert => "/etc/logstash/config/certs/HarbichCA.crt"
    index => "syslog_hame01-%{+YYYY.MM.dd}"
  }
  file { path => "/var/log/homeassistant/syslog_hame01.log" }
}

Badger · February 28, 2024, 6:02pm

What error message do you get after you changed the .conf file?

sharbich · February 28, 2024, 8:16pm

Hello,
i found my error. My "logspout addon" has ended. Therefore no data was provided. Now everything works. Many thanks for the help.
Greetings from Stefan Harbich

system · March 27, 2024, 8:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to capture docker logs Logstash	1	542	December 8, 2017
Configuration in Logstash don't match logging of docker container Logstash	6	550	July 4, 2020
Logstash in Docker + syslog + preserving source IP's Logstash	3	4934	January 10, 2018
Logstash vs rsyslog java stack multiline issue Logstash	13	1390	September 18, 2017
Logstash.conf for Docker, Logspout, journal, syslog? Logstash	2	2865	July 6, 2017

Save search results as a file. Which is continually updated

Related topics