Setup questions for custom logs from application into logstash

TsuWeiQuan · May 30, 2019, 5:35am

Hello,
I am very new to ELK stack and have successfully setup one. Currently, i am learning how to parse custom application logs into Logstash pipeline then to elasticsearch and hope to see these data on kibana.
Hence I have a few questions if my process/way of implementing is ideal/correct.

Just for reference, one of my sample log data is:

2019-05-28 04:19:01.355 DEBUG - [SPLOC, 00082] [common_template.c,App_endTransaction,822] [Time to Commit Trans=1.223000]
2019-05-28 04:19:01.355 INFO - [SPLOC, 00082] [common_msg_hdlr.c,CommonMsgHdlr,153] [END_TRANS, Status: STATUS_OK]
2019-05-28 04:19:01.355 INFO - [SPLOC, 00082] [common_msg_hdlr.c,CommonMsgHdlr,212] End transaction. [Time Taken=1.764000].

Please advice/correct me if i am wrong.

Create a pipeline on logstash
Filebeat this file from an host into logstash with the same port as the pipeline in (1)
At /usr/share/logstash/config/conf.d/test.conf, configure the filter to grok the data in
Output to elasticsearch host with an index

However i am stuck at step 3. I am unable to start my pipeline (testpipe). Starting the logstash service always creates the default main pipeline.
How can i start my customized pipeline?

What i did:
Edit pipelines.yml

- pipeline.id: testpipe
  path.config: "/usr/share/logstash/config/conf.d/test.conf"

Edit test.conf (this configuration is wrong but i am unable to start this pipe)

input {
  stdin {}
  #beats {
  #  port => 5044
  #}
}

# The filter part of this file is commented out to indicate that it is
# optional.
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    remove_field => "message"
  }
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => en
    remove_field => ["timestamp"]
  }
  geoip {
    source => "clientip"
  }
  useragent {
    source => "agent"
    target => "useragent"
  }
}

output {
    stdout { codec => rubydebug }
    elasticsearch {
     hosts => ["http://esnode1:9200", "http://esnode2:9200", "http://esnode3:9200"]
     index => "testpipe-%{+YYYY.MM.dd}"
    }
}

then i ran this

../bin/logstash -f conf.d/test.conf --config.test_and_exit
 ../bin/logstash -f conf.d/test.conf --config.reload.automatic

warkolm · May 30, 2019, 5:46am

Rather than deleting your question, it would be better if you could share your solution, as it may help others in the future with a similar problem

TsuWeiQuan · May 30, 2019, 6:31am

Sure!
The solution to starting my own pipe is to place the pipeline configuration file at /etc/logstash/conf.d/<here>

My mistake was that i place it at the /usr/share/logstash/ directory.
I found this solution after carefully reading the documentation here

On deb and rpm, you place the pipeline configuration files in the /etc/logstash/conf.d directory. Logstash tries to load only files with .conf extension in the /etc/logstash/conf.d directory and ignores all other files.

warkolm · May 30, 2019, 6:32am

Awesome, thank you very much for sharing that

Topic		Replies	Views
How to set input filter logstash? Logstash	4	745	November 28, 2018
Logstash pipeline problem Logstash	4	1381	November 21, 2019
Custom grok filter Logstash	4	254	September 20, 2021
Elk custome log Kibana	3	246	February 5, 2021
How to configure ELK (Elasticsearch, Logstash,Kibana) for different application log files and display each application separately in Kibana? Logstash	16	9062	February 3, 2017

Setup questions for custom logs from application into logstash

Related topics