Unable to differentiate logs

Raja1 · April 20, 2017, 8:56am

Hi All,

I have configured ELK in my server and able to see the logs in Kibana but i am unable to find out the environment wise logs in Kibana.I have different environments like DEV,INT,UAT and PROD. All environments has the logs.

how can be the logs be differentiated. For example one log entry is from DEV, one log entry is from INT. How can be marked the logs that it is DEV or INT or UAT or PROD environment.

Regards
Raja

warkolm · April 20, 2017, 9:01am

You need to attach a field in there that does that.

Raja1 · April 20, 2017, 9:04am

Hi Mark,

Thank you

can you please provide me some example config to refer.

Regards
Raja

warkolm · April 20, 2017, 9:05am

That depends entirely on how you send data to ES.

Raja1 · April 20, 2017, 9:07am

I am not filtering anything as of now. I want the environment wise logs as it is from server to Kibana.

warkolm · April 20, 2017, 9:09am

How do those logs get to ES?

Raja1 · April 20, 2017, 9:14am

I have logstash where i am doing the configuration to ship the logs to ES.My configuration looks like below. Here i have all environment logs under /etc/logs

input
{
file
{
path => "/etc/logs/*.log"
}
}
output
{
elasticsearch
{
hosts => "localhost:9200"
}
}

pablosan · April 20, 2017, 10:11am

I imagine you have a logstash in each different environment.
Add a field with the value of the environment.
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#plugins-inputs-file-add_field

input
{
  file
  {
    path => "/etc/logs/*.log"
    add_field => {"environment": "production"}
  }
}
output
{
  elasticsearch
  {
    hosts => "localhost:9200"
  }
}

A_B · April 20, 2017, 10:24am

Hi Raja,

it looks like you just have one server and collect logs from only one location...

Personally I would maybe use Filebeat to read the log files although you can do it with Logstash as well.

You will probably have to define more than one path of you have all logs in the same location, something like

input
{
  file
  {
    path => "/etc/logs/*.prod.log"
    add_field => {"environment": "production"}
  }
  file
  {
    path => "/etc/logs/*.dev.log"
    add_field => {"environment": "DEV"}
  }
  file
  {
    path => "/etc/logs/*.int.log"
    add_field => {"environment": "INT"}
  }
}

Adjust according to your naming convention of log files

Cheers,
AB

Raja1 · April 20, 2017, 10:44am

Thanks Ab and Pablo

Raja1 · April 27, 2017, 4:51am

Hi Ab,

This is not working. I have done the similar way but its throwing an invalid configuration.

A_B · May 2, 2017, 8:59am

Hi Raja,
sorry, I haven't used logstash this way... Looking at https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html looks like I left out the input type from the second and third path. I edited my previous post to fix that.

Raja1 · May 2, 2017, 9:27am

I fixed finally. I have created different configuration files referring same elasticsearch output so that i was able to make it possible.

Anyway Thank you

Topic		Replies	Views
Beats Logs differentiation based on Environment in Kibana UI Beats filebeat	3	364	April 11, 2022
Configure logstash for dev and prod with different index pattern Logstash	6	1346	February 27, 2019
Seperate ES indexes or Add a new field in logstash Logstash	4	897	July 6, 2017
How to save multiple logs to separate ES index's Elasticsearch	3	395	May 15, 2020
Separate production logs - logstash Logstash	2	431	April 17, 2019

Unable to differentiate logs

Related topics