nucandrei

Reputation: 951

ElasticSearch services own logs

I installed ELK (ElasticSearch + Kibana + Logstash) on Ubuntu machines following the steps described in https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-and-visualize-logs-on-ubuntu-14-04.

All works fine when using the /var/log/syslog file as a log source. If I change to another file, no data appears in the Kibana interface. I tried to debug the applications but found no helpful information in:

/var/log/elasticsearch
/var/log/logstash/logstash.log
/var/log/syslog

Does anybody know where I can find detailed logging for ElasticSearch, Logstash and Logstash-Forwarder besides the previously specified files?

TL;DR: Where do ElasticSearch, Logstash and Logstash-Forwarder output their logs besides /var/log/elasticsearch, /var/log/logstash/logstash.log and /var/log/syslog?

Upvotes: 1

Views: 2491

Answers (2)

Idgoo

Reputation: 43

That is the location of the logs; there is not much detailed information to be found in there regarding missing entries in elasticsearch.

You can do the following to see if you are passing logs into ES:

Check the permissions on the other log sources you are using; ensure logstash has permission to read these files.

Add this output to your logstash config:

output {
   stdout { codec => rubydebug }
}

Run logstash from the command line and see if you can see logs getting parsed:

bin/logstash -f logstash.conf -l logstash.log -e

Check the ES count API to see if the number of documents in ES is increasing:

curl -XGET 'localhost:9200/_cat/count?v'

Upvotes: 0
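The first and last of the checks above, as an added Python example that is not part of this answer: it decides from ownership and mode bits whether a given account could open a log source (the account name `logstash` is assumed; substitute whatever user your Logstash service runs as), and it parses two polls of `_cat/count?v` output to tell whether documents are still arriving. The two poll outputs are constructed sample text, and the permission check deliberately ignores POSIX ACLs and AppArmor profiles.

```python
import os
import stat
import pwd
import grp

# Added example, not code from the answer above. Two of the answer's checks
# done without starting Logstash: can the service account read the input
# file (and traverse its parent directories), and does the document count
# reported by /_cat/count grow between two polls.


def mode_bit_set(st, uid, gids, user_bit, group_bit, other_bit):
    """Pick the permission bit that applies to uid/gids for this stat result."""
    if uid == 0:                       # root bypasses mode bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(path, uid, gids):
    """True if a process with this uid and these group ids could open `path`
    for reading, judged from ownership and mode bits only (POSIX ACLs and
    AppArmor profiles are not consulted)."""
    st = os.stat(path)
    if not mode_bit_set(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False
    # Every ancestor directory must also be searchable (x bit) for the open
    # to succeed; a 0750 /var/log/<app> directory is the usual culprit.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dst = os.stat(d)
        if not mode_bit_set(dst, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
        parent = os.path.dirname(d)
        if parent == d:
            return True
        d = parent


def ids_for_user(name):
    """uid and set of gids for a local account such as 'logstash' (assumed
    name of the service account); None if the account does not exist here."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def parse_cat_count(text):
    """Extract the integer count from verbose /_cat/count?v output, e.g.
    'epoch      timestamp count\\n1425989122 12:05:22  1234\\n'."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    if len(rows) < 2 or "count" not in rows[0]:
        raise ValueError("expected a header row containing 'count' and one data row")
    return int(rows[-1][rows[0].index("count")])


def count_grew(before_text, after_text):
    """True when the second poll reports more documents than the first."""
    return parse_cat_count(after_text) > parse_cat_count(before_text)


# Constructed sample output of two polls a few seconds apart.
POLL_1 = "epoch      timestamp count\n1425989122 12:05:22  1234\n"
POLL_2 = "epoch      timestamp count\n1425989132 12:05:32  1301\n"

if __name__ == "__main__":
    ids = ids_for_user("logstash")
    if ids:
        uid, gids = ids
        print("logstash can read /var/log/syslog:", readable_by("/var/log/syslog", uid, gids))
    else:
        print("no local 'logstash' account on this host")
    print("count grew between polls:", count_grew(POLL_1, POLL_2))
```

If `readable_by` returns False for a file the file input is supposed to tail, the file itself is usually fine and it is a parent directory lacking the execute bit for the service account; a count that does not move between polls while Logstash is running points at the input or filter stage rather than at Elasticsearch.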

Gary Rogers

Reputation: 405

You'd want to set up a handler in LogStash to consume ElasticSearch's logs. I threw together a Pattern to help out with this (detailed below). Something like:

input {
  file {
    type => "elasticsearch-log"                        # tags the events so the filter below can select them
    path => ["/var/log/elasticsearch/*.log"]
    sincedb_path => "/opt/logstash/sincedb-access"     # where Logstash records how far it has read each file
    discover_interval => 10
  }
}

filter {
  if [type] == "elasticsearch-log" {
    grok {
      match => [ "message", "%{ELASTICSEARCHLOG}" ]   # pattern defined in the pattern file below
    }
  }
}

output {
  elasticsearch {
    host => "localhost"   # option name in Logstash 1.x; later versions of the output call it "hosts"
  }
}

The pattern file would go in /opt/logstash/patterns/elasticsearch

ELASTICSEARCHTIME \[%{TIMESTAMP_ISO8601:timestamp}\]
ELASTICSEARCHLEVEL \[%{LOGLEVEL:level}\s+\]
ELASTICSEARCHSERVICE \[%{DATA:service}\s+\]
ELASTICSEARCHVERSION \[%{DATA:version}\]
ELASTICSEARCHLOG %{ELASTICSEARCHTIME}%{ELASTICSEARCHLEVEL}%{ELASTICSEARCHSERVICE} %{ELASTICSEARCHVERSION} %{GREEDYDATA:mymessage}

Upvotes: 1
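The grok pattern above translated into a plain Python regex, as an added example that is not part of this answer, so the pattern can be tried against real lines before the Logstash pipeline is touched. Field names follow the pattern (timestamp, level, service, version, mymessage), the sample log is constructed in the Elasticsearch 1.x layout the pattern expects, and the example goes beyond the pattern in two ways: it uses `\s*` instead of the pattern's `\s+` after the level, because a level that already fills the five-character column (`[ERROR]`) carries no trailing space and would not match `\s+`; and it folds non-matching lines (stack-trace continuations) into the previous event, which in Logstash would need a multiline codec rather than grok alone.

```python
import re

# Added example, not code from the answer above: the ELASTICSEARCHLOG grok
# pattern as a Python regex. The only deliberate deviation is "\s*" instead
# of "\s+" after the level, so "[ERROR]" (no padding space) still matches.
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[,.]\d+)?"
LOGLEVEL = r"TRACE|DEBUG|INFO|WARN|ERROR|FATAL"

ELASTICSEARCHLOG = re.compile(
    r"^\[(?P<timestamp>" + TIMESTAMP_ISO8601 + r")\]"   # ELASTICSEARCHTIME
    + r"\[(?P<level>(?:" + LOGLEVEL + r"))\s*\]"         # ELASTICSEARCHLEVEL
    + r"\[(?P<service>.*?)\s*\]"                         # ELASTICSEARCHSERVICE
    + r" \[(?P<version>[^\]]*)\]"                        # ELASTICSEARCHVERSION
    + r" (?P<mymessage>.*)$"                             # GREEDYDATA:mymessage
)


def parse_es_log_line(line):
    """Return the named fields for one log line, or None if it is not the
    first line of an event (stack-trace continuation lines, for instance)."""
    m = ELASTICSEARCHLOG.match(line)
    return m.groupdict() if m else None


def parse_es_log(text):
    """Parse a whole log into events. Lines that do not match are appended to
    the previous event's message, which is what a Logstash multiline codec
    would do; the grok filter alone would tag such lines _grokparsefailure."""
    events = []
    for line in text.splitlines():
        fields = parse_es_log_line(line)
        if fields is not None:
            events.append(fields)
        elif events:
            events[-1]["mymessage"] += "\n" + line
    return events


# Constructed sample in the Elasticsearch 1.x layout the pattern expects;
# the bracketed node name lands in the field the pattern calls "version".
SAMPLE_LOG = (
    "[2015-03-10 12:05:22,123][INFO ][node                     ] [Wolverine] "
    "version[1.4.4], pid[4242], build[deadbee/2015-02-19T13:05:36Z]\n"
    "[2015-03-10 12:05:22,456][WARN ][bootstrap                ] [Wolverine] "
    "JNA not found. native methods will be disabled.\n"
    "[2015-03-10 12:05:40,001][ERROR][index.shard              ] [Wolverine] "
    "[logstash-2015.03.10][0] failed to start shard\n"
    "org.elasticsearch.index.shard.IndexShardException: constructed example\n"
    "\tat org.elasticsearch.index.shard.IndexShard.start(IndexShard.java:1)\n"
)

if __name__ == "__main__":
    for event in parse_es_log(SAMPLE_LOG):
        print(event["timestamp"], event["level"], event["service"], "->", event["mymessage"].splitlines()[0])
```

When a line that should match comes back as None, test the five bracketed pieces against the sub-patterns one at a time; the `[ERROR]` case is the one the `\s+` in the posted ELASTICSEARCHLEVEL pattern trips over, and a `_grokparsefailure` tag on only the error-level events in Kibana is the symptom to look for.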
