Reputation: 51
We are using an ELK (Elasticsearch + Logstash + Kibana) stack for our log management, but the problem is that Kibana shows the stats of each component individually. I want to have a correlation of events in multiple components; for instance, an exception in the Tomcat server resulted in an HTTP 404 for the customer.
Please suggest how this can be achieved. If it is not possible through ELK, suggest some other open-source solution.
Upvotes: 0
Views: 2535
Reputation: 18137
You need to add a connection between the particular events. There is nothing that just works out of the box. You have to add it yourself, and it depends on what kind of system you operate.
PHP
You can use mod_unique_id to create a unique request id, created by your Apache server. This id can be used in your PHP environment for logging ($_SERVER['UNIQUE_ID']). See also [1]
Java
If you use Java, I prefer a slightly different approach. Generate a request id in your application that is used to identify the particular request. You can add the request id into your MDC (Message Diagnostic Context). The MDC can be submitted by various GELF connectors together with the log messages towards Logstash. Use the request id also in your HTTP response as a header for Apache. You can log the response header in your Apache access log. See [2] for the Java part.
In general, if your environment consists of more than an Apache and an application server, it's worth passing the RequestId (and maybe a SessionId) across all calls within your systems. This way you can correlate all activity within a request/session.
Links
Upvotes: 1
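The correlation described in the answer above, as an added example that is not part of the original answer: Python code that joins failed HTTP responses from an access log with application errors carrying the same request id. The log layouts, the `rid=` field name and all sample lines are constructed assumptions; the access log is assumed to end with the request id and the application log to print the id from the MDC.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed formats: the access log ends with the
# request id (e.g. logged from a response header), the application log
# carries the same id from the MDC as "rid=<id>".
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "GET /cart HTTP/1.1" 200 5120 rid-0001
203.0.113.9 - - [12/Mar/2015:10:01:03 +0000] "GET /item/42 HTTP/1.1" 404 312 rid-0002
203.0.113.9 - - [12/Mar/2015:10:01:05 +0000] "GET /missing HTTP/1.1" 404 298 rid-0003
"""
APP_LOG = """\
2015-03-12 10:01:02,110 INFO  [rid=rid-0001] CartController - cart loaded
2015-03-12 10:01:03,420 ERROR [rid=rid-0002] ItemController - java.lang.NullPointerException
2015-03-12 10:01:03,421 INFO  [rid=rid-0002] ItemController - returning error page
"""

ACCESS_RE = re.compile(
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<rid>\S+)$')
APP_RE = re.compile(
    r'^\S+ \S+ (?P<level>\w+)\s+\[rid=(?P<rid>[^\]]+)\] (?P<msg>.*)$')

def parse(text, pattern):
    """Yield the named groups of every line that matches; skip the rest."""
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            yield m.groupdict()

def correlate(access_text, app_text, min_status=400):
    """Join failed HTTP responses with application errors sharing a request id."""
    errors = defaultdict(list)
    for ev in parse(app_text, APP_RE):
        if ev["level"] == "ERROR":
            errors[ev["rid"]].append(ev["msg"])
    results = []
    for req in parse(access_text, ACCESS_RE):
        if int(req["status"]) >= min_status:
            results.append({"rid": req["rid"], "path": req["path"],
                            "status": int(req["status"]),
                            "app_errors": errors.get(req["rid"], [])})
    return results

if __name__ == "__main__":
    for row in correlate(ACCESS_LOG, APP_LOG):
        cause = "; ".join(row["app_errors"]) or "no application error logged"
        print(f'{row["rid"]} {row["status"]} {row["path"]} <- {cause}')
```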