Categories
access-log aws elasticsearch elk filter grok grok-debugger gui input kibana log-format logging logrotate logstash monitoring nginx optimization output s3 webbrowser

ELK : Configure Elasticsearch, Logstash, Kibana to visualize and analyze the logs.

This is about how to configure elasticsearch, logstash, kibana together to visualize and analyze the logs. There are situations when you want to see whats happening on your server, so you switch on your access log. Of course you can tail -f from there or grep from that, but I tell you that it is real cumbersome to analyze the logs through that log file.

What if I told you there is a super cool tool, Kibana, which lets you analyze your logs, gives all kind of information in just clicks.   Kibana is a gui tool designed for the purpose to analyze the large log files which when used properly with logstash and elasticsearch(configure elasticsearch, logstash and kibana together) can be a boon for developers.

Now, logstash is a tool which is used to move logs from one file or storage(s3) to another. Elasticsearch is a search server which is used to store the logs in some format.

Now, here is the picture in short, Logstash will bring logs from s3, formatize them and send them to elasticsearch. Kibana will fetch logs from elasticsearch and show it to you. With that lets see the actual thing which matters, the code. I assume you everything installed, ELK, and s3 as the source of our logs(why?).

So first we configure our Logstash. There are mainly three blocks in logstash, input, filter, output. In input, we specify the source of the log file, in filter block, we format the logs the way we want it to be stored in elastic search, in output block we specify the destination for the output.

Code :

open up terminal

nano /etc/logstash/conf.d/logstash.conf

edit it for the following code,

input {

s3 {

bucket => “bucket_name_containing_logs”

credentials => [“ACCESS_KEY”, “SECRET_KEY”]

region_endpoint => “whichever_probably_us-east-1”

codec => json {

charset => “ISO-8859-1”

}

}

}

filter {

grok {

match => {“message” => “grok_pattern”}

}

}

output {

#stdout {

#codec =>json

#}

elasticsearch_http {

host => “localhost”

port => “9200”

codec => json {

charset => “ISO-8859-1”

}

}

}

Explanation :

In input block, we specify that our log comes from s3. We provide necessary credentials to access the s3 bucket. We specify the charset for the input.

In filter block, we use grok tool to create custom fields in kibana by making proper pattern for the input logs. You can use grokdebugger to debug your pattern for a given input.

In output block, we specify the destination for output as elasticsearch, its address. We also specify the charset for the output.

You can uncomment the stdout block in output block to print data on to console.

Elasticsearch

We don’t need to change anything for elasticsearch configuration for now. Though if curious you can find it at /etc/elasticsearch/elasticsearch.yml . One thing which we should keep in mind that we need high configuration machine for this ELK system, otherwise, you might encounter different errors when elasticsearch gets full. One workaround that can be done for that whenever your elasticsearch is full, clear it out.

The following command will remove all index and bring elasticsearch to its initial state.

curl -XDELETE ‘ http://localhost:9200/_all/ ‘

You can read here to optimize elastic search for memory.

Kibana

You don’t have to do much here in its configuration file, just make sure its listening to the correct port number. You can find its configuration file at /opt/kibana/config/kibana.yml

Now go ahead and enter the ip of the machine wherever the kibana is setup and port number or whatever url you specified in kibana.yml into the browser.

Now you can see something like thisconfigure elasticsearch

You can now explore a lot of things from here, visualize logs, compare fields. Go ahead check out different settings in kibana.

That’s it for now.

Welcome and do let me know when you configure elasticsearch, logstash, kibana combo pack.

Cheerio 🙂

Categories
access-log configuration custom-log error-log log-format logging monitoring nginx web-server

Monitoring : How to customize the error log in nginx?

Well, recently I came around a task in which I had to format the error log for nginx web server. I googled and I managed to use log_format directive to format access logs. Being lazy, I went for the same way to customize error log(I did it on live machine) and bang. It was giving error, and I just couldn’t believe why it won’t work as it was, a while ago, and now it it isn’t. After some time I realized, that there is difference in type of logs. It worked for access logs but not for error logs.

I then looked in detail, that, it indeed works for only for access logs and we can not customize the error logs in nginx.

Yes, I was puzzled when I saw following.

Capture

I was like what to do now.

Then I thought wait, I have a work around.

When we go through back, we note that, 1- we can format access logs, 2-we know that we have a directive called error_page, so why not create access log only when error occurs. Yes this is the work around.

This is how we can do it.

http {
...
  log_format custom_combined "...";
  server {
    ...
    error_page 50x @create_custom_error50x;
    ...
    location @create_custom_error50x {
      access_log path custom_combined;
      return 50x;
    }
  }
}

Explanation

1 – log_format defines a format for the logs in http context.

2 – error_page directive internally redirect to create_custom_error50x named location on 50x error.

3 – inside create_custom_error50x location we create formatted access log using access_log directive.

4 – it returns the respective error(otherwise it will 404 error and we won’t know the error type occured) using return directive.

So, we can similarly write different location blocks and error_page statements for different errors. If the error code doesn’t matter, then all of them combined as well.

SO YEAH, GO AHEAD WITH YOUR CUSTOMIZED ERROR LOG. 🙂

Links : The same search result in screenshot with one more answer.

Read about log_format, error_page.