{"id":526,"date":"2014-10-10T22:06:16","date_gmt":"2014-10-10T20:06:16","guid":{"rendered":"http:\/\/blog.johannes-beck.name\/?p=526"},"modified":"2014-10-10T22:07:04","modified_gmt":"2014-10-10T20:07:04","slug":"logstash-forwarder-as-a-lightweight-log-shipper","status":"publish","type":"post","link":"https:\/\/blog.johannes-beck.name\/?p=526","title":{"rendered":"logstash-forwarder as a lightweight log shipper"},"content":{"rendered":"<p>This may be the first of a series of posts with my experiences around <a href=\"http:\/\/www.elasticsearch.org\">Elasticsearch<\/a> and <a href=\"http:\/\/logstash.net\">Logstash<\/a>, but it is a piece from the middle of that story: for me it was the missing link between the many very helpful and detailed tutorials you&#8217;ll find elsewhere. <\/p>\n<p>Logstash is great for managing events and logs, but rather weak when it comes to shipping logs to the central hub. The default shipper is the Logstash agent itself, a Java-based client that has to be installed on every client machine and brings the memory and CPU cost of a Java VM with it. <\/p>\n<p><a href=\"https:\/\/github.com\/elasticsearch\/logstash-forwarder\">logstash-forwarder<\/a> is a more lightweight alternative, but you&#8217;ll need to do some setup on your own. My experiences are based on Fedora 20; you&#8217;ll need to adapt some pieces on other Linux distributions. <\/p>\n<p>First we&#8217;ll need to build logstash-forwarder and package it as an RPM. The build is needed only once; the resulting package is then installed on every client.<\/p>\n<p><code><br \/>\nyum install golang ruby ruby-devel rubygems<br \/>\ngit clone https:\/\/github.com\/elasticsearch\/logstash-forwarder.git<br \/>\ncd logstash-forwarder<br \/>\ngo build<br \/>\ngem install fpm<br \/>\nmake rpm<br \/>\n<\/code><\/p>\n<p>This should give you an RPM file with the latest release. Copy it to the client and install it. 
The example files assume that Logstash is running on my-logstash-server.example.org and that the client is client01.example.org, which runs Apache HTTP Server.<\/p>\n<p><code><br \/>\nyum install logstash-forwarder-0.3.1-1.i686.rpm<br \/>\n<\/code><\/p>\n<p>Next we need a configuration file in \/opt\/logstash-forwarder\/logstash-forwarder.conf:<\/p>\n<p><code><br \/>\n{<br \/>\n&nbsp;\"network\": {<br \/>\n&nbsp;&nbsp;\"servers\": [ \"my-logstash-server.example.org:9998\" ],<br \/>\n&nbsp;&nbsp;&nbsp;\"ssl certificate\": \"\/etc\/pki\/tls\/certs\/client01.crt\",<br \/>\n&nbsp;&nbsp;&nbsp;\"ssl key\": \"\/etc\/pki\/tls\/private\/client01key\",<br \/>\n&nbsp;&nbsp;&nbsp;\"ssl ca\": \"\/etc\/pki\/CA\/cacert.pem\"<br \/>\n&nbsp;},<br \/>\n&nbsp;\"files\": [<br \/>\n&nbsp;&nbsp;{<br \/>\n&nbsp;&nbsp;&nbsp;\"paths\": [ \"\/var\/log\/httpd\/access.log\" ],<br \/>\n&nbsp;&nbsp;&nbsp;\"fields\": { \"type\": \"apache-access\" }<br \/>\n&nbsp;&nbsp;}<br \/>\n&nbsp;]<br \/>\n}<br \/>\n<\/code><\/p>\n<p>As you see, the client needs its own certificate and key, and \"ssl ca\" must point at the CA that issued the server&#8217;s certificate: that entry is what lets the forwarder verify the server before it ships anything, and the forwarder refuses to connect if the server certificate does not match the host name given in \"servers\". The \"type\" under \"fields\" is attached to every event read from that file and is what the filter on the server will key on. Keep the client key readable by root only, since root is the user the forwarder runs as in this setup. 
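<\/p>\n<p>The following preflight script is an added example for this post, not code from logstash-forwarder or Logstash. Given the parsed logstash-forwarder.conf it checks that every server entry is host:port, that the three ssl entries are present and load (the certificate and key must belong together, and the key must not be group- or world-readable), and that each file declared as type apache-access only contains lines the grok filter on the server will match; the two Apache patterns are hand-written regex approximations of grok&#8217;s COMMONAPACHELOG and COMBINEDAPACHELOG, tried in the same order as on the server. Every path and log line written by make_sample_tree() is constructed sample data, chosen to trip each check once.<\/p>\n
```python
"""Preflight for a logstash-forwarder client. Added example for this post, not code
from logstash-forwarder or Logstash. It checks a parsed logstash-forwarder.conf, the
TLS files it names, and that files declared as type "apache-access" hold lines the
server-side grok filter will match. COMMON_APACHE and COMBINED_APACHE are hand-written
approximations of grok's patterns; everything make_sample_tree() writes is sample data."""
import os
import re
import ssl
import stat
import tempfile

# COMMONAPACHELOG, approximately. It has no trailing anchor, so a combined-format
# line matches it too; the combined pattern must therefore be tried first.
COMMON_APACHE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)')
# COMBINEDAPACHELOG: the common format followed by quoted referrer and agent.
COMBINED_APACHE = re.compile(
    COMMON_APACHE.pattern + r' "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_apache_line(line):
    """Mirror the server filter: combined first, then common, else tag the failure."""
    for pattern in (COMBINED_APACHE, COMMON_APACHE):
        match = pattern.match(line.rstrip("\n"))
        if match:
            return {k: v for k, v in match.groupdict().items() if v is not None}
    return {"tags": ["_grokparsefailure"]}


def check_network(network):
    """Validate the server entries and the three ssl settings of the network section."""
    findings = []
    for server in network.get("servers", []):
        host, sep, port = server.rpartition(":")
        if not (sep and host and port.isdigit()):
            findings.append("server %r is not host:port" % server)
    missing = [k for k in ("ssl certificate", "ssl key", "ssl ca") if k not in network]
    if missing:  # without all three the forwarder cannot authenticate the server
        return findings + ["missing %s in network section" % ", ".join(missing)]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        mode = os.stat(network["ssl key"]).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # forwarder runs as root: owner-only key
            findings.append("ssl key is group/world accessible (mode %o)" % stat.S_IMODE(mode))
        # Raises unless both files are PEM and the key belongs to the certificate.
        ctx.load_cert_chain(network["ssl certificate"], network["ssl key"])
    except (OSError, ssl.SSLError) as exc:
        findings.append("client certificate/key do not load: %s" % exc)
    try:
        ctx.load_verify_locations(cafile=network["ssl ca"])
    except (OSError, ssl.SSLError) as exc:
        findings.append("ssl ca does not load: %s" % exc)
    return findings


def check_files(files):
    """Paths must be absolute; apache-access files must parse with the patterns above."""
    findings = []
    for entry in files:
        log_type = entry.get("fields", {}).get("type")
        if not log_type:  # the server conditional routes on [type]; untyped events get no grok
            findings.append("file entry %s sets no fields.type" % entry.get("paths"))
        for path in entry.get("paths", []):
            if not os.path.isabs(path):
                findings.append("path %r is not absolute" % path)
            elif log_type == "apache-access" and os.path.exists(path):
                with open(path) as fh:
                    for lineno, line in enumerate(fh, 1):
                        if "tags" in parse_apache_line(line):
                            findings.append("%s:%d would get _grokparsefailure" % (path, lineno))
    return findings


def check_config(cfg):
    """Findings for one parsed logstash-forwarder.conf (a dict); an empty list means clean."""
    return check_network(cfg.get("network", {})) + check_files(cfg.get("files", []))


# Constructed sample log: one combined-format line, one common-format line, one junk line.
SAMPLE_LOG = ('192.0.2.10 - - [10/Oct/2014:20:06:16 +0200] "GET /index.html HTTP/1.1" 200 1234 '
              '"http://client01.example.org/" "Mozilla/5.0"\n'
              '192.0.2.11 - - [10/Oct/2014:20:06:17 +0200] "POST /login HTTP/1.1" 302 -\n'
              'this line is not an access log entry\n')


def make_sample_tree(root):
    """Write a deliberately flawed setup under root and return the matching config dict."""
    key, cert, ca, log = (os.path.join(root, name) for name in
                          ("client01.key", "client01.crt", "cacert.pem", "access.log"))
    for path, body in ((key, "not PEM"), (cert, "not PEM"), (ca, "not PEM"), (log, SAMPLE_LOG)):
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(key, 0o644)  # too open: group and world can read the private key
    return {"network": {"servers": ["my-logstash-server.example.org:9998", "bad-entry"],
                        "ssl certificate": cert, "ssl key": key, "ssl ca": ca},
            "files": [{"paths": [log], "fields": {"type": "apache-access"}},
                      {"paths": ["relative/path.log"], "fields": {}}]}


def run_demo():
    """Build the sample tree in a temporary directory and return its findings (7 here)."""
    with tempfile.TemporaryDirectory() as root:
        return check_config(make_sample_tree(root))
```
\n<p>On a real client, load the file with json.load() and pass the result to check_config(); run it as root before starting supervisord, since the key-permission and certificate checks need to see the files the way the forwarder will.<\/p>\n<p>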
The init script shipped with logstash-forwarder does not work on Fedora \/ Red Hat \/ CentOS based systems, so we will use <a href=\"http:\/\/supervisord.org\">supervisord<\/a> as a replacement.<\/p>\n<p><code><br \/>\nyum install supervisor<br \/>\nsystemctl enable supervisord<br \/>\n<\/code><\/p>\n<p>and place a control file at \/etc\/supervisord.d\/logstash-forwarder.ini<\/p>\n<p><code><br \/>\n[program:logstash-forwarder]<br \/>\ncommand=\/opt\/logstash-forwarder\/bin\/logstash-forwarder.sh -config=logstash-forwarder.conf<br \/>\nstdout_logfile=NONE<br \/>\nstderr_logfile=NONE<br \/>\nautorestart=true<br \/>\nautostart=true<br \/>\nuser=root<br \/>\ndirectory=\/opt\/logstash-forwarder<br \/>\n<\/code><\/p>\n<p>Note that stdout_logfile and stderr_logfile set to NONE discard the forwarder&#8217;s own messages, TLS errors included; point stderr_logfile at a file while you are debugging the connection. We can start the client now with systemctl start supervisord, but the receiver on the server side needs to be configured too.<br \/>\nThe assumption is that Logstash and Elasticsearch are already up and running on my-logstash-server.example.org.<br \/>\nPlace a new config file at \/etc\/logstash\/conf.d\/logstash-lumberjack.conf<\/p>\n<p><code><br \/>\ninput {<br \/>\n&nbsp;lumberjack {<br \/>\n&nbsp;&nbsp;# The port to listen on<br \/>\n&nbsp;&nbsp;port => 9998<br \/>\n&nbsp;&nbsp;# The paths to your ssl cert and key<br \/>\n&nbsp;&nbsp;ssl_certificate => \"\/etc\/logstash\/my-logstash-server.crt\"<br \/>\n&nbsp;&nbsp;ssl_key => \"\/etc\/logstash\/my-logstash-server.key\"<br \/>\n&nbsp;&nbsp;# Fallback type for events that arrive without one; the forwarder already sets type via fields<br \/>\n&nbsp;&nbsp;type => \"somelogs\"<br \/>\n&nbsp;}<br \/>\n}<br \/>\nfilter {<br \/>\n&nbsp;if [type] == \"apache-access\" {<br \/>\n&nbsp;&nbsp;grok {<br \/>\n&nbsp;&nbsp;&nbsp;# Patterns are tried in order; the combined format must come first, because the common pattern also matches the start of a combined line<br \/>\n&nbsp;&nbsp;&nbsp;match => { \"message\" => [ \"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}\", \"%{COMMONAPACHELOG}\" ] }<br \/>\n&nbsp;&nbsp;}<br \/>\n&nbsp;}<br \/>\n}<br \/>\n<\/code><\/p>\n<p>The server needs its own certificate and key as well, issued by the CA the clients list under \"ssl ca\" and issued for the host name the clients connect to; the private key should be readable only by the logstash user. Events keep the type the forwarder gave them, because an input&#8217;s type setting never overrides a type that is already present, which is why the filter can branch on apache-access. The filter lines I 
used here work well for Apache HTTP Server and Apache Tomcat (how to configure Tomcat for this will be covered in another post).<\/p>\n<p>Now restart both supervisord on the client and logstash on the server, and you&#8217;ll see your logs arriving in Elasticsearch.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This may be the first of a series of posts with my experiences around Elasticsearch and Logstash, but it is kind of a piece in the middle. For me it was a missing link between a lot of very helpful and detailed tutorials you&#8217;ll find elsewhere. Logstash is great for managing events and logs, but [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36,3],"tags":[54,53,51,52],"class_list":["post-526","post","type-post","status-publish","format-standard","hentry","category-linux","category-software-development","tag-elasticsearch","tag-httpd","tag-logstash","tag-supervisord"],"_links":{"self":[{"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=\/wp\/v2\/posts\/526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=526"}],"version-history":[{"count":8,"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=\/wp\/v2\/posts\/526\/revisions"}],"predecessor-version":[{"id":534,"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=\/wp\/v2\/posts\/526\/revisions\/534"}],"wp:attachment":[{"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=526"}],
"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.johannes-beck.name\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}