<\/div> <\/div><\/p>\n
grok {\n match => {\n \"path\" => \"\/%{FILE_VERSION:version}_%{BU_ID:id}\\.csv$\"\n }\n patterns_dir => [\"\/elasticsearch\/logstash\/example\/patterns\"]\n}<\/pre>\nThere’s also a way of having the files in a different folder and then declare this in the config file.<\/p>\n
The contents of the file have to follow the pattern of PATTERN_NAME regex<\/code>, so you would end with something like:<\/p>\nFILE_VERSION \\w+\\d{6}(?=_)\nBU_ID \\d{3}(?=\\.)<\/pre>\nIf you are not planning to reuse the regex and want to inline it, you can do that too:<\/p>\n
%{DATESTAMP:timestamp} (?<mti_before>\\w{46})(?<mti>\\w{4})%{GREEDYDATA}<\/pre>\nLike a regex group you use parenthesis to specify what you want to group, then you start with a question mark to inform that you are going to use a regex. Then you add the name of the field that you are going to parse the data to and finally, you can add the regex.<\/p>\n
Grok will also allow conversions to int<\/code> and float<\/code>. You just have to add as an extra parameter in the match<\/code>. E.g.: %{IP:client:int}<\/code><\/p>\nWhen using the grok plugin take care to not duplicate the message that you are sending by adding the pattern:<\/p>\n
grok {\n match { message => \"%{GREEDYDATA:message}\" }\n}<\/pre>\nThis would add a new message to the message field instead of replacing.<\/p>\n
JSON<\/h3>\n
You might be in a better situation and have structured your logs in a format like JSON. For that Logstash<\/code> will give you free parsing.<\/p>\njson {\n source => \"message\"\n target => \"payload\"\n}<\/pre>\nThat’s everything you have to do for Logstash<\/code> to parse all the JSON messages and set the proper data type for the fields.<\/p>\nKey-Value<\/h4>\n
Another filter that might be useful is Key-Value or kv<\/code>. It is used to split data based on two keys. So if we have a logline that looks like:<\/p>\ntimestamp=10\/09\/2019 10:10:50, level=INFO, message=Something wrong might not be right<\/pre>\nWe can use the kv filter like this:<\/p>\n
filter {\n kv {\n source => \"message\"\n field_split => \",\"\n value_split => \"=\"\n target => \"summary\"\n }\n}<\/pre>\nSo we can parse the data from the message using the kv<\/code> filter. The only problem with this filter is that you can’t set the data type during the filter step.<\/p>\nMutate<\/h4>\n
You might want to change the log that you are receiving, I’m not talking about full parsing of a logline but small changes. There’s the mutate<\/code> filter to do that and there are multiple commands that can be used to change your log.<\/p>\nSome examples of what you can do with the mutate filter:<\/p>\n
\nconvert<\/code>: You might have parsed a field but you need that field to be more than just a string. The convert<\/code> command allows you to convert to integer<\/code>, float<\/code>, string<\/code>, or boolean<\/code>.<\/li>\n<\/ul>\nfilter {\n mutate {\n convert => {\n \"quantity\" => \"integer\"\n \"is_paid\" => \"boolean\"\n }\n }\n}<\/pre>\n\nremove_field<\/code>: You might want to drop some sensitive data from your logs, so you can use this command to remove it.<\/li>\n<\/ul>\nfilter {\n mutate {\n remove_field => [\"sensitive_data\"]\n }\n}<\/pre>\n\ngsub<\/code>: This is an option to replace values using a regex, you might want to obfuscate some data that isn’t relevant, you can use this option for that.<\/li>\n<\/ul>\nfilter {\n mutate {\n gsub => [\n # field regex result\n \"transaction_reference\", \"\\d{4}-\\d{4}-\\d{4}-\\d{4}\", \"XXXX-XXXX-XXXX-XXXX\"\n ]\n }\n}<\/pre>\nThis will replace all transaction references with a masked version.<\/p>\n
Output<\/h3>\n
This is the part where you can direct the log that you just parsed to an output or datastore. In our case we are going to use Elasticsearch<\/code> which is a NoSQL document store, but you can also send to other places like CSV<\/code>, HTTP<\/code> or even email<\/code>.<\/p>\nYou can check the documentation for Logstash<\/code> to see all the output plugins.<\/p>\noutput {\n elasticsearch {\n hosts => [\"192.168.0.15\"]\n user => \"elastic_user\"\n password => \"elastic_password\"\n index => \"application-log\"\n }\n}<\/pre>\nIn the example here we are sending our logs to Elasticsearch<\/code> hosted in another machine.<\/p>\nElasticsearch<\/h2>\n
Elasticsearch<\/code> is a search analytics engine that does the job of collecting and aggregating the stored data. It also provides a real-time search for all kinds of data be that structured or unstructured text, or numerical data.<\/p>\nAll the data in Elasticsearch<\/code> is stored in the JSON format and then indexed which enables you to immediately search it. Each stored document is a collection of key-value pairs that contain the data and it’s stored in an optimised data structure that helps searching it later.<\/p>\nBasic constructs<\/h3>\nNodes<\/h4>\n
Nodes are one of the most basic constructs that stores and indexes the data. There are multiple types of node.<\/p>\n
\n- Master node: This controls the cluster<\/li>\n
- Data node: This holds the data and performs CRUD operations, aggregations and searches.<\/li>\n
- Ingest node: This transforms and enriches the data before indexing.<\/li>\n<\/ul>\n
Index<\/h4>\n
An index is a collection of documents with similar characteristics, they are like tables in a relational database.<\/p>\n
The Indexes are more flexible than a relational database, since they are lightweight you can create multiple indexes without much difficulty. In logging for example, you can create an index for each day and have the type to be the kind of log that you have.<\/p>\n
Every day a new index will be created, you wouldn’t do that for a relational DB.<\/p>\n
Using Elasticsearch<\/h3>\n
There are two main things that we have to pay attention to when working with Elasticsearch<\/code>. They are templates<\/code> and policies<\/code>.<\/p>\nTemplates<\/h4>\n
Templates could be considered the schema of your index, Elasticsearch<\/code> can set a default schema, but you need more control of it if you want do make aggregations and calculations in the data that you have.<\/p>\nWhich types does Elasticsearch<\/code> support? The main data types supported are:<\/p>\n\n- String<\/li>\n
- Numeric (long, int, short, double, float)<\/li>\n
- Date<\/li>\n<\/ul>\n
Building templates<\/h4>\n
How do I set up my template? Well, Elasticsearch<\/code> has a REST-like API that you can easily interact with.<\/p>\nWe are adding logs for an application for a Fintech company and we want to monitor the funds transfers that we are making. The payload that we have for transfers is:<\/p>\n
{\n \"paymentDate\": \"2019-09-14 11:25:32.321\",\n \"amount\": 100.00,\n \"message\": \"Payment message\",\n \"origin\": {\n \"sortCode\": \"11-11-11\",\n \"account\": \"838383\"\n },\n \"destination\": {\n \"sortCode\": \"11-11-11\",\n \"account\": \"1313123\"\n }\n}<\/pre>\nWe start building our template with the payment_date<\/code> field and we can set the type as date and give the format for the field:<\/p>\n\"payment_date\": {\n \"type\": \"date\",\n \"format\": \"yyyy-MM-dd HH:mm:ss.SSS\"\n}<\/pre>\nThen we have the amount<\/code>, we add this field with the type scaled_float<\/code> and the scaling_factor<\/code> to be 100 so Elasticsearch<\/code> can handle two digits in the decimal part making life a little easier for our searches later:<\/p>\n\"amount\": {\n \"type\": \"scaled_float\",\n \"scaling_factor\": \"100\"\n}<\/pre>\nThen we have the field message<\/code> which is just a string, so we are going to use the text<\/code> type which creates a field that is indexed for full text search:<\/p>\n\"message\": {\n \"type\": \"text\"\n}<\/pre>\nThe origin<\/code> and destination<\/code> fields are virtually the same and they always have the same format, so we can use the keyword<\/code> type. This type is good for small amounts of semi-structured data like postal code, addresses, emails, sort codes and account numbers:<\/p>\n\"origin\": {\n \"properties\": {\n \"body\": {\n \"properties\": {\n \"sort_code\": {\n \"type\": \"keyword\"\n },\n \"account\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n}<\/pre>\nNow we have the full mapping for the index we can insert that to Elasticsearch<\/code>. We just make a PUT<\/code> request to it.<\/p>\ncurl -X PUT \"http:\/\/elasticsearch.com\/_template\/transfers_template\" -d @transfers_template.json<\/pre>\n{\n \"index_patterns\": [\n \"transfers-*\"\n ],\n \"mappings\": {\n \"_meta\": {\n \"beat\": \"transfers\",\n \"version\": \"7.0.1\"\n },\n \"date_detection\": false,\n \"dynamic_templates\": [\n {\n \"labels\": {\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\",\n \"path_match\": \"labels.*\"\n }\n },\n {\n \"container.labels\": {\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\",\n \"path_match\": \"container.labels.*\"\n }\n },\n {\n \"fields\": {\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\",\n \"path_match\": \"fields.*\"\n }\n },\n {\n \"docker.container.labels\": {\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\",\n \"path_match\": \"docker.container.labels.*\"\n }\n },\n {\n \"kibana.log.meta\": {\n \"mapping\": {\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\",\n \"path_match\": \"kibana.log.meta.*\"\n }\n },\n {\n \"strings_as_keyword\": {\n \"mapping\": {\n \"ignore_above\": 1024,\n \"type\": \"keyword\"\n },\n \"match_mapping_type\": \"string\"\n }\n }\n ],\n \"properties\": {\n \"@timestamp\": {\n \"type\": \"date\"\n },\n \"payment_date\": {\n \"type\": \"date\",\n \"format\": \"yyyy-MM-ddTHH:mm:ss.SSSSSS\"\n },\n \"amount\": {\n \"type\": \"scaled_float\",\n \"scaling_factor\": \"100\"\n },\n \"message\": {\n \"type\": \"text\"\n },\n \"origin\": {\n \"properties\": {\n \"body\": {\n \"properties\": {\n \"sort_code\": {\n \"type\": \"keyword\"\n },\n \"account\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n },\n \"destination\": {\n \"properties\": {\n \"body\": {\n \"properties\": {\n \"sort_code\": {\n \"type\": \"keyword\"\n },\n \"account\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n }\n}<\/pre>\nPolicies<\/h4>\n
This feature is only available in the premium versions of Elasticsearch<\/code>.<\/p>\nThe indexes are going to be bombarded with data the entire time and just like log files, we need a rollover policy to not get our disks full. In the premium version of Elasticsearch<\/code>, we have the Index Policies tools to help us manage that.<\/p>\nThe first thing to know is what are the states that an Index can be.<\/p>\n
\nhot<\/code>: Is the index that we are writing in.<\/li>\nwarm<\/code>: Is an index that we are querying frequently, but not writing in.<\/li>\ncold<\/code>: Is an index that we don’t write to anymore and we also don’t query the data very often.<\/li>\ndelete<\/code>: Is an index that is no longer needed and can be deleted.<\/li>\n<\/ul>\nAn index starts at the hot<\/code> state and we can say to Elasticsearch<\/code> when we don’t want to keep writing in an index anymore. We tell it to start to use another index using the max_age<\/code> and the max_size<\/code> options. In the example below, we are making a new index every day or when it reaches 5GB<\/code> (the number was arbitrarily chosen).<\/p>\n{\n \"policy\": {\n \"phases\": {\n \"hot\": {\n \"actions\": {\n \"rollover\": {\n \"max_age\": \"1d\",\n \"max_size\": \"5GB\"\n }\n }\n }\n }\n }\n}<\/pre>\nWe don’t want to keep all the indexes hot<\/code>, so we can start to change the state of our older indexes and make them warm<\/code>. The policy to define what is going to the warm<\/code> state starts with the min_age<\/code> parameter, which sounds very obvious what it does. In our case we are setting the min_age<\/code> to 7d<\/code>, so all the hot<\/code> indexes that are seven days or older are going to be converted to a warm<\/code> index.<\/p>\nFor warm<\/code> indexes we have some options that weren’t previously available in the hot<\/code> one, the actions<\/code> section allows us to do some changes when changing the state of the index.<\/p>\nThe first one that we can see is forcemerge<\/code> this option, when set to 1<\/code>, tells Elasticsearch<\/code> to merge all the indexes that are going from hot<\/code> to warm<\/code>. This is helpful because in Elastisearch<\/code> when you delete a document, that document isn’t really deleted, but only marked has deleted. During the merge the documents marked as deleted are going to be properly deleted, like you would send the files to the Trash bin<\/code> and then delete them from your system later.<\/p>\nThen we have shrink<\/code> which is used to reduce the number of shards of an index. Since we are not writing in that index anymore we don’t need all shards that we allocated previously.<\/p>\n