Elastic{ON} 2018: Latest in Logstash

Elastic
February 28, 2018
@jordansissel / @andrewvc
What’s the Latest in Logstash
Jordan Sissel and Andrew Cholakian

View Slide

Thank you to our community
You complete the picture

View Slide

In the last year, 1,413 Logstashers have helped us with 9,237
issues, comments, and pull requests to our logstash-plugins
repository. 864 pull requests were opened.
The Logstash Plugins Community
3

View Slide

In the last year, 76 Logstashers have helped us with 1,131
issues, comments, and pull requests to our logstash-plugins
repository. 179 pull requests were opened.
The Logstash Core Community
4

View Slide

Triaging in Two Parts

View Slide

We couldn’t do it without you!

View Slide

The Latest

View Slide

queue.type: persisted # (v5.4)
input
input
input
filter
filter
filter
output
output
Icons made by Freepik from www.flaticon.com is licensed by CC 3.0 BY
queue
Theme: Don’t lose data.

View Slide

WHAT IF WE CAN’T
DELIVER SOMETHING?
Theme: Don’t lose data.

View Slide

View Slide

Simple things should be simple

View Slide

bin/logstash --modules netflow

View Slide

View Slide

bin/logstash --modules arcsight

View Slide

View Slide

bin/logstash --modules

View Slide

17
A Tale of Two* Pipelines
*(or more)

View Slide

1
8
input {
beats { port => 3444 tag => apache }
tcp { port => 4222 tag => firewall }
}
filter {
if "apache" in [tags] {
dissect { ... }
} else if "firewall" in [tags] {
grok { ... }
}
}
output {
elasticsearch { ... }
tcp { ... }
}
}
TCP BEATS
DISSECT
GROK
TCP ES

View Slide

1
9
input {
}
filter {
dissect { ... }
grok { ... }
}
}
output {
tcp { ... }
}
}
input {
}
filter {
dissect { ... }
grok { ... }
}
}
output {
tcp { ... }
}
}

View Slide

2
0
input {
}
filter {
dissect { ... }
}
output {
}
input {
}
filter {
grok { ... }
}
output {
tcp { ... }
}
Multiple Pipelines (v6.0)
BEATS
DISSECT
ES
TCP
GROK
TCP

View Slide

2
1

View Slide

X-Pack Central Management (v6.0)
-------
-----------
-------- - ------ ---
----- ---- ----
---
---
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
---
---
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
---
---
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
Three Logstash instances.
Doing the same thing.
Let’s simplify this.

View Slide

X-Pack Central Management (v6.0)
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
-------
-----------
-------- - ------ ---
----- ---- ----
------
---
------------
-- -- - -- ---- - -- ---
-- - ----
- --- ---
One configuration source.

View Slide

View Slide

2
5

View Slide

WITH GREAT POWER
COMES GREAT

View Slide

--experimental-java-execution (v6.1)
27
0: new #121
3: dup
4: iconst_2
5: fconst_1
6: invokespecial #122
9: astore_1
10: aload_1
11: ldc #47
13: aload_0
14: getfield #6
17: invokeinterface #52, 3
filter {
if “debug” in [tags] {
drop { }
}
grok {
match => { … }
}
}
if event.getField(“tags”)... {
drop.execute(event);
if event.isCancelled() {
return;
}
}
grok.execute(event);
Compile bytecode
Load Configuration Transform to Java

View Slide

--experimental-java-execution (v6.1)
28
“Compile”
code = config.compile()
pipeline = eval(code)
loop do
batch = queue.pop()
pipeline.execute(batch)
end
Load Configuration
filter {
if “debug” in [tags] {
drop { }
}
grok {
match => { … }
}
}
Transform to Ruby
if event.get(“tags”).include?(
drop.execute(event)
return if event.cancelled?
end
grok.execute(event)
Ruby

View Slide

Logstash 6.2: Protect credentials with the keystore
logstash-keystore (Logstash 6.2)
% logstash-keystore create
% logstash-keystore add es_password
# use es_password in the pipeline:
output {
elasticsearch {
hosts => …
user => “elastic”
password => “${es_password}”
}
}

View Slide

Upcoming Features

View Slide

Quick Hits

View Slide

Visual Pipeline Builder

View Slide

More Security Modules
(SIEM, IDS, Firewalls, etc.)

View Slide

SNMP Poller
(It’s not a trap!)

View Slide

Centralized Management
Improvements

View Slide

Node Groups

View Slide

How we do it today
3
7
xpack.management.enabled: true
xpack.management.pipeline.id: ["apache", "cloudwatch_logs"]
LS1 LS2 LS3
apache
cloudwatch
logs

View Slide

Where we Want to Go
3
8
xpack.management.enabled: true
xpack.management.pipeline.node_groups: ["webserver_logs”, “security_logs”]
LS1 LS2 LS3
apache
logs
cloudwatch
logs
webserver_logs security_logs
nginx
logs
azure
activity logs

View Slide

Pipeline Settings Will Also Be
Supported!

View Slide

Ancillary Files in Config
Management

View Slide

Config
File
Grok
Patterns
GeoIP
Database
Without Config Management

View Slide

Config
File
Grok
Patterns
GeoIP
Database
Config Management Today

View Slide

Config
File
Grok
Patterns
GeoIP
Database
Config Management in the Future

View Slide

Java Plugin API

View Slide

• Allow people to use additional JVM languages to develop plugins
• Enable performance optimization where required
Java Plugin API Goals
4
5

View Slide

• We’re starting with a low level API, optimized for performance
• Will add sugar on top
• We plan to support the current plugin API indefinitely
• Some esoteric APIs, like flush, may go away
Java Plugin API Plan
4
6

View Slide

Logstash -> Logstash:
Making it a better story

View Slide

Currently, things are a little ugly

View Slide

How we do it today
4
9
output {
lumbjerjack { … }
}
input {
beats { … }
}
?
?
?

View Slide

Interpipeline Communications

View Slide

- pipeline.id: senderone
config.string: "input { generator { message => huhx } } output { internal { send_to => [foo] } }"
- pipeline.id: sendertwo
config.string: "input { generator { message => whutx } } output { internal { send_to => [foo] } }"
- pipeline.id: out
config.string: " input { internal { address => foo } } output { stdout { codec => json_lines } }"
What it looks like
5
1
senderone
sendertwo
out

View Slide

Share a Port
5
2
Beats
Ingest +
Routing
Enrich
Weblogs +
Output
Enrich ETL
Logs +
Output
Enrich
Metrics +
Output

View Slide

Buffer as Needed
5
3
PQ
PQ
Logs Ingest
Output to
Elasticsearch
Output to S3

View Slide

Put it Together
5
4
PQ
PQ
PQ
Beats
Ingest and
Route
Enrich
Weblogs
Enrich ETL
Logs
Enrich
Metrics +
Output to
Metrics ES
Cluster
Output to
Logging ES
Cluster

View Slide

Language Improvements on the
Horizons

View Slide

• Is not null checks
• Array/field reference conflation (is [foo] an array, or a field reference?)
• What else does the lang need?
• Can we experiment with new languages?
The Language Can Move Forward
5
6

View Slide

An Ephemeral World
Or, how I learned to stop worrying about my disk and
embrace ephemeral storage

View Slide

An Ephemeral World
Part 1: End to End ACKs

View Slide

Resiliency today isn’t as easy as
it could be

View Slide

60
You need to think
about disks if you
use the PQ

View Slide

61
You need to be able
to tolerate data loss
if you use the in-
memory queue

View Slide

What if we could give you the
best of both worlds?

View Slide

End-to-End (E2E) ACKs solve
this problem

View Slide

We currently buffer at each stage

View Slide

Each event must be persisted, then acknowledged

View Slide

With E2E ACKs, Nodes Can Fully Fail

View Slide

Where we can replay or delay asynchronously
acknowledge, we can skip persistence
6
7

View Slide

• TCP, UDP, and Syslog protocol offer no facility to replay
• The best strategy here is to store ASAP on Logstash, and then try to get it elsewhere ASAP
Where we can’t replay, the PQ is still best
6
8

View Slide

• Currently in progress
• Will likely require rewrites to input plugins to be efficient
• Only works for things that are replayable
• Luckily, a lot of things are replayable
E2E ACK Summary
6
9

View Slide

An Ephemeral World
Part 2: Distributed Plugin State/Execution

View Slide

Problem 1:
Plugins store metadata on disk

View Slide

This all must be backed up

View Slide

Problem 2:
Inputs cannot share work

View Slide

Today, Logstashes cannot coordinate their access to a service like S3
Active
Failover

View Slide

• Users must implement backups of metadata
• Scaling past one box requires manual partitioning, or is not possible
• Failover is tricky, and involves restoring backed up metadata
Why Local State is Irritating
7
5

View Slide

Solution: Centralized
State/Distributed Exec

View Slide

Local File Metadata Will Still Work!
Active
Failover

View Slide

But This is Way Cooler
Indexing cluster
Management Cluster
Management Data

View Slide

• Plugin state kept in ES
• Leader election through ES
• Task assignment through ES
• Still in design phase, we have a PoC in progress
How it Works
7
9

View Slide

Problem 3:
The DLQ is Local

View Slide

Solution: Create an ES DLQ

View Slide

• Pitch in on PRs
• Report bugs
• Review PRs
We Need Your Help!
8
2

View Slide

Thank You!

View Slide

Elastic{ON} 2018: Latest in Logstash

Elastic{ON} 2018: Latest in Logstash

Elastic Co

More Decks by Elastic Co

Other Decks in Technology

Featured

Transcript