Upgrade to Pro — share decks privately, control downloads, hide ads and more …

logstash - devopsfinland

Ramez Hanna
April 25, 2014
Technology
1
3.5k

logstash - devopsfinland

Ramez Hanna

April 25, 2014
Tweet

More Decks by Ramez Hanna

See All by Ramez Hanna
building_teams.pdf
informatiq
0
15
Observability
informatiq
0
52
What is a teachnical team lead
informatiq
0
160
Provisioning AWS with ansible <our story>
informatiq
3
150
Docker hype
informatiq
2
180
Introduction to Ansible
informatiq
0
200

Other Decks in Technology

See All in Technology
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
2
590
Amplify 🩷 Bedrock 〜生成AI入門〜
minorun365
PRO
7
310
開発パフォーマンスを最大化するための開発体制
ham0215
7
780
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
17k
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
170
実例で紹介するRAG導入時の知見と精度向上の勘所
yamahiro
4
1.2k
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
4
860
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
1
1.5k
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
330
Cypress or Playwright?
rainerhahnekamp
0
160
AWS学習者向けにAzureの解説スライドを作成した話
handy
3
110
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
2
140

Featured

See All Featured
KATA
mclloyd
16
12k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
11
1k
Ruby is Unlike a Banana
tanoku
96
10k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.7k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
Infographics Made Easy
chrislema
238
18k
Side Projects
sachag
451
41k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
A better future with KSS
kneath
231
16k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Designing on Purpose - Digital PM Summit 2013
jponch
111
6.5k

Transcript

  1. Logstash A Real Life Design

  2. Ramez Hanna Husband and Father Sys Admin Get It Done

    @informatiq

  3. Disclaimer I am not affiliated with Logstash in any way

    I am a happy user

  4. Stages of a log system

  5. Collection Bring order to chaos

  6. Frontend Backend Admin Database

  7. Frontend PY Nginx SYS RSYSLOG

  8. Transport Get it somewhere

  9. servers Redis RSYSLOG LOGSTASH LOGSTASH

  10. Process Make sense of your logs

  11. input { redis { host => "10.0.1.189" data_type => "list"

    key => "logstash" message_format => "json_event" } } filter { ## drop unneeded logs # DHCP client if [program] =~ 'DHCP' or [program] =~ 'dhclient' { drop{ } } # start tagging logs # ansible if [program] =~ "ansible" { mutate { add_tag => "ansible" } }

  12. ## start parsing the actual log for information # access­log

    if 'access­log' in [tags] { grok { match => ["message", '%{IPORHOST:clientIP} %{USER:ident} %{USER:auth} \[% {HTTPDATE:nginxTimeStamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/% {NUMBER:httpVersion}" %{NUMBER:responseCode} (?:%{NUMBER:bytes}|­) (?:"(?:% {URI:referrer}|­)"|%{QS:referrer}) %{QS:agent} %{BASE10NUM:logTime} % {BASE10NUM:requestDuration} "%{GREEDYDATA:sslClientDn}"' ] } } #parse vpn if 'vpn' in [tags] { grok { match => ["message", '%{IPORHOST:clientIP}:%{POSINT} \[%{WORD:user}\] Peer Connection Initiated with \[AF_INET\]'] add_tag => 'vpnlogin' } } #geoip all clientIP fields geoip { add_tag => 'geoip' source => 'clientIP' } }

  13. Store

  14. output { #elasticsearch { # embedded => false # bind_host

    => "10.0.1.189" # max_inflight_requests => "2000" # port => "9300" #} elasticsearch_http { host => "10.0.1.189" }

  15. visualize logs with Kibana

  16. Action Time

  17. Output { if "access­log" in [tags] { if [request] =~

    "login" { statsd { host => "10.0.1.196" port => 8125 namespace => "holvi_com" sender => "%{logsource}" increment => "login" } } statsd { host => "10.0.1.196" port => 8125 namespace => "holvi_com" sender => "%{logsource}" increment => "response.%{responseCode}" timing => [ "ResponseTime", "%{requestDuration}" ] count => [ "bytes", "%{bytes}" ] } }