Getting Started with the Logentries & Logstash Integration

getting-started-with-logentries-and-logstashLogstash is an open source tool for managing events and logs. It is used to collect, search and store logs for later use. If you are using Logstash to collect logs from across your infrastructure already, and you are looking for more sophisticated log analytics tool, you are in the right place.

 

 

I will show you how to configure Logstash to forward all your logs to your Logentries account using the plugin and token connection.

Prerequisites

The contrib plugins come with a pre-installed Logentries plugin. In order to forward logs from Logstash to your Logentries account you need to create a configuration file in your main Logstash folder. Each plugin has different settings for configuring it. There are 3 main sections in every configuration file: inputs, filters, outputs.

#Configuration file
input {
  ...
}
filter {
  ...
}
output {
  ...
}

Let’s call our configuration file connection.conf for now and start to fill out these fields one by one.

Input

The input section can be configured to read from Elasticsearch cluster, local file, syslog, tcp, udp, Heroku and many more. In this post we are going to read from our local access.log file.

input {
    file {
        path => "/var/log/access.log"
    }
}

The user is able to assign additional setting to the input configuration such as:

  • path
  • codec
  • start_position
  • tags
  • host
  • port

Parameters listed above vary based on input source and configuration.

Filter

Filters are used as intermediary processing devices in the Logstash chain. They are often combined with conditionals in order to perform a certain action on an event, if it matches particular criteria. I will present the output with and without active filter.

filter {
  grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
}

Ok, what is actually happening here?

Firstly, we are using grok filter, which is currently the best way in Logstash to parse badly, unstructured log data into something structured and queryable. Grok makes it easy for you to parse logs with regular expressions, by assigning labels to commonly used patterns. One such label is called COMBINEDAPACHELOG.

Filter Inactive

46.7.24.63 LOG message='111.141.244.242 - kurt [18/May/2011:01:48:10 -0700] "GET /admin HTTP/1.1" 301 566 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"' @version=1 @timestamp='2015-02-19T17:59:49.834Z' host='Bart-MacBook-Pro.local' path='/var/log/Apache.log'

Filter Active

46.7.24.63 LOG message='111.141.244.242 - kurt [18/May/2011:01:48:10 -0700] "GET /admin HTTP/1.1" 301 566 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"' @version=1 @timestamp='2015-02-19T18:07:37.437Z' host='Bart-MacBook-Pro.local' path='/var/log/Apache.log' clientip=111.141.244.242 ident='-' auth=kurt timestamp='18/May/2011:01:48:10 -0700' verb=GET request='/admin' httpversion=1.1 response=301 bytes=566 referrer='"-"' agent='"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"'

Output

This section takes advantage of the plugin and configures Logstash to forward all logs from access.log locally stored in our machine to Logentries account using unique token.

output {
  logentries{
    token => "LOGENTRIES_TOKEN"
  }
}

Start Sending Logs

The plugin has to be stored in your logstash-outputs folder:

logstash-x.x.x
├── bin
├── lib
│    └── logstash 
│           └── outputs  
│                 └── logentries.rb
├── LICENSE
├── locales
├── connection.conf
├── patterns
├── README.md
├── spec

 

Simply save your configuration file and run bin/logstash -f connection.conf. Your logs will now forward directly into your Logentries account and be easily accessible for tagging, real-time alerting, and data visualizations. Don’t have a Logentries account? Get started here in minutes for free!

Posted in How To, Log Management, Logentries, Tips & Tricks

Leave a Reply