Understanding Logstash Parsing Configurations and options

In This Tutorial we will learn to customize Logstash to parse any type of Log Files. Logstash helps us to  process logs and other event data from a variety of systems. It also Supports variable injection into elasticsearch and has 200+ plugins.

Logstash Configuration is divided into three sections:

input {
# input config options

}
filter{
# parsing options
}
output {
  # output options
}

In Input Section we configure how we input log files for ingestion, most popular options are lumberjack, file, elasticsearch, graphite

In Ouput Section we configure on what happens to parsed lines in filter section.

In FIlter Section we parse the events. Sample Logstash FIlter Config to ingest syslog events.

filter{
    grok {
match => { "message" => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
}

Analysis on Config:

syslog event:  May 18 11:24:30 Jagadeesh-PC /usr/lib/gdm3/gdm-x-session[8693]: Successfully activated service 'org.gnome.Terminal'

this event will be parsed as

syslog_timestamp ===>  May 18 11:24:30
syslog_hostname  ===>  Jagadeesh-PC
syslog_program ===> usr/lib/gdm3/gdm-x-session 
syslog_pid            ===> 8693
syslog_message  ===>  Successfully activated service 'org.gnome.Terminal

TIMESTAMP_ISO8601, SYSLOGHOST, POSINT, GREEDYDATA, DATA are all pattern matchers available in grok.

You are using match to match the log event, you can use add_field, add_tag to pass extra information while storing or you can use this snippet to overwite whole message and store.

  grok {
    match => { "message" => "%{SYSLOGBASE} %{DATA:message}" }
    overwrite => [ "message" ]
  }

You can use other patterns of grok like IPORHOST, HTTPDATE, USERNAME, INT ..etc.,  to parse apache/nginx files. If pattern is not available with grok, you can build your own custom pattern matchers or processing.

Many other plugins like Json, csv, kv, metrics ..etc., are available for parsing Logstash events.

 

    By Posted On
SENIOR DEVELOPER at MICROPYRAMID

Need any Help in your Project?Let's Talk

Latest Comments
Related Articles
Configure SSL with LetsEncrypt and nginx Ashwin Kumar

Configuring SSL is beneficial not only for security purpose but also for SEO too.
Linuxsoftware foundation's initiated a program called Let’s Encrypt to give ssl ...

Continue Reading...
Celery With Supervisor Siva Chittamuru

Celery is a task queue with focus on real-time processing, while also supports task scheduling. Task queues are used as mechanisms to distribute work across ...

Continue Reading...
Django Testing Automated with Self Hosted Gitlab CI and Docker Jagadeesh V

It is a bit pricy if you want to host code for collaboration using bitbucket or github on your own VPS or On-Premisis servers. Gitlab ...

Continue Reading...

Subscribe To our news letter

Free news and articles on Django, Python, Machine Learning, Amazon Web Services, DevOps, Salesforce, ReactJS, AngularJS, React Native.
*We don't provide your email contact details to any third parties