Logstash

After posting a set of postfix and sendmail Grok patterns, I’ve had a request to explain how to implement Grok patterns in Logstash. So, here we go. I’m going to make some assumptions about your installation of Logstash – on a typical Debian install, assuming you installed from the Elasticsearch PPA (hint: you should be doing this), your Logstash configs will be in /etc/logstash/conf.d/ or something of the sort. |/etc/ |-logstash/ |–conf. ...

A typical install of logstash-forwarder (lumberjack) is configured to watch a set of files in specific locations and often playing with that file is impossible. However, you might need to load a file into it that it doesn’t typically monitor. In another situation, you may need to load historic logfiles into LSF. This can be problematic as LSF keeps track of its position in a given file and will often recognise the file as one it has already processed and won’t reimport events it considers as “old”. ...

For the past six months or so, I’ve been running an ELK stack setup in our hosting infrastructure at work to monitor, among other things: HTTP requests coming in Nginx response times System loads Sendmail and Postfix activity Disk IO and related metrics To do this, I’ve had to evolve the infrastructure somewhat. Here’s a brief overview of what happened. v1 Logstash was installed on a single box using its built-in Elasticsearch server to store data. ...

I’ve not the time right now to write more in the Logstash series, but as a quick interlude, I’d like to link to my ever-expanding Gist containing some useful Logstash GROK patterns for Postfix and Sendmail. Good, comprehensive sets of these are a bit of a slog to find online, so I cobbled together some from posts on the Internets, GitHub Gists and some tweaks of my own to make them work. ...

In my previous post, I outlined how I manage the collection of logs across our infrastructure at a high level with Logstash and Elasticsearch. I also touched upon viewing and searching through the data with Kibana, a Javascript frontend. In this post, I want to cover an important interim step if using the packages in the ElasticSearch repos is unfeasible or if you are running legacy servers that the repos don’t provide packages for. ...

Hello, I’m a sysadmin. I manage servers for a living. About a hundred of them, at last count. One of the biggest challenges in my job is keeping tabs on what’s going on inside my infrastructure. Was the last email sent to dave.mcUserface@example.org delivered? What’s the busiest nginx host in the network? Which vhost gets the most traffic? What was the average load across the entire infrastructure at 04:53, three days ago? ...