Saturday, January 23, 2016

[ELK] Reading, Indexing and Visualizing Windows logs with ELK Stack

Hello Friends,

A system administrator knows how much system logs help when troubleshooting critical problems. And what if those logs were indexed in one place and could be visualized in charts? Fun, isn't it?

Let's see what is needed to set it up.

1. Nothing special needs to be done for Elasticsearch; just run it by executing elasticsearch.bat from the bin directory.

2. Prepare a config so that Logstash can read Windows logs. We need to add the configuration in the input plugin.

The eventlog plugin lets Logstash read Windows logs. Windows logs are stored in a binary format and can be accessed only through the Win32 API. This plugin takes several configuration options, all of which are optional. These options are codec, add_field, logfile, interval, tags and type, of which we are using logfile and type.

a) type has no default value and is used for filter activation. The given type is stored as part of each event, and we can search for events in Kibana using it.
b) logfile is an array of strings whose default value is Application, Security, System. In the config we have used only System.

3. Store this config in a custom file named logstash-windowslogs.conf in the conf directory of Logstash,
and run Logstash using

where the complete config file will be as -
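As an added example (not the post's own config file, which is not reproduced on this page), the pipeline below wires the eventlog input described in step 2 to Elasticsearch. The post names only the logfile and type options; the type value "windows-system", the tag added by the filter, the Elasticsearch address and the stdout output are my assumptions, and the option names follow the Logstash 2.x plugins current when this post was written.

```conf
# Added example pipeline (not the post's own file). Assumes Logstash 2.x,
# Elasticsearch on its default localhost:9200, and that the stdout output
# is only used to verify events are flowing before trusting Kibana.
input {
  eventlog {
    # Read only the System log, as in the post; the plugin default is
    # ["Application", "Security", "System"].
    logfile => ["System"]
    # Arbitrary label (assumption). It is stored in every event, drives the
    # filter below and can be searched in Kibana as type:windows-system.
    type    => "windows-system"
  }
}

filter {
  # "Filter activation": only events carrying our type get this tag, so
  # other inputs added later to the same pipeline are left untouched.
  if [type] == "windows-system" {
    mutate {
      add_tag => ["windows-eventlog"]
    }
  }
}

output {
  elasticsearch {
    # Assumed address. The default index name, logstash-%{+YYYY.MM.dd},
    # is what the logstash-* index pattern in Kibana (step 6) matches.
    hosts => ["localhost:9200"]
  }
  # Verification only: prints each event as it is shipped. Remove once the
  # data shows up in Kibana, since it duplicates every event to the console.
  stdout {
    codec => rubydebug
  }
}
```

Save it as conf\logstash-windowslogs.conf and, from the Logstash directory, run `bin\logstash.bat --configtest -f conf\logstash-windowslogs.conf` to check the syntax before starting it for real with the same command minus `--configtest`. Note that the account running Logstash needs read access to each log named in logfile; the System log is readable by ordinary users, but the Security log is not, so adding it to the array only works when Logstash runs as an administrator or as a member of the Event Log Readers group.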

4. We're done with the configuration of Logstash. Next is to read this in Kibana. Here is our config to connect Kibana to Elasticsearch to read the indices.


5. As soon as we start Logstash, it will start collecting all the events and indexing them into Elasticsearch. Now let's run Kibana by executing kibana.bat in the bin directory.

6. Once Kibana is started, we can open its interface in the browser at http://localhost:5601/. We need to configure an index pattern. By default it shows logstash-* in the index name or pattern field and @timestamp in the Time-field name. Hit Create, keeping the defaults.

7. Now click Discover on the top menu to see the results. It will show a histogram of event counts.

All the results are also listed below the histogram, but for security reasons I have not shown them here.

That's it. Pretty clean, what do you say?

