'logstash' 태그의 글 목록 (2 Page)

[Logstash] logstash filter date 조금 알아보기

Elastic/Logstash 2019. 11. 6. 14:34

문의가 들어 왔습니다.

여러 필드에 대해서 date format 이 다른데 어떻게 적용을 해야 하나요?

그래서 소스코드를 열어 보고 아래와 같이 해보라고 했습니다.

date {
...
}

date {
...
}

결국 date {...} 를 필드 별로 선언을 해주면 되는 내용입니다.

공식 문서)

https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

Common Options)

https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html#plugins-filters-date-common-options

Date Filter Configuration Options)

Setting	Input type	Required
locale	string	No
match	array	No
tag_on_failure	array	No
target	string	No
timezone	string	No

전체 옵션이 필수가 아니긴 합니다.

그래도 꼭 아셔야 하는 설정은 match, target 입니다.

- match 의 첫 번째 값은 field 명이고, 그 이후는 format 들이 되겠습니다.

(공식 문서에 잘 나와 있습니다.)

An array with field name first, and format patterns following, [ field, formats... ]

If your time field has multiple possible formats, you can do this:

match => [ "logdate",

"MMM dd yyyy HH:mm:ss",

"MMM d yyyy HH:mm:ss",

"ISO8601" ]

- target 은 지정을 하지 않게 되면 기본 @timestamp 필드로 설정이 됩니다. 변경 하고자 하면 target 에 원하시는 field name 을 넣으시면 됩니다.

예제)

date {
    match => ["time" , "yyyy-MM-dd'T'HH:mm:ssZ", "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
    target => "@timestamp"
}

date {
    match => ["localtime" , "yyyy-MM-dd HH:mm:ssZ"]
    target => "time"
}

DateFilter.java)

/*
 * Licensed to Elasticsearch under one or more contributor
 * license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright
 * ownership. Elasticsearch licenses this file to you under
 * the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.logstash.filters;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.joda.time.Instant;
import org.logstash.Event;
import org.logstash.ext.JrubyEventExtLibrary.RubyEvent;
import org.logstash.filters.parser.CasualISO8601Parser;
import org.logstash.filters.parser.JodaParser;
import org.logstash.filters.parser.TimestampParser;
import org.logstash.filters.parser.TimestampParserFactory;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class DateFilter {
  private static Logger logger = LogManager.getLogger();
  private final String sourceField;
  private final String[] tagOnFailure;
  private RubyResultHandler successHandler;
  private RubyResultHandler failureHandler;
  private final List<ParserExecutor> executors = new ArrayList<>();
  private final ResultSetter setter;

  public interface RubyResultHandler {
    void handle(RubyEvent event);
  }

  public DateFilter(String sourceField, String targetField, List<String> tagOnFailure, RubyResultHandler successHandler, RubyResultHandler failureHandler) {
    this(sourceField, targetField, tagOnFailure);
    this.successHandler = successHandler;
    this.failureHandler = failureHandler;
  }

  public DateFilter(String sourceField, String targetField, List<String> tagOnFailure) {
    this.sourceField = sourceField;
    this.tagOnFailure = tagOnFailure.toArray(new String[0]);
    if (targetField.equals("@timestamp")) {
      this.setter = new TimestampSetter();
    } else {
      this.setter = new FieldSetter(targetField);
    }
  }

  public void acceptFilterConfig(String format, String locale, String timezone) {
    TimestampParser parser = TimestampParserFactory.makeParser(format, locale, timezone);
    logger.debug("Date filter with format={}, locale={}, timezone={} built as {}", format, locale, timezone, parser.getClass().getName());
    if (parser instanceof JodaParser || parser instanceof CasualISO8601Parser) {
      executors.add(new TextParserExecutor(parser, timezone));
    } else {
      executors.add(new NumericParserExecutor(parser));
    }
  }

 public List<RubyEvent> receive(List<RubyEvent> rubyEvents) {
    for (RubyEvent rubyEvent : rubyEvents) {
      Event event = rubyEvent.getEvent();

      switch (executeParsers(event)) {
        case FIELD_VALUE_IS_NULL_OR_FIELD_NOT_PRESENT:
        case IGNORED:
          continue;
        case SUCCESS:
          if (successHandler != null) {
            successHandler.handle(rubyEvent);
          }
          break;
        case FAIL: // fall through
        default:
          for (String t : tagOnFailure) {
            event.tag(t);
          }
          if (failureHandler != null) {
            failureHandler.handle(rubyEvent);
          }
      }
    }
    return rubyEvents;
  }

  public ParseExecutionResult executeParsers(Event event) {
    Object input = event.getField(sourceField);
    if (event.isCancelled()) { return ParseExecutionResult.IGNORED; }
    if (input == null) { return ParseExecutionResult.FIELD_VALUE_IS_NULL_OR_FIELD_NOT_PRESENT; }

    for (ParserExecutor executor : executors) {
      try {
        Instant instant = executor.execute(input, event);
        setter.set(event, instant);
        return ParseExecutionResult.SUCCESS;
      } catch (IllegalArgumentException | IOException e) {
        // do nothing, try next ParserExecutor
      }
    }
    return ParseExecutionResult.FAIL;
  }
}

:

[Elastic] 목차 입니다.

Elastic 2019. 11. 5. 14:52

Elastic Stack 의 Reference 목차 입니다.

이걸 왜 한 장으로 정리를 했냐면 목차만 잘 찾아 봐도 해결 방법이 어딨는지 어떤 기능을 제공 하고 있는지 쉽게 알수 있습니다.

(In my case!!)

그래서 혼자 보기 아까워서 그냥 올려봤습니다.

Elastic Stack References)

1. Elasticsearch

2. Logstash

3. Kibana

4. Beats Platform

5. Beats Developer Guide

6. Filebeat

Elasticsearch

Elasticsearch introduction

Data in: documents and indices
Information out: search and analyze
Scalability and resilience

Getting Started with Elasticsearch

Get Elasticsearch up and running
Index some documents
Start searching
Analyze results with aggregations
Where to go from here

Set up Elasticsearch

Installing Elasticsearch

Install Elasticsearch from archive on Linux or MacOS
Install Elasticsearch with .zip on Windows
Install Elasticsearch with Debian Package
Install Elasticsearch with RPM
Install Elasticsearch Windows MSI Installer
Install Elasticsearch with Docker
Install Elasticsearch on macOS with Homebrew

Configuring Elasticsearch

Setting JVM options
Secure settings
Logging configuration
Auditing settings
Cross-cluster replication settings
Transforms settings
Index lifecycle management settings
License settings
Machine learning settings
Security settings
SQL access settings
Watcher settings

Important Elasticsearch configuration

path.data and path.logs
cluster.name
node.name
network.host
Discovery and cluster formation settings
Setting the heap size
JVM heap dump path
GC logging
Temp directory
JVM fatal error logs

Important System Configuration

Configuring system settings
Disable swapping
File Descriptors
Virtual memory
Number of threads
DNS cache settings
JNA temporary directory not mounted with noexec

Bootstrap Checks

Heap size check
File descriptor check
Memory lock check
Maximum number of threads check
Max file size check
Maximum size virtual memory check
Maximum map count check
Client JVM check
Use serial collector check
System call filter check
OnError and OnOutOfMemoryError checks
Early-access check
G1GC check
All permission check
Discovery configuration check

Starting Elasticsearch
Stopping Elasticsearch
Adding nodes to your cluster
Set up X-Pack
Configuring X-Pack Java Clients
Bootstrap Checks for X-Pack

Upgrade Elasticsearch

Rolling upgrades
Full cluster restart upgrade
Reindex before upgrading

Reindex in place
Reindex from a remote cluster

Aggregations

Metrics Aggregations

Avg Aggregation
Weighted Avg Aggregation
Cardinality Aggregation
Extended Stats Aggregation
Geo Bounds Aggregation
Geo Centroid Aggregation
Max Aggregation
Min Aggregation
Percentiles Aggregation
Percentile Ranks Aggregation
Scripted Metric Aggregation
Stats Aggregation
Sum Aggregation
Top Hits Aggregation
Value Count Aggregation
Median Absolute Deviation Aggregation

Bucket Aggregations

Adjacency Matrix Aggregation
Auto-interval Date Histogram Aggregation
Children Aggregation
Composite Aggregation
Date Histogram Aggregation
Date Range Aggregation
Diversified Sampler Aggregation
Filter Aggregation
Filters Aggregation
Geo Distance Aggregation
GeoHash grid Aggregation
GeoTile Grid Aggregation
Global Aggregation
Histogram Aggregation
IP Range Aggregation
Missing Aggregation
Parent Aggregation
Range Aggregation
Rare Terms Aggregation
Reverse nested Aggregation
Sampler Aggregation
Significant Terms Aggregation
Significant Text Aggregation
Terms Aggregation
Subtleties of bucketing range fields

Pipeline Aggregations

Avg Bucket Aggregation
Derivative Aggregation
Max Bucket Aggregation
Min Bucket Aggregation
Sum Bucket Aggregation
Stats Bucket Aggregation
Extended Stats Bucket Aggregation
Percentiles Bucket Aggregation
Moving Average Aggregation
Moving Function Aggregation
Cumulative Sum Aggregation
Cumulative Cardinality Aggregation
Bucket Script Aggregation
Bucket Selector Aggregation
Bucket Sort Aggregation
Serial Differencing Aggregation

Matrix Aggregations

Matrix Stats

Caching heavy aggregations
Returning only aggregations
Aggregation Metadata
Returning the type of the aggregation

Query DSL

Query and filter context
Compound queries

Boolean
Boosting
Constant score
Disjunction score
Function score

Full text queries

Intervals
Match
Match boolean prefix
Match phrase
Match phrase prefix
Multi-match
Common Terms Query
Query String
Simple query string

Geo queries

Geo-bounding box
Geo-distance
Geo-polygon
Geo-shape

Shape queries

Shape

Joining queries

Nested
Has child
Has parent
Parent ID

Match all
Span queries

Span containing
Span field masking
Span first
Span multi-term
Span near
Span not
Span or
Span term
Span within

Specialized queries

Distance feature
More like this
Percolate
Rank feature
Script
Script score
Wrapper
Pinned Query

Term-level queries

Exists
Fuzzy
IDs
Prefix
Range
Regexp
Term
Terms
Terms set
Type Query
Wildcard

minimum_should_match parameter
rewrite parameter
Regular expression syntax

Search across clusters
Scripting

How to use scripts
Accessing document fields and special variables
Scripting and security
Painless scripting language
Lucene expressions language
Advanced scripts using script engines

Mapping

Removal of mapping types
Field datatypes

Alias
Arrays
Binary
Boolean
Date
Date nanoseconds
Dense vector
Flattened
Geo-point
Geo-shape
IP
Join
Keyword
Nested
Numeric
Object
Percolator
Range
Rank feature
Rank features
Search-as-you-type
Sparse vector
Text
Token count
Shape

Meta-Fields

_field_names field
_ignored field
_id field
_index field
_meta field
_routing field
_source field
_type field

Mapping parameters

analyzer
normalizer
boost
coerce
copy_to
doc_values
dynamic
enabled
eager_global_ordinals
fielddata
format
ignore_above
ignore_malformed
index
index_options
index_phrases
index_prefixes
fields
norms
null_value
position_increment_gap
properties
search_analyzer
similarity
store
term_vector

Dynamic Mapping

Dynamic field mapping
Dynamic templates

Analysis

Anatomy of an analyzer
Testing analyzers
Analyzers

Configuring built-in analyzers
Fingerprint Analyzer
Keyword Analyzer
Language Analyzers
Pattern Analyzer
Simple Analyzer
Standard Analyzer
Stop Analyzer
Whitespace Analyzer
Custom Analyzer

Normalizers
Tokenizers

Char Group Tokenizer
Classic Tokenizer
Edge NGram Tokenizer
Keyword Tokenizer
Letter Tokenizer
Lowercase Tokenizer
NGram Tokenizer
Path Hierachy Tokenizer
Pattern Tokenizer
Simple Pattern Tokenizer
Simple Pattern Split Tokenizer
Standard Tokenizer
Thai Tokenizer
UAX URL Email Tokenizer
Whitespace Tokenizer

Token Filters

Apostrophe
ASCII Folding Token Filter
CJK bigram
CJK width
Classic Token Filter
Common Grams Token Filter
Compound Word Token Filters
Conditional Token Filter
Decimal Digit Token Filter
Delimited Payload Token Filter
Edge NGram Token Filter
Elision Token Filter
Fingerprint Token Filter
Flatten Graph Token Filter
Hunspell Token Filter
Keep Types Token Filter
Keep Words Token Filter
Keyword Request Token Filter
KStem Token Filter
Length Token Filter
Limit Token Count Token Filter
Lowercase Token Filter
MinHash Token Filter
Multiplexer Token Filter
NGram Token Filter
Normalization Token Filter
Pattern Capture Token Filter
Pattern Replace Token Filter
Phonetic Token Filter
Porter Stem Token Filter
Predicate Token Filter Script
Remove Duplicates Token Filter
Reverse Token Filter
Shingle Token Filter
Snowball Token Filter
Stemmer Token Filter
Stemmer Override Token Filter
Stop Token Filter
Synonym Token Filter
Synonym Graph Token Filter
Trim Token Filter
Truncate Token Filter
Unique Token Filter
Uppercase Token Filter
Word Delimiter Token Filter
Word Delimiter Graph Token Filter

Character Filters

HTML Strip Char Filter
Mapping Char Filter
Pattern Replace Char Filter

Modules

Discovery and cluster formation

Discovery
Quorum-based decision making
Voting configurations
Bootstrapping a cluster
Adding and removing nodes
Publishing the cluster state
Cluster fault detection
Discovery and cluster formation settings

Shard allocation and cluster-level routing

Cluster level shard allocation
Disk-based shard allocation
Shard allocation awareness
Cluster-level shard allocation filtering
Miscellaneous cluster settings

Local Gateway

Dangling indices

HTTP
Indices

Circuit Breaker
Fielddata
Node Query Cache
Indexing Buffer
Shard request cache
Index recovery
Search Settings

Network Settings
Node
Plugins
Snapshot And Restore
Thread Pool
Transport
Remote clusters

Index modules

Analysis
Index Shard Allocation

Index-level shard allocation filtering
Delaying allocation when a node leaves
Index recovery prioritization
Total shards per node

Mapper
Merge
Similarity module
Slow Log
Store

Preloading data into the file system cache

Translog
History retention
Index Sorting

Use index sorting to speed up conjunctions

Ingest node

Pipeline Definition
Accessing Data in Pipelines
Conditional Execution in Pipelines

Handling Nested Fields in Conditionals
Complex Conditionals
Conditionals with the Pipeline Processor
Conditionals with the Regular Expressions

Handling Failures in Pipelines
Processors

Append Processor
Bytes Processor
Circle Processor
Convert Processor
Date Processor
Date Index Name Processor
Dissect Processor
Dot Expander Processor
Drop Processor
Fail Processor
Foreach Processor
GeoIP Processor
Grok Processor
Gsub Processor
HTML Strip Processor
Join Processor
JSON Processor
KV Processor
Lowercase Processor
Pipeline Processor
Remove Processor
Rename Processor
Script Processor
Set Processor
Set Security User Processor
Split Processor
Sort Processor
Trim Processor
Uppercase Processor
URL Decode Processor
User Agent processor

Managing the index lifecycle

Getting started with index lifecycle management
Policy phases and actions

Timing
Phase Execution
Actions
Full Policy

Set up index lifecycle management policy

Applying a policy to an index template
Apply a policy to a create index request

Using policies to manage index rollover

Skipping Rollover

Update policy

Updates to policies not managing indices
Updates to executing policies
Switching policies for an index

Index lifecycle error handling
Restoring snapshots of managed indices
Start and stop index lifecycle management
Using ILM with existing indices

Managing existing periodic indices with ILM
Reindexing via ILM

Getting started with snapshot lifecycle management

SQL access

Overview
Getting Started with SQL
Conventions and Terminology

Mapping concepts across SQL and Elasticsearch

Security
SQL REST API

Overview
Response Data Formats
Paginating through a large response
Filtering using Elasticsearch query DSL
Columnar results
Supported REST parameters

SQL Translate API
SQL CLI
SQL JDBC

API usage

SQL ODBC

Driver installation
Configuration

SQL Client Applications

DBeaver
DbVisualizer
Microsoft Excel
Microsoft Power BI Desktop
Microsoft PowerShell
MicroStrategy Desktop
Qlik Sense Desktop
SQuirreL SQL
SQL Workbench/J
Tableau Desktop

SQL Language

Lexical Structure
SQL Commands
DESCRIBE TABLE
SELECT
SHOW COLUMNS
SHOW FUNCTIONS
SHOW TABLES
Data Types
Index patterns
Frozen Indices

Functions and Operators

Comparison Operators
Logical Operators
Math Operators
Cast Operators
LIKE and RLIKE Operators
Aggregate Functions
Grouping Functions
Date/Time and Interval Functions and Operators
Full-Text Search Functions
Mathematical Functions
String Functions
Type Conversion Functions
Geo Functions
Conditional Functions And Expressions
System Functions

Reserved keywords
SQL Limitations

Monitor a cluster

Overview
How it works
Monitoring in a production environment
Collecting monitoring data

Pausing data collection

Collecting monitoring data with Metricbeat
Collecting log data with Filebeat
Configuring indices for monitoring
Collectors
Exporters

Local exporters
HTTP exporters

Troubleshooting

Frozen indices

Best practices
Searching a frozen index
Monitoring frozen indices

Roll up or transform your data

Rolling up historical data

Overview
API quick reference
Getting started
Understanding groups
Rollup aggregation limitations
Rollup search limitations

Transforming data

Overview
When to use transforms
How checkpoints work
API quick reference
Tutorial: Transforming the eCommerce sample data
Examples
Troubleshooting
Limitations

Set up a cluster for high availability

Back up a cluster

Back up the data
Back up the cluster configuration
Back up the security configuration
Restore the security configuration
Restore the data

Cross-cluster replication

Overview
Requirements for leader indices
Automatically following indices
Getting started with cross-cluster replication
Remote recovery
Upgrading clusters

Secure a cluster

Overview
Configuring security

Encrypting communications in Elasticsearch
Encrypting communications in an Elasticsearch Docker Container
Enabling cipher suites for stronger encryption
Separating node-to-node and client traffic
Configuring an Active Directory realm
Configuring a file realm
Configuring an LDAP realm
Configuring a native realm
Configuring a PKI realm
Configuring a SAML realm
Configuring a Kerberos realm
Security files
FIPS 140-2

How security works
User authentication

Built-in users
Internal users
Realms
Realm chains
Active Directory user authentication
File-based user authentication
LDAP user authentication
Native user authentication
PKI user authentication
SAML authentication
Kerberos authentication
Integrating with other authentication systems
Enabling anonymous access
Controlling the user cache

Configuring SAML single-sign-on on the Elastic Stack

The identity provider
Configure Elasticsearch for SAML authentication
Generating SP metadata
Configuring role mappings
User metadata
Configuring Kibana
Troubleshooting SAML Realm Configuration

Configuring single sign-on to the Elastic Stack using OpenID Connect

The OpenID Connect Provider
Configure Elasticsearch for OpenID Connect authentication
Configuring role mappings
User metadata
Configuring Kibana
OpenID Connect without Kibana

User authorization

Built-in roles
Defining roles
Security privileges
Document level security
Field level security
Granting privileges for indices and aliases
Mapping users and groups to roles
Setting up field and document level security
Submitting requests on behalf of other users
Configuring authorization delegation
Customizing roles and authorization

Auditing security events

Audit event types
Logfile audit output
Auditing search queries

Encrypting communications

Setting up TLS on a cluster

Restricting connections with IP filtering
Cross cluster search, clients, and integrations

Cross cluster search and security
Java Client and security
HTTP/REST clients and security
ES-Hadoop and Security
Beats and Security
Monitoring and security

Tutorial: Getting started with security

Enable Elasticsearch security features
Create passwords for built-in users
Add the built-in user to Kibana
Configure authentication
Create users
Assign roles
Add user information in Logstash
View system metrics in Kibana

Tutorial: Encrypting communications

Generate certificates
Encrypt internode communications
Add nodes to your cluster

Troubleshooting

Some settings are not returned via the nodes settings API
Authorization exceptions
Users command fails due to extra arguments
Users are frequently locked out of Active Directory
Certificate verification fails for curl on Mac
SSLHandshakeException causes connections to fail
Common SSL/TLS exceptions
Common Kerberos exceptions
Common SAML issues
Internal Server Error in Kibana
Setup-passwords command fails due to connection failure
Failures due to relocation of the configuration files

Limitations

Alerting on cluster and index events

Getting started with Watcher
How Watcher works
Encrypting sensitive data in Watcher
Inputs

Simple input
Search input
HTTP input
Chain input

Triggers

Schedule trigger

Conditions

Always condition
Never condition
Compare condition
Array compare condition
Script condition

Actions

Running an action for each element in an array
Adding conditions to actions
Email action
Webhook action
Index action
Logging Action
Slack Action
PagerDuty action
Jira action

Transforms

Search transform
Script transform
Chain transform

Java API
Managing watches
Example watches

Watching the status of an Elasticsearch cluster
Watching event data

Troubleshooting
Limitations

Command line tools

elasticsearch-certgen
elasticsearch-certutil
elasticsearch-croneval
elasticsearch-migrate
elasticsearch-node
elasticsearch-saml-metadata
elasticsearch-setup-passwords
elasticsearch-shard
elasticsearch-syskeygen
elasticsearch-users

How To

General recommendations
Recipes

Mixing exact search with stemming
Getting consistent scoring
Incorporating static relevance signals into the score

Tune for indexing speed
Tune for search speed

Tune your queries with the Profile API
Faster phrase queries with index_phrases
Faster prefix queries with index_prefixes

Tune for disk usage

Testing

Java Testing Framework

Why randomized testing?
Using the Elasticsearch test classes
Unit tests
Integration tests
Randomized testing
Assertions

Glossary of terms
REST APIs

API conventions

Multiple Indices
Date math support in index names
Common options
URL-based access control

cat APIs

cat aliases
cat allocation
cat count
cat fielddata
cat health
cat indices
cat master
cat nodeattrs
cat nodes
cat pending tasks
cat plugins
cat recovery
cat repositories
cat task management
cat thread pool
cat shards
cat segments
cat snapshots
cat templates

Cluster APIs

Cluster Health
Cluster State
Cluster Stats
Pending cluster tasks
Cluster Reroute
Cluster Update Settings
Cluster Get Settings
Nodes Stats
Nodes Info
Nodes Feature Usage
Remote Cluster Info
Task management
Nodes hot_threads
Cluster Allocation Explain API
Voting Configuration Exclusions

Cross-cluster replication APIs

Get CCR stats
Create follower
Pause follower
Resume follower
Unfollow
Forget follower
Get follower stats
Get follower info
Create auto-follow pattern
Delete auto-follow pattern
Get auto-follow pattern

Document APIs

Reading and Writing documents
Index
Get
Delete
Delete by query
Update
Update By Query API
Multi get
Bulk
Reindex
Term vectors
Multi term vectors
?refresh
Optimistic concurrency control

Explore API
Index APIs

Add index alias
Analyze
Clear cache
Clone index
Close index
Create index
Delete index
Delete index alias
Delete index template
Flush
Force merge
Freeze index
Get field mapping
Get index
Get index alias
Get index settings
Get index template
Get mapping
Index alias exists
Index exists
Index recovery
Index segments
Index shard stores
Index stats
Index template exists
Open index
Put index template
Put mapping
Refresh
Rollover index
Shrink index
Split index
Synced flush
Type exists
Unfreeze index
Update index alias
Update index settings

Index lifecycle management API

Create policy
Get policy
Delete policy
Move to step
Remove policy
Retry policy
Get index lifecycle management status
Explain lifecycle
Start index lifecycle management
Stop index lifecycle management

Ingest APIs

Put pipeline
Get pipeline
Delete pipeline
Simulate pipeline

Info API
Licensing APIs

Delete license
Get license
Get trial status
Start trial
Get basic status
Start basic
Update license

Machine learning anomaly detection APIs

Add events to calendar
Add jobs to calendar
Close jobs
Create jobs
Create calendar
Create datafeeds
Create filter
Delete calendar
Delete datafeeds
Delete events from calendar
Delete filter
Delete forecast
Delete jobs
Delete jobs from calendar
Delete model snapshots
Delete expired data
Find file structure
Flush jobs
Forecast jobs
Get buckets
Get calendars
Get categories
Get datafeeds
Get datafeed statistics
Get influencers
Get jobs
Get job statistics
Get machine learning info
Get model snapshots
Get overall buckets
Get scheduled events
Get filters
Get records
Open jobs
Post data to jobs
Preview datafeeds
Revert model snapshots
Set upgrade mode
Start datafeeds
Stop datafeeds
Update datafeeds
Update filter
Update jobs
Update model snapshots

Machine learning data frame analytics APIs

Create data frame analytics jobs
Delete data frame analytics jobs
Evaluate data frame analytics
Estimate memory usage for data frame analytics jobs
Get data frame analytics jobs
Get data frame analytics jobs stats
Start data frame analytics jobs
Stop data frame analytics jobs

Migration APIs

Deprecation info

Reload search analyzers
Rollup APIs

Create rollup jobs
Delete rollup jobs
Get job
Get rollup caps
Get rollup index caps
Rollup search
Rollup job configuration
Start rollup jobs
Stop rollup jobs

Search APIs

Search
URI Search
Request Body Search
Search Template
Multi Search Template
Search Shards API
Suggesters
Multi Search API
Count API
Validate API
Explain API
Profile API
Field Capabilities API
Ranking Evaluation API

Security APIs

Authenticate
Change passwords
Clear cache
Clear roles cache
Create API keys
Create or update application privileges
Create or update role mappings
Create or update roles
Create or update users
Delegate PKI authentication
Delete application privileges
Delete role mappings
Delete roles
Delete users
Disable users
Enable users
Get API key information
Get application privileges
Get builtin privileges
Get role mappings
Get roles
Get token
Get users
Has privileges
Invalidate API key
Invalidate token
OpenID Connect Prepare Authentication API
OpenID Connect authenticate API
OpenID Connect logout API
SSL certificate

Snapshot lifecycle management API

Put snapshot lifecycle policy
Get snapshot lifecycle policy
Execute snapshot lifecycle policy
Delete snapshot lifecycle policy

Transform APIs

Create transforms
Update transforms
Delete transforms
Get transforms
Get transform statistics
Preview transforms
Start transforms
Stop transforms

Watcher APIs

Ack watch
Activate watch
Deactivate watch
Delete watch
Execute watch
Get watch
Get Watcher stats
Put watch
Start watch service
Stop watch service

Definitions

Datafeed resources
Data frame analytics job resources
Data frame analytics evaluation resources
Job resources
Job statistics
Model snapshot resources
Role mapping resources
Results resources
Transform resources

Logstash

Logstash Introduction
Getting Started with Logstash

Installing Logstash
Stashing Your First Event
Parsing Logs with Logstash
Stitching Together Multiple Input and Output Plugins

How Logstash Works

Execution Model

Setting Up and Running Logstash

Logstash Directory Layout
Logstash Configuration Files
logstash.yml
Secrets keystore for secure settings
Running Logstash from the Command Line
Running Logstash as a Service on Debian or RPM
Running Logstash on Docker
Configuring Logstash for Docker
Running Logstash on Windows
Logging
Shutting Down Logstash
Setting Up X-Pack

Upgrading Logstash

Upgrading Using Package Managers
Upgrading Using a Direct Download
Upgrading between minor versions
Upgrading Logstash to 7.0
Upgrading with the Persistent Queue Enabled

Configuring Logstash

Structure of a Config File
Accessing Event Data and Fields in the Configuration
Using Environment Variables in the Configuration
Logstash Configuration Examples
Multiple Pipelines
Pipeline-to-Pipeline Communication
Reloading the Config File
Managing Multiline Events
Glob Pattern Support
Converting Ingest Node Pipelines
Logstash-to-Logstash Communication
Centralized Pipeline Management
X-Pack security
X-Pack Settings

Managing Logstash

Centralized Pipeline Management

Working with Logstash Modules

Using Elastic Cloud
ArcSight Module
Netflow Module (deprecated)
Azure Module

Working with Filebeat Modules

Use ingest pipelines for parsing
Use Logstash pipelines for parsing
Example: Set up Filebeat modules to work with Kafka and Logstash

Data Resiliency

Persistent Queues
Dead Letter Queues

Transforming Data

Performing Core Operations
Deserializing Data
Extracting Fields and Wrangling Data
Enriching Data with Lookups

Deploying and Scaling Logstash
Performance Tuning

Performance Troubleshooting Guide
Tuning and Profiling Logstash Performance

Monitoring Logstash with APIs

Node Info API
Plugins Info API
Node Stats API
Hot Threads API

Monitoring Logstash with X-Pack

Metricbeat collection
Internal collection
Monitoring UI
Pipeline Viewer UI
Troubleshooting

Working with plugins

Generating Plugins
Offline Plugin Management
Private Gem Repositories
Event API

Input plugins

azure_event_hubs
beats
cloudwatch
couchdb_changes
dead_letter_queue
elasticsearch
exec
file
ganglia
gelf
generator
github
google_cloud_storage
google_pubsub
graphite
heartbeat
http
http_poller
imap
irc
java_generator
java_stdin
jdbc
jms
jmx
kafka
kinesis
log4j
lumberjack
meetup
pipe
puppet_facter
rabbitmq
redis
relp
rss
s3
salesforce
snmp
snmptrap
sqlite
sqs
stdin
stomp
syslog
tcp
twitter
udp
unix
varnishlog
websocket
wmi
xmpp

Output plugins

boundary
circonus
cloudwatch
csv
datadog
datadog_metrics
elastic_app_search
elasticsearch
email
exec
file
ganglia
gelf
google_bigquery
google_cloud_storage
google_pubsub
graphite
graphtastic
http
influxdb
irc
java_sink
java_stdout
juggernaut
kafka
librato
loggly
lumberjack
metriccatcher
mongodb
nagios
nagios_nsca
opentsdb
pagerduty
pipe
rabbitmq
redis
redmine
riak
riemann
s3
sns
solr_http
sqs
statsd
stdout
stomp
syslog
tcp
timber
udp
webhdfs
websocket
xmpp
zabbix

Filter plugins

aggregate
alter
bytes
cidr
cipher
clone
csv
date
de_dot
dissect
dns
drop
elapsed
elasticsearch
environment
extractnumbers
fingerprint
geoip
grok
http
i18n
java_uuid
jdbc_static
jdbc_streaming
json
json_encode
kv
memcached
metricize
metrics
mutate
prune
range
ruby
sleep
split
syslog_pri
threats_classifier
throttle
tld
translate
truncate
urldecode
useragent
uuid
xml

Codec plugins

avro
cef
cloudfront
cloudtrail
collectd
dots
edn
edn_lines
es_bulk
fluent
graphite
gzip_lines
jdots
java_line
java_plain
json
json_lines
line
msgpack
multiline
netflow
nmap
plain
protobuf
rubydebug

Tips and Best Practices
Troubleshooting Common Problems
Contributing to Logstash

How to write a Logstash input plugin
How to write a Logstash codec plugin
How to write a Logstash filter plugin
How to write a Logstash output plugin
Documenting your plugin
Contributing a Patch to a Logstash Plugin
Logstash Plugins Community Maintainer Guide
Submitting your plugin to RubyGems.org and the logstash-plugins repository

Contributing a Java Plugin

How to write a Java input plugin
How to write a Java codec plugin
How to write a Java filter plugin
How to write a Java output plugin

Glossary of Terms

Kibana

Introduction
Set Up Kibana

Installing Kibana
Install Kibana with .tar.gz
Install Kibana with Debian Package
Install Kibana with RPM
Install Kibana on Windows
Install Kibana on macOS with Homebrew

Starting and stopping Kibana
Configuring Kibana

APM settings
Code settings
Development tools settings
Graph settings
Infrastructure UI settings
i18n settings in Kibana
Logs UI settings
Machine learning settings
Monitoring settings
Reporting settings
Secure settings
Security settings
Spaces settings

Running Kibana on Docker
Accessing Kibana
Connect Kibana with Elasticsearch
Using Kibana in a production environment
Upgrading Kibana

Standard upgrade
Troubleshooting saved object migrations

Configuring monitoring

Collecting monitoring data
Collecting monitoring data with Metricbeat
Viewing monitoring data

Configuring security

Authentication
Encrypting communications
Audit Logging

Getting Started

Add sample data
Explore Kibana using sample data
Build your own dashboard

Define your index patterns
Discover your data
Visualize your data
Add visualizations to a dashboard

Discover

Setting the time filter
Searching your data

Kibana Query Language
Lucene query syntax
Saving searches
Saving queries
Change the indices you’re searching
Refresh the search results

Filtering by Field
Viewing Document Data
Viewing Document Context
Viewing Field Data Statistics

Visualize

Creating a Visualization
Saving Visualizations
Using rolled up data in a visualization
Line, Area, and Bar charts
Controls Visualization

Adding Input Controls
Global Options

Data Table
Markdown Widget
Metric
Goal and Gauge
Pie Charts
Coordinate Maps
Region Maps
Timelion
TSVB
Tag Clouds
Heatmap Chart
Vega Graphs

Getting Started with Vega
Vega vs Vega-Lite
Querying Elasticsearch
Elastic Map Files
Vega with a Map
Debugging
Useful Links

Inspecting Visualizations

Dashboard

Create a dashboard
Dashboard-only mode

Canvas

Canvas tutorial
Create a workpad
Showcase your data with elements
Present your workpad
Share your workpad
Canvas function reference

TinyMath functions

Extend your use case

Graph data connections

Using Graph
Configuring Graph
Troubleshooting
Limitations

Machine learning

Elastic Maps

Getting started with Elastic Maps

Creating a new map
Adding a choropleth layer
Adding layers for Elasticsearch data
Saving the map
Adding the map to a dashboard

Heat map layer
Tile layer
Vector layer

Vector styling
Vector style properties
Vector tooltips

Plot big data without plotting too much data

Grid aggregation
Most recent entities
Point to point
Term join

Searching your data

Creating filters from your map
Filtering a single layer
Searching across multiple indices

Connecting to Elastic Maps Service
Upload GeoJSON data
Indexing GeoJSON data tutorial
Elastic Maps troubleshooting

Code

Import your first repo
Repo management
Install language server
Basic navigation
Semantic code navigation
Search
Config for multiple Kibana instances

Infrastructure

Getting started with infrastructure monitoring
Using the Infrastructure app
Viewing infrastructure metrics
Metrics Explorer

Logs

Getting started with logs monitoring
Using the Logs app
Configuring the Logs data

APM

Getting Started
Visualizing Application Bottlenecks
Using APM

Filters
Services overview
Traces overview
Transaction overview
Span timeline
Errors overview
Metrics overview
Machine Learning integration
APM Agent configuration
Advanced queries

Uptime

Overview
Monitor

SIEM

Using the SIEM UI
Anomaly Detection with Machine Learning

Dev Tools

Console
Profiling queries and aggregations

Getting Started
Profiling a more complicated query
Rendering pre-captured profiler JSON

Debugging grok expressions

Stack Monitoring

Beats Metrics
Cluster Alerts
Elasticsearch Metrics
Kibana Metrics
Logstash Metrics
Troubleshooting

Management

License Management
Index patterns

Cross-cluster search

Rollup jobs
Index lifecycle policies

Creating an index lifecycle policy
Managing index lifecycle policies
Adding a policy to an index
Example of using an index lifecycle policy

Managing Fields

String Field Formatters
Date Field Formatters
Geographic Point Field Formatters
Numeric Field Formatters
Scripted Fields

Index management
Setting advanced options
Saved objects
Managing Beats
Working with remote clusters
Snapshot and Restore
Spaces
Security

Granting access to Kibana
Kibana role management
Kibana privileges

Watcher
Upgrade Assistant

Reporting from Kibana

Automating report generation
PDF layout modes
Reporting configuration

Reporting and security
Secure the reporting endpoints
Chromium sandbox

Troubleshooting
Reporting integration

REST API

Features API

Get features

Kibana Spaces APIs

Create space
Update space
Get space
Get all spaces
Delete space
Copy saved objects to space
Resolve copy to space conflicts

Kibana role management APIs

Create or update role
Get specific role
Get all roles
Delete role

Saved objects APIs

Get object
Bulk get objects
Find objects
Create object
Bulk create objects
Update object
Delete object
Export objects
Import objects
Resolve import errors

Dashboard import and export APIs

Import dashboard
Dashboard export

Logstash configuration management APIs

Create pipeline
Retrieve pipeline
Delete pipeline
List pipeline

URL shortening API

Shorten URL

Upgrade assistant APIs

Upgrade readiness status
Start or resume reindex
Check reindex status
Cancel reindex

Kibana plugins

Install plugins
Update and remove plugins
Disable plugins
Configure the plugin manager
Known Plugins

Limitations

Nested Objects
Exporting data

Developer guide

Core Development

Considerations for basePath
Managing Dependencies
Modules and Autoloading
Communicating with Elasticsearch
Unit Testing
Functional Testing

Plugin Development

Plugin Resources
UI Exports
Plugin feature registration
Functional Tests for Plugins
Localization for plugins

Developing Visualizations

Embedding Visualizations
Developing Visualizations
Visualization Factory
Visualization Editors
Visualization Request Handlers
Visualization Response Handlers
Vis object
AggConfig object

Add Data Guide
Security

Role-based access control

Pull request review guidelines
Interpreting CI Failures

Beats Platform

Community Beats
Getting started with Beats
Config file format

Namespacing
Config file data types
Environment variables
Reference variables
Config file ownership and permissions
Command line arguments
YAML tips and gotchas

Upgrading

Upgrade between minor versions
Upgrade from 6.x to 7.x
Troubleshooting Beats upgrade issues

Beats Developer Guide

Contributing to Beats
Community Beats
Creating a New Beat

Getting Ready
Overview
Generating Your Beat
Fetching Dependencies and Setting up the Beat
Building and Running the Beat
The Beater Interface
Sharing Your Beat with the Community
Naming Conventions

Creating New Kibana Dashboards

Importing Existing Beat Dashboards
Building Your Own Beat Dashboards
Generating the Beat Index Pattern
Exporting New and Modified Beat Dashboards
Archiving Your Beat Dashboards
Sharing Your Beat Dashboards

Adding a New Protocol to Packetbeat

Getting Ready
Protocol Modules
Testing

Extending Metricbeat

Overview
Creating a Metricset
Metricset Details
Creating a Metricbeat Module
Creating a Beat based on Metricbeat
Metricbeat Developer FAQ

Creating a New Filebeat Module
Migrating dashboards from Kibana 5.x to 6.x

Filebeat

Overview
Getting Started With Filebeat

Step 1: Install Filebeat
Step 2: Configure Filebeat
Step 3: Load the index template in Elasticsearch
Step 4: Set up the Kibana dashboards
Step 5: Start Filebeat
Step 6: View the sample Kibana dashboards
Quick start: modules for common log formats
Repositories for APT and YUM

Setting up and running Filebeat

Directory layout
Secrets keystore
Command reference
Running Filebeat on Docker
Running Filebeat on Kubernetes
Filebeat and systemd
Stopping Filebeat

Upgrading Filebeat
How Filebeat works
Configuring Filebeat

Specify which modules to run
Configure inputs
Manage multiline messages
Specify general settings
Load external configuration files
Configure the internal queue
Configure the output
Configure index lifecycle management
Load balance the output hosts
Specify SSL settings
Filter and enhance the exported data
Parse data by using ingest node
Enrich events with geoIP information
Configure project paths
Configure the Kibana endpoint
Load the Kibana dashboards
Load the Elasticsearch index template
Configure logging
Use environment variables in the configuration
Autodiscover
YAML tips and gotchas
Regular expression support
HTTP Endpoint
filebeat.reference.yml

Beats central management

How central management works
Enroll Beats in central management

Modules

Modules overview
Apache module
Auditd module
AWS module
CEF module
Cisco module
Coredns Module
Elasticsearch module
Envoyproxy Module
Google Cloud module
haproxy module
IBM MQ module
Icinga module
IIS module
Iptables module
Kafka module
Kibana module
Logstash module
MongoDB module
MSSQL module
MySQL module
nats module
NetFlow module
Nginx module
Osquery module
Palo Alto Networks module
PostgreSQL module
RabbitMQ module
Redis module
Santa module
Suricata module
System module
Traefik module
Zeek (Bro) Module

Exported fields

Apache fields
Auditd fields
AWS fields
Beat fields
Decode CEF processor fields fields
CEF fields
Cisco fields
Cloud provider metadata fields
Coredns fields
Docker fields
ECS fields
elasticsearch fields
Envoyproxy fields
Google Cloud fields
haproxy fields
Host fields
ibmmq fields
Icinga fields
IIS fields
iptables fields
Jolokia Discovery autodiscover provider fields
Kafka fields
kibana fields
Kubernetes fields
Log file content fields
logstash fields
mongodb fields
mssql fields
MySQL fields
nats fields
NetFlow fields
NetFlow fields
Nginx fields
Osquery fields
panw fields
PostgreSQL fields
Process fields
RabbitMQ fields
Redis fields
s3 fields
Google Santa fields
Suricata fields
System fields
Traefik fields
Zeek fields

Monitoring Filebeat

Internal collection

Settings for internal monitoring collection

Metricbeat collection

Securing Filebeat

Secure communication with Elasticsearch
Secure communication with Logstash
Use X-Pack security

Grant users access to secured resources
Configure authentication credentials
Configure Filebeat to use encrypted connections

Use Linux Secure Computing Mode (seccomp)

Troubleshooting

Get help
Debug
Common problems

Can’t read log files from network volumes
Filebeat isn’t collecting lines from a file
Too many open file handlers
Registry file is too large
Inode reuse causes Filebeat to skip lines
Log rotation results in lost or duplicate events
Open file handlers cause issues with Windows file rotation
Filebeat is using too much CPU
Dashboard in Kibana is breaking up data fields incorrectly
Fields are not indexed or usable in Kibana visualizations
Filebeat isn’t shipping the last line of a file
Filebeat keeps open file handlers of deleted files for a long time
Filebeat uses too much bandwidth
Error loading config file
Found unexpected or unknown characters
Logstash connection doesn’t work
@metadata is missing in Logstash
Not sure whether to use Logstash or Beats
SSL client fails to connect to Logstash
Monitoring UI shows fewer Beats than expected

A. Contributing to Beats

:

[Logstash] JSON filter plugin

Elastic/Logstash 2019. 11. 4. 14:16

공홈에 올라와 있는 문서의 번역 본 정도로 정리를 해보려고 합니다.

별거 아니지만 JSON filter 를 많이 사용하면서 Validation 에 대한 인식이 부족해서 오류를 발생 시키는 경우가 꽤 많이 있습니다.

기억력을 돕기 위해 작성해 봅니다.

공식문서)

https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html

이 내용은 logstash reference 문서 내 filter 항목에 해당 합니다.

용도는 말 그대로 입니다. JSON parsing 을 하는 filter 입니다.

여기서 문제가 들어 오는 JSON 데이터가 항상 validate 할 거라고 생각 하고 구현 하시는 분들이 계시는데 이 부분이 문제가 됩니다.

기본 이라고 생각 하지만 validation 에 대한 개발자의 생각과 경험이 요즘은 다른 것 같더라구요.

암튼, 그래서 JSON filter 사용 시 제공하는 Option 에 대해서 숙지 하고 사용하시면 좋겠습니다.

기본적으로는 Common Options 를 먼저 보시는게 좋습니다.

JSON Filter Configuration Options)

Setting	Input type	Required
skip_on_invalid_json	boolean	No
source	string	Yes
tag_on_failure	array	No
target	string	No

skip_on_invalid_json
json 이 아닌 데이터가 들어 올 경우 에러를 발생 시키지 않고 skip 시키기 위한 옵션 입니다.
기본 설정 값이 false 이기 때문에 잘 못된 데이터에 대해서 오류가 발생 하게 됩니다.

source
json parsing 을 하기 위한 field 를 지정 하게 됩니다.

tag_on_failure
정상적으로 처리 되지 않았을 경우 tags 라는 filed 에 "_jsonparsefailure" 값이 추가 됩니다.

target
source field 내 json value 가 target filed 로 등록 되며, 이미 target field 가 있다면 overwrite 됩니다.

위 설정 중에서 skip_on_invalid_json 과 tag_on_failure 만 잘 설정 하셔도 invalid data 에 대한 오류는 잘 넘길 수 있습니다.

간혹 이 오류로 인해서 logstash 가 먹통이 되는 걸 예방 할 수 있기 때문 입니다.

:

[Elasticsearch] 앱 내 사용자 행동로그 수집 파이프라인 구성

Elastic/Elasticsearch 2019. 10. 17. 15:13

사용하고자 하는 Software Stack 은 다양하게 많이 있습니다.

일반적으로 아래 파이프라인으로 많이들 구성 합니다.

1. App -> Stream service -> Consumer -> Elasticsearch
2. App -> Stream service -> Producer -> Queue -> Consumer -> Elasticsearch
3. App -> Logging service (daemon, http, file ...) -> Consumer -> Elasticsearch
4. App -> Logging service (daemon, http, file ...) -> Producer -> Queue -> Consumer -> Elasticsearch

이걸 다시 Elastic Stack 으로 변환 하면

Producer 는)

- Filebeat

- Logstash

Queue 는)

- Logstash persistent queue

Consumer 는)

- Logstash

이 외에도 sqs, dynamodb, redis, kafka, fluentd, storm 등 활용 가능한 오픈소스들이 많이 준비되어 있습니다.

가장 쉽고 일반적인 구성이라고 보시면 될 것 같습니다.

:

[Logstash] --config.reload.automatic 사용 경험 공유

Elastic/Logstash 2018. 10. 4. 11:28

Logstash 사용 시 --config.reload.automatic 설정을 통해서 conf 파일에 대한 변경 사항을 데몬 재시작 없이 할 수 있습니다.

하지만 모든 변경 사항에 대해서 반영이 가능 하지 않기 때문에 사용 시 주의 하셔야 합니다.

크게 사용 방법은 두 가지로 나뉩니다.

1. --config.reload.automatic 을 통한 자동 갱신

2. Logstash 재시작을 통한 갱신

2번의 과정을 하고 싶지 않기 때문에 1번을 설정해서 사용을 하는데 문제는 이게 모든 plugins 에서 동작 하지는 않는 다는 것입니다.

만약 아래와 같은 에러를 접하셨다면, 해당 plugin 또는 pipeline 은 auto reload 설정이 동작 하지 않는 것들 이니 참고 하시기 바랍니다.

[에러내용]

[ERROR][logstash.agent ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>“Cannot reload pipeline, because the existing pipeline is not reloadable”, :backtrace=>nil}

쉽게는 기본적인 syntax 오류 같은건 바로 바로 반영 됩니다. :)

저작자표시 비영리 변경금지

:

[Logstash] AWS SQS + Logstash 구성

Elastic/Logstash 2018. 8. 28. 09:52

가끔 사용하다가도 처음 사용할 때 이해했던 내용과 다르게 기억 될 때가 있습니다.

그래서 또 복습 합니다.

구성은 아래와 같습니다.

File Log --> Logstash Agent --> SQS -->

Logstash Collector -->

File

Elasticsearch

Logstash Collector -->

File

Elasticsearch

각 서버의 file log 를 input file 로 읽고 output sqs 로 보냅니다.

그런 후 input sqs 를 읽고 multi output 으로 file 과 elasticsearch 로 저장을 하게 되는 구조 입니다.

여기서 AWS 의 SQS 에 대한 메시지 수명 주기에 대한 이해가 필요 합니다.

원문)

https://aws.amazon.com/ko/sqs/details/

Amazon SQS 메시지 수명 주기

Amazon SQS에 저장된 메시지에는 관리가 쉬우면서도 모든 메시지가 처리되도록 보장하는 수명 주기가 있습니다.

1. 메시지를 보내야 하는 시스템에서는 Amazon SQS 대기열을 선택하고 SendMessage를 사용하여 새 메시지를 전송합니다.

2. 메시지를 처리하는 다른 시스템은 처리할 메시지가 더 많이 필요해지므로 ReceiveMessage를 호출하고, 해당 메시지가 반환됩니다.

3. ReceiveMessage에 의해 메시지가 반환되면 해당 메시지는 제한 시간이 초과할 때까지는 다른 어떤 ReceiveMessage에 의해서도 반환되지 않습니다. 이는 다수의 소비자가 동일한 메시지를 동시에 처리하는 것을 방지합니다.

4. 메시지를 처리하는 시스템에서 메시지 작업을 성공적으로 완료하면, 해당 시스템에서는 다른 시스템에서 해당 메시지를 다시 처리하지 않도록 DeleteMessage를 호출하여 메시지를 대기열에서 제거합니다. 시스템에서 메시지 처리에 실패하는 경우, 제한 시간이 초과하는 즉시 다른 ReceiveMessage 호출을 통해 해당 메시지를 읽습니다.

5. 소스 대기열에 배달 못한 편지 대기열이 연결되어 있는 경우 지정한 최대 배달 시도 횟수에 도달한 이후에는 메시지가 배달 못한 편지 대기열로 이동됩니다.

결국 정리 하면, consumer 가 읽어 가면 다른 consumer 는 이미 읽어간 데이터를 읽어 가지 못합니다. 이유는 위 설명에서와 같이 삭제 되기 때문 입니다.

단일 큐를 사용하면서 큐에 쌓인 메시지의 소비는 다중 consumer 로 처리 하고 단일 저장소로 저장 할 경우 쉽게 구성 할 수 있다는 이야기 였습니다.

여기서 제가 착각한 포인트는 읽어간 메시지가 삭제 되지 않는다는 것이였구요.

이런 오해는 "메시지는 최대 14일 동안 대기열에 보관됩니다." 라는 걸 보고 착각한 것이였습니다.

저작자표시 비영리 변경금지

:

[Beats] 오랜만에 Filebeat 설치

Elastic/Beats 2018. 7. 25. 20:23

설치환경)

AWS EC2

Ubuntu

다운로드)

https://www.elastic.co/kr/downloads/beats/filebeat

https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.1-linux-x86_64.tar.gz

다운 받으시고 그냥 압축 해제 하시면 됩니다.

tree 는 그냥 제 맥북 기준으로 보여 드립니다.

filebeat-6.3.2-darwin-x86_64

├── LICENSE.txt

├── NOTICE.txt

├── README.md

├── fields.yml

├── filebeat

├── filebeat.reference.yml

├── filebeat.yml

├── kibana

│ ├── 5

│ │ ├── dashboard

│ │ │ ├── 0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json

│ │ │ ├── 26309570-2419-11e7-a83b-d5f4cebac9ff.json

│ │ │ ├── 277876d0-fa2c-11e6-bbd3-29c986c96e5a.json

│ │ │ ├── 5517a150-f9ce-11e6-8115-a7c18106d86a.json

│ │ │ ├── 7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json

│ │ │ ├── Filebeat-Apache2-Dashboard.json

│ │ │ ├── Filebeat-MySQL-Dashboard.json

│ │ │ ├── Filebeat-Nginx-Dashboard.json

│ │ │ ├── Filebeat-Traefik-Dashboard.json

│ │ │ ├── Filebeat-syslog-dashboard.json

│ │ │ ├── ML-Nginx-Access-Remote-IP-Count-Explorer.json

│ │ │ ├── ML-Nginx-Remote-IP-URL-Explorer.json

│ │ │ ├── ML-Traefik-Access-Remote-IP-Count-Explorer.json

│ │ │ ├── ML-Traefik-Remote-IP-URL-Explorer.json

│ │ │ ├── b9163ea0-2417-11e7-a83b-d5f4cebac9ff.json

│ │ │ ├── dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json

│ │ │ └── f693d260-2417-11e7-a83b-d5f4cebac9ff.json

│ │ ├── index-pattern

│ │ │ └── filebeat.json

│ │ ├── search

│ │ │ ├── 0ab87b80-478e-11e7-b1f0-cb29bac6bf8b.json

│ │ │ ├── 4ac0a370-0a11-11e7-8b04-eb22a5669f27.json

│ │ │ ├── 62439dc0-f9c9-11e6-a747-6121780e0414.json

│ │ │ ├── 710043e0-2417-11e7-a83b-d5f4cebac9ff.json

│ │ │ ├── 73613570-4791-11e7-be88-2ddb32f3df97.json

│ │ │ ├── 8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json

│ │ │ ├── Apache2-access-logs.json

│ │ │ ├── Apache2-errors-log.json

│ │ │ ├── Filebeat-MySQL-Slow-log.json

│ │ │ ├── Filebeat-MySQL-error-log.json

│ │ │ ├── Filebeat-Nginx-module.json

│ │ │ ├── Filebeat-Traefik-module.json

│ │ │ ├── ML-Filebeat-Nginx-Access.json

│ │ │ ├── ML-Filebeat-Traefik-Access.json

│ │ │ ├── Syslog-system-logs.json

│ │ │ ├── b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json

│ │ │ ├── c876e6a0-2418-11e7-a83b-d5f4cebac9ff.json

│ │ │ ├── eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json

│ │ │ └── ffaf5a30-2413-11e7-a0d9-39604d45ca7f.json

│ │ └── visualization

│ │ ├── 0bc34b60-2419-11e7-a83b-d5f4cebac9ff.json

│ │ ├── 12667040-fa80-11e6-a1df-a78bd7504d38.json

│ │ ├── 2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json

│ │ ├── 2cf77780-2418-11e7-a83b-d5f4cebac9ff.json

│ │ ├── 341ffe70-f9ce-11e6-8115-a7c18106d86a.json

│ │ ├── 346bb290-fa80-11e6-a1df-a78bd7504d38.json

│ │ ├── 3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json

│ │ ├── 51164310-fa2b-11e6-bbd3-29c986c96e5a.json

│ │ ├── 5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json

│ │ ├── 5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json

│ │ ├── 5ebdbe50-0a0f-11e7-825f-6748cda7d858.json

│ │ ├── 6295bdd0-0a0e-11e7-825f-6748cda7d858.json

│ │ ├── 78b74f30-f9cd-11e6-8115-a7c18106d86a.json

│ │ ├── 78b9afe0-478f-11e7-b1f0-cb29bac6bf8b.json

│ │ ├── Apache2-access-unique-IPs-map.json

│ │ ├── Apache2-browsers.json

│ │ ├── Apache2-error-logs-over-time.json

│ │ ├── Apache2-operating-systems.json

│ │ ├── Apache2-response-codes-of-top-URLs.json

│ │ ├── Apache2-response-codes-over-time.json

│ │ ├── Errors-over-time.json

│ │ ├── ML-Nginx-Access-Map.json

│ │ ├── ML-Nginx-Access-Remote-IP-Timechart.json

│ │ ├── ML-Nginx-Access-Response-Code-Timechart.json

│ │ ├── ML-Nginx-Access-Top-Remote-IPs-Table.json

│ │ ├── ML-Nginx-Access-Top-URLs-Table.json

│ │ ├── ML-Nginx-Access-Unique-Count-URL-Timechart.json

│ │ ├── ML-Traefik-Access-Map.json

│ │ ├── ML-Traefik-Access-Remote-IP-Timechart.json

│ │ ├── ML-Traefik-Access-Response-Code-Timechart.json

│ │ ├── ML-Traefik-Access-Top-Remote-IPs-Table.json

│ │ ├── ML-Traefik-Access-Top-URLs-Table.json

│ │ ├── ML-Traefik-Access-Unique-Count-URL-Timechart.json

│ │ ├── MySQL-Error-logs-levels.json

│ │ ├── MySQL-Slow-logs-by-count.json

│ │ ├── MySQL-Slow-queries-over-time.json

│ │ ├── MySQL-error-logs.json

│ │ ├── MySQL-slowest-queries.json

│ │ ├── New-Visualization.json

│ │ ├── Nginx-Access-Browsers.json

│ │ ├── Nginx-Access-Map.json

│ │ ├── Nginx-Access-OSes.json

│ │ ├── Nginx-Access-Response-codes-by-top-URLs.json

│ │ ├── Sent-sizes.json

│ │ ├── Syslog-events-by-hostname.json

│ │ ├── Syslog-hostnames-and-processes.json

│ │ ├── Traefik-Access-Browsers.json

│ │ ├── Traefik-Access-Map.json

│ │ ├── Traefik-Access-OSes.json

│ │ ├── Traefik-Access-Response-codes-by-top-URLs.json

│ │ ├── a59b5e00-2417-11e7-a83b-d5f4cebac9ff.json

│ │ ├── c5411910-0a87-11e7-8b04-eb22a5669f27.json

│ │ ├── d16bb400-f9cc-11e6-8115-a7c18106d86a.json

│ │ ├── d1726930-0a7f-11e7-8b04-eb22a5669f27.json

│ │ ├── d2864600-478f-11e7-be88-2ddb32f3df97.json

│ │ ├── d56ee420-fa79-11e6-a1df-a78bd7504d38.json

│ │ ├── d8e5dc40-2417-11e7-a83b-d5f4cebac9ff.json

│ │ ├── dc589770-fa2b-11e6-bbd3-29c986c96e5a.json

│ │ ├── dcccaa80-4791-11e7-be88-2ddb32f3df97.json

│ │ ├── e121b140-fa78-11e6-a1df-a78bd7504d38.json

│ │ ├── f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json

│ │ └── fb09d4b0-2418-11e7-a83b-d5f4cebac9ff.json

│ └── 6

│ ├── dashboard

│ │ ├── Filebeat-Kafka-overview.json

│ │ ├── Filebeat-Mongodb-overview.json

│ │ ├── Filebeat-Postgresql-overview.json

│ │ ├── Filebeat-Postgresql-slowlogs.json

│ │ ├── Filebeat-apache2.json

│ │ ├── Filebeat-auditd.json

│ │ ├── Filebeat-auth-sudo-commands.json

│ │ ├── Filebeat-icinga-debug-log.json

│ │ ├── Filebeat-icinga-main-log.json

│ │ ├── Filebeat-icinga-startup-errors.json

│ │ ├── Filebeat-iis.json

│ │ ├── Filebeat-logstash-log.json

│ │ ├── Filebeat-logstash-slowlog.json

│ │ ├── Filebeat-mysql.json

│ │ ├── Filebeat-new-users-and-groups.json

│ │ ├── Filebeat-nginx-logs.json

│ │ ├── Filebeat-nginx-overview.json

│ │ ├── Filebeat-redis.json

│ │ ├── Filebeat-ssh-login-attempts.json

│ │ ├── Filebeat-syslog.json

│ │ ├── Filebeat-traefik-overview.json

│ │ ├── ml-nginx-access-remote-ip-count-explorer.json

│ │ ├── ml-nginx-remote-ip-url-explorer.json

│ │ ├── ml-traefik-access-remote-ip-count-explorer.json

│ │ ├── ml-traefik-remote-ip-url-explorer.json

│ │ ├── osquery-compliance.json

│ │ └── osquery-rootkit.json

│ └── index-pattern

│ └── filebeat.json

├── module

│ ├── apache2

│ │ ├── access

│ │ │ ├── config

│ │ │ │ └── access.yml

│ │ │ ├── ingest

│ │ │ │ └── default.json

│ │ │ └── manifest.yml

│ │ ├── error

│ │ │ ├── config

│ │ │ │ └── error.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ └── module.yml

│ ├── auditd

│ │ ├── log

│ │ │ ├── config

│ │ │ │ └── log.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ └── module.yml

│ ├── icinga

│ │ ├── debug

│ │ │ ├── config

│ │ │ │ └── debug.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ ├── main

│ │ │ ├── config

│ │ │ │ └── main.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ ├── module.yml

│ │ └── startup

│ │ ├── config

│ │ │ └── startup.yml

│ │ ├── ingest

│ │ │ └── pipeline.json

│ │ └── manifest.yml

│ ├── iis

│ │ ├── access

│ │ │ ├── config

│ │ │ │ └── iis-access.yml

│ │ │ ├── ingest

│ │ │ │ └── default.json

│ │ │ └── manifest.yml

│ │ └── error

│ │ ├── config

│ │ │ └── iis-error.yml

│ │ ├── ingest

│ │ │ └── default.json

│ │ └── manifest.yml

│ ├── kafka

│ │ ├── log

│ │ │ ├── config

│ │ │ │ └── log.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ └── module.yml

│ ├── logstash

│ │ ├── log

│ │ │ ├── config

│ │ │ │ └── log.yml

│ │ │ ├── ingest

│ │ │ │ ├── pipeline-json.json

│ │ │ │ └── pipeline-plain.json

│ │ │ └── manifest.yml

│ │ ├── module.yml

│ │ └── slowlog

│ │ ├── config

│ │ │ └── slowlog.yml

│ │ ├── ingest

│ │ │ ├── pipeline-json.json

│ │ │ └── pipeline-plain.json

│ │ └── manifest.yml

│ ├── mongodb

│ │ ├── log

│ │ │ ├── config

│ │ │ │ └── log.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ └── module.yml

│ ├── mysql

│ │ ├── error

│ │ │ ├── config

│ │ │ │ └── error.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ ├── module.yml

│ │ └── slowlog

│ │ ├── config

│ │ │ └── slowlog.yml

│ │ ├── ingest

│ │ │ └── pipeline.json

│ │ └── manifest.yml

│ ├── nginx

│ │ ├── access

│ │ │ ├── config

│ │ │ │ └── nginx-access.yml

│ │ │ ├── ingest

│ │ │ │ └── default.json

│ │ │ ├── machine_learning

│ │ │ │ ├── datafeed_low_request_rate.json

│ │ │ │ ├── datafeed_remote_ip_request_rate.json

│ │ │ │ ├── datafeed_remote_ip_url_count.json

│ │ │ │ ├── datafeed_response_code.json

│ │ │ │ ├── datafeed_visitor_rate.json

│ │ │ │ ├── low_request_rate.json

│ │ │ │ ├── remote_ip_request_rate.json

│ │ │ │ ├── remote_ip_url_count.json

│ │ │ │ ├── response_code.json

│ │ │ │ └── visitor_rate.json

│ │ │ └── manifest.yml

│ │ ├── error

│ │ │ ├── config

│ │ │ │ └── nginx-error.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ └── module.yml

│ ├── osquery

│ │ ├── module.yml

│ │ └── result

│ │ ├── config

│ │ │ └── result.yml

│ │ ├── ingest

│ │ │ └── pipeline.json

│ │ └── manifest.yml

│ ├── postgresql

│ │ ├── log

│ │ │ ├── config

│ │ │ │ └── log.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ └── module.yml

│ ├── redis

│ │ ├── log

│ │ │ ├── config

│ │ │ │ └── log.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ ├── module.yml

│ │ └── slowlog

│ │ ├── config

│ │ │ └── slowlog.yml

│ │ ├── ingest

│ │ │ └── pipeline.json

│ │ └── manifest.yml

│ ├── system

│ │ ├── auth

│ │ │ ├── config

│ │ │ │ └── auth.yml

│ │ │ ├── ingest

│ │ │ │ └── pipeline.json

│ │ │ └── manifest.yml

│ │ ├── module.yml

│ │ └── syslog

│ │ ├── config

│ │ │ └── syslog.yml

│ │ ├── ingest

│ │ │ └── pipeline.json

│ │ └── manifest.yml

│ └── traefik

│ ├── access

│ │ ├── config

│ │ │ └── traefik-access.yml

│ │ ├── ingest

│ │ │ └── pipeline.json

│ │ ├── machine_learning

│ │ │ ├── datafeed_low_request_rate.json

│ │ │ ├── datafeed_remote_ip_request_rate.json

│ │ │ ├── datafeed_remote_ip_url_count.json

│ │ │ ├── datafeed_response_code.json

│ │ │ ├── datafeed_visitor_rate.json

│ │ │ ├── low_request_rate.json

│ │ │ ├── remote_ip_request_rate.json

│ │ │ ├── remote_ip_url_count.json

│ │ │ ├── response_code.json

│ │ │ └── visitor_rate.json

│ │ ├── manifest.yml

│ │ └── tests

│ │ ├── test.log

│ │ └── test.log-expected.json

│ └── module.yml

└── modules.d

├── apache2.yml.disabled

├── auditd.yml.disabled

├── icinga.yml.disabled

├── iis.yml.disabled

├── kafka.yml.disabled

├── logstash.yml.disabled

├── mongodb.yml.disabled

├── mysql.yml.disabled

├── nginx.yml.disabled

├── osquery.yml.disabled

├── postgresql.yml.disabled

├── redis.yml.disabled

├── system.yml.disabled

└── traefik.yml.disabled

97 directories, 254 files

도움말)

Usage:

filebeat [flags]

filebeat [command]

Available Commands:

export Export current config or index template

help Help about any command

keystore Manage secrets keystore

modules Manage configured modules

run Run filebeat

setup Setup index template, dashboards and ML jobs

test Test config

version Show current version info

Flags:

-E, --E setting=value Configuration overwrite

-M, --M setting=value Module configuration overwrite

-N, --N Disable actual publishing for testing

-c, --c string Configuration file, relative to path.config (default "filebeat.yml")

--cpuprofile string Write cpu profile to file

-d, --d string Enable certain debug selectors

-e, --e Log to stderr and disable syslog/file output

-h, --help help for filebeat

--httpprof string Start pprof http server

--memprofile string Write memory profile to this file

--modules string List of enabled modules (comma separated)

--once Run filebeat only once until all harvesters reach EOF

--path.config string Configuration path

--path.data string Data path

--path.home string Home path

--path.logs string Logs path

--setup Load sample Kibana dashboards and setup Machine Learning

--strict.perms Strict permission checking on config files (default true)

-v, --v Log at INFO level

Use "filebeat [command] --help" for more information about a command.

filebeat.yml 예제)

filebeat:

prospectors:

-

paths:

- /mnt/apps/apache-tomcat/logs/catalina.out

encoding: utf-8

input_type: log

exclude_lines: ['DEBUG', 'INFO']

include_lines: ['(E|e)rror', 'ERROR', '(E|e)xception', 'EXCEPTION']

document_type: error-log

ignore_older: 5m

scan_frequency: 10s

multiline:

pattern: '^[[:space:]]+|^Caused by:'

negate: false

match: after

max_lines: 10

timeout: 5s

tail_files: true

backoff: 1s

max_backoff: 10s

backoff_factor: 2

registry_file: /mnt/config/filebeat/.filebeat-tomcat

output:

logstash:

hosts: ["localhost:5044"]

shipper:

logging:

to_syslog: false

to_files: true

level: warning

files:

path: /mnt/logs/filebeat

name: filebeat-tomcat.log

rotateeverybytes: 10485760 # = 10MB

logstash 예제)

input {

beats {

port => 5044

}

output {

stdout { codec => rubydebug }

http {

url => "https://slack.com/api/chat.postMessage"

content_type => "application/json"

http_method => "post"

format => "json"

mapping => [ "channel", "slack-bot", "text", "%{message}" ]

headers => ["Authorization", "Bearer xoxb-XXXXXXXXXXXXXXXXXXXXX"]

}

# elasticsearch {

# host => "localhost"

# port => "9200"

# protocol => "http"

# index => "%{[@metadata][index]}"

# document_type => "%{[@metadata][type]}"

# }

}

위 예제는 그냥 filebeat 이 log file 을 리스닝 하고 있다가 error 또는 exception 발생 시 바로 slack 으로 해당 에러는 보내주는 예제 입니다.

저작자표시 비영리 변경금지

:

[Logstash] http output plugin - slack chat

Elastic/Logstash 2018. 7. 9. 12:19

예전에는 output slack_chat 이라고 플러그인을 만들어서 사용을 했었는데 logstash output http 가 있어서 그냥 이걸로 바로 사용하겠습니다.

공식문서에 잘못된 정보가 있기 때문에 그대로 보고 따라 하시면 시간을 낭비 하실 수 있습니다.

(6.3.0 에서 테스트 되었습니다.)

Reference)

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-http.html

input {

stdin {}

}

output {

stdout { codec => rubydebug }

http {

url => "https://slack.com/api/chat.postMessage"

content_type => "application/json"

http_method => "post"

format => "json"

mapping => [ "channel", "CXXXXXXXXX", "text", "%{message}" ]

headers => ["Authorization", "Bearer xoxb-xxxxxxxxxxx"]

}

문서 내 잘못된 정보)

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-http.html#plugins-outputs-http-mapping

mapping 이 hash 로 되어 있는데 실제 나와 있는 예제로는 동작 하지 않습니다.

잘못된 예)

   mapping => {"foo" => "%{host}"
              "bar" => "%{type}"}

바른 예)

mapping => [ "channel", "CXXXXXXXXX", "text", "%{message}" ]

저작자표시 비영리 변경금지

:

[Logstash] Logstash 를 이용한 CSV 파일 Import를 하려면

Elastic/Logstash 2018. 4. 24. 11:14

Elastic 사의 공식 문서를 보시면 쉽게 하실 수 있습니다.

기본 flow 는 아래와 같습니다.

CSV -> logstash input file -> Logstash filter csv -> logstash output elasticsearch

각각에 필요한 참조문서는

[Logstash Input File]

https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html

[Logstash Filter CSV]

https://www.elastic.co/guide/en/logstash/current/plugins-filters-csv.html

[Logstash Output Elasticsearch]

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html

[Elasticsearch Indices Templates]

https://www.elastic.co/guide/en/elasticsearch/reference/master/indices-templates.html

Template 이 필요한 이유는 csv 파일 데이터에 대한 dynamic mapping 시 의도치 않은 데이터에 대한 형변환 오류를 방지 하기 위함 입니다.

사전에 꼭 정의 하셔서 reindexing 하는 일이 없도록 주의 하시면 좋을 것 같습니다.

저작자표시 비영리 변경금지

:

[Logstash] input file start_position => "end"

Elastic/Logstash 2017. 8. 17. 11:20

먼저 앞서 기술한 input file 에 대한 내용을 먼저 읽어 보시면 이해 하시는데 도움이 됩니다.

※ [Logstash] input file plugin 에 대해서 알아 봅니다.

이전 글은 데이터 유실 방지를 위한 설정과 input file 의 주요 설정 정보에 대해서 알아 봤습니다.

이번 글에서는 반대로 start_position => "end" 로 했을 때 왜 데이터가 유실 되는지 간략하게 살펴 보겠습니다.

설정)

input {

file {

path => "/xxxx/logs/test-file.log"

start_position => "end"

stat_interval => 1

}

file {

path => "/xxxx/logs/test-file1.log"

start_position => "end"

stat_interval => 10

}

output {

stdout {

codec => "rubydebug"

}

첫 번째 실행)

$ bin/logstash -f config/test-file.conf

첫번째 실행 후 sincedb)

189766986 1 4 3675

두 번째 실행)

$ bin/logstash -f config/test-file.conf

두번째 실행 후 sincedb)

189766986 1 4 4065

보시는 것 처럼 start_position => "end"로 했을 경우 해당 파일의 end byte offset 정보를 기록하게 됩니다.

이후 sincedb 정보는 변경이 되지 않게 됩니다.

logstash 를 중지 하고 재실행 합니다.

그 동안 test-file.log 에는 계속 데이터가 누적 되도록 하였습니다.

두 번째 실행 된 후 sincedb 값을 확인해 보면 변경 되어 있는 것을 볼 수 있습니다.

이와 같이 첫 번째 offset 정보와 두 번째 offset 정보의 차이 만큼 데이터가 유실 되게 되는 것입니다.

저작자표시 비영리 변경금지

:

jjeong

'logstash'에 해당되는 글 38건

[Logstash] logstash filter date 조금 알아보기

[Elastic] 목차 입니다.

[Logstash] JSON filter plugin

[Elasticsearch] 앱 내 사용자 행동로그 수집 파이프라인 구성

[Logstash] --config.reload.automatic 사용 경험 공유

[Logstash] AWS SQS + Logstash 구성

[Beats] 오랜만에 Filebeat 설치

[Logstash] http output plugin - slack chat

[Logstash] Logstash 를 이용한 CSV 파일 Import를 하려면

[Logstash] input file start_position => "end"

티스토리툴바