ELK: Performance of the Logstash Indexing layer

The Logstash indexing layer receives data from any number of input sources, transforms it, and then submits it to Elasticsearch for indexing.  Transforming and extracting fields from every event is both I/O and CPU intensive.

Horizontal or Vertical

Vertical scaling only goes so far in the Logstash indexing layer.  To keep up with processing demand, and to provide availability if one indexer fails, the layer has to scale horizontally.

And if you are going to scale horizontally, you should be using either configuration management (SaltStack, Ansible, etc.) or containers, so that extra Logstash indexing instances can be created without excessive manual steps.


Logstash: Testing Logstash grok patterns online

In my previous posts, I have shown how to test grok patterns locally using Ruby on Linux and Windows.  This works well when your VM does not have full internet access, has only console access, or for any other reason you want to test locally.

If you have access to a graphical web browser and the log file, there are a couple of nice online grok constructors; by entering a sampling of the log lines and a grok pattern, you can verify that all the lines are parsed correctly.  Keep in mind that whatever you paste into such a site is sent to a third party, so scrub hostnames, usernames and addresses from production log lines first, or use the local method instead.

Here is a small example to start you off:


Logstash: Testing Logstash grok patterns locally on Windows

If the logs you are shipping to Logstash come from a Windows host, it is even harder to quickly troubleshoot a grok pattern before it reaches the Logstash service.

It can be useful to validate your grok patterns directly on the Windows host.  Here is an easy way to test a log line against a grok pattern:
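The kind of check both of these grok posts describe, as an added example that is not code from the original posts: a self-contained Ruby script (plain Ruby, no gems, so it behaves the same on Windows and Linux) that expands a grok pattern into a Ruby regular expression and runs it over a set of sample lines, reporting every line that does not match and the fields extracted from those that do. The pattern table is a constructed subset of Logstash's base patterns (Logstash ships many more), and the syslog-style sample lines, hostnames and addresses are constructed for the example. Logstash's own grok filter does the same expansion against its full pattern set.

```ruby
# Minimal grok tester in plain Ruby (no gems). Added illustration, not code
# from the original posts. It expands %{SYNTAX:SEMANTIC[:TYPE]} references
# into Ruby named captures and checks every sample line against the result.

# Constructed subset of Logstash's base grok patterns; Logstash ships many more.
GROK_PATTERNS = {
  "INT"             => '(?:[+-]?(?:[0-9]+))',
  "NUMBER"          => '(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))',
  "WORD"            => '\b\w+\b',
  "NOTSPACE"        => '\S+',
  "GREEDYDATA"      => '.*',
  "IPV4"            => '(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}' \
                       '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])',
  "IP"              => '%{IPV4}',
  "MONTH"           => '\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b',
  "MONTHDAY"        => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  "HOUR"            => '(?:2[0123]|[01]?[0-9])',
  "MINUTE"          => '(?:[0-5][0-9])',
  "SECOND"          => '(?:[0-5]?[0-9])',
  "TIME"            => '%{HOUR}:%{MINUTE}:%{SECOND}',
  "SYSLOGTIMESTAMP" => '%{MONTH} +%{MONTHDAY} %{TIME}',
  "HOSTNAME"        => '\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\b',
  "PROG"            => '[\x21-\x5a\x5c\x5e-\x7e]+',
}.freeze

class Grok
  # %{SYNTAX}, %{SYNTAX:name} or %{SYNTAX:name:int|float}
  REF = /%\{(?<syntax>[A-Z0-9_]+)(?::(?<semantic>[A-Za-z_][A-Za-z0-9_]*)(?::(?<type>int|float))?)?\}/

  attr_reader :regex, :types

  def initialize(pattern, patterns = GROK_PATTERNS)
    @patterns = patterns
    @types = {}                       # field name => requested cast, if any
    @regex = Regexp.new(expand(pattern, 0))
  end

  # Returns a hash of captured fields, or nil when the line does not match.
  # Like Logstash's grok, the match is unanchored unless the pattern uses ^/$.
  def match(line)
    m = @regex.match(line)
    return nil unless m
    m.names.each_with_object({}) do |name, fields|
      value = m[name]
      fields[name] = case @types[name]
                     when "int"   then value && value.to_i
                     when "float" then value && value.to_f
                     else value
                     end
    end
  end

  private

  # Recursively replace %{...} references; the depth guard catches patterns
  # that (directly or indirectly) reference themselves.
  def expand(pattern, depth)
    raise "grok pattern nests too deeply (self-referencing pattern?)" if depth > 20
    pattern.gsub(REF) do
      m = Regexp.last_match
      syntax, semantic, type = m[:syntax], m[:semantic], m[:type]
      body = @patterns.fetch(syntax) { raise "unknown grok pattern %{#{syntax}}" }
      inner = expand(body, depth + 1)
      if semantic
        @types[semantic] = type if type
        "(?<#{semantic}>#{inner})"
      else
        "(?:#{inner})"
      end
    end
  end
end

# Run one pattern over many lines; each result pairs the line with its fields
# (nil when it did not match), which is exactly what you want to eyeball.
def grok_check(pattern, lines)
  grok = Grok.new(pattern)
  lines.map { |line| { line: line, fields: grok.match(line) } }
end

# Constructed sample: three syslog-style sshd lines plus one line in a
# different format, to show how a non-matching line is reported.
SAMPLE_PATTERN = '%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{PROG:program}(?:\[%{INT:pid:int}\])?: %{GREEDYDATA:message}'
SAMPLE_LINES = [
  "Oct  5 14:02:17 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
  "Oct  5 14:02:19 web01 sshd[2311]: Accepted password for bob from 198.51.100.7 port 51240 ssh2",
  "Oct  5 14:02:20 web01 sshd: pam_unix(sshd:auth): authentication failure",
  "2023-10-05T14:02:21Z web01 nginx: GET / HTTP/1.1 200",
].freeze

if __FILE__ == $PROGRAM_NAME
  grok_check(SAMPLE_PATTERN, SAMPLE_LINES).each do |r|
    if r[:fields]
      puts "OK      #{r[:line]}"
      r[:fields].each { |k, v| puts "          #{k} = #{v.inspect}" }
    else
      puts "NOMATCH #{r[:line]}"
    end
  end
end
```

Run it with `ruby grok_check.rb`; the three sshd lines print their fields (note `pid` is an Integer on the first two and nil on the third, where the optional `[pid]` group is absent), and the ISO-timestamped nginx line is reported as NOMATCH because nothing in it satisfies `%{SYSLOGTIMESTAMP}`. Swap in your own lines and pattern, and add any base patterns you need to the table.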
