Coding pipelines using those tools (and others) is a highly iterative process, specially when dealing with grok patterns to parse unstructured logs: you get some sample data, feed it to an input, and you will be repeating 1) coding the pipeline logic (filters in Logstash and processors in Filebeat) and 2) inspecting the output, until the logs are correctly parsed.

I always felt this iteration cycle of changing the pipeline and inspecting the output to be somewhat slow - sure you have the console output in both Logstash and Filebeat, but you end up with a mixed of those programs’ outputs and your output, you will be surely scrolling a lot. And sure, you also have the file output on both tools but its easy to get lost when dealing with documents with hundreds of fields, since they are all written in a single line per document, no pretty-print.

I needed a way to tell right away if the output of my pipeline was correct or not, to have pretty printed and navigable output were my main requirements, if I had that my development iteration would be so much faster! Such tool didn’t existed, so I’ve created it and called it Logshark (inspired by Wireshark, a popular network inspection tool)

It’s a CLI application with a terminal UI written in Go. It works by starting a small webserver that mimmicks Elasticsearch’s behavior by accepting _bulk requests, so all you need to do is to redirect your Logstash/Filebeat elasticsearch output to the tool.

This tool is particularly handy when changing production pipelines, as you can add a second elasticsearch output to your pipeline just to inspect the events, it will by default collect the first 100 events it sees and accept but discard the rest, you can inspect the next batch by hitting r to refresh it.

It will also tell you events per second and the average document size, which are handy when you need to optimize your throughput by adjusting the bulk/batch size, something really important if, say, your are collecting logs from a machine in the southern hemisphere to send to an elasticsearch cluster in the northern.

You can run it using the binary directly (<5mb) or on docker. The UI can be used on anything that can emulate a terminal, like your regular Linux terminal, iTerm, tmux, PuTTY and even VSCode.

Getting Started

1) Start the server

binary

./logshark --host 0.0.0.0 --port 9200 --max 1000

docker

docker run -p 9200:9200 -it ugosan/logshark -host 0.0.0.0 -port 9200

docker-compose.yml

version: "3.2"
services:

  logshark:
    image: ugosan/logshark
    tty: true
    stdin_open: true

note you should not use “docker-compose up” but instead “docker-compose run logshark sh” since docker-compose doesnt attach to containers with “up”. e.g. docker-compose run -p 9200:9200 logshark -port 9200

docker-compose run -p 9200:9200 logshark -port 9200

2) Point your Logstash pipeline’s output to it

Just like a normal elasticsearch output:

input {}

filter {}

output {
  elasticsearch {
    hosts => ["http://host.docker.internal:9200"]
  }
  
}   

When using docker, you can reach the logshark container from another container using host.docker.internal like docker run --rm byrnedo/alpine-curl -v -XPOST -d '{"hello":"test"}' http://host.docker.internal:9200

On Mac, using Homebrew

Install figlet

brew install figlet

Install lolcat because why not?

brew install lolcat

Find out your font directory using brew list figlet, then based on the installed version (mine was 2.2.5) do:

for file in /opt/homebrew/Cellar/figlet/2.2.5/share/figlet/fonts/*.flf;\
do echo "\n\n$file"; figlet -c -w 150 -f "$file" Hello World |\
lolcat; done

Our job is first to identify what exactly is on fire, and for that we need to get as much context as possible, as fast as possible.

Step 1: Check _cat/nodes for resource usage

Lets first check which nodes are actually in trouble.

Run:

GET _cat/nodes?v&h=ip,name,cpu,ram.max,heap.max,heap.percent,node.role,diskAvail,master

The output looks like this.

  master ip           name                cpu ram.max heap.max heap.percent node.role diskAvail
  -      10.47.48.170 instance-0000000009  26     2gb    844mb           60 himrst       48.7gb
  -      10.47.48.127 instance-0000000008  16     2gb    844mb           64 himrst       52.7gb
  *      10.47.48.118 instance-0000000003   7     2gb    844mb           69 himrst         50gb
  -      10.47.48.61  instance-0000000005   0     1gb    268mb           41 lr            1.8gb

If we notice a high CPU usage on a group of nodes, verify the node.role of those roles, if you have data tiers (a hot-warm architecture) it might be that only warm nodes are high, and hot nodes are unaffected.

There are more variables you can check like search.query_current and search.fetch_current which will show us the amount of time is being currently spent for search in query and fetch phases respectively. GET _cat/nodes?help is your friend

Step 2: Check the hot threads

This API yields a breakdown of the hot threads on each selected node in the cluster. The output is plain text with a breakdown of each node’s top hot threads.

Lets sample them by 1 second:

GET _nodes/hot_threads?interval=1s&ignore_idle_threads

The output will be something like this, with only the important parts:

::: {warm-xxx}{XXXXXXX}{YYYYYYYY}{10.10.10.10}{10.10.10.10:9300}{aws_availability_zone=us-west-2b, data_type=warm, ml.machine_memory=64388997120, ml.max_open_jobs=20, xpack.installed=true, ml.enabled=true}
   Hot threads at 2019-12-30T23:22:24.304Z, interval=500ms, busiestThreads=3, ignoreIdleThreads=true:

   44.0% (440.2ms out of 1000ms) cpu usage by thread 'elasticsearch[warm-xxx][management][T#1]'
      ... omitted ...

   42.7% (413.4ms out of 1000ms) cpu usage by thread 'elasticsearch[warm-xxx][search][T#2]'                    
     ... omitted ...

   41.8% (408.9ms out of 1000ms) cpu usage by thread 'elasticsearch[warm-xxx][search][T#7]'
     ... omitted ...

Step 3: Check Tasks

The Task Management API can give you a lot of information about the operations being executed at the cluster at any given time.

GET _tasks?human&detailed

They can be filtered to include only read (search) operations

GET _tasks?human&detailed&actions=indices:data/read/*

The output will show us the running_time and, in case of searches, the content of the specific search request being executed:

      "0l67b6iLSzmp7v3TNtkjbQ:138659665" : {
          "node" : "0l67b6iLSzmp7v3TNtkjbQ",
          "id" : 138659665,
          "type" : "transport",
          "action" : "indices:data/read/search",
          "description" : "indices[tasks], types[], search_type[QUERY_THEN_FETCH], source[{\"size\":0,\"query\":{\"bool\":{\"must\":[{\"terms\":{\"User.Actions.ActionId\":[\"f6583dbd-4079-4efd-80c4-28e3f0606c1f\",\"2f80c480-18a4-4079-4efd-d3bdf9361164\",
          ...
          "start_time" : "2022-06-28T15:27:20.766Z",
          "start_time_in_millis" : 1656430040766,
          "running_time" : "36.6s",
          "running_time_in_nanos" : 36665783627,

The task 0l67b6iLSzmp7v3TNtkjbQ:138659665 is a search task that has been running for 36 seconds, its source is also there, which might help identify the culprit.

Step 4: Cancel long running tasks

If you see queries that are impacting performance for too long and you want to cancel them, you can with PUT _tasks/<id>/_cancel:

POST _tasks/0l67b6iLSzmp7v3TNtkjbQ:138659665/_cancel

However if you find yourself cancelling tasks every day, your team should really rethink their data structure, query design or cluster size.

Problem solved? Lets get a little bit more proactive by:

1) having a dedicated Monitoring Cluster

• In Elastic Cloud that is as easy as creating a secondary (small) cluster and pointing Logs and Metrics over there.
• In on-premises clusters you need to start an instance of Metricbeat and point it to your production cluster:

  • The elasticsearch module will fetch monitoring info from your host with the following configuration (metricbeat.yml):

     metricbeat.modules:
     - module: elasticsearch
       xpack.enabled: true
       period: 10s
       hosts: ["https://prod-cluster:9200"] 
       scope: cluster
       username: "user"
       password: "secret"
       ssl.enabled: true
       ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
       ssl.verification_mode: "certificate"
    
     output.elasticsearch:
       hosts: ["https://my-monitoring-cluster:9200"]
       username: "metricbeat_writer"
       password: "secret"
    

2) Enabling Slow Logs

Exception caught in json filter {JSON} :exception=>#<RuntimeError: Invalid FieldReference: proc.aname[2]>}

Original Slack thread

When you have proc.aname[2] and want to have proc_aname2 - you can use regex groups to automatically change all occurrences of that string:

Solution

mutate {
    gsub => [ "message", "proc\.aname\[([0-9]+)\]", "proc_aname\1"]
}

Basically parenthesis () will make groups that can be later referenced by its number ( \1 for the first group, \2 for the second and so on.

Used Logshark for debugging

Top 2 reasons to deploy Logstash on Kubernetes:

• You can easily scale up and down to deal with throughput
• You can easily deploy ETL pipelines to hundreds of instances with a single click

A “headless” Logstash is a Logstash that doesnt contain any pipeline logic in itself, instead it will fetch the pipelines definitions from a centralized location (Elasticsearch itself), so we can create our ETL pipelines through Kibana and deploy them automatically to several Logstash instances. This feature is called Centralized Pipeline Management.

We are then going to create a Secret to store credentials, a ConfigMap to configure Logstash, a Deployment that will expose some container ports and finally a Service so Logstash is reachable from the outside.

Elasticsearch API Key

We first need to create an API Key so Logstash can communicate to Elasticsearch to fetch pipeline definitions.

Let’s define two roles: my_role which allows Logstash to fetch the pipeline definitions from Elasticsearch and my_write_role which will allow us to write to a datastream from our output. Those could be two different API Keys, but we are using just one to keep it simple.

Open up Kibana and then run the following command:

POST /_security/api_key
{
  "name": "logstash",   
  "role_descriptors": { 
    "my_role": {
      "cluster": ["monitor" ,"manage_logstash_pipelines"]
    },
    "my_write_role": {
      "index": [
        {
          "names": ["logs-*"],
          "privileges": ["all"]
        }
      ]
    }
  }
}

The response will have the encoded field, copy it:

{
  ...
  "encoded": "RlNXaEU0TUJXQWVtRnlHU3p6d0o6STkzVE9yX1RSTy03TGdiMHU5YWlZZw=="
}

Secret

Next, we need to create a Kubernetes Secret with our API key, paste the value from the encoded field to a variable we are calling ELASTICSEARCH_API_KEY:

apiVersion: v1
kind: Secret
metadata:
  name: logstash-secrets
type: Opaque
data:
  ELASTICSEARCH_API_KEY: RlNXaEU0TUJXQWVtRnlHU3p6d0o6STkzVE9yX1RSTy03TGdiMHU5YWlZZw==

ConfigMap

The ELASTICSEARCH_API_KEY variable will be used in a ConfigMap that will represent our logstash.yml with a very simple configuration that tells Logstash:

1) Where to fetch the pipeline configs (the xpack.management.elasticsearch.hosts)

2) What are the pipeline names to fetch (xpack.management.pipeline.id), in our case it will be anything starting with my-pipeline-*

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-configmap
data:
  logstash.yml: |
    http.host: "0.0.0.0"
    log.level: info
    xpack.management.enabled: true
    xpack.management.elasticsearch.hosts: ["https://my-cluster.es.us-east-1.aws.found.io:443"]  
    xpack.management.elasticsearch.api_key: "${ELASTICSEARCH_API_KEY}"
    xpack.management.logstash.poll_interval: 5s
    xpack.management.pipeline.id: ["my-pipeline-*"]

Deployment

Next, we create a Deployment that will expose a couple containerPort, use the ELASTICSEARCH_API_KEY from the Secret logstash-secrets as an environment variable, and use our ConfigMap.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logstash-deployment
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: logstash
  template:
    metadata:
      labels:
        app: logstash
    spec:
      containers:
      - name: logstash
        image: docker.elastic.co/logstash/logstash:8.3.3
        ports:
        - containerPort: 5044
        - containerPort: 5045
        resources:
            limits:
              memory: "2Gi"
              cpu: "2500m"
            requests: 
              memory: "1Gi"
              cpu: "300m"
        env: 
          - name: ELASTICSEARCH_API_KEY
            valueFrom:
              secretKeyRef:
                name: logstash-secrets
                key: ELASTICSEARCH_API_KEY
        volumeMounts:
          - name: config-volume
            mountPath: /usr/share/logstash/config
      volumes:
      - name: config-volume
        configMap:
          name: logstash-configmap
          items:
            - key: logstash.yml
              path: logstash.yml

Service

The service will expose the ports 5044 and 5045 to the outside through a LoadBalancer, depending on the provider that is enough - in GKE you will get public ClusterIP automatically assigned.

kind: Service
apiVersion: v1
metadata:
  name: logstash-service
  labels: 
    app: logstash
spec:
  type: LoadBalancer
  selector:
    app: logstash
  ports:
  - protocol: TCP
    port: 5044
    targetPort: 5044
    name: my-pipeline-1
  - protocol: TCP
    port: 5045
    targetPort: 5045
    name: my-pipeline-2

Logstash Pipeline

Our pipeline can open up a HTTP input, Beats input even Syslog on the available ports, for instance:

input {
  http {
    port => 5045
    codec => json
    user => "webhook_admin"
    password => "verysecretpassword"
  }
}

filter { }

output {
    elasticsearch {
        hosts => "https://my-cluster.es.us-east-1.aws.found.io:443"
        ssl => true
        api_key => "${ELASTICSEARCH_API_KEY}"
        data_stream => true
        data_stream_type => "logs"
        data_stream_dataset => "my-datastream"
        data_stream_namespace => "dev"
    }
}

All-in-one manifest

---
apiVersion: v1
kind: Secret
metadata:
  name: logstash-secrets
type: Opaque
data:
  ELASTICSEARCH_API_KEY: RlNXaEU0TUJXQWVtRnlHU3p6d0o6STkzVE9yX1RSTy03TGdiMHU5YWlZZw==

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logstash-deployment
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: logstash
  template:
    metadata:
      labels:
        app: logstash
    spec:
      containers:
      - name: logstash
        image: docker.elastic.co/logstash/logstash:8.4.2
        ports:
        - containerPort: 5044
        - containerPort: 5045
        resources:
            limits:
              memory: "2Gi"
              cpu: "2500m"
            requests: 
              memory: "1Gi"
              cpu: "300m"
        env: 
          - name: ELASTICSEARCH_API_KEY
            valueFrom:
              secretKeyRef:
                name: logstash-secrets
                key: ELASTICSEARCH_API_KEY
        volumeMounts:
          - name: config-volume
            mountPath: /usr/share/logstash/config
      volumes:
      - name: config-volume
        configMap:
          name: logstash-configmap
          items:
            - key: logstash.yml
              path: logstash.yml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-configmap
data:
  logstash.yml: |
    http.host: "0.0.0.0"
    log.level: info
    xpack.management.enabled: true
    xpack.management.elasticsearch.hosts: ["https://my-cluster.es.us-east-1.aws.found.io:443"]  
    xpack.management.elasticsearch.api_key: "${ELASTICSEARCH_API_KEY}"
    xpack.management.logstash.poll_interval: 5s
    xpack.management.pipeline.id: ["my-pipeline-*"]

---
kind: Service
apiVersion: v1
metadata:
  name: logstash-service
  labels: 
    app: logstash
spec:
  type: LoadBalancer
  selector:
    app: logstash
  ports:
  - protocol: TCP
    port: 5044
    targetPort: 5044
    name: my-pipeline-1
  - protocol: TCP
    port: 5045
    targetPort: 5045
    name: my-pipeline-2

The L in ELK, Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite “stash”, currently more than 50 outputs are supported, from Elasticsearch to Syslog.

Logstash is also currently the only option within the Elastic Stack if you want to fetch data that lives in a relational database, or if you want to write the same event to multiple outputs. But all that power also comes with a cost, a Logstash instance will require a lot more resources than an Elastic Agent with Filebeat, for instance.

Here are some of the best practices for deploying Logstash in production in 8.x version, separated in three areas: Deployment, Data Ingestion and Testing

Deploying Logstash

We have several options for deploying Logstash

As standalone

Deploy Logstash always as a system service, using the official packages for YUM or APT based distributions:

Installing Logstash from Package Repositories

In containers

The main advantage here is that you can run several logstash instances at the same time, they might even have different versions. You also have a better process isolation at the system-level.

- Bind-mounted config files

In Kubernetes

Data Ingestion

• Use Datastreams instead of indices
  • Special type of index, data streams are well-suited for logs, events, metrics, and other continuously generated data that are rarely, if ever, updated.
  • standardized names
  • a common set of best practices for mappings

    elasticsearch {
      hosts => "elasticsearch:9200"
      user => "elastic"
      password => "..."
      data_stream => true
      data_stream_type => "logs"
      data_stream_dataset => "hasura"
      data_stream_namespace => "%{log_type}"
    }
    

• Pipelines
  • Maintain order? if order is not important, disable it
  • Dissect instead of Grok whenever possible

Testing

• Testing
  • Use a Load Generator for testing

Getting the fingerprint from a server

We can get this fingerprint by simply using openssl and connecting to the server you want to extract the fingerprint:

openssl s_client \
  -connect demos.es.us-east1.gcp.elastic-cloud.com:9243 \
  -servername demos.es.us-east1.gcp.elastic-cloud.com \
  -showcerts < /dev/null 2>/dev/null | \
  openssl x509 -in /dev/stdin -sha256 -noout -fingerprint | \
  sed 's/://g'  

Getting the fingerprint from a file

if you have an actual certificate file for the CA you can just load it:

 openssl x509 -in ca_file.pem -sha256 -fingerprint | grep SHA256 | sed 's/://g'

The response will be something like

SHA256 Fingerprint=65C080BF18DBFA8F57606DBA0ED11D32DF42CF63B55CC07C7A764AA9597A9403

So you can use this fingerprint in output.elasticsearch:

output.elasticsearch:
  hosts: ...
  api_key: ...
  index: ...
  ssl.ca_trusted_fingerprint: "65C080BF18DBFA8F57606DBA0ED11D32DF42CF63B55CC07C7A764AA9597A9403"
  ssl.verification_mode: full