Logstash Shipper / Forwarder

Once you have the ELK stack installed, you can ship/forward your logs to the redis instance on the ELK host. Redis acts as a queue: Logstash on the ELK server reads from it and forwards the events to Elasticsearch, and you can then use Kibana to query Elasticsearch for the newly indexed logs.

Here are the steps for setting up Logstash shipper/forwarder on Ubuntu/Debian family:

Add the key (apt will trust any package signed by it, so fetch it over HTTPS if the mirror supports it and compare the fingerprint shown by "apt-key fingerprint" with the one Elastic publishes before installing anything):
wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -

Add the logstash repo to /etc/apt/sources.list:
deb http://packages.elasticsearch.org/logstash/1.4/debian stable main

Refresh the package index and install Logstash:
sudo apt-get update && sudo apt-get install logstash -y

With this you have installed Logstash as a service. The package runs it as the logstash user, so that user needs read access to the log files you want to ship.

Create logstash shipper config:
vi /etc/logstash/conf.d/logstash_shipper.conf

input {
  file {
    path => "/opt/applications/logs/your_app/your_app.log"
    # only honoured the first time a file is seen; later runs resume from the sincedb offset
    start_position => "beginning"
    codec => multiline {
      # a line that does NOT start with a digit is glued onto the previous event
      pattern => "^\d"
      negate => true
      what => "previous"
    }
  }
}

filter {
  grok {
    match => { "message" => "%{DATESTAMP:logDateTime} \[%{LOGLEVEL:logLevel}\] %{GREEDYDATA:logMessage}" }
  }
}

output {
  redis { host => "10.11.14.15" data_type => "list" key => "logstash" }
}

Then start the Logstash service on the client: sudo service logstash start. Logstash will read the file /opt/applications/logs/your_app/your_app.log from the beginning (start_position only applies the first time a file is seen; after that the sincedb file tracks the offset). Each line that does not start with a digit is appended to the previous event, so a stack trace becomes part of the log entry that produced it instead of many separate events. Each event is then tokenized by the grok pattern into logDateTime, logLevel and logMessage, and pushed onto the redis server 10.11.14.15 as a list under the key logstash. One caveat: grok's GREEDYDATA does not cross line breaks by default, so logMessage will only hold the first line of a multi-line event; prefix the pattern with (?m) if you want the stack trace lines in it as well (the full text is kept in the message field either way).
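To make the two stages above concrete, here is an added example (not part of the original post, and not Logstash code) that replays the shipper's logic in Python over a constructed log sample containing a stack trace: first the multiline merge with the same pattern/negate/what settings as the config, then a simplified stand-in for the grok pattern, then the JSON document that would be pushed onto the redis list. The date and level regexes are assumptions that approximate grok's DATESTAMP and LOGLEVEL; the real definitions are broader.

```python
import json
import re

# Constructed sample of the log file the shipper would tail: two single-line
# entries and one ERROR entry followed by a Java-style stack trace.
SAMPLE_LOG = """\
02/01/2014 10:15:32,120 [INFO] Application started
02/01/2014 10:15:33,004 [ERROR] Failed to connect to database
java.sql.SQLException: Connection refused
\tat com.example.Db.connect(Db.java:42)
\tat com.example.Main.main(Main.java:17)
02/01/2014 10:15:34,511 [WARN] Retrying in 5 seconds
"""

# Same rule as the multiline codec in the config: pattern '^\d', negate true,
# what 'previous'. A line that does NOT match the pattern is a continuation
# of the event before it.
MULTILINE_PATTERN = re.compile(r"^\d")


def merge_multiline(lines, pattern=MULTILINE_PATTERN, negate=True, what="previous"):
    """Collapse raw lines into events the way the multiline codec does."""
    events = []
    for line in lines:
        matched = bool(pattern.search(line))
        continuation = (not matched) if negate else matched
        if continuation and events and what == "previous":
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


# Assumed simplification of %{DATESTAMP} \[%{LOGLEVEL}\] %{GREEDYDATA}.
# re.DOTALL plays the role of grok's (?m) prefix so the stack trace lines
# end up inside logMessage instead of only the first line.
GROK = re.compile(
    r"^(?P<logDateTime>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:,\d{3})?) "
    r"\[(?P<logLevel>TRACE|DEBUG|INFO|WARN|WARNING|ERROR|FATAL)\] "
    r"(?P<logMessage>.*)$",
    re.DOTALL,
)


def grok_event(event):
    """Tokenize one event; on a miss, tag it like Logstash's grok filter does."""
    m = GROK.match(event)
    if not m:
        return {"message": event, "tags": ["_grokparsefailure"]}
    return {"message": event, **m.groupdict()}


def to_redis_payload(event):
    """The JSON string that would be RPUSHed onto the 'logstash' list."""
    return json.dumps(event, sort_keys=True)


def ship(text):
    """Whole shipper pipeline: file lines -> multiline merge -> grok -> events."""
    return [grok_event(e) for e in merge_multiline(text.splitlines())]


if __name__ == "__main__":
    for ev in ship(SAMPLE_LOG):
        print(to_redis_payload(ev))
```

Running it prints three JSON documents instead of six; the ERROR document carries the whole stack trace in both message and logMessage, which is what the indexer on the ELK side will receive from the redis list.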

The Logstash instance on the ELK stack reads from that redis list and sends its output to Elasticsearch, which can then be queried via Kibana. Note that the redis link between shipper and indexer is unauthenticated and unencrypted as configured here: at least firewall port 6379 on the ELK host so that only the shipper addresses can reach it, and set requirepass on the redis server together with the matching password option on the shipper's redis output and the indexer's redis input.

Does the explanation above make sense? Would you like more detail? Did I miss something? Please let me know via comments below!

Thank you for your time!

P.S: Of course you will need to plug in the path of the file you want Logstash to read, and the redis IP needs to be changed to your ELK server's IP.