The Logstash architecture

The Logstash event processing pipeline has three stages, that is, Inputs, Filters, and Outputs. A Logstash pipeline has two required elements, that is, input and output, and one optional element known as filters.

Inputs create events, Filters modify the input events, and Outputs ship them to the destination. Inputs and outputs support codecs, which allow you to encode or decode the data as and when it enters or exits the pipeline, without having to use a separate filter.

Logstash uses in-memory bounded queues between pipeline stages by default (Input to Filter and Filter to Output) to buffer events. If Logstash terminates unsafely, any events that are stored in memory will be lost. To prevent data loss, you can enable Logstash to persist in-flight events to the disk by making use of persistent queues. 

Persistent queues can be enabled by setting the queue.type: persisted property in the logstash.yml file, which can be found under the LOGSTASH_HOME/config folder. logstash.yml is a configuration file that contains settings related to Logstash. By default, the queue files are stored in LOGSTASH_HOME/data/queue. You can override this by setting the path.queue property in logstash.yml.
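A pipeline left on the default in-memory queue silently drops buffered events on a crash, which leaves a gap in whatever log trail it feeds. The following added example (not from the original text or from the Logstash project) checks the contents of a logstash.yml for the two settings described above; the function names and sample file contents are constructed for illustration, and the parser only covers the flat and nested key forms that logstash.yml accepts.

```python
import re

# Defaults as the text describes them: in-memory queue, files under data/queue.
DEFAULTS = {"queue.type": "memory", "path.queue": "LOGSTASH_HOME/data/queue"}

# Constructed sample files (not taken from a real deployment).
SAMPLE_DEFAULT = "# logstash.yml\nnode.name: shipper-1\n"
SAMPLE_FLAT = "queue.type: persisted\npath.queue: /var/lib/logstash/queue  # own volume\n"
SAMPLE_NESTED = "queue:\n  type: persisted\npath:\n  queue: /var/lib/logstash/queue\n"

def flatten_settings(text):
    """Flatten the YAML subset used in logstash.yml into dotted keys.

    Accepts both `queue.type: persisted` and the nested `queue:` / `type:` form.
    This is a deliberately small parser, not a general YAML implementation.
    """
    settings, parents = {}, []  # parents: (indent, key) of open mappings
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # strip trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while parents and parents[-1][0] >= indent:
            parents.pop()  # left the previous nested mapping
        dotted = ".".join([k for _, k in parents] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            settings[dotted] = value
        else:
            parents.append((indent, key.strip()))
    return settings

def audit_queue(text):
    """Report whether in-flight events survive an unsafe shutdown."""
    cfg = {**DEFAULTS, **flatten_settings(text)}
    persisted = cfg["queue.type"].lower() == "persisted"
    return {
        "queue.type": cfg["queue.type"],
        # The queue directory holds raw event data, so it is worth reviewing.
        "path.queue": cfg["path.queue"] if persisted else None,
        "events_lost_on_unsafe_stop": not persisted,
    }

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_FLAT", "SAMPLE_NESTED"):
        print(name, audit_queue(globals()[name]))
```

When the queue is persisted, the reported path.queue directory contains event data on disk, so its ownership and permissions deserve the same review as the logs themselves.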

By default, Logstash starts with a heap size of 1 GB. This can be overridden by setting the Xms and Xmx properties in the jvm.options file, which is found under the LOGSTASH_HOME/config folder. 

The Logstash pipeline is stored in a configuration file that ends with a .conf extension. The three sections of the configuration file are as follows:

input
{
}
filter
{
}
output
{
}

Each of these sections contains one or more plugin configurations. A plugin can be configured by providing the name of the plugin and then its settings as a key-value pair. The value is assigned to a key using the => operator.

Let's use the same configuration that we used in the previous section, with a few small modifications, and store it in a file:

#simple.conf
#A simple logstash configuration

input {
  stdin { }
}

filter {
  mutate {
    uppercase => [ "message" ]
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Create a conf folder under LOGSTASH_HOME. Create a file called simple.conf under the LOGSTASH_HOME/conf folder.

It's good practice to place all the configurations in a separate directory, either under LOGSTASH_HOME or outside of it, rather than placing the files in the LOGSTASH_HOME/bin folder.

You may notice that this file contains two required elements, input and output, and that the input section has a plugin named stdin which accepts default parameters. The output section has a stdout plugin which accepts the rubydebug codec. stdin is used for reading input from the standard input, and the stdout plugin is used for writing the event information to the standard output. The rubydebug codec will output your Logstash event data using the Ruby Awesome Print library. It also contains a filter section that has a mutate plugin, which converts the incoming event message into uppercase.

Let's run Logstash using this new pipeline/configuration that's stored in the simple.conf file, as follows:

E:\logstash-7.0.0\bin>logstash -f ../conf/simple.conf

Once Logstash has started, enter any input, say, LOGSTASH IS AWESOME, and you should see the response, as follows:

{
"@version" => "1",
"host" => "SHMN-IN",
"@timestamp" => 2017-11-03T11:42:56.221Z,
"message" => "LOGSTASH IS AWESOME "
}

As seen in the preceding output, along with the input message, Logstash automatically adds the timestamp at which the event was generated, and information such as the host and version number. The output is pretty printed due to the use of the rubydebug codec. The incoming event is always stored in the field named message.

Since the configuration was specified in a file, we used the -f flag/option when running Logstash.