General questions about ELK components

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Monoman
Posts: 14
Joined: Fri Feb 27, 2015 8:37 am

General questions about ELK components

Post by Monoman »

I've been playing/evaluating ELK and recently discovered Nagios Log Server. Does Nagios include version information on each of the ELK components? I've looked around a little bit but did not see what versions of the ELK components are included. It would also be nice to know if Nagios has a timetable to upgrade when new ELK versions are released (like within x months).

Also, does Log Server use Redis or another application to buffer Logstash?

Thank you.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: General questions about ELK components

Post by jolson »

Hello,

Your questions regarding versioning can be answered from the command line. Please see the examples below:

ElasticSearch:

[root@localhost ~]# curl -XGET 'localhost:9200'
output:
{
  "status" : 200,
  "name" : "a6f4ff52-a0a2-4142-b6a7-8c1cef3c544f",
  "version" : {
    "number" : "1.3.2",
    "build_hash" : "dee175dbe2f254f3f26992f5d7591939aaefd12f",
    "build_timestamp" : "2014-08-13T14:29:30Z",
    "build_snapshot" : false,
    "lucene_version" : "4.9"
  },
  "tagline" : "You Know, for Search"
}

Logstash:

/usr/local/nagioslogserver/logstash/bin/logstash --version

logstash 1.4.2


You can see that the current ElasticSearch version running on Nagios Log Server is 1.3.2 - released August 13, 2014.
The Logstash version is 1.4.2, released June 24, 2014 (current).
I could not find the current running Kibana version, but I don't think this is highly relevant.

There is currently no timetable that I am aware of.

Nagios Log Server does not use a buffer such as redis - the logs received from Logstash are picked up by Elasticsearch for display by Kibana.

Are there any other questions I could help you answer?

Best,


Jesse
Twits Blog
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
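The two version checks shown in the post above can be turned into a small per-node inventory that also flags version drift between cluster nodes. This is an added example, not part of the thread and not Nagios code; the node names, the second node's values and the helper names are assumptions made for illustration.

```python
import json
import re

def parse_es_banner(body):
    """Return (version, lucene_version) from the JSON served at GET / on port 9200."""
    doc = json.loads(body)
    ver = doc.get("version") or {}
    if "number" not in ver:
        raise ValueError("no version.number in Elasticsearch banner")
    return ver["number"], ver.get("lucene_version")

def parse_logstash_version(text):
    """Return the version from `logstash --version` output such as 'logstash 1.4.2'."""
    m = re.search(r"^logstash\s+(\d+(?:\.\d+)+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no version line in logstash output")
    return m.group(1)

def version_drift(inventory):
    """Map component -> {version: [nodes]} for components that differ between nodes."""
    drift = {}
    components = {c for versions in inventory.values() for c in versions}
    for comp in sorted(components):
        seen = {}
        for node, versions in sorted(inventory.items()):
            seen.setdefault(versions.get(comp, "unknown"), []).append(node)
        if len(seen) > 1:
            drift[comp] = seen
    return drift

# Constructed sample data: node1's banner is trimmed from the output in the
# post above; node names and node2's values are made up for illustration.
NODE1_ES = '{"status": 200, "version": {"number": "1.3.2", "lucene_version": "4.9"}}'
NODE2_ES = '{"status": 200, "version": {"number": "1.3.2", "lucene_version": "4.9"}}'
NODE1_LS = "logstash 1.4.2\n"
NODE2_LS = "logstash 1.4.1\n"

def build_inventory():
    inv = {}
    for node, es, ls in (("node1", NODE1_ES, NODE1_LS), ("node2", NODE2_ES, NODE2_LS)):
        inv[node] = {
            "elasticsearch": parse_es_banner(es)[0],
            "logstash": parse_logstash_version(ls),
        }
    return inv

if __name__ == "__main__":
    inv = build_inventory()
    print(json.dumps(inv, indent=2))
    print("drift:", version_drift(inv))
```

In practice the strings would come from running the two commands on each node; keeping the result alongside other asset data makes it easier to match nodes against published advisories for a given component version.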
Monoman
Posts: 14
Joined: Fri Feb 27, 2015 8:37 am

Re: General questions about ELK components

Post by Monoman »

Thank you. I set up two demo nodes and will start playing around with things.

Is there a particular cluster node IP that logs should be directed to? or both? or the first node configured?

Hopefully Nagios considers including the component versions in the readme or on an admin page. It could help when researching/troubleshooting. It seems that using Redis (or another message queue buffer) is fairly common in ELK setups. Perhaps it is really only needed for the larger installations.

Thank you again.
Monoman
Posts: 14
Joined: Fri Feb 27, 2015 8:37 am

Re: General questions about ELK components

Post by Monoman »

Thank you. I think it helps to know the versions when troubleshooting. I have more questions if you don't mind.

Q1: I have two test nodes set up. Do I direct logs to one of the host IPs, both IPs, or set up a third/virtual IP?
Q2: Is there a place to configure proxy settings for the dashboard? The Home page sections for "Latest News" and "Don't Miss ..." won't load because the servers do not have direct access to the Internet.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: General questions about ELK components

Post by jolson »

Q1: I have two test nodes set up. Do I direct logs to one of the host IPs, both IPs, or set up a third/virtual IP?
A1: You can direct logs to any IP in the cluster. The nodes will share logs and therefore the only relevant difference will be resource load - it's not abnormal to put a load balancer in front of your nodes if you think that's necessary. Otherwise, I recommend simply pointing logs to whichever IP you want while attempting to keep them 'balanced'.

Q2: Is there a place to configure proxy settings for the dashboard? The Home page sections for "Latest News" and "Don't Miss ..." won't load because the servers do not have direct access to the Internet.
A2: This is not currently supported. I know that for XI this process can be lengthy, so it may be for log server as well: http://support.nagios.com/wiki/index.ph ... th_Proxies. I will put in a feature request now.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: General questions about ELK components

Post by jolson »

I have created feature request # 5095 for your web proxy request.
Monoman
Posts: 14
Joined: Fri Feb 27, 2015 8:37 am

Re: General questions about ELK components

Post by Monoman »

jolson wrote:
Q1: I have two test nodes set up. Do I direct logs to one of the host IPs, both IPs, or set up a third/virtual IP?
A1: You can direct logs to any IP in the cluster. The nodes will share logs and therefore the only relevant difference will be resource load - it's not abnormal to put a load balancer in front of your nodes if you think that's necessary. Otherwise, I recommend simply pointing logs to whichever IP you want while attempting to keep them 'balanced'.

Thanks. It looks like we have a few options to look into.
  • Manual/pseudo load balance by IP. That will distribute load but doesn't offer any fault tolerance.
  • Use round robin DNS to distribute the load. It allows for a common destination for all hosts (that support using DNS) but still really doesn't provide any fault tolerance.
  • Use a hardware load balancer or something like HAProxy. This might be an option for us but it will require some testing.
  • Configure a few Redis VMs for a failover setup. This helps with Logstash Forwarder but not with other shippers that can't send to Redis (syslog, Windows, etc). I think adding Redis (or another MQ program) would be a good addition to NLS.
I would like to hear how others are set up. This is turning out to be a very interesting project. The more I read, the more questions I ask, and the more I realize this technology is very adaptable to most environments.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: General questions about ELK components

Post by jolson »

It is worth pointing out that NLS does a lot to distribute load on its own, and many people have fine success with pointing all of their logs at a single IP - but of course if you want to plan on scaling, a load balancer is worth consideration. While we don't have an official recommendation, HAProxy sounds like a very good option as it provides the ability to 'skip-over' a dead node if one were to go down, while also having the advantage of cost compared to hardware load balancers. Do you have any further questions, or would it be alright if I closed this post out?
Monoman
Posts: 14
Joined: Fri Feb 27, 2015 8:37 am

Re: General questions about ELK components

Post by Monoman »

Feel free to close it out.

Thank you very much.