
output: how to select index?

Posted: Fri Jan 06, 2017 6:15 am
by _asp_
Hi,

Background:
Our logstash index is currently up to 10GB per day. We are using a single instance. We have different retention intervals per logfile - that means log 1 we need to keep for a month, log 2 we should keep for the last 3 months, as an example. Logs from dev systems may be deleted after 2 weeks, etc.

Target:
I would like to split up the indexes and use different index patterns. Logstash should route by type for example.
Following aims I want to reach:
- be able to choose which logfiles I can delete to save space and memory, because as I understand it, the bigger an opened index is, the more memory it consumes in ES.
- faster searches because of smaller indices to search, if I search within a specific log file.

Questions:
- are all mentioned targets above solvable by using multiple indexes, or do I reach the opposite, especially on ES's memory usage and search times?
- How can I define an output which routes the type "log-application-1" only to index "indx_app1-{ddmmyyyy}" ?
- I know that I can only set one index name for a dashboard. I read about using aliases to make kibana / ES able to search in different indexes. So is it possible to link indx_app1-* and logstash-* to the same alias "myAlias"? In the dashboard then I would set "myAlias" as index pattern.

Thanks, Andreas

Re: output: how to select index?

Posted: Fri Jan 06, 2017 8:13 am
by _asp_
I tried to use following output configuration:


if [type] == 'metricbeat' or [LogFile] == 'metricbeat'
	{
		elasticsearch 
		{ 
			cluster => 'ff0eeea9-743f-4dd8-b088-ae81fcee793a'
			host => 'localhost'
			document_type => '%{type}'
			node_name => '931e8fa4-a75f-4be1-ada5-bc71520c4ede'
			protocol => 'transport'
			workers => 4

			#hosts => ["localhost:9200"] 
			index => ["metricbeat-%{+YYYY.MM.dd}"]
		}
	}
If I take a look inside the generated /usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf I have following output:


#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Fri, 06 Jan 2017 12:51:09 +0100
#

#
# Required output for Nagios Log Server
#

output {
    elasticsearch {
        cluster => 'ff0eeea9-743f-4dd8-b088-ae81fcee793a'
        host => 'localhost'
        document_type => '%{type}'
        node_name => '931e8fa4-a75f-4be1-ada5-bc71520c4ede'
        protocol => 'transport'
        workers => 4
    }
}

#
# Global outputs
#

output {
    if [type] == 'metricbeat' or [LogFile] == 'metricbeat'
        {
                elasticsearch
                {
                        cluster => 'ff0eeea9-743f-4dd8-b088-ae81fcee793a'
                        host => 'localhost'
                        document_type => '%{type}'
                        node_name => '931e8fa4-a75f-4be1-ada5-bc71520c4ede'
                        protocol => 'transport'
                        workers => 4

                        #hosts => ["localhost:9200"]
                        index => ["metricbeat-%{+YYYY.MM.dd}"]
                }
        }
}

#
# Local outputs
#
Unfortunately my custom output is inserted behind the automatically generated logstash part. So as a result the events that match my criteria are going to both indices (logstash and metricbeat). I am also not able to do something like that:
- if my condition is met
-> send to ES in custom index
-> send to NULL to drop it for later outputs.

[Edit] -> I found out that sending to null afterwards will not delete the event. As I see it, I need to replace the whole output filter which comes with LS. I found an example here of how the output filter should look: https://gist.github.com/jhmartin/c09e450853e273ee88f2


Is there any workaround except for overwriting the file manually and never ever using the GUI part for administrating input / filter / output again?
Would that workaround work, or is LS recreating these files in any other case than pressing the apply button in the GUI? Please also think about the upgrade procedure of LS.

Thanks, Andreas
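For readers arriving at this thread: the duplication described above happens because Logstash runs every output block that matches an event, and outputs cannot drop events (a later "null" output has no effect; only a drop filter removes an event). The usual plain-Logstash fix is a single output block whose if / else chain sends each event to exactly one elasticsearch output. The configuration below is an added example, not Nagios Log Server's generated config and not from the linked gist; it assumes Logstash 2.x or later with the HTTP-based elasticsearch output (the hosts option) and a single node on localhost:9200, and uses the index names from the first post.

```logstash
# Added example: one output block, one elasticsearch destination per event.
# Assumptions: Logstash 2.x+ HTTP elasticsearch output, node on localhost:9200.
output {
  if [type] == "metricbeat" or [LogFile] == "metricbeat" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "metricbeat-%{+YYYY.MM.dd}"
      document_type => "%{type}"
    }
  } else if [type] == "log-application-1" {
    # the per-application index asked about in the first post
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "indx_app1-%{+YYYY.MM.dd}"
      document_type => "%{type}"
    }
  } else {
    # everything else keeps the default daily logstash-* index,
    # so no event is silently lost if it matches no branch
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logstash-%{+YYYY.MM.dd}"
      document_type => "%{type}"
    }
  }
}
```

Two design choices are deliberate. Each branch uses a fixed index prefix rather than interpolating an event field such as %{type} into the index name: a sender that controls the type field would otherwise pick its own index, which defeats per-index retention and access decisions. And the trailing else branch guarantees a destination for every event, so a typo in a condition shows up as misrouted data in logstash-* instead of as missing data. Retention then becomes deleting old daily indices per pattern, which is exactly what the first post asked for.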

Re: output: how to select index?

Posted: Fri Jan 06, 2017 12:20 pm
by mcapra
Unfortunately, there isn't a way to designate specific indices for specific data, though this feature has been requested quite a lot and will likely see some implementation in a future version. I would also use caution when installing any sort of Elastic extensions on the Nagios Log Server machine.

Your thinking is certainly correct, it's just not something that is very compatible with the current version of Nagios Log Server.