Logging with ELK Stack
The ELK Stack (Elasticsearch, Logstash, Kibana) provides centralized logging for collecting, processing, and visualizing log data from across your infrastructure.
ELK Architecture
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│  App 1   │ │  App 2   │ │  App 3   │ │  Server  │
│  Logs    │ │  Logs    │ │  Logs    │ │  Logs    │
└────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘
     │            │            │            │
     └────────────┼────────────┼────────────┘
                  ▼
┌─────────────────────────────────────────────┐
│                  Logstash                   │
│  ┌─────────┐   ┌──────────┐   ┌───────────┐ │
│  │  Input  │──▶│  Filter  │──▶│  Output   │ │
│  │ (Beats) │   │ (Parse,  │   │ (ES, S3)  │ │
│  │         │   │  Enrich) │   │           │ │
│  └─────────┘   └──────────┘   └───────────┘ │
└──────────────────┬──────────────────────────┘
                   ▼
┌─────────────────────────────────────────────┐
│               Elasticsearch                 │
│   Index │ Store │ Search │ Aggregate        │
└──────────────────┬──────────────────────────┘
                   ▼
┌─────────────────────────────────────────────┐
│                   Kibana                    │
│   Dashboards │ Discover │ Visualizations    │
└─────────────────────────────────────────────┘
Logstash Pipeline
# logstash.conf
input {
  # Receive events shipped by Filebeat/other Beats agents
  beats {
    port => 5044
  }
}

filter {
  # Parse the raw line into named fields (clientip, verb, response, agent, ...);
  # lines that do not match are kept and tagged _grokparsefailure
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  # Set @timestamp from the access-log time, not from ingest time
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  # Enrich with location data derived from the client IP
  geoip {
    source => "clientip"
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    # One index per day, derived from the event's @timestamp (UTC)
    index => "logs-%{+YYYY.MM.dd}"
  }
}
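To make the filter stage concrete, here is an added example (not code from the page or from the Logstash project) that re-implements in Python what the grok and date filters above do to a single Apache combined log line, and then derives the daily index name the elasticsearch output would route it to. The regular expression is hand-written to mirror the stock `%{COMBINEDAPACHELOG}` pattern (an assumption, not the pattern's source), the field names follow the legacy names used in the config above, and the sample log line is constructed for the example.

```python
"""Re-implementation of the Logstash grok + date filter stage for one event.
Added example; the regex is an assumed approximation of %{COMBINEDAPACHELOG}."""
import re
from datetime import datetime, timezone

# Hand-written equivalent of %{COMBINEDAPACHELOG} (assumption: close enough to
# the stock grok pattern for standard Apache/Nginx combined-format lines).
COMBINED_APACHE_LOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# strptime form of the page's date filter pattern "dd/MMM/yyyy:HH:mm:ss Z"
APACHE_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample line: local time 23:55 at UTC-5, i.e. already the next day in UTC
SAMPLE_LINE = ('203.0.113.7 - - [10/Oct/2023:23:55:12 -0500] '
               '"GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0.1"')


def filter_stage(message: str) -> dict:
    """Mimic grok + date on one event. As in Logstash, a non-matching line is
    not dropped: the raw message is kept and a _grokparsefailure tag is added,
    and @timestamp falls back to ingest time."""
    event = {"message": message, "tags": []}
    m = COMBINED_APACHE_LOG.match(message)
    if not m:
        event["tags"].append("_grokparsefailure")
        event["@timestamp"] = datetime.now(timezone.utc)
        return event
    event.update(m.groupdict())  # fields stay strings, exactly as grok extracts them
    try:
        ts = datetime.strptime(event["timestamp"], APACHE_TIME_FORMAT)
        event["@timestamp"] = ts.astimezone(timezone.utc)
    except ValueError:
        event["tags"].append("_dateparsefailure")
        event["@timestamp"] = datetime.now(timezone.utc)
    return event


def index_name(event: dict, prefix: str = "logs") -> str:
    """Equivalent of index => "logs-%{+YYYY.MM.dd}": Logstash formats the
    event's @timestamp in UTC, so the index is chosen by event time, not by
    the local wall clock of the web server or of the Logstash host."""
    return f'{prefix}-{event["@timestamp"].strftime("%Y.%m.%d")}'


if __name__ == "__main__":
    for line in (SAMPLE_LINE, "not an access log line"):
        ev = filter_stage(line)
        print(index_name(ev), ev["tags"], {k: v for k, v in ev.items()
                                            if k not in ("message", "tags")})
```

Two things worth noticing when running it: the sample event, logged at 23:55 local time, is indexed under `logs-2023.10.11` because the date is taken from `@timestamp` in UTC, and the junk line is still indexed (under today's index) carrying a `_grokparsefailure` tag, which is what a Kibana search for that tag relies on to spot log formats the pipeline is silently failing to parse.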
Lightweight Alternative: Filebeat
# filebeat.yml
filebeat.inputs:
  # "log" is the legacy input type; newer Filebeat releases prefer "filestream"
  - type: log
    enabled: true
    paths:
      - /var/log/app/*.log
    # Added to every event under the "fields" key (e.g. fields.service)
    fields:
      service: myapp
      environment: production

output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  # A custom index name also requires setup.template.name and
  # setup.template.pattern to be set, or Filebeat refuses to start
  index: "filebeat-%{+yyyy.MM.dd}"