elastic/logstash-forwarder elastic/logstash-forwarder

  • Stars
    star
    1,788
  • Rank 24,941 (Top 0.6 %)
  • Language
    Go
  • License
    Other
  • Created over 11 years ago
  • Updated about 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
elastic/logstash-forwarder
github

elastic

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An experiment to cut logs in preparation for processing elsewhere. Replaced by Filebeat: https://github.com/elastic/beats/tree/master/filebeat

logstash-forwarder

THIS PROJECT IS REPLACED BY FILEBEAT

The filebeat project replaces logstash-forwarder. Please use that instead.

No further development will occur on this project. Major bug fixes or security fixes may be worked on through 2016, at which point this repository and its project will be abandoned. The replacement is filebeat which receives new features and fixes frequently. :)

Happy logging!

β™« I'm a lumberjack and I'm ok! I sleep when idle, then I ship logs all day! I parse your logs, I eat the JVM agent for lunch! β™«

(This project was recently renamed from 'lumberjack' to 'logstash-forwarder' to make its intended use clear. The 'lumberjack' name now remains as the network protocol, and 'logstash-forwarder' is the name of the program. It's still the same lovely log forwarding program you love.)

Questions and support

If you have questions and cannot find answers, please join the #logstash irc channel on freenode irc or ask on the [email protected] mailing list.

What is this?

A tool to collect logs locally in preparation for processing elsewhere!

Resource Usage Concerns

Perceived Problems: Some users view logstash releases as "large" or have a generalized fear of Java.

Actual Problems: Logstash, for right now, runs with a footprint that is not friendly to underprovisioned systems such as EC2 micro instances; on other systems it is fine. This project will exist until that is resolved.

Transport Problems

Few log transport mechanisms provide security, low latency, and reliability.

The lumberjack protocol used by this project exists to provide a network protocol for transmission that is secure, low latency, low resource usage, and reliable.

Configuring

logstash-forwarder is configured with a json file you specify with the -config flag:

logstash-forwarder -config yourstuff.json

Here's a sample, with comments in-line to describe the settings. Comments are invalid in JSON, but logstash-forwarder will strip them out for you if they're the only thing on the line:

{
  # The network section covers network configuration :)
  "network": {
    # A list of downstream servers listening for our messages.
    # logstash-forwarder will pick one at random and only switch if
    # the selected one appears to be dead or unresponsive
    "servers": [ "localhost:5043" ],

    # The path to your client ssl certificate (optional)
    "ssl certificate": "./logstash-forwarder.crt",
    # The path to your client ssl key (optional)
    "ssl key": "./logstash-forwarder.key",

    # The path to your trusted ssl CA file. This is used
    # to authenticate your downstream server.
    "ssl ca": "./logstash-forwarder.crt",

    # Network timeout in seconds. This is most important for
    # logstash-forwarder determining whether to stop waiting for an
    # acknowledgement from the downstream server. If an timeout is reached,
    # logstash-forwarder will assume the connection or server is bad and
    # will connect to a server chosen at random from the servers list.
    "timeout": 15
  },

  # The list of files configurations
  "files": [
    # An array of hashes. Each hash tells what paths to watch and
    # what fields to annotate on events from those paths.
    {
      "paths": [
        # single paths are fine
        "/var/log/messages",
        # globs are fine too, they will be periodically evaluated
        # to see if any new files match the wildcard.
        "/var/log/*.log"
      ],

      # A dictionary of fields to annotate on each event.
      "fields": { "type": "syslog" }
    }, {
      # A path of "-" means stdin.
      "paths": [ "-" ],
      "fields": { "type": "stdin" }
    }, {
      "paths": [
        "/var/log/apache/httpd-*.log"
      ],
      "fields": { "type": "apache" }
    }
  ]
}

Any part of config can use environment variables as $VAR or ${VAR}. They will be evaluated before processing JSON, allowing to pass any structure.

You can also read an entire directory of JSON configs by specifying a directory instead of a file with the -config option.

IMPORTANT TLS/SSL CERTIFICATE NOTES

This program will reject SSL/TLS certificates which have a subject which does not match the servers value, for any given connection. For example, if you have "servers": [ "foobar:12345" ] then the 'foobar' server MUST use a certificate with subject or subject-alternative that includes CN=foobar. Wildcards are supported also for things like CN=*.example.com. If you use an IP address, such as "servers": [ "1.2.3.4:12345" ], your ssl certificate MUST use an IP SAN with value "1.2.3.4". If you do not, the TLS handshake will FAIL and the lumberjack connection will close due to trust problems.

Creating a correct SSL/TLS infrastructure is outside the scope of this document.

As a very poor example (largely due unpredictability in your system's defaults for openssl), you can try the following command as an example for creating a self-signed certificate/key pair for use with a server named "logstash.example.com":

openssl req -x509  -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=logstash.example.com

The above example will create an SSL cert for the host 'logstash.example.com'. You cannot use /CN=1.2.3.4 to create an SSL certificate for an IP address. In order to do a certificate with an IP address, you must create a certificate with an "IP Subject Alternative" or often called "IP SAN". Creating a certificate with an IP SAN is difficult and annoying, so I highly recommend you use hostnames only. If you have no DNS available to you, it is still often easier to set hostnames in /etc/hosts than it is to create a certificate with an IP SAN.

logstash-forwarder needs the .crt file, and logstash will need both .key and .crt files.

Again, creating a correct SSL/TLS certificate authority or generally doing certificate management is outside the scope of this document.

If you see an error like this:

x509: cannot validate certificate for 1.2.3.4 because it doesn't contain any IP SANs

It means you are telling logstash-forwarder to connect to a host by IP address, and therefore you must include an IP SAN in your certificate. Generating an SSL certificate with an IP SAN is quite annoying, so I HIGHLY recommend you use dns names and set the CN in your cert to your dns name.

Goals

  • Minimize resource usage where possible (CPU, memory, network).
  • Secure transmission of logs.
  • Configurable event data.
  • Easy to deploy with minimal moving parts.
  • Simple inputs only:
    • Follows files and respects rename/truncation conditions.
    • Accepts STDIN, useful for things like varnishlog | logstash-forwarder....

Building it

  1. Install go

  2. Compile logstash-forwarder

Note: Do not use gccgo for this project. If you don't know what that means, you're probably OK to ignore this.

    git clone git://github.com/elasticsearch/logstash-forwarder.git
    cd logstash-forwarder
    go build -o logstash-forwarder

gccgo note: Using gccgo is not recommended because it produces a binary with a runtime dependency on libgo. With the normal go compiler, this dependency doesn't exist and, as a result, makes it easier to deploy. You can check if you are using gccgo by running go version and if it outputs something like go version xgcc, you're probably not using gccgo, and I recommend you don't. You can also check the resulting binary by doing ldd ./logstash-forwarder and seeing if libgo appears in the output; if it appears, then you are using gccgo, and I recommend you don't.

Packaging it (optional)

You can make native packages of logstash-forwarder.

To do this, a recent version of Ruby is required. At least version 2.0.0 or newer. If you are using your OS distribution's version of Ruby, especially on Red Hat- or Debian-derived systems (Ubuntu, CentOS, etc), you will need to install ruby and whatever the "ruby development" package is called for your system. On Red Hat systems, you probably want yum install ruby-devel. On Debian systems, you probably want apt-get install ruby-dev.

Prerequisite steps to prepare ruby to build your packages are:

gem install bundler
bundle install

The bundle install will install any Ruby library dependencies that are used in building packages.

Now build an rpm:

    make rpm

Or:

    make deb

Installing it (via packages only)

If you don't use rpm or deb make targets as above, you can skip this section.

Packages install to /opt/logstash-forwarder.

There are no run-time dependencies.

Running it

Generally:

logstash-forwarder -config logstash-forwarder.conf

See logstash-forwarder -help for all the flags. The -config option is required and logstash-forwrder will not run without it.

The config file is documented further up in this file.

And also note that logstash-forwarder runs quietly when all is a-ok. If you want informational feedback, use the verbose flag to enable log emits to stdout.

Fatal errors are always sent to stderr regardless of the -quiet command-line option and process exits with a non-zero status.

Key points

  • You'll need an SSL CA to verify the server (host) with.
  • You can specify custom fields for each set of paths in the config file. Any number of these may be specified. I use them to set fields like type and other custom attributes relevant to each log.

Generating an ssl certificate

Logstash supports all certificates, including self-signed certificates. To generate a certificate, you can run the following command:

$ openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout logstash-forwarder.key -out logstash-forwarder.crt -days 365

This will generate a key at logstash-forwarder.key and the 1-year valid certificate at logstash-forwarder.crt. Both the server that is running logstash-forwarder as well as the logstash instances receiving logs will require these files on disk to verify the authenticity of messages.

Recommended file locations:

  • certificates: /etc/pki/tls/certs/logstash-forwarder/
  • keys: /etc/pki/tls/private/logstash-forwarder/

Use with logstash

In logstash, you'll want to use the lumberjack input, something like:

input {
  lumberjack {
    # The port to listen on
    port => 12345

    # The paths to your ssl cert and key
    ssl_certificate => "path/to/ssl.crt"
    ssl_key => "path/to/ssl.key"

    # Set this to whatever you want.
    type => "somelogs"
  }
}

Implementation details

Below is valid as of 2012/09/19

Minimize resource usage

  • Sets small resource limits (memory, open files) on start up based on the number of files being watched.
  • CPU: sleeps when there is nothing to do.
  • Network/CPU: sleeps if there is a network failure.
  • Network: uses zlib for compression.

Secure transmission

  • Uses OpenSSL to verify the server certificates (so you know who you are sending to).
  • Uses OpenSSL to transport logs.

Configurable event data

  • The protocol supports sending a string:string map.

License

See LICENSE file.

More Repositories

1

elasticsearch

Free and Open, Distributed, RESTful Search Engine
Java
65,029
star
2

kibana

Your window into the Elastic Stack
TypeScript
19,124
star
3

logstash

Logstash - transport and process your logs, events, or other data
Java
13,615
star
4

beats

🐠 Beats - Lightweight shippers for Elasticsearch & Logstash
Go
11,967
star
5

elasticsearch-php

Official PHP client for Elasticsearch.
PHP
5,190
star
6

elasticsearch-js

Official Elasticsearch client library for Node.js
TypeScript
5,174
star
7

go-elasticsearch

The official Go client for Elasticsearch
Go
4,933
star
8

elasticsearch-py

Official Python client for Elasticsearch
Python
4,034
star
9

elasticsearch-dsl-py

High level Python client for Elasticsearch
Python
3,695
star
10

elasticsearch-definitive-guide

The Definitive Guide to Elasticsearch
HTML
3,521
star
11

elasticsearch-net

This strongly-typed, client library enables working with Elasticsearch. It is the official client maintained and supported by Elastic.
C#
3,469
star
12

curator

Curator: Tending your Elasticsearch indices
Python
3,020
star
13

elasticsearch-rails

Elasticsearch integrations for ActiveModel/Record and Ruby on Rails
Ruby
3,017
star
14

examples

Home for Elasticsearch examples available to everyone. It's a great way to get started.
Jupyter Notebook
2,587
star
15

cloud-on-k8s

Elastic Cloud on Kubernetes
Go
2,461
star
16

elasticsearch-ruby

Ruby integrations for Elasticsearch
Ruby
1,928
star
17

elasticsearch-hadoop

🐘 Elasticsearch real-time search and analytics natively integrated with Hadoop
Java
1,915
star
18

helm-charts

You know, for Kubernetes
Python
1,807
star
19

search-ui

Search UI. Libraries for the fast development of modern, engaging search experiences.
TypeScript
1,796
star
20

detection-rules

Python
1,751
star
21

ansible-elasticsearch

Ansible playbook for Elasticsearch
Ruby
1,567
star
22

otel-profiling-agent

The production-scale datacenter profiler
Go
1,231
star
23

stack-docker

Project no longer maintained.
Shell
1,189
star
24

apm-server

APM Server
Go
1,100
star
25

ecs

Elastic Common Schema
Python
920
star
26

protections-artifacts

Elastic Security detection content for Endpoint
YARA
848
star
27

ember

Elastic Malware Benchmark for Empowering Researchers
Jupyter Notebook
799
star
28

elasticsearch-docker

Official Elasticsearch Docker image
Python
790
star
29

elasticsearch-rs

Official Elasticsearch Rust Client
Rust
612
star
30

elasticsearch-cloud-aws

AWS Cloud Plugin for Elasticsearch
580
star
31

apm-agent-dotnet

Elastic APM .NET Agent
C#
540
star
32

apm-agent-nodejs

Elastic APM Node.js Agent
JavaScript
540
star
33

apm-agent-java

Elastic APM Java Agent
Java
536
star
34

eland

Python Client and Toolkit for DataFrames, Big Data, Machine Learning and ETL in Elasticsearch
Python
516
star
35

elasticsearch-mapper-attachments

Mapper Attachments Type plugin for Elasticsearch
Java
503
star
36

elasticsearch-servicewrapper

A service wrapper on top of elasticsearch
Shell
489
star
37

apm-agent-go

Official Go agent for Elastic APM
Go
390
star
38

sense

A JSON aware developer's interface to Elasticsearch. Comes with handy machinery such as syntax highlighting, autocomplete, formatting and code folding.
JavaScript
382
star
39

apm-agent-python

Official Python agent for Elastic APM
Python
381
star
40

elastic-charts

πŸ“Š Elastic Charts library
TypeScript
362
star
41

stream2es

Stream data into ES (Wikipedia, Twitter, stdin, or other ESes)
Clojure
356
star
42

timelion

Timelion was absorbed into Kibana 5. Don't use this. Time series composer for Elasticsearch and beyond.
JavaScript
347
star
43

elasticsearch-labs

Notebooks & Example Apps for Search & AI Applications with Elasticsearch
Jupyter Notebook
341
star
44

apm

Elastic Application Performance Monitoring - resources and general issue tracking for Elastic APM.
Gherkin
317
star
45

elasticsearch-net-example

A tutorial repository for Elasticsearch and NEST
305
star
46

elasticsearch-migration

This plugin will help you to check whether you can upgrade directly to the next major version of Elasticsearch, or whether you need to make changes to your data and cluster before doing so.
291
star
47

logstash-docker

Official Logstash Docker image
Python
286
star
48

elasticsearch-py-async

Backend for elasticsearch-py based on python's asyncio module.
Python
283
star
49

support-diagnostics

Support diagnostics utility for elasticsearch and logstash
Java
278
star
50

elasticsearch-java

Official Elasticsearch Java Client
Java
274
star
51

es2unix

Command-line ES
Clojure
274
star
52

elasticsearch-analysis-smartcn

Smart Chinese Analysis Plugin for Elasticsearch
268
star
53

dockerfiles

Dockerfiles for the official Elastic Stack images
Shell
253
star
54

go-sysinfo

go-sysinfo is a library for collecting system information.
Go
249
star
55

kibana-docker

Official Kibana Docker image
Python
243
star
56

elasticsearch-metrics-reporter-java

Metrics reporter, which reports to elasticsearch
Java
232
star
57

apm-agent-php

Elastic APM PHP Agent
PHP
229
star
58

docs

Ruby
229
star
59

elasticsearch-river-twitter

Twitter River Plugin for elasticsearch (STOPPED)
Java
202
star
60

elasticsearch-formal-models

Formal models of core Elasticsearch algorithms
Isabelle
200
star
61

rally-tracks

Track specifications for the Elasticsearch benchmarking tool Rally
Python
197
star
62

beats-dashboards

DEPRECATED. Moved to https://github.com/elastic/beats. Please use the new repository to add new issues.
Shell
192
star
63

elasticsearch-analysis-icu

ICU Analysis plugin for Elasticsearch
189
star
64

elasticsearch-river-rabbitmq

RabbitMQ River Plugin for elasticsearch (STOPPED)
Java
173
star
65

elasticsearch-analysis-kuromoji

Japanese (kuromoji) Analysis Plugin
168
star
66

terraform-provider-ec

Terraform provider for the Elasticsearch Service and Elastic Cloud Enterprise
Go
165
star
67

beats-docker

Official Beats Docker images
Python
165
star
68

elasticsearch-river-couchdb

CouchDB River Plugin for elasticsearch (STOPPED)
Java
163
star
69

apm-agent-ruby

Elastic APM agent for Ruby
Ruby
156
star
70

integrations

Elastic Integrations
Handlebars
155
star
71

require-in-the-middle

Module to hook into the Node.js require function
JavaScript
149
star
72

harp

Secret management by contract toolchain
Go
143
star
73

dorothy

Dorothy is a tool to test security monitoring and detection for Okta environments
Python
141
star
74

ml-cpp

Machine learning C++ code
C++
139
star
75

ecs-logging-java

Centralized logging for Java applications with the Elastic stack made easy
Java
137
star
76

SWAT

Simple Workspace Attack Tool (SWAT) is a tool for simulating malicious behavior against Google Workspace in reference to the MITRE ATT&CK framework.
Python
135
star
77

go-libaudit

go-libaudit is a library for communicating with the Linux Audit Framework.
Go
133
star
78

ansible-beats

Ansible Beats Role
Ruby
131
star
79

logstash-contrib

THIS REPOSITORY IS NO LONGER USED.
Ruby
128
star
80

elasticsearch-analysis-phonetic

Phonetic Analysis Plugin for Elasticsearch
127
star
81

azure-marketplace

Elasticsearch Azure Marketplace offering + ARM template
Shell
122
star
82

bpfcov

Source-code based coverage for eBPF programs actually running in the Linux kernel
C
115
star
83

anonymize-it

a general utility for anonymizing data
Python
114
star
84

windows-installers

Windows installers for the Elastic stack
C#
113
star
85

terraform-provider-elasticstack

Terraform provider for Elastic Stack
Go
111
star
86

makelogs

JavaScript
108
star
87

golang-crossbuild

Shell
107
star
88

elasticsearch-lang-python

Python language Plugin for elasticsearch
104
star
89

elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.
Go
102
star
90

go-freelru

GC-less, fast and generic LRU hashmap library for Go
Go
101
star
91

elasticsearch-lang-javascript

JavaScript language Plugin for elasticsearch
93
star
92

stack-docs

Elastic Stack Documentation
Java
92
star
93

elasticsearch-specification

Elasticsearch full specification
TypeScript
89
star
94

elasticsearch-perl

Official Perl low-level client for Elasticsearch.
Perl
87
star
95

next-eui-starter

Start building Kibana protoypes quickly with the Next.js EUI Starter
TypeScript
87
star
96

vue-search-ui-demo

A demo of implementing Elastic's Search UI and App Search using Vue.js
Vue
87
star
97

elasticsearch-transport-thrift

Thrift Transport for elasticsearch (STOPPED)
Java
84
star
98

ecs-dotnet

.NET integrations that use the Elastic Common Schema (ECS)
HTML
82
star
99

generator-kibana-plugin

DEPRECATED Yeoman Generator for Kibana Plugins, please use https://github.com/elastic/template-kibana-plugin/
JavaScript
79
star
100

hipio

A DNS server that parses a domain for an IPv4 Address
Haskell
76
star