Elasticsearch, Logstash and Kibana (E.L.K.) on Docker – Part 1 Logstash

When I set up my new server back in May, I decided to try out Elasticsearch, Logstash and Kibana (E.L.K.) on it against the Aggregator (my PVOutput aggregating and uploading application) logs. It took me most of a day to get it installed, but because I followed a guide somewhere on the internet I can’t remember how it was all configured..!

I was searching Docker Hub the other day and thought… “I wonder if they have Docker images for E.L.K.?”

Luckily for me, they have taken the time to create Docker instances and it’s a good excuse to uninstall E.L.K. on my server and re-do it using Docker images!

I started off by trying out the basic Logstash example given on Docker Hub, which worked fine, and then decided to try to get the image to receive my log files via the Log4j SocketAppender. No matter how I tried to get the existing Aggregator application to send the logs (SocketAppender or even via Docker volume), I could not get it to work…

So back to the drawing board!  Time to get a simple Java application up and running to try things out with… and that’s how the Spring Boot Web Example was born.

I started out with a basic Logstash config which had previously worked, using the log4j input, but found out later that Log4j and Log4j2 have incompatibilities and an addon would be needed if that input is used.

logstash.conf (1st attempt)

input {
  log4j {
    port => 9999
  }
}
filter {

}
output {
  stdout {}
}

But I don’t want to install another plugin… so I tried out various other “methods” (a.k.a. trial and error…)  and eventually found that if you use the input type tcp, you can send data to it using the Log4j2 SocketAppender, providing the Layout isn’t SerializedLayout.

logstash.conf (2nd attempt with tcp input and json codec)

input {
  tcp {
    port => 9999
    codec => json
  }
}

filter {
}

output {
  stdout {}
}

The above logstash.conf was combined with the SocketAppender and JSONLayout combo in the log4j2.xml config file:

<Socket name="socket" host="pompeii" port="13456" reconnectionDelayMillis="5000">
    <JSONLayout complete="true" compact="false" eventEol="true" />
</Socket>

But I still couldn’t get it to produce the results I was after until it dawned on me that perhaps I should change the problem around… If I just throw standard log strings at it, maybe I can break them up or format them into something that’s easier for Logstash to consume!

So I then ended up with the tcp input and line codec and decided that if I send log messages made up of key value pairs to Logstash, I could use the kv filter. I’ve now ended up with…

input {
  tcp {
    port => 9999
    codec => line
  }
}

filter {
  kv {
    source => "message"
    recursive => "true"
  }
}

output {
  stdout {codec => rubydebug}
}

And changed the log4j2.xml config to use a pattern layout that works better with the kv filter:

log4j2.xml (the full file can be found in the spring-boot-example in the log4j2.xml.tcp file)

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn" strict="true" monitorInterval="30">
    <Properties>
        ...
        <Property name="defaultpattern">logdate=(%d{ISO8601}) thread=(%thread) level=(%level) loggerclass=(%logger{36}) message=(%msg)%n</Property>
    </Properties>
    <Filter type="ThresholdFilter" level="trace"/>
    <Appenders>
        ...
        <Socket name="socket" host="pompeii" port="13456" reconnectionDelayMillis="5000">
            <Layout type="PatternLayout" pattern="${defaultpattern}" />
        </Socket>
    </Appenders>
    <Loggers>
        <Logger name="uk.co.vsf" level="info" additivity="false">
            <AppenderRef ref="STDOUT"/>
            <AppenderRef ref="File"/>
            <AppenderRef ref="socket"/>
        </Logger>
        ...
    </Loggers>
</Configuration>

The above Log4j2 config file specifies a pattern that the key value (kv) filter can read easily: it knows where each value ends because the values are wrapped in brackets. The Logstash config file also specifies the output codec rubydebug, as I found out (the hard way) that having debug on gives you an awful lot of help when trying out config changes!
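
Because this format relies on brackets to mark where a value ends and the line codec relies on newlines to mark where an event ends, message text containing either character changes the fields Logstash ends up with. The Ruby sketch below is an added example, not code from the original post or from Logstash: it uses a simplified model of the parsing (the regular expression and the helper names `events`, `parse_kv`, `sanitize` and `format_line` are assumptions) on constructed messages, and shows a sanitising step applied to the text before it is logged.

```ruby
# Added example: simplified model of key=(value) parsing, NOT the kv filter source.
# Helper names and sample messages are constructed for illustration.

KV_PAIR = /(\w+)=\(([^)]*)\)/ # a value ends at the first ')'

# A line-oriented input yields one event per newline in the payload.
def events(payload)
  payload.split(/\r\n|\r|\n/).reject(&:empty?)
end

# Parse one event; a repeated key keeps every value in an array so a
# conflicting value stays visible instead of silently replacing the first.
def parse_kv(line)
  line.scan(KV_PAIR).each_with_object({}) do |(key, value), fields|
    fields[key] = fields.key?(key) ? Array(fields[key]) + [value] : value
  end
end

# Hypothetical helper: neutralise the format's delimiters before logging.
def sanitize(text)
  text.tr("()", "[]").gsub(/\r\n|\r|\n/) { "\\n" }
end

# Subset of the page's defaultpattern: level=(...) message=(...) plus %n.
def format_line(level, message)
  "level=(#{level}) message=(#{message})\n"
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    "lookup failed (id=42) retrying\n  at uk.co.vsf.Example", # brackets + newline
    "done) level=(ERROR"                                      # closes the value early
  ]
  samples.each do |msg|
    [msg, sanitize(msg)].each do |text|
      parsed = events(format_line("INFO", text)).map { |e| parse_kv(e) }
      puts "#{text.inspect} -> #{parsed.inspect}"
    end
  end
end
```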

Putting it all together and running Logstash in Docker is probably the easiest part! To run Logstash I have a run script which has the following command:

docker run -p 13456:9999 -it --rm -v "$PWD":/config-dir logstash -f /config-dir/logstash.conf

It publishes the Logstash container’s port 9999 as host port 13456 and loads in the custom logstash.conf file.

At present Logstash doesn’t send the received messages anywhere, but it will log the input to the console. So here’s an example of calling the get users by id service.

[Image: logstash-user]

And the stdout from Logstash.

[Image: logstash-stdout]

That’s it for now, but (hopefully) in the next part, I plan to hook Logstash up to Elasticsearch in docker!

Mini Spring Boot Web Application

After a couple of years of reading about Spring Boot and never having actually tried it out, I thought now was the time to build a little example to find out how easy it is and also because I need a simple app for my E.L.K. project (more on that later!).

There’s a very good intro to get people off the ground from Spring on their website https://spring.io/guides/gs/spring-boot/ which I read through and then tweaked.

The source code for the rest of this blog article can be found here https://github.com/vls29/spring-boot-example.

For the web application I’ve used Maven. The guide extends the spring boot starter parent pom, but instead of following it exactly, I decided to find out what I might need to get the project to run by using only the poms/jars that I thought would be essential.

As such the pom doesn’t have a parent and references only the relevant spring boot related poms and jars:

  • spring-boot-starter-actuator to bring in the “…production grade services…” and see what they do!
  • spring-boot-starter-web to bring in all the Spring MVC and embedded tomcat goodies
  • and spring-boot-starter-log4j2 to add in logging which I’m going to need for the E.L.K. project

There are also two plugins: the maven compiler plugin, to make sure it compiles at Java version 8, and the spring-boot-maven-plugin, as the guide mentioned that it bundles the jar with the included maven dependencies (note: if you’re not extending the spring boot super pom, you’ll need an execution goal for the spring-boot-maven-plugin, otherwise nothing will happen).

The Application and HelloWorldController are based around the example from the getting started guide, but the UserController is one I’ve added.  It has a noddy example service which receives a path variable long representing the id of the user to retrieve (although in the example it doesn’t matter what value!).  It constructs a static user and returns the user object to the consumer.  Spring MVC then uses Jackson to marshal the object to JSON.

The final file is then a Run Config for Eclipse which executes the “spring-boot:run” goal and starts up the app from Eclipse.

The result is a very simple service that can retrieve our fake user as shown in the image below.

[Image: spring-boot-example-1]

I was pleasantly surprised how quick it was to create a service and by all the documentation available to set it up.

That’s it for now, but there will be more on E.L.K. soon!

Changing Hostname in Ubuntu

Having built a new server in the summer, I thought I’d post a little tip for if you decide to change the hostname in Ubuntu. I got caught out after completing steps 1 to 3 and then rebooting the server! Couldn’t SSH into it after it rebooted. Had to get the spare monitor out and figure out what I’d missed…

  1. check the ufw firewall rules to confirm that port 22 is open
  2. change /etc/hosts
  3. change /etc/hostname
  4. change /etc/ssh/*.pub with new hostname otherwise you won’t be able to SSH into the machine any more!

Now you can reboot