Your typical business application consists of a variety of servers such as WildFly, MySQL, Apache, ActiveMQ, and others. Each has its own log format, with minimal to no consistency across them. A log statement typically consists of some sort of timestamp (in widely varying formats) and some free text, and a single log entry can span multiple lines. If you are running a cluster of servers, these logs are decentralized, in different directories.
How do you aggregate these logs? Provide a consistent visualization over them? Make this data available to business users?
This blog will:
- Introduce ELK stack
- Explain how to start it
- Start a WildFly instance to send log messages to the ELK stack (Logstash)
- View the messages using ELK stack (Kibana)
What is ELK Stack?
ELK stack provides a powerful platform to index, search and analyze your data. It uses Logstash for log aggregation, Elasticsearch for searching, and Kibana for visualizing and analyzing data. In short, ELK stack:
- Collect logs and events data (Logstash)
- Make it searchable in fast and meaningful ways (Elasticsearch)
- Use powerful analytics to summarize data across many dimensions (Kibana)
Logstash is a flexible, open source data collection, enrichment, and transportation pipeline.
Elasticsearch is a distributed, open source search and analytics engine, designed for horizontal scalability, reliability, and easy management.
Kibana is an open source data visualization platform that allows you to interact with your data through stunning, powerful graphics.
How does ELK Stack work?
Logstash can collect logs from a variety of sources (using input plugins), process the data into a common format using filters, and stream the data to a variety of destinations (using output plugins). Multiple filters can be chained to parse the data into a common format. Together, they build a Logstash Processing Pipeline.
Inputs and outputs support codecs that enable you to encode or decode the data as it enters or exits the pipeline without having to use a separate filter.
Logstash can then store the data in Elasticsearch and Kibana provides a visualization of that data. Here is a sample pipeline that can collect logs from different servers and run it through the ELK stack.
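To make the three pipeline stages concrete, here is a toy Logstash-style pipeline written in plain Python. It is an added example, not code from this blog or from Logstash itself: the input stage reassembles multi-line WildFly events, the filter stage normalises a WildFly server.log line and an Apache access-log line into one document shape with an @timestamp field, and the output stage renders the body Logstash would send to the Elasticsearch bulk API. The log lines are constructed samples; the pipeline assumes WildFly lines without a time zone were logged in UTC, and the daily logstash-YYYY.MM.dd index naming and the "logs" document type are this example's own choices.

```python
"""Toy Logstash-style processing pipeline: input -> filters -> output.

Added example, not code from the blog or from Logstash. Every log line
below is a constructed sample.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: a WildFly server.log excerpt whose second event
# carries a multi-line stack trace, and one Apache access-log line.
WILDFLY_LOG = """\
2015-08-10 13:45:01,234 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: WildFly started
2015-08-10 13:45:02,001 ERROR [org.example.Service] (default task-1) Lookup failed
java.lang.IllegalStateException: boom
\tat org.example.Service.lookup(Service.java:42)
"""
APACHE_LOG = '10.0.0.5 - - [10/Aug/2015:13:45:03 +0000] "GET /app/ HTTP/1.1" 200 512\n'

# Grok-style patterns: every named group becomes a field on the event.
WILDFLY_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
WILDFLY_RE = re.compile(
    r"^(?P<ts>" + WILDFLY_TS + r") (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<message>.*)$", re.S)
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)$")


# --- input stage: multi-line handling ---------------------------------------
def read_multiline(text, starts_event):
    """Group raw lines into events; a line for which starts_event() is false
    is glued onto the previous event (stack traces, wrapped messages)."""
    events, buf = [], []
    for line in text.splitlines():
        if starts_event(line) and buf:
            events.append("\n".join(buf))
            buf = []
        buf.append(line)
    if buf:
        events.append("\n".join(buf))
    return events


# --- filter stage: one pattern per source, one common output shape ----------
def grok(event, pattern, ts_format):
    """Parse event["message"] with pattern and promote its timestamp to
    @timestamp. On a miss the event is kept and tagged, mirroring the
    _grokparsefailure tag the real grok filter adds."""
    m = pattern.match(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    fields = m.groupdict()
    ts = datetime.strptime(fields.pop("ts"), ts_format)
    if ts.tzinfo is None:              # assumption: zone-less sources log in UTC
        ts = ts.replace(tzinfo=timezone.utc)
    event.update(fields)               # a "message" group replaces the raw line
    event["@timestamp"] = ts.isoformat()
    return event


def filter_wildfly(event):
    event = grok(event, WILDFLY_RE, "%Y-%m-%d %H:%M:%S,%f")
    if "level" in event:
        event["level"] = event["level"].upper()   # same spelling across sources
    return event


def filter_apache(event):
    return grok(event, APACHE_RE, "%d/%b/%Y:%H:%M:%S %z")


# --- output stage: the Elasticsearch bulk request body ----------------------
def to_bulk(events):
    """Render newline-delimited JSON for the _bulk API with one daily index
    per event (logstash-YYYY.MM.dd). Events that never got a timestamp are
    stamped with the ingest time, as Logstash does."""
    lines = []
    for ev in events:
        stamp = ev.setdefault("@timestamp", datetime.now(timezone.utc).isoformat())
        day = stamp[:10].replace("-", ".")
        lines.append(json.dumps({"index": {"_index": f"logstash-{day}", "_type": "logs"}}))
        lines.append(json.dumps(ev, sort_keys=True))
    return "\n".join(lines) + "\n"


def run_pipeline(wildfly_text=WILDFLY_LOG, apache_text=APACHE_LOG):
    """Run both constructed sources through the pipeline; return the events."""
    events = []
    for raw in read_multiline(wildfly_text, re.compile(WILDFLY_TS).match):
        events.append(filter_wildfly({"type": "wildfly", "host": "app-1", "message": raw}))
    for raw in read_multiline(apache_text, lambda _line: True):   # one event per line
        events.append(filter_apache({"type": "apache", "host": "web-1", "message": raw}))
    return events


if __name__ == "__main__":
    print(to_bulk(run_pipeline()))
```

Running the script prints the bulk body: three index actions, each followed by a document in which the WildFly stack trace stays attached to its ERROR event and both sources share the same @timestamp format, which is what lets Kibana put them on one time axis later in this post.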
Start ELK Stack
You can download individual components of ELK stack and start that way. There is plenty of advice on how to configure these components. But I like to start with a KISS, and Docker makes it easy to KISS!
All the source code on this blog is at github.com/arun-gupta/elk.
- Clone the repo:
  git clone https://github.com/arun-gupta/elk.git
  cd elk
- Run the ELK stack:
  docker-compose up -d
  Creating elk_elasticsearch_1...
  Creating elk_logstash_1...
  Creating elk_kibana_1...
  docker ps will show the output as:
  elk> docker ps
  CONTAINER ID   IMAGE                           COMMAND                  CREATED              STATUS          PORTS                                            NAMES
  cdc61acc1623   kibana:4.1.1                    "/docker-entrypoint.     59 seconds ago       Up 58 seconds   0.0.0.0:80->5601/tcp                             elk_kibana_1
  e184f2efcf95   arungupta/logstash:1.5.3        "/opt/logstash/bin/l     About a minute ago   Up 58 seconds   0.0.0.0:5000->5000/tcp, 0.0.0.0:5000->5000/udp   elk_logstash_1
  0622b55e8645   arungupta/elasticsearch:1.7.1   "/opt/elasticsearch/     About a minute ago   Up 59 seconds   0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp   elk_elasticsearch_1
  It shows all the containers running.
WildFly and ELK
James (@the_jamezp) blogged about Centralized Logging for WildFly with ELK Stack. The blog explains how to configure WildFly to send log messages to Logstash. It uses the highly modular nature of WildFly to install the jboss-logmanager-ext library as a module. The configured logmanager includes an @timestamp field in the log messages sent to Logstash. These log messages are then sent to Elasticsearch.
Instead of following the steps, let's Docker KISS and use a pre-configured image to get you started.
Start the image as:
  docker run -p 8080:8080 -it -e HOST=<DOCKER_HOST_IP> arungupta/wildfly-logstash
Make sure to substitute <DOCKER_HOST_IP> with the IP address of your Docker host. This can be easily found using docker-machine ip <MACHINE_NAME>.
View Logs using ELK Stack
Kibana runs on an embedded nginx and is configured to run on port 80 in docker-compose.yml. Let's view the logs using that.
- Access http://<DOCKER_HOST_IP> in your machine and it should show the default page as:
  The @timestamp field was created by the logmanager configured in WildFly.
- Click on Create to create an index pattern and select the Discover tab to view the logs as:
Try connecting other sources and enjoy the power of distributed logs consolidated by ELK!
Some more references …
- Logstash docs
- Kibana docs
- Elasticsearch The Definitive Guide
Distributed logging and visualization is a critical component in a microservices world where multiple services would come and go at a given time. A future blog will show how to use ELK stack with a microservices architecture based application.
Enjoy!
Hi Arun – there’s no arungupta/wildfly-logtash repo to pull from the hub and you say to replace DOCKER_HOST_IP but perhaps you mean to say set it? e.g. DOCKER_HOST_IP=192.168.0.1
Thanks for the note!
Command is now fixed! It should be HOST=<DOCKER_HOST_IP>. And the image is also pushed to docker hub as well.
Great! I tested it out and it works well. Just a small thing I’m seeing “docker run -p 8080:8080 -it -e HOST=<DOCKER_HOST_IP> arungupta/wildfly-logstash” above and not as you intended. Might confuse some people.
It’s the silly code formatter 😉
Now it's fixed!
Hi,
Thanks for the article. I have downloaded the docker images and am trying to run the example provided above to see what it looks like. Unfortunately, after opening the Kibana user interface I am not able to see any time field named @timestamp available automatically; in my case it shows the message “Unable to fetch mapping. Do you have indices matching pattern?”
When I looked into the logstash image through the “docker exec” command I was not able to find any configuration for wildfly. Do I need to follow the article mentioned above and configure logstash properly? http://wildfly.org/news/2015/07/25/Wildfly-And-ELK/
Please let me know what I am missing here.
Sorry for the confusion. I checked again and found that logstash was already configured to talk with elasticsearch server in /etc/logstash.sample.conf file.
Also, after some time I got the option to configure the index pattern. It might be possible that until that time there were not sufficient logs generated in the system.
Thanks for the article and the pre-configured docker images.
Pre-configured Docker images should just work as is! You can also try to deploy a WAR file to WildFly and see the logs appearing.
Hi Arun,
Another great article!
Sorry for this silly question, but what do you mean by “KISS”:
“But I like to start with a KISS, and Docker makes it easy to KISS!”
What is “KISS” in this context?
Keep It Simple Stupid