ELK - Stack - Munich .net UG
Page 1
ELK Stack: A perfect match for your Log Management
Page 2
Steve Behrendt
@derSteve, dersteve.com
Page 3
The problem
• Distributed systems
• Service-oriented architectures
• Microservices
• Multi-language systems
• Multi-technology stacks
• Multiple datastores (SQL, NoSQL, file stores)
Page 4
Traditional Architecture (diagram)
• Browser
• IIS: Store App (Product Module, Customer Module)
• SQL Server: Product Schema, Invoice Schema, Billing Schema, Customer Schema
Page 5
Microservices (diagram)
• Browser
• Hosts: IIS, Apache / Tomcat, Azure
• Services: Product UI Service, Customer UI Service, Invoicing Service, CMS Service
• Datastores: SQL Server, Azure SQL Server, Azure DocumentDB, MySQL
• Schemas: Customer Schema, Product Schema, Content Schema, Billing Schema
Page 6
Be the logs with you (the Page 5 microservices diagram again)
• Browser
• Hosts: IIS, Apache / Tomcat, Azure
• Services: Product UI Service, Customer UI Service, Invoicing Service, CMS Service
• Datastores: SQL Server, Azure SQL Server, Azure DocumentDB, MySQL
• Schemas: Customer Schema, Product Schema, Content Schema, Billing Schema
Page 7
The challenges
• Different log formats
• Each log has its expert
• Different log locations (machines/servers)
• Different date formats
• Internet of Things: decentralised log creation and storing
• Searching files by keyword is hard
• Combination of different messages
• Setting the log context
Page 8
One solution: ELK
Page 9
ELK
• E - Elasticsearch
• L - Logstash
• K - Kibana
• … and around them: Lucene, Shield, Marvel
Page 10
The ELK architecture (diagram)
Logs (IIS, Syslog, EntLib) -> Logstash (Broker, Indexer) -> Elasticsearch (Search, Storage) -> Kibana (Visualize)
Page 11
Logstash
Collecting, filtering, normalizing and sending logs to a central location. Understands the logs.
Page 12
Logstash Pipeline
• Input: Log File
• Filter: grok, date, geoip, useragent
• Output: Elasticsearch, Console
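As an added illustration of the pipeline above (not code from the talk), a small Python stand-in for the grok and date filters: it expands %{NAME:field} tokens into a regex with named groups, parses a constructed IIS log line, normalises the timestamp to ISO 8601 and tags unparseable lines with _grokparsefailure the way Logstash does. The pattern subset, the IIS field order and the sample line are assumptions.

```python
import re
from datetime import datetime, timezone

# Small grok pattern library: a constructed subset, Logstash ships far more patterns.
PATTERNS = {
    "IIS_TS": r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "URIPATH": r"/[^\s?]*",
    "NOTSPACE": r"\S+",
}
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_compile(pattern):
    """Expand %{NAME:field} tokens into a regex with named groups, as the grok filter does."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]  # KeyError here means an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_TOKEN.sub(expand, pattern))

# Assumed W3C-style IIS field order: server-ip, method, uri, port, client-ip, agent, status.
IIS_GROK = grok_compile(
    "%{IIS_TS:timestamp} %{IP:serverip} %{WORD:verb} %{URIPATH:request} "
    "%{NUMBER:port} %{IP:clientip} %{NOTSPACE:agent} %{NUMBER:status}"
)

def parse_iis_line(line):
    """grok + date filter in one step: returns an event dict ready to be indexed."""
    m = IIS_GROK.match(line)
    if not m:
        # Logstash keeps unparsed lines and tags them rather than dropping them;
        # a sudden rise in this tag is itself worth an alert.
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    # IIS logs timestamps in UTC without an offset; normalise to ISO 8601 so logs
    # from different sources line up on one @timestamp axis in Kibana.
    ts = datetime.strptime(event.pop("timestamp"), "%Y-%m-%d %H:%M:%S")
    event["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    for numeric in ("port", "status"):
        event[numeric] = int(event[numeric])
    event["message"] = line
    return event

def index_name(event):
    """Daily index name in the logstash-YYYY.MM.DD form the elasticsearch output uses by default."""
    return "logstash-" + event["@timestamp"][:10].replace("-", ".")

# Constructed sample line (IIS replaces spaces inside the user agent with '+').
SAMPLE = "2015-07-23 10:15:42 10.0.0.5 GET /store/products 80 203.0.113.7 Mozilla/5.0+(Windows+NT+6.3) 200"
```

The result of parse_iis_line(SAMPLE) is the JSON body you would PUT into the index returned by index_name.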
Page 13
Grok debugger
http://grokdebug.herokuapp.com/
Page 14
Forwarder: lumberjack
A separate service that forwards messages to a remote endpoint, e.g. a Logstash instance or Elasticsearch.
Page 15
Logstash DEMO
Page 16
Elasticsearch
• Based on Lucene for indexing and searching, but Lucene is just a library and very complex
• Provides a (simple) RESTful API abstraction on top of Lucene
• Stores documents in JSON format
Page 17
Elasticsearch - Scaling
• Supports vertical scaling (bigger hardware) and horizontal scaling (more hardware)
• Horizontal scaling is hard, but Elasticsearch is distributed by nature
Page 18
The empty cluster
Node: a running instance of Elasticsearch.
Cluster: one or more nodes with the same cluster name that work together to share their data and workload.
Page 19
Index and shards
Shard: low-level worker holding a slice of the data; a single instance of Lucene.
Index: logical namespace that points to one or more physical shards.
Page 20
Replicas / Failover
Primary and replica shards: a primary shard and its associated replica shards store the same documents.
A newly indexed document is first stored on a primary shard, then copied in parallel to the associated replica shard(s).
Page 21
Horizontal scaling
3 shards spread across 3 nodes instead of 2.
Each shard is a full-fledged search engine. Scale by increasing the number of replica shards.
Page 22
Cluster Discovery
Discovering nodes inside a cluster and electing a master node: Zen discovery.
Page 23
Types, Documents, Fields

| Relational Database | Elasticsearch |
|---|---|
| Databases | Indices |
| Tables | Types |
| Rows | Documents |
| Columns | Fields |
Page 24
Storing documents

```
PUT /customer/employee/1
{
  "first_name" : "John",
  "last_name" : "Smith",
  "age" : 25,
  "about" : "I love to go rock climbing",
  "interests" : [ "sports", "music" ]
}
```
Page 25
Retrieving a document

```
GET /customer/employee/1
```

Search lite

```
GET /customer/employee/_search
```
Page 26
Query DSL

```
GET /customer/employee/_search
{
  "query" : {
    "match" : { "last_name" : "Smith" }
  }
}
```
Page 27
Elasticsearch DEMO
Page 28
Kibana
Data Visualization + Data Discovery
Page 29
Kibana DEMO
Page 30
What's missing?
• Security
• Alerting
Page 31
Alternatives?
Page 32
Go and grok some logs