Logstash Configuration and Processing

Questions and Answers

What is the primary purpose of Logstash in the ELK stack?

To store log files permanently

To archive log files for future retrieval

To process log files and send them to Elasticsearch (correct)

To visualize log data in a user-friendly way

Which of the following sections is NOT part of a Logstash configuration file?

Input

Storage (correct)

Output

Filter

What does the Grok pattern %{EMAILADDRESS:client_email} accomplish?

It encrypts email addresses

It identifies and labels email addresses in log data (correct)

It filters out invalid email addresses

It converts email addresses to a numeric format

What format does the filter section use to parse CSV files in Logstash?

Columns => [

How does the 'live' functionality in Kibana dashboards operate?

Dashboards refresh automatically using JavaScript

Which command in Logstash converts a column entry to a float?

Mutate { convert => [“TempOut”, “float”] }

What is a key benefit of using separate configuration files for different log sources in Logstash?

They allow for independent index management and configuration

What type of visual data representation can be created in Kibana?

Graphs of any query that can be visualized

Which version of the ELK stack is recommended for installation due to easier configuration?

Version 7

What is a suggested practice during the ELK stack installation process?

Take snapshots after installing each component

What command is used to install the Elasticsearch component of the ELK stack?

apt install elasticsearch

Which configuration file needs to be updated after installing Elasticsearch?

/etc/elasticsearch/elasticsearch.yml

Why is Nginx used in the ELK stack installation process?

As a front-end proxy to connect with Kibana

What should be done after installing Kibana to ensure access to its interface?

Run a curl command to check functionality

Which utility is necessary to generate a username and password for Kibana?

openssl

What dependency must be installed alongside the ELK stack components?

Java

What is a primary advantage of using Grok in Logstash for parsing logs?

It simplifies the parsing process by using predefined patterns.

Which of the following components is NOT included in the Logstash configuration files?

Execute

What is the primary format specified in the filter section for parsing CSV files with Logstash?

Columns => [name, age, location]

Why is it beneficial to create separate configuration files for different log sources in Logstash?

To facilitate independent configuration and indexing.

How does the processing of log files occur after they are sent to the ELK server via SSH?

Logstash processes them as local files.

In Kibana, what is the significance of the term 'live' in the context of dashboards?

Live means the graphs update automatically at set intervals.

What is a key consideration when using open-source software compared to commercial applications?

Open-source applications generally require more talent to operate effectively.

What does the statement 'Mutate { convert => [“TempOut” , “float”] }' accomplish in Logstash?

It changes data types within a specific column.

Study Notes

Method #2 – Local Log

• Logs are sent directly to the ELK server via SSH.
• Logstash processes the log file locally.
• Easier configuration, fewer moving parts.
• End-to-end encryption is used.

Logstash Configuration

• Logstash processes configuration files stored locally.
• Separate log sources should use separate configuration files for easier management and indexing.
• Configuration files have three sections: input, filter, and output.
• Input: Specifies the files to process and their locations.
• Filter: Defines the fields used for processing.
• Output: Specifies where processed information is sent (e.g., Elasticsearch).

Logstash Configuration Example

• Grok: A regular expression-like tool with built-in functions to find common data patterns.
• Example: %{EMAILADDRESS:client_email} identifies typical email formats (*@*.*).
• Example Log Line: 10.185.248.71 - - [09/Jan/2015:19:12:06 +0000] 808840 "GET /inventoryService/inventory/purchaseItem?userId=20253471&itemId=23434300 HTTP/1.1" 500 17 "-" "Apache-HttpClient/4.2.6 (java 1.5)"

Apache Parsing (without Grok)

• Without Grok, parsing would be complex and manual.

Parsing CSV Files with Logstash

• Logstash can parse CSV files.
• The filter section uses a CSV method.
• Columns => [ ... ]: Defines column names.
• Seperator => ",": Defines the separator.
• Mutate { convert => ["TempOut", "float"] }: Converts a column to a float type.

Creating Dashboards in Kibana

• Dashboards are created in Kibana.
• Use the Dashboard section in Kibana.
• Visualizations: Any query can be visualized as a graph.
• Dashboards are live visualizations that automatically refresh using JavaScript.
• Create queries in Kibana or Lucien and add them as visualizations.

Description

This quiz covers the fundamentals of Logstash configuration, focusing on local log processing. Learn about the structure of configuration files, including input, filter, and output sections, and understand how Grok patterns are used to identify data formats. Test your knowledge on setting up and managing Logstash for efficient log handling.