
Logs, events and metrics

Logs provide more context than events or metrics, but they are harder to store and process: there is more data, and it is often unstructured.

Components

Logs flow:

  1. Log producers (VMs, containers, applications, devices)
  2. Optional message broker such as Kafka (some log pre-processing can be done here)
  3. Input
  4. Extractor
  5. Stream
  6. Pipeline
  7. Alert
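To make the stages concrete, here is an added example (my own code, not part of these notes or of any particular log platform) that pushes a few constructed sshd and nginx lines through input, extractor, stream, pipeline and alert stages in Python. The stage names follow the list above; the field names, the regex and the brute-force alert rule are my own choices for illustration.

```python
import re
from collections import Counter

# Constructed sample input (not real logs): sshd and nginx lines from one host.
SAMPLE_LOGS = [
    "Jul 23 09:53:08 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Jul 23 09:53:09 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Jul 23 09:53:10 web01 sshd[2214]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    "Jul 23 09:53:11 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    'Jul 23 09:53:12 web01 nginx: 203.0.113.7 - - "GET /posts/45326 HTTP/1.1" 404',
]

# Input: every raw line becomes a message with the fields all messages share.
def input_stage(line):
    parts = line.split()
    return {"timestamp": " ".join(parts[:3]), "source": parts[3], "message": line}

# Extractor: a regex pulls structured fields out of the free text.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"
)

def extractor_stage(msg):
    m = AUTH_RE.search(msg["message"])
    if m:
        msg.update(m.groupdict())
        msg["type"] = "ssh"
    return msg

# Stream: a rule on the extracted fields routes the message into a named stream.
def stream_stage(msg):
    msg["stream"] = "auth" if msg.get("type") == "ssh" else "default"
    return msg

# Pipeline: normalisation/enrichment, here only applied to the auth stream.
def pipeline_stage(msg):
    if msg["stream"] == "auth":
        msg["outcome"] = "failure" if msg["result"] == "Failed" else "success"
    return msg

# Alert: a condition evaluated over the processed messages. This one is a
# brute-force style rule: at least `threshold` failures from one source address.
def alert_stage(messages, threshold=3):
    failures = Counter(m["src_ip"] for m in messages
                       if m["stream"] == "auth" and m["outcome"] == "failure")
    return [{"src_ip": ip, "failures": n}
            for ip, n in failures.items() if n >= threshold]

def process_logs(lines, threshold=3):
    """Run every line through input -> extractor -> stream -> pipeline, then alert."""
    messages = [pipeline_stage(stream_stage(extractor_stage(input_stage(line))))
                for line in lines]
    return messages, alert_stage(messages, threshold)

if __name__ == "__main__":
    msgs, alerts = process_logs(SAMPLE_LOGS)
    for m in msgs:
        print(m["stream"], m.get("user"), m.get("outcome"))
    print("alerts:", alerts)
```

The nginx line never matches the extractor, so it lands in the default stream untouched; the three failed logins from 203.0.113.7 cross the threshold and produce one alert. The optional broker from step 2 is not modelled: it would sit between the producers and input_stage and could host the same regex work.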

Index

Input

Extractor

Stream

Pipeline

Alert

Searching

The following characters must be escaped with a backslash:

& | : \ / + - ! ( ) { } [ ] ^ " ~ * ?

e.g:

resource:\/posts\/45326
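The escaping rule matters most when a query is built from a value you do not control, such as an ID taken from a request and pasted into a saved search or dashboard link. As an added example (my own code, not from these notes), a small Python helper that applies the list above. It assumes Lucene-style semantics: whitespace separates terms (so OR, AND and NOT inside an unquoted value would act as operators) and a double-quoted phrase is matched exactly, which is consistent with the type:"ssh login" example further down. The function names are my own.

```python
# Characters that must be escaped with a backslash (the list from the notes above).
SPECIAL_CHARS = set('&|:\\/+-!(){}[]^"~*?')

def escape_term(value):
    """Escape a single term so every special character is matched literally."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)

def escape_phrase(value):
    """Quote a value as an exact phrase; inside the quotes only \\ and " need escaping."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def escape_value(value):
    """Backslash-escaping alone does not stop whitespace from splitting a value into
    several terms (and letting an embedded OR/AND/NOT act as an operator), so a value
    containing whitespace is emitted as a quoted phrase instead."""
    if any(ch.isspace() for ch in value):
        return escape_phrase(value)
    return escape_term(value)

def field_query(field, value):
    """field:value with an untrusted value made safe."""
    return f"{field}:{escape_value(value)}"

def any_of_query(field, values):
    """field:(v1 OR v2 ...) with every value made safe."""
    return f"{field}:(" + " OR ".join(escape_value(v) for v in values) + ")"

def unsafe_field_query(field, value):
    """Naive concatenation, kept only to show what the escaping prevents."""
    return f"{field}:{value}"

if __name__ == "__main__":
    # Constructed inputs: a normal path and an attacker-chosen value.
    print(field_query("resource", "/posts/45326"))
    print(unsafe_field_query("resource", "45326 OR *"))   # widens to every message
    print(field_query("resource", "45326 OR *"))          # stays one literal phrase
    print(any_of_query("type", ["ssh", "login"]))
```

The first line printed is exactly the resource:\/posts\/45326 query shown above. The unsafe variant turns "45326 OR *" into an OR with a bare wildcard, which matches everything; the escaped variant keeps it as a single phrase.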

Full text

All messages that include ssh or login:

ssh login

By field

Messages where the type field contains ssh or login:

type:(ssh OR login)

Messages where the type field contains the exact phrase "ssh login":

type:"ssh login"

Numeric fields support range queries:

http_response_code:[500 TO 504] # inclusive
http_response_code:{400 TO 404} # exclusive
bytes:{0 TO 64]
http_response_code:>=400
http_response_code:(>=400 AND <500)
timestamp:["2019-07-23 09:53:08.175" TO "2019-07-23 09:53:08.575"] # must be UTC

Patterns

Regexes, written between slashes (see the Elasticsearch regex syntax for the full set of supported constructs):

/ethernet[0-9]+/

Wildcards - use ? to replace a single character or * to replace zero or more characters:

source:exam?ple.*

Fuzziness - append ~ to a term to also match similar spellings:

ssh login~
source:example.org~
