I use lumberjack which handles the same functionality that logstash uses redis for
MixMuffins
whack: so my setup looks like this: 30 prod servers -> rabbitMQ -> logstash filtering server -> ES clusters for certain logs types -> back to logstash server hosting Kibanas
aaand HR just told me they scheduled a meeting for now 30 minutes ago.
JohnS_
i was thinking to put redis on all our web servers....and ship logs to local, and tell elastic to get there for input
MixMuffins
bbl.
imperialwicket
whack: do your servers send logs to a particular hostname, or some load balancer?
whack
imperialwicket: lumberjack handles that; I give a list of servers and it figures it out
eper
that works fine but juniper kit tends to not run lumberjack too well
whack
well certainly lumberjack isn't a solution for all situations ;)
eper
thought there was a magic trick I was missing - damn !
whack
most juniper stuff is freebsd-based, isn't it?
eper
yeah
i can get to shell but the memory is not massive for java stuff to run
whack
lumberjack should run on it then, though I haven't tested.
lumberjack is written in C, not java.
Urocyon
I think I found my strange message problem… a couple of extra escapes in something that's getting single quoted rather than double quoted.
eper
also i think it might violate our support contracts :)
worth a go though
whack
eper: indeed, which means you should get logs from whatever supported interface there is.
willejs has quit
rashidkpc
MixMuffins: I haven't read everything, but have we addressed your grok filters?
imperialwicket
whack: but it's still the case that if you want to deploy an 8th LS/ES server, you need to push that updated server list to all the shipping servers before 8 gets used, right?
saurajeetd has quit
whack
imperialwicket: well, yes, but at some point to add another server to any system you have to have a way of advertising that additional server's presence.
rashidkpc
MixMuffins: oh, you're gone. Well, if we haven't already addressed, use grok less. Grok is great, but if you can avoid it, you're going to get much better performance
whack
imperialwicket: and the config file is automatically generated for lumberjack, so there's nothing to do by hand for me
webb joined the channel
(in my case, anyway)
rashidkpc
MixMuffins: as an example, I went from shipping logs as strings, through grok, to shipping as json objects with minimal grokking, and went from 350e/s per LS node, to 1800+
cjs226 has quit
imperialwicket
whack: sounds right, just checking. thanks for details, much appreciated
JohnS_
can someone tell me what is the best INPUT for redis, Thread and batch_count
Layke has quit
whack
there's no best
JohnS_: experimentation is the best recommendation
MixMuffins
rashidkpc: yeah, actually. The majority of my logs aren't using grok filters; they're actually being input directly thanks to changes using a logstash json appender that formats the logs into an easy-to-parse format for logstash
So, short meeting, but I need to head home for a bit. One of my coworkers passed away this morning, which is a bit of a shakeup.
JohnS_
whack: yes but there should be some guidance
rashidkpc
MixMuffins: my condolences
JohnS_
as per cpu or something else
whack
JohnS_: I don't really have any guidance. If I did, I'd set that guidance to be the default values.
so my guidance is generally "use the defaults"
kjstone00 has quit
MixMuffins
whack rashidkpc: Thank you for help though. :) I'll have to talk with you guys on a different date. I seem to have the worst luck so far as coming in here for questions; gotta love unexpected events. In any case, have a wonderful evening.
MixMuffins has quit
JohnS_
there should be something about on how big rate can logstash read from redis
whack
JohnS_: that depends on your configuration (software and hardware)
I've done 25000 events/sec with logstash 1.1.13 on my workstation
JohnS_
whack: yes but with 4cpu machine what threads and batch to set?
whack
If you care, here's the results of my last test set