
Log support like Logstash

Open kingdevnl opened this issue 4 years ago • 18 comments

So far I've been playing with Zinc and it's been working great. It would be cool if we could have a log system like Logstash for Zinc. I've always mainly been using Elastic as a log system for multiple machines.

kingdevnl avatar Dec 04 '21 09:12 kingdevnl

@kingdevnl you may want to consider something like Fluentd, which IMO makes data transformation easier than Logstash (and is not bound to a product)

wsw70 avatar Dec 04 '21 10:12 wsw70

Can also mention Fluent Bit if you want a lightweight forwarder written in C.

susinths avatar Dec 04 '21 17:12 susinths

IMO you should check out Loki. ElasticSearch wasn't made for logs anyway. ElasticSearch indexes everything which is why it has JVM memory pressure issues, whereas Loki only indexes labels associated with a logline.

Starttoaster avatar Dec 04 '21 22:12 Starttoaster

Fluentd, Fluentbit and vector (Anything that can push to elasticsearch) should be able to push to zinc with some configuration (Authentication and URL) changes. I will create some docs to make it easy.

prabhatsharma avatar Dec 06 '21 06:12 prabhatsharma

I couldn't figure out how to handle auth with fluentd

kingdevnl avatar Dec 06 '21 06:12 kingdevnl

Maybe a working fluentd configuration file example would be great to start working on it... I have tried without success and have no more ideas now

hugollanos avatar Dec 06 '21 10:12 hugollanos

Here is at least a working Fluent Bit config:

[SERVICE]
    Flush        1
    Log_Level    debug
    Parsers_File parsers.conf
    Daemon Off

[INPUT]
    Name tail
    Parser syslog-rfc3164
    Path /var/log/*
    Path_Key filename

[OUTPUT]
    Name  es
    Match *
    Path /es
    Index syslog
    Type  journal
    Host lb02.localdomain
    Port 4080
    Generate_ID On
    HTTP_User admin
    HTTP_Passwd secret

[FILTER]
    Name parser
    Match *
    Key_Name data
    Parser syslog-rfc3164

I've played around using Fluent Bit and its systemd plugin to forward logs directly from the systemd journal, but so far I've not been able to. Below is the config I've tried with:

[SERVICE]
    Flush        1
    Log_Level    debug
    Parsers_File parsers.conf
    Daemon Off

[INPUT]
    Name systemd
    Tag      *
    Path        /run/systemd/journal
[OUTPUT]
    Name  es
    Match *
    Path /es
    Index systemdlog
    Type  journal
    Host lb02.localdomain
    Port 4080
    Generate_ID On
    HTTP_User admin
    HTTP_Passwd secret

If anyone has any idea about what I am doing wrong, please let me know :)

susinths avatar Dec 07 '21 15:12 susinths
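
Added example, not part of the thread and not code from the Zinc or Fluent Bit projects: a Python sketch of the HTTP request that an Elasticsearch-style output configured as in the first config above would send to Zinc. It assumes the shipper appends `/_bulk` to `Path`, simplifies the bulk action line (no `_type` or generated `_id`), and uses constructed sample records; the request is built but never sent.

```python
import base64
import json
import urllib.request


def basic_auth_header(user, password):
    """HTTP Basic credential: base64 of 'user:password' (an encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header):
    """What any on-path observer can do with a captured Authorization header."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def bulk_body(index, records):
    """Elasticsearch-style bulk payload: an action line, then a document line, per record."""
    if not records:
        return b""
    lines = []
    for rec in records:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(rec))
    return ("\n".join(lines) + "\n").encode()  # bulk bodies end with a newline


def build_request(host, port, path, index, user, password, records, scheme="http"):
    """Build (but do not send) the bulk request; '/_bulk' suffix is an assumption."""
    url = f"{scheme}://{host}:{port}{path.rstrip('/')}/_bulk"
    req = urllib.request.Request(url, data=bulk_body(index, records), method="POST")
    req.add_header("Content-Type", "application/x-ndjson")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


# Constructed sample records, shaped like parsed syslog lines (not real log data).
SAMPLE = [
    {"filename": "/var/log/messages", "host": "lb02", "message": "service started"},
    {"filename": "/var/log/messages", "host": "lb02", "message": "service stopped"},
]

if __name__ == "__main__":
    req = build_request("lb02.localdomain", 4080, "/es", "syslog", "admin", "secret", SAMPLE)
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("decodes to:", recover_credentials(req.get_header("Authorization")))
    print(req.data.decode(), end="")
```

Because the Basic header decodes straight back to `HTTP_User` and `HTTP_Passwd`, sending it over plain HTTP exposes the Zinc credentials to anyone on the network path. Fluent Bit's `tls On` output option addresses this when the Zinc endpoint is served over HTTPS.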

Alright, the systemd plugin of Fluent Bit actually works when I am using it directly from the host OS and not running Fluent Bit as a container. This is really great. Next we need to Zinc in k8s/OpenShift, it would be awesome to get it working there :)

susinths avatar Dec 07 '21 20:12 susinths

zinc has already supported filebeat in version v0.1.7.

hengfeiyang avatar Feb 21 '22 02:02 hengfeiyang

A golang-implemented logstash, https://github.com/childe/gohangout, works with zinc and can save lots of resources

yourchanges avatar Feb 25 '22 09:02 yourchanges

@yourchanges can you add an example of gohangout?

hengfeiyang avatar Feb 25 '22 09:02 hengfeiyang

> A golang-implemented logstash, https://github.com/childe/gohangout, works with zinc and can save lots of resources

It seems to be a nice product with good documentation, but it is unfortunately in Chinese, so limited to speakers of Chinese.

wsw70 avatar Feb 25 '22 14:02 wsw70

> @yourchanges can you add an example of gohangout?

I will try it next week.

yourchanges avatar Feb 26 '22 12:02 yourchanges

@wsw70 here is an English readme file that contains mostly doc. https://github.com/childe/gohangout/blob/master/README-EN.md

yourchanges avatar Feb 26 '22 12:02 yourchanges

Now, with a gohangout zinc output plugin, gohangout + zinc works well on our PRD env, replacing the ELK stack; simple and stable.

For the gohangout zinc output plugin, see: https://github.com/winwill2012/gohangout/commit/6d9102ef53d18426bacc373d00e098515a4dcbaa

yourchanges avatar Mar 12 '22 10:03 yourchanges

@yourchanges can you try to create a merge request for https://github.com/childe/gohangout about zinc support?

hengfeiyang avatar Mar 12 '22 11:03 hengfeiyang

see https://github.com/childe/gohangout/pull/165

yourchanges avatar Mar 14 '22 08:03 yourchanges

Since the gohangout owner rejected the merge request and suggested using the plugin approach, please use the following plugin: https://github.com/9ji/gohangout-output-zinc

yourchanges avatar Mar 16 '22 03:03 yourchanges

Closing this issue. Look at https://github.com/zinclabs/zincsearch/issues/782 for explanation.

prabhatsharma avatar Feb 26 '23 13:02 prabhatsharma