I am using logstash, elasticsearch and kibana to analyze my logs. I am alerting via email when a particular string comes into the log, using the email output in logstash:

    email {
        match => [ "Session Detected", "logline,*Session closed*" ]
        ...........................
    }

This works fine.

Now, I want to alert on the count of a field (when a threshold is crossed). E.g. if user is a field, I want to alert when the number of unique users goes above 5.

Can this be done via the email output in logstash?

Please help.
EDIT: As @Alcanzar said, I did this:

config file:

    if [server] == "Server2" and [logtype] == "ABClog" {
        grok {
            match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:server-name} abc\[%{INT:id}\]: \(%{USERNAME:user}\) CMD \(%{GREEDYDATA:command}\)"]
        }
        metrics {
            meter => ["%{user}"]
            add_tag => "metric"
        }
    }

So according to the above, for server2 and abclog I have a grok pattern for parsing my file, and I want the metric applied on the user field parsed by grok. I did that in the config file as above, but I get strange behaviour when I check the logstash console with -vv.

So if there are 9 log lines in the file it parses the 9 first; after that it starts the metric part, but there the message field is not the logline from the log file but the user-name of my PC, thus it gives _grokparsefailure. Something like this:

    output received {
        :event=>{"@version"=>"1", "@timestamp"=>"2014-06-17T10:21:06.980Z", "message"=>"my-pc-name",
        "root.count"=>2, "root.rate_1m"=>0.0, "root.rate_5m"=>0.0, "root.rate_15m"=>0.0,
        "abc.count"=>2, "abc.rate_1m"=>0.0, "abc.rate_5m"=>0.0, "abc.rate_15m"=>0.0, "tags"=>["metric",
        "_grokparsefailure"]}, :level=>:debug, :file=>"(eval)", :line=>"137"
    }
Any help is appreciated.
I believe what you need is http://logstash.net/docs/1.4.1/filters/metrics. You'd want to use a metrics filter to calculate the rate of your event, and then use thing.rate_1m or thing.rate_5m in an if statement around your email output. For example:

    filter {
        if [message] =~ /whatever_message_you_want/ {
            metrics {
                meter => "user"
                add_tag => "metric"
            }
        }
    }
    output {
        if "metric" in [tags] and [user.rate_1m] > 1 {
            email { ... }
        }
    }
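Two things are worth checking before wiring this into an email output. First, a metrics meter counts events: the answer's `meter => "user"` gives an event rate in `user.rate_1m`, and the question's `meter => ["%{user}"]` creates one meter per user name (the `root.*` and `abc.*` fields in the debug output), so neither yields the number of distinct users that the question asks to threshold. Second, the debug output shows why grok fails: the metrics filter flushes its own events, whose `message` is the hostname rather than a log line, and they reach grok unless the grok block is guarded (in Logstash config, wrapping it in `if "metric" not in [tags] { ... }`). The Python below is an added example, not code from the question, the answer or Logstash: it simulates the intended pipeline over a few constructed log lines in the question's format, skipping events tagged `metric` before parsing, parsing with a regex standing in for the grok pattern, keeping a sliding window of distinct users, and raising one alert per crossing of the threshold of 5. The one-minute window, the simplified `HOSTNAME`/`USERNAME` character classes, the bare timestamp format and the sample lines are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Regex standing in for the question's grok pattern. Assumption: timestamps are
# bare "YYYY-MM-DDTHH:MM:SS"; HOSTNAME/USERNAME are simplified character classes.
LOG_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<server_name>[A-Za-z0-9._-]+) abc\[(?P<id>\d+)\]: "
    r"\((?P<user>[A-Za-z0-9._-]+)\) CMD \((?P<command>.*)\)$"
)


def parse_line(message):
    """Parse one log line; None is the equivalent of a _grokparsefailure."""
    m = LOG_RE.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["timestamp"] = datetime.strptime(fields["timestamp"], "%Y-%m-%dT%H:%M:%S")
    return fields


class UniqueUserMeter:
    """Distinct users seen within a sliding time window: the check the question
    asks for. A Logstash metrics meter counts events, not distinct values."""

    def __init__(self, window):
        self.window = window
        self.seen = deque()  # (timestamp, user), oldest first

    def observe(self, ts, user):
        self.seen.append((ts, user))
        cutoff = ts - self.window
        while self.seen and self.seen[0][0] < cutoff:
            self.seen.popleft()
        return self.unique_users()

    def unique_users(self):
        return len({user for _, user in self.seen})


def run_pipeline(events, threshold=5, window=timedelta(minutes=1), guard_metric_events=True):
    """Run events (dicts with "message" and optional "tags") through
    guard -> parse -> meter -> alert decision. Returns (alerts, grok_failures);
    alerts holds one (timestamp, distinct_users) tuple per threshold crossing."""
    meter = UniqueUserMeter(window)
    alerts, grok_failures = [], 0
    above = False  # one mail per crossing, not one per event while above
    for event in events:
        if guard_metric_events and "metric" in event.get("tags", []):
            continue  # flushed metric event: message is the hostname, not a log line
        fields = parse_line(event["message"])
        if fields is None:
            grok_failures += 1
            continue
        count = meter.observe(fields["timestamp"], fields["user"])
        if count > threshold and not above:
            alerts.append((fields["timestamp"], count))
        above = count > threshold
    return alerts, grok_failures


# Constructed sample events in the question's format (assumed content), including
# one flushed metric event shaped like the debug output and one unparsable line.
SAMPLE_EVENTS = [
    {"message": "2014-06-17T10:21:00 server2 abc[101]: (root) CMD (ls /tmp)"},
    {"message": "2014-06-17T10:21:05 server2 abc[102]: (abc) CMD (cat /etc/hosts)"},
    {"message": "2014-06-17T10:21:10 server2 abc[103]: (root) CMD (id)"},
    {"message": "my-pc-name", "tags": ["metric"]},
    {"message": "2014-06-17T10:21:15 server2 abc[104]: (carol) CMD (uptime)"},
    {"message": "2014-06-17T10:21:20 server2 abc[105]: (dave) CMD (w)"},
    {"message": "not a log line at all"},
    {"message": "2014-06-17T10:21:25 server2 abc[106]: (erin) CMD (df -h)"},
    {"message": "2014-06-17T10:21:30 server2 abc[107]: (frank) CMD (ps aux)"},
    {"message": "2014-06-17T10:21:35 server2 abc[108]: (root) CMD (ls)"},
]

if __name__ == "__main__":
    alerts, failures = run_pipeline(SAMPLE_EVENTS)
    for ts, count in alerts:
        print(f"ALERT {ts.isoformat()}: {count} distinct users in the last minute")
    print(f"grok failures with guard: {failures}")
    print(f"grok failures without guard: {run_pipeline(SAMPLE_EVENTS, guard_metric_events=False)[1]}")
```

With the guard, the only grok failure is the genuinely unparsable line and a single alert fires when the sixth distinct user appears; without the guard the flushed metric event also counts as a failure, which is exactly what the `_grokparsefailure` tag on the `my-pc-name` event in the question shows. The sliding window is what makes "more than 5 unique users" meaningful over time; pick it to match how quickly you expect the condition to clear, and keep the one-alert-per-crossing logic so the email output does not send a message for every event while the count stays above the threshold.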