monitor-logstash-with-telegraf-and-metricfire

Step-by-step Guide to Monitor Logstash With Telegraf and MetricFire

Table of Contents

Introduction 

Monitoring your Logstash service is crucial, especially given its pivotal role in log processing and data pipeline architectures. Logstash often operates as part of the Elastic Stack (formerly known as ELK Stack for Elasticsearch, Logstash, and Kibana), ingesting data from various sources, transforming it, and then outputting it to a storage and visualization layer.

In this article, we'll detail how to use the Telegraf agent to collect performance metrics from your Logstash service and forward them to a data source.

        

Getting Started with the Telegraf Agent

Telegraf is a plugin-driven server agent built on InfluxDB and can collect and send metrics/events from databases, systems, devices, and a range of popular technologies. Telegraf is written in Go, compiles into a single binary with no external dependencies, and requires minimal memory footprint. It is compatible with many operating systems and has many helpful output plugins and input plugins for collecting and forwarding a wide variety of performance metrics. 

Install Telegraf (Linux/Redhat)

Download Telegraf and unzip it (see the Telegraf docs for up-to-date versions and installation commands for many operating systems). Packages and files are generally installed at /etc/telegraf/.
Ubuntu/Debian
wget https://dl.influxdata.com/telegraf/releases/telegraf_1.21.2-1_amd64.deb
sudo dpkg -i telegraf_1.21.2-1_amd64.deb

RedHat/CentOS

wget https://dl.influxdata.com/telegraf/releases/telegraf-1.21.4-1.x86_64.rpm
sudo yum localinstall telegraf-1.21.4-1.x86_64.rpm

Configure an Output

You can configure Telegraf to output to various sources, such as Kafka, Graphite, InfluxDB, Prometheus, SQL, NoSQL, and more.

In this example, we will configure Telegraf with a Graphite output. If you're not currently hosting your own data source, you can start a 14-day free trial with Hosted Graphite by MetricFire to follow along with these next steps.

A Hosted Graphite account will provide the data source, include Hosted Grafana as a visualization tool, and offer an alerting feature.

To configure the Graphite output, locate the downloaded telegraf configuration file at /etc/telegraf/telegraf.conf and open it in your preferred text editor. Then, you will need to make the following changes to the file:

Locate and comment out the line:

# [[outputs.influxdb]]

Then, uncomment the line:

[[outputs.graphite]]

Next, uncomment and edit the server line to:

servers = ["carbon.hostedgraphite.com:2003"]

Finally, uncomment and edit the prefix line to:

prefix = "<YOUR_API_KEY>.telegraf"
If you don't already have a Hosted Graphite account, sign up for a free trial here to obtain a Hosted Graphite API key.
Otherwise, you can configure a different telegraf output to forward metrics to another data source.

Update Your Logstash Configurations

  • Generally, Logstash packages are installed at /etc/logstash (Linux)
  • If you don't already have one, create a new pipeline file for your logs at: /etc/logstash/conf.d/first-logstash-pipeline.conf with a similar configuration:
input {
    file {
      path => "/var/log/syslog"
        start_position => "beginning"
    }
}

filter {
    grok {
        match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
        match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
        target => "@timestamp"
    }
}

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "logs"
    }
    stdout {
        codec => rubydebug
    }
}
  • You may also need to locate the modify /etc/logstash/logstash.yml file and uncomment/configure the host, port, and path lines (no whitespace in the .yml file):
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d/*.conf
api.http.host: 127.0.0.1
api.http.port: 9600-9700
  • Create logs directory: sudo mkdir -p /usr/share/logstash/logs
  • Allow permissions: sudo chown -R logstash:logstash /usr/share/logstash/logs
  • Now just save your files and restart the Logstash service: sudo service logstash restart
  • NOTE: different operating systems and Logstash/Elasticsearch versions might require different configuration methods

Configure the Logstash Input Plugin

Telegraf has many input plugins that can collect a wide range of data from many popular technologies and 3rd party sources. In this example, we'll demonstrate how to configure the Logstash plugin.

Within your telegraf.conf file, locate and uncomment the [[inputs.logstash]] line:

[[inputs.logstash]]

Then you can uncomment the 'URL' line; the default path is:

  url = "http://127.0.0.1:9600"

Save your changes, and then start Telegraf using the following command to see if there are any configuration errors in the output:

telegraf --config telegraf.conf

Telegraf will now be forwarding roughly 60 metrics to your data source, reporting the following performance statistics:

  • elasticsearch/logstash plugins
  • events/processes/pipelines
  • garbage collectors
  • JVM memory/cpu

See the official GitHub repository for more information and configuration options for this input plugin.

Use Hosted Graphite by MetricFire to Create Custom Dashboards and Alerts

MetricFire is a monitoring platform that enables you to gather, visualize, analyze, and alert on metrics from sources such as servers, databases, networks, devices, and applications. Using MetricFire, you can effortlessly identify problems and optimize resources within your infrastructure. Hosted Graphite by MetricFire removes the burden of self-hosting your monitoring solution, allowing you more time and freedom to work on your most important tasks.

  1. Once you have signed up for a Hosted Graphite account and used the above steps to configure your server with the Telegraf Agent, metrics will be forwarded, timestamped, ingested, and aggregated into the Hosted Graphite backend.
  2. They will be sent and stored in the Graphite format of metric.name.path <numeric-value> <unix-timestamp>, which provides a tree-like data structure and makes them easy to query.
  3. You can locate these metrics in your Hosted Graphite account and use them to build custom Alerts and Grafana dashboards.

Create Dashboards in Hosted Graphite's Hosted Grafana

In the Hosted Graphite UI, navigate to Dashboards => Primary Dashboards and select the + button to build a new panel:

new-grafana-panel

Then you can use the query UI to select a graphite metric path (the default data source will be the hosted graphite backend if you are accessing Grafana through your Hosted Graphite account):

logstash-query 

The Hosted Graphite datasource also supports wildcard (*) searches to grab all metrics that match a specified path.



Now you can apply Graphite functions to these metrics, like aliasByNode(), to reformat the metric names on the graph:

logstash-query-refined

Grafana has many additional options, like configuring dashboard variables and annotations. You can also use different visualizations, modify the display, set the units of measurement, and much more.





Hosted Graphite also has a pre-configured dashboard for Telegraf metrics in their Dashboard Library. Once this dashboard is generated in your account, you can identify it in your Primary Dashboards to see system metrics (CPU, mem, disk) displayed. These system performance metrics come standard with a Telegraf => Graphite configuration:

Step-by-step Guide to Monitor Logstash With Telegraf and MetricFire - 1

See the Hosted Graphite dashboard docs for more details.

Creating Graphite Alerts

In the Hosted Graphite UI, navigate to Alerts => Graphite Alerts to create a new alert. Name the alert, add one of your graphite metrics to the alerting metric field, and add a description of what this alert is:

logstash-alert



Then, select the Criteria tab, which will set the threshold, and select a notification channel. The default notification channel is the email you used to sign up for the Hosted Graphite account. Still, you can easily configure a channel for Slack, PagerDuty, Microsoft Teams, and more. See the Hosted Graphite docs for more details on notification channels:

logstash-alert-criteria

Conclusion

Monitoring your Logstash service is vital for ensuring optimal performance and reliability in data processing pipelines. It helps identify bottlenecks, resource utilization issues, and errors in real-time. It also enables proactive scaling, compliance with regulatory requirements, and cost-effective resource management, ensuring that the infrastructure efficiently meets both current and future data processing needs.

Tools like dashboards and alerts complement this monitoring by providing real-time visualization, proactive identification of issues, historical trend analysis, and facilitating informed decision-making, all of which are essential for maintaining a robust and efficient network infrastructure.

Sign up for a free trial, and start monitoring your infrastructure today! You can also book a demo and talk to the MetricFire team directly about your monitoring needs.

You might also like other posts...
graphite Nov 18, 2024 · 10 min read

Monitoring Digital Ocean with Hosted Graphite and Telegraf

Explore detailed insights on how to effectively monitor your DigitalOcean environment using Hosted Graphite... Continue Reading

metricfire Nov 14, 2024 · 1 min read

How to install collectd and send metrics to MetricFire

Install collectd. Send metrics to MetricFire. Display those metrics to MetricFire's Grafana dashboard. Continue Reading

metricfire Nov 13, 2024 · 10 min read

Use the Telegraf Exec Plugin to Convert Data Formats

Streamlining your data into a single format for infrastructure monitoring makes it easier to... Continue Reading

header image

We strive for 99.999% uptime

Because our system is your system.

14-day trial 14-day trial
No Credit Card Required No Credit Card Required