
30 Oct 2021

Logstash Azure Event Hub input configuration

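Recently I have been planning an ELK setup again. What is different this time is that I chose Elastic Cloud, and the services are all deployed as PaaS, so mounting a volume or installing Filebeat on the machine is difficult. I first considered storing the logs in an Azure blob queue, but later chose an officially provided input plugin instead: the services write their logs to Azure Event Hub, and Logstash reads them and sends them to Elasticsearch.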

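After following the official documentation, I kept getting this error message: "The configuration will result in overwriting offsets. Please ensure that the each Event Hub's consumer_group is using a unique storage container." I also tried the advanced configuration, but since only one set would use the advanced mode it was a bit too complicated, so I switched back to the original settings. Then I wondered whether, because I had two connection strings for my event hub, I would need multiple storage containers. After deleting one of them, it ran normally.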

# logstash pipeline config that produces the error
input {
    azure_event_hubs {
        event_hub_connections => ["Endpoint=sb://<<event hub>>.servicebus.windows.net/;SharedAccessKeyName=logsta...",
            "Endpoint=sb://<<event hub>>.servicebus.windows.net/;SharedAccessKeyName=logsta..."]
        storage_connection => "DefaultEndpointsProtocol=https;..."
        consumer_group => "logstash"
        decorate_events => true
        threads => 8
    }
}
filter {
    json {
        source => "message"
    }
    date {
        match => [ "Timestamp", "ISO8601" ]
        target => "@timestamp"
    }
    mutate {
        rename => ["MessageTemplate", "message" ]
        rename => ["Level", "level" ]
        merge => { "message" => "Exception" }
        remove_field => ["Exception", "Timestamp"]
    }
}
output {
    elasticsearch {
        cloud_id => "<<Cloud id>>"
        cloud_auth => "<<user>>:<<password>>"
        index => "demo-%{+YYYY.w}"
    }
}

# Final logstash pipeline config
input {
    azure_event_hubs {
        event_hub_connections => ["Endpoint=sb://<<event hub>>.servicebus.windows.net/;SharedAccessKeyName=logsta..."]
        storage_connection => "DefaultEndpointsProtocol=https;..."
        consumer_group => "logstash"
        decorate_events => true
        threads => 8
    }
}
filter {
    json {
        source => "message"
    }
    date {
        match => [ "Timestamp", "ISO8601" ]
        target => "@timestamp"
    }
    mutate {
        rename => ["MessageTemplate", "message" ]
        rename => ["Level", "level" ]
        merge => { "message" => "Exception" }
        remove_field => ["Exception", "Timestamp"]
    }
}
output {
    elasticsearch {
        cloud_id => "<<Cloud id>>"
        cloud_auth => "<<user>>:<<password>>"
        index => "demo-%{+YYYY.w}"
    }
}
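For the case where two different Event Hubs really do have to be read by one input, the plugin's advanced mode lets each hub name its own offset container, which is what the error message asks for. The sketch below is an added example, not a config from the original post: the hub names `app-logs` and `audit-logs`, the container names and every `<<...>>` value are assumed placeholders.

```logstash
# Added example (not from the original post): advanced mode with one
# offset container per Event Hub. Hub names, container names and the
# <<...>> values are assumed placeholders.
input {
    azure_event_hubs {
        config_mode => "advanced"
        # One storage account is shared; only the containers differ.
        storage_connection => "DefaultEndpointsProtocol=https;..."
        decorate_events => true
        threads => 8
        event_hubs => [
            { "app-logs" => {
                event_hub_connection => "Endpoint=sb://<<namespace>>.servicebus.windows.net/;SharedAccessKeyName=...;EntityPath=app-logs"
                consumer_group => "logstash"
                # Offsets for this hub and consumer group are kept here only.
                storage_container => "logstash-offsets-app-logs"
            }},
            { "audit-logs" => {
                event_hub_connection => "Endpoint=sb://<<namespace>>.servicebus.windows.net/;SharedAccessKeyName=...;EntityPath=audit-logs"
                consumer_group => "logstash"
                # A different container, so the two hubs never share offsets.
                storage_container => "logstash-offsets-audit-logs"
            }}
        ]
    }
}
```

Listing the same hub twice, for example once per access key, still needs only one entry, as in the final config above.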

References

GitHub - logstash-input-azure_event_hubs
