VictoriaMetrics/deployment/docker/victorialogs/logstash/README.md
Aliaksandr Valialkin f45f39d80e
Revert "deployment/docs: use lower-case links to VictoriaLogs docs"
This reverts commit a0937b01c1.

Reason for revert: MixedCase links started working again.
See, for example, https://docs.victoriametrics.com/VictoriaLogs/querying/#vmui
2024-03-17 23:13:23 +02:00

1.9 KiB

Docker compose Logstash integration with VictoriaLogs for syslog

It is required to use OpenSearch plugin for output configuration. Plugin can be installed by using the following command:

bin/logstash-plugin install logstash-output-opensearch

OpenSearch plugin is required because elasticsearch output plugin performs various checks for Elasticsearch version and license which are not applicable for VictoriaLogs.

To spin-up environment run the following command:

docker compose up -d 

To shut down the docker-compose environment run the following command:

docker compose down
docker compose rm -f

The docker compose file contains the following components:

  • logstash - logstash is configured to accept syslog on 5140 port, you can find configuration in the pipeline.conf. It writes data in VictoriaLogs
  • VictoriaLogs - the log database, it accepts the data from logstash by elastic protocol

Querying the data

  • vmui - a web UI is accessible by http://localhost:9428/select/vmui
  • for querying the data via command-line please check these docs

Here is an example of logstash configuration(pipeline.conf):

input {
  syslog {
    port => 5140
  }
}
output {
  opensearch {
    hosts => ["http://victorialogs:9428/insert/elasticsearch"]
    custom_headers => {
        "AccountID" => "0"
        "ProjectID" => "0"
    }
    parameters => {
        "_stream_fields" => "host.ip,process.name"
        "_msg_field" => "message"
        "_time_field" => "@timestamp"
    }
  }
}

Please, note that _stream_fields parameter must follow recommended best practices to achieve better performance.