Logstash comes with a bunch of plugins for the input, filter and output stages of a processing pipeline. When monitoring logs with a platform like ELK, the most requested feature is email notification when a severe error condition or issue shows up. There are many options for sending email: custom Python scripts, Elastic Watcher, ElastAlert, and so on.
There is also a simpler way available within Logstash itself: the email plugin, which is easily enabled in the output stage of the pipeline.
Let's look at a very simple Logstash config file.
```
input {
  file {
    path => ["/var/log/network.log"]
    start_position => "beginning"
    type => "syslog"
    tags => [ "netsyslog" ]
  }
}

filter {
  # Filter using grok patterns
  if [type] == "syslog" {
    grok {
      # strips timestamp and host
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "%{TIMESTAMP_ISO8601:@timestamp} %{HOST:syslog_host} %{GREEDYDATA:raw_message}" ]
    }
  }
}

output {
  # Email all filtered messages
  email {
    from => "logstash_alert@seic.com"
    subject => "logstash alert"
    to => "antony@atechref.com"
    via => "smtp"                          # transport: "smtp" or "sendmail"
    address => "smtp.corp.atechref.com"    # SMTP relay host
    port => "25"
    body => "Here is the event line that occurred: %{message}"
  }
}
```
Now every time a log line is parsed by Logstash, an email notification is sent to the address in the `to` field of the config. All is well.
If you also want stdout output so you can inspect what the filter produced, remember to add it before the email plugin, as shown below.
```
output {
  # Print events to stdout
  stdout { codec => rubydebug }

  # Email all filtered messages
  email {
    from => "logstash_alert@seic.com"
    subject => "logstash alert"
    to => "antony@atechref.com"
    via => "smtp"                          # transport: "smtp" or "sendmail"
    address => "smtp.atechref.com"         # SMTP relay host
    port => "25"                           # SMTP, as in the first config (22 is SSH)
    body => "Here is the event line that occurred: %{message}"
  }
}
```
If the stdout plugin comes after the email plugin in the output section, no emails are sent from Logstash, and you may spend a lot of time debugging the email setup rather than the order of the plugins defined here.
Ideally you would add some conditions around the email plugin to send emails only when an ERROR or other exception condition occurs. Again there are multiple options available. Topic for another post.
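One way to add such conditions, as an added example that is not part of the original post: grok extracts a severity with the stock `LOGLEVEL` pattern, the email output is wrapped in a conditional so that only ERROR and FATAL events are mailed, and the throttle filter caps how many alerts one host can trigger per period so a flapping device does not flood the mailbox. The log format, hostnames, addresses and the 5-per-10-minutes limit are assumptions.

```logstash
input {
  file {
    path => ["/var/log/network.log"]
    start_position => "beginning"
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # assumed line format: 2019-03-04T10:15:00Z fw01 ERROR link down on eth0
      match => { "message" => "%{TIMESTAMP_ISO8601:log_ts} %{HOSTNAME:syslog_host} %{LOGLEVEL:loglevel} %{GREEDYDATA:raw_message}" }
    }
    if [loglevel] in ["ERROR", "FATAL"] {
      # after 5 matching events from the same host within 600 s, tag the rest
      throttle {
        key => "%{syslog_host}"
        before_count => -1
        after_count => 5
        period => 600
        add_tag => "throttled"
      }
    }
  }
}

output {
  # stdout stays first, per the ordering note above
  stdout { codec => rubydebug }

  # only ERROR/FATAL events that were not throttled produce an email;
  # lines grok could not parse carry _grokparsefailure and no loglevel, so they are skipped
  if [loglevel] in ["ERROR", "FATAL"] and "throttled" not in [tags] {
    email {
      from => "logstash_alert@example.com"           # assumed sender
      to => "netops@example.com"                     # assumed recipient
      subject => "[%{loglevel}] %{syslog_host}: logstash alert"
      via => "smtp"
      address => "smtp.example.com"                  # assumed SMTP relay
      port => 25
      body => "Host: %{syslog_host}\nLevel: %{loglevel}\nEvent: %{raw_message}"
    }
  }
}
```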
References: https://www.elastic.co/products/logstash