ECS formatted application logs

edit

Logs formatted in Elastic Common Schema (ECS) don’t require manual parsing, and the configuration can be reused across applications. ECS-formatted logs, when paired with an APM agent, allow you to correlate logs to easily view logs that belong to a particular trace.

You can format your logs in ECS format the following ways:

  • ECS loggers: plugins for your logging libraries that reformat your logs into ECS format.
  • APM agent ECS reformatting: Java, Ruby, and Python APM agents automatically reformat application logs to ECS format without a logger.

ECS loggers

edit

ECS loggers reformat your application logs into ECS-compatible JSON, removing the need for manual parsing. ECS loggers require Filebeat or Elastic Agent configured to monitor and capture application logs. In addition, pairing ECS loggers with your framework’s APM agent allows you to correlate logs to easily view logs that belong to a particular trace.

Get started with ECS loggers
edit

For more information on adding an ECS logger to your application, refer to the guide for your framework:

APM agent ECS reformatting

edit

Java, Ruby, and Python APM agents can automatically reformat application logs to ECS format without an ECS logger or the need to modify your application. The APM agent also allows for log correlation so you can easily view logs that belong to a particular trace.

To set up log ECS reformatting:

Enable log ECS reformatting
edit

Log ECS reformatting is controlled by the log_ecs_reformatting configuration option, and is disabled by default. Refer to the guide for your framework for information on enabling:

Ingest logs
edit

After enabling log ECS reformatting, send your application logs to your project using one of the following shipping tools:

  • Filebeat: A lightweight data shipper that sends log data to your project.
  • Elastic Agent: A single agent for logs, metrics, security data, and threat prevention. With Fleet, you can centrally manage Elastic Agent policies and lifecycles directly from your project.
Ingest logs with Filebeat
edit

Follow these steps to ingest application logs with Filebeat.

Step 1: Install Filebeat
edit

Install Filebeat on the server you want to monitor by running the commands that align with your system:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-9.0.0-beta1-darwin-x86_64.tar.gz
tar xzvf filebeat-9.0.0-beta1-darwin-x86_64.tar.gz
Step 2: Connect to your project
edit

Connect to your project using an API key to set up Filebeat. Set the following information in the filebeat.yml file:

output.elasticsearch:
  hosts: ["your-projects-elasticsearch-endpoint"]
  api_key: "id:api_key"
  1. Set the hosts to your deployment’s Elasticsearch endpoint. Copy the Elasticsearch endpoint from Help menu (help icon) → Connection details. For example, https://my-deployment.es.us-central1.gcp.cloud.es.io:443.
  2. From Developer tools, run the following command to create an API key that grants manage permissions for the cluster and the filebeat-* indices using:

    POST /_security/api_key
    {
      "name": "filebeat_host001",
      "role_descriptors": {
        "filebeat_writer": {
          "cluster": ["manage"],
          "index": [
            {
              "names": ["filebeat-*"],
              "privileges": ["manage"]
            }
          ]
        }
      }
    }

    Refer to Grant access using API keys for more information.

Step 3: Configure Filebeat
edit

Add the following configuration to your filebeat.yaml file to start collecting log data.

filebeat.inputs:
- type: filestream  
  enabled: true
  paths: /path/to/logs.log  

Reads lines from an active log file.

Paths that you want Filebeat to crawl and fetch logs from.

Step 4: Set up and start Filebeat
edit

From the Filebeat installation directory, set the index template by running the command that aligns with your system:

filebeat setup -e

From the Filebeat installation directory, start filebeat by running the command that aligns with your system:

sudo service filebeat start

If you use an init.d script to start Filebeat, you can’t specify command line flags (see Command reference). To specify flags, start Filebeat in the foreground.

Also see Filebeat and systemd.

Ingest logs with Elastic Agent
edit

Add the custom logs integration to ingest and centrally manage your logs using Elastic Agent and Fleet:

Add the custom logs integration to your project
edit

To add the custom logs integration to your project:

  1. From your deployment’s home page, click Add Integrations.
  2. Type custom in the search bar and select Custom Logs.
  3. Click Install Elastic Agent at the bottom of the page, and follow the instructions for your system to install the Elastic Agent.
  4. After installing the Elastic Agent, click Save and continue to configure the integration from the Add Custom Logs integration page.
  5. Give your integration a meaningful name and description.
  6. Add the Log file path. For example, /var/log/your-logs.log.
  7. Click Advanced options.
  8. In the Processors text box, add the following YAML configuration to add processors that enhance your data. Refer to processors to learn more.

    processors:
      - add_host_metadata: \~
      - add_cloud_metadata: \~
      - add_docker_metadata: \~
      - add_kubernetes_metadata: \~
  9. Under Custom configurations, add the following YAML configuration to collect data.

      json:
        overwrite_keys: true 
        add_error_key: true 
        expand_keys: true 
        keys_under_root: true 
      fields_under_root: true 
      fields:
        service.name: your_service_name 
        service.version: your_service_version 
        service.environment: your_service_environment 

    Values from the decoded JSON object overwrite the fields that Elastic Agent normally adds (type, source, offset, etc.) in case of conflicts.

    Elastic Agent adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.

    Elastic Agent will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.

    By default, the decoded JSON is placed under a "json" key in the output document. When set to true, the keys are copied top level in the output document.

    When set to true, custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary.

    The service.name (required), service.version (optional), and service.environment (optional) of the service you’re collecting logs from, used for log correlation.

  10. Give your agent policy a name. The agent policy defines the data your Elastic Agent collects.
  11. Save your integration to add it to your deployment.

View logs

edit

Refer to the Filter and aggregate logs documentation for more information on viewing and filtering your logs in Kibana.