Posted in 2016

filebeat and logstash – first setup

First, let’s install Logstash. I have already configured a yum repository that gives access to the vendor’s package server.

root@serv-1: ~
> yum install logstash

Installed:
  logstash.noarch 1:5.2.1-1

Complete!

root@serv-1: /etc/logstash/conf.d
> cat /etc/logstash/conf.d/input.yml
# Test pipeline: receive events from Filebeat and write them to a local file.
input {
        beats {
                # No ssl options are set, so this listener takes plaintext
                # connections from any host that can reach the port. Restrict
                # it with a firewall, or set ssl / ssl_certificate / ssl_key,
                # before using it outside a lab.
                port => 5044
        }
}

output {
        file {
              # /tmp is shared by all local users. Fine for a quick check, but
              # real log data belongs in a dedicated directory with restricted
              # permissions.
              path => "/tmp/output.log"
        }
}

root@serv-1: /etc/logstash/conf.d
> service logstash start
Redirecting to /bin/systemctl start  logstash.service

Now install and configure Filebeat on the database host. I also have to install an Oracle database; I found SE2 install files somewhere on my disk, so I used them and configured a very simple database.

[root@dbhost01 oracle]# yum install filebeat

Installed:
  filebeat.x86_64 0:5.2.1-1

Complete!

[root@dbhost01 filebeat]# cd /etc/filebeat/
[root@dbhost01 filebeat]# cat filebeat.yml
filebeat.prospectors:
# Ship the Oracle alert log as line-based log events.
- input_type: log
  paths:
    - "/u01/app/oracle/diag/rdbms/orcl/orcl/trace/alert_orcl.log"

# No ssl.* settings are given, so events travel to Logstash unencrypted and
# the server is not authenticated. Outside a lab network, add
# ssl.certificate_authorities here and enable ssl on the Logstash beats input.
output.logstash:
  hosts: ["192.168.56.102:5044"]

logging:
  # debug is very verbose and may write the content of published events into
  # filebeat.log; presumably only wanted while testing, so lower it afterwards.
  level: debug
  to_syslog: false
  to_files: true
  files:
    path: /var/log/filebeat
    name: filebeat.log

[root@dbhost01 ~]# service filebeat start

Installing database…

[oracle@dbhost01 database]$ ./runInstaller -silent -responseFile 
/u01/app/oracle/install/database/response/db_install.rsp -ignoreSysPrereqs

[oracle@dbhost01 dbs]$ cat initorcl.ora
# Minimal parameter file for the test instance "orcl".
db_name='orcl'
db_unique_name='orcl'
sga_target=300m
processes = 150
audit_file_dest='/u01/app/oracle/admin/orcl/adump'
# Auditing is switched off here; acceptable only for a throwaway test
# database like this one.
audit_trail ='none'
db_block_size=8192
db_domain=''
db_create_file_dest='/u01/app/oracle/oradata'
db_recovery_file_dest='/u01/app/oracle/fast_recovery_area'
db_recovery_file_dest_size=2G
diagnostic_dest='/u01/app/oracle'
open_cursors=300
remote_login_passwordfile='EXCLUSIVE'
undo_tablespace='UNDOTBS1'
# You may want to ensure that control files are created on separate physical
# devices
control_files = (ora_control1, ora_control2)
[oracle@dbhost01 dbs]$ mkdir -p /u01/app/oracle/admin/orcl/adump
[oracle@dbhost01 dbs]$ mkdir -p /u01/app/oracle/oradata
[oracle@dbhost01 dbs]$ mkdir -p /u01/app/oracle/fast_recovery_area
[oracle@dbhost01 dbs]$
[oracle@dbhost01 dbs]$
[oracle@dbhost01 dbs]$
[oracle@dbhost01 dbs]$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 21 15:02:18 2017

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> create spfile from pfile ;

File created.

SQL> startup nomount
ORACLE instance started.

Total System Global Area  314572800 bytes
Fixed Size                  2923920 bytes
Variable Size             121635440 bytes
Database Buffers          184549376 bytes
Redo Buffers                5464064 bytes
SQL> create database orcl
  2  character set AL32UTF8
  3  national character set AL16UTF16
  4  extent management local
  5  undo tablespace undotbs1 ;

Database created.

SQL> @?/rdbms/admin/catalog.sql
SQL> @?/rdbms/admin/catproc.sql
SQL> connect system/oracle
SQL> @?/sqlplus/admin/pupbld.sql

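Our database and Filebeat are configured, so let’s generate a message in the alert log. (The `connect system/oracle` step above uses a trivial password typed in clear text, which is acceptable only on a throwaway test instance.)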

[oracle@dbhost01 trace]$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 21 15:53:04 2017

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Standard Edition Release 12.1.0.2.0 - 64bit Production

SQL> exec dbms_system.ksdwrt(2,'ORA-1000 This message is not an error')

PL/SQL procedure successfully completed.

Check the output file on the Logstash server.

root@serv-1: /etc/logstash
> tail -1f /tmp/output.log
{"@timestamp":"2017-02-21T14:53:32.536Z","offset":18825,"@version":"1","input_type":"log","beat":
{"hostname":"dbhost01","name":"dbhost01","version":"5.2.1"},
"host":"dbhost01","source":"/u01/app/oracle/diag/rdbms/orcl/orcl/trace/alert_orcl.log",
"message":"ORA-1000 This message is not an error","type":"log","tags":["beats_input_codec_plain_applied"]}

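Yes, it works. Now you can start to read about these programs, configure them with Elasticsearch, and work out how to parse the messages coming from the database. Note that this first setup is for testing only: the Beats connection on port 5044 carries the alert log unencrypted and unauthenticated, and the events land in a file under /tmp. Before using it for real, enable TLS on both the Logstash beats input and the Filebeat output, and send the events somewhere with restricted access.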


Author:

Database administrator who loves to work with Oracle software. (Sometimes not)
