Giving Elastic Search logs to externals - noi-techpark/odh-docs GitHub Wiki
General introduction
We store our logs in Elasticsearch and retrieve any information from there afterwards. The logs on each Docker server are only kept for a certain time, until Filebeat
comes by and ships them to the Elastic infrastructure.
Therefore, if external developers need to investigate older issues, the old logs exist only in Elasticsearch and they must access the Kibana dashboard or the Elasticsearch API, with a user that is restricted to the logs of their own project.
Kibana Settings
- Go to https://logs.opendatahub.bz.it
- Login with Elasticsearch
- Default space
- "Manage" (on the right-hand side of "Home")
Then, create a role that corresponds to your use case. See odh-mobility-external-developers as an example:
- Indices: filebeat-*
- Privileges: read and view_index_metadata
- Activate "Grant read privileges to specific documents" (document level security). An example filter that restricts the role to the logs of a single Docker Compose project looks like this:
  { "term" : { "container.labels.com_docker_compose_project" : "odh-mobility-dc-traffic-a22-elaborations" } }
- Add custom Kibana privileges below:
  - Analytics - Discover: ALL
  - Analytics - Dashboard: ALL
  - Management - Dev Tools: READ
  - Management - Saved Objects Management: READ
  - ...all others are NONE
Finally, create users and assign them the role above. If those users should also be able to create and download CSV reports, additionally assign them the built-in reporting_user role;
a role cannot include another role, so it has to be added to each user directly.
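The same role and user can be created without clicking through Kibana. The following Python script is an added example and not part of the odh-docs wiki or the Open Data Hub tooling: it builds the role described above (read and view_index_metadata on filebeat-*, a document level security query for one Docker Compose project, and the Discover/Dashboard/Dev Tools/Saved Objects Kibana feature privileges), pushes it through Kibana's role API (PUT /api/security/role/<name>, which needs the kbn-xsrf header), creates the user through the Elasticsearch security API (POST /_security/user/<name>) with the built-in reporting_user role attached to the user rather than nested in the role, and then verifies the document level security by searching as the new user without any project filter. The environment variable names (KIBANA_URL, ELASTIC_URL, ADMIN_USR, ADMIN_PWD), the role and user names passed on the command line, and the hits_leaked helper are my own assumptions.

```python
"""Create an external-developer role plus user through the Kibana and Elasticsearch APIs
and verify that document level security (DLS) really scopes the user to one project.
Added example, not code from the odh-docs wiki."""
import base64
import json
import os
import sys
import urllib.request
from typing import List

# Field the page's DLS filter keys on (a Docker Compose project label shipped by Filebeat).
PROJECT_LABEL = "container.labels.com_docker_compose_project"


def dls_query(project: str) -> str:
    """The DLS filter is sent as a JSON *string* inside the role document."""
    return json.dumps({"term": {PROJECT_LABEL: project}})


def role_definition(project: str, space: str = "default") -> dict:
    """Role body for Kibana's PUT /api/security/role/<name>; mirrors the wiki's click-through."""
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [{
                "names": ["filebeat-*"],
                "privileges": ["read", "view_index_metadata"],
                "query": dls_query(project),
            }],
        },
        "kibana": [{
            "base": [],
            "feature": {
                "discover": ["all"],
                "dashboard": ["all"],
                "dev_tools": ["read"],
                "savedObjectsManagement": ["read"],
            },
            "spaces": [space],
        }],
    }


def user_definition(password: str, role_name: str, with_reporting: bool) -> dict:
    """User body for POST /_security/user/<name>. reporting_user is a built-in role and
    cannot be nested inside our role, so it is listed on the user."""
    roles = [role_name] + (["reporting_user"] if with_reporting else [])
    return {"password": password, "roles": roles}


def hits_leaked(hits: List[dict], project: str) -> List[str]:
    """_ids of hits whose compose-project label is not the expected one (or is missing).
    Search as the new user with match_all and feed the hits here: the result must be empty,
    otherwise the DLS query is not restricting what the user can read."""
    bad = []
    for hit in hits:
        labels = hit.get("fields", {}).get(PROJECT_LABEL) or []
        if labels != [project]:
            bad.append(hit.get("_id", "?"))
    return bad


def _call(base_url: str, user: str, password: str, method: str, path: str, body: dict,
          kibana: bool = False) -> dict:
    """Minimal urllib request with basic auth; credentials never appear on the command line."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    if kibana:
        headers["kbn-xsrf"] = "true"  # Kibana rejects state-changing requests without it
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        raw = resp.read()  # Kibana answers the role PUT with 204 and an empty body
        return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # usage: KIBANA_URL=https://kibana.example ELASTIC_URL=https://es.example:9243 \
    #        ADMIN_USR=elastic ADMIN_PWD=... python make_external_role.py <project> <role> <user> <password>
    project, role, user, password = sys.argv[1:5]
    admin_usr, admin_pwd = os.environ["ADMIN_USR"], os.environ["ADMIN_PWD"]
    _call(os.environ["KIBANA_URL"], admin_usr, admin_pwd, "PUT",
          f"/api/security/role/{role}", role_definition(project), kibana=True)
    _call(os.environ["ELASTIC_URL"], admin_usr, admin_pwd, "POST",
          f"/_security/user/{user}", user_definition(password, role, True))
    # DLS check: no project filter in the query; Elasticsearch must add it for us.
    probe = {"size": 100, "_source": False, "fields": [PROJECT_LABEL], "query": {"match_all": {}}}
    hits = _call(os.environ["ELASTIC_URL"], user, password, "POST",
                 "/filebeat-*/_search", probe)["hits"]["hits"]
    leaked = hits_leaked(hits, project)
    if leaked:
        print(f"DLS check FAILED, hits from other projects: {leaked}")
        sys.exit(1)
    print(f"OK: {len(hits)} hits returned, all from {project}")
```

The final probe is the check worth keeping around: whenever the role is edited in Kibana, running it again as the external user confirms that a plain match_all still only returns documents of the intended project.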
Access to logs via Kibana
Go to Analytics > Discover and use the filter and search functions there.
CSV exports are possible there as well: "Save" the search, then "Share > CSV Reports > Generate CSV". Kibana caps the size of a generated report, so this only works for a moderate number of log lines; for larger exports use the Elasticsearch API described below.
Access to logs via Elasticsearch API
To get you started, here is an example shell script that fetches the logs of the mobility data collector odh-mobility-dc-traffic-a22-elaborations
within a given interval. It then extracts a few fields from the JSON response with jq
and prints them as CSV.
To use this script, copy/paste it into a file, make that file executable and export ELASTIC_USR and ELASTIC_PWD in your environment. Call it with these optional positional parameters, in this order:
- offset (default 0)
- limit (default 1000; offset + limit must not exceed 10,000, the default index.max_result_window of Elasticsearch)
- start_incl (inclusive start of the interval, default 2022-06-23T23)
- end_excl (exclusive end of the interval, default 2022-06-24)
- csv (1 = CSV output via jq, 0 = raw Elasticsearch response; default 1)
```bash
#!/bin/bash
set -euo pipefail
# Elastic Cloud endpoint of the ODH cluster; index pattern and _search API are part of the URL
HOST='https://16587ef4ae8f4a23b477025805374935.eu-west-1.aws.found.io:9243/filebeat-*/_search'
ELASTIC_USR=${ELASTIC_USR:?"Specify your elastic user's name"}
ELASTIC_PWD=${ELASTIC_PWD:?"Specify your elastic user's password, quote it if necessary, e.g. 'your-secret'"}
OFFSET=${1:-0}
LIMIT=${2:-1000}
START_INCL=${3:-'2022-06-23T23'}
END_EXCL=${4:-'2022-06-24'}
# Set this to 0 to retrieve the original result of the Elasticsearch call
# You need to install "jq" if you want to have a CSV output
CSV=${5:-1}
# Elasticsearch rejects from + size above index.max_result_window (10,000 by default);
# fail early with a clear message instead of a 400 from the server
if [ $((OFFSET + LIMIT)) -gt 10000 ]; then
  echo "offset + limit must not exceed 10000; narrow the time interval instead" >&2
  exit 1
fi
# -S still reports errors despite -s; --fail turns an HTTP error into a non-zero exit,
# so "set -e" aborts the script instead of handing jq an error document
RESULT=$(
curl -sS --fail --user "$ELASTIC_USR:$ELASTIC_PWD" "$HOST" -XPOST -H 'Content-Type: application/json' --data-binary @- <<EOF
{
  "fields": [
    "json.message",
    "json.level",
    "@timestamp"
  ],
  "_source": false,
  "from": $OFFSET,
  "size": $LIMIT,
  "query": {
    "bool": {
      "must": {
        "term": {
          "container.labels.com_docker_compose_project": "odh-mobility-dc-traffic-a22-elaborations"
        }
      },
      "filter": {
        "range" : {
          "@timestamp": {
            "gte" : "$START_INCL",
            "lt" : "$END_EXCL"
          }
        }
      }
    }
  },
  "sort": [
    {
      "@timestamp" : {
        "order": "asc"
      }
    }
  ]
}
EOF
)
if [ "$CSV" = "1" ]; then
  echo '"timestamp","log_level","message"'
  # "fields" returns every value as an array; take the first element and substitute "" for a
  # missing field, so a log line without json.level does not shift its message into the log_level column
  echo "$RESULT" | jq -r '.hits.hits[].fields | [."@timestamp"[0], (."json.level" // [""])[0], (."json.message" // [""])[0]] | @csv'
else
  echo "$RESULT"
fi
exit 0
```
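The from/size paging of the script above stops working once an interval holds more than 10,000 log lines, because Elasticsearch refuses from + size beyond index.max_result_window. The following Python script is an added example, not part of the odh-docs wiki: it runs the same term + range query for a Docker Compose project, but opens a point in time (POST /filebeat-*/_pit), pages with search_after on the @timestamp sort plus the _shard_doc tiebreaker until a short page is returned, closes the PIT again, and writes the rows with the csv module so quotes and newlines inside json.message are escaped correctly instead of being concatenated by hand. The index pattern and field names are those used on this page; the ELASTIC_URL environment variable (the base URL without the index pattern, e.g. https://host:9243), the transport callable and the constructed sample response in the test are my own assumptions.

```python
"""Export container logs from Elasticsearch beyond the 10,000-hit from/size window.
Added example, not the odh-docs script: PIT + search_after paging, CSV via the csv module."""
import base64
import csv
import json
import os
import sys
import urllib.request
from typing import Callable, Iterator, List, Optional

INDEX_PATTERN = "filebeat-*"
PROJECT_LABEL = "container.labels.com_docker_compose_project"
FIELDS = ["@timestamp", "json.level", "json.message"]

# request(method, path, body_or_None) -> parsed JSON; injectable so it can be faked offline
Transport = Callable[[str, str, Optional[dict]], dict]


def build_query(project: str, start_incl: str, end_excl: str, size: int,
                pit_id: str, search_after: Optional[list] = None) -> dict:
    """Same bool term + range query as the wiki's script, bound to a PIT and sorted with the
    _shard_doc tiebreaker so that search_after never skips or repeats a hit."""
    body = {
        "size": size,
        "fields": FIELDS,
        "_source": False,
        "pit": {"id": pit_id, "keep_alive": "1m"},
        "query": {"bool": {
            "must": {"term": {PROJECT_LABEL: project}},
            "filter": {"range": {"@timestamp": {"gte": start_incl, "lt": end_excl}}},
        }},
        "sort": [{"@timestamp": "asc"}, {"_shard_doc": "asc"}],
    }
    if search_after is not None:
        body["search_after"] = search_after
    return body


def hit_to_row(hit: dict) -> List[str]:
    """First value of each requested field; a missing field becomes "" instead of shifting
    the remaining columns to the left."""
    fields = hit.get("fields") or {}
    return [(fields.get(name) or [""])[0] for name in FIELDS]


def iter_rows(request: Transport, project: str, start_incl: str, end_excl: str,
              page_size: int = 1000) -> Iterator[List[str]]:
    """Open a PIT, page with search_after until a page is shorter than page_size, and always
    close the PIT (it pins segments on the cluster until it expires)."""
    pit_id = request("POST", f"/{INDEX_PATTERN}/_pit?keep_alive=1m", None)["id"]
    try:
        search_after = None
        while True:
            body = build_query(project, start_incl, end_excl, page_size, pit_id, search_after)
            hits = request("POST", "/_search", body)["hits"]["hits"]  # no index in the URL with a PIT
            for hit in hits:
                yield hit_to_row(hit)
            if len(hits) < page_size:
                return
            search_after = hits[-1]["sort"]  # sort values of the last hit drive the next page
    finally:
        request("DELETE", "/_pit", {"id": pit_id})


def http_transport(base_url: str, user: str, password: str) -> Transport:
    """urllib-based transport with basic auth; credentials come from the environment, so they
    are not visible in the process list as they would be with curl --user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def request(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Basic {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return request


def write_csv(rows: Iterator[List[str]], out) -> int:
    """Write header + rows with proper CSV quoting; returns the number of data rows."""
    writer = csv.writer(out)
    writer.writerow(["timestamp", "log_level", "message"])
    count = 0
    for row in rows:
        writer.writerow(row)
        count += 1
    return count


if __name__ == "__main__":
    # usage: ELASTIC_URL=https://host:9243 ELASTIC_USR=... ELASTIC_PWD=... \
    #   python export_logs.py odh-mobility-dc-traffic-a22-elaborations 2022-06-23T23 2022-06-24 > logs.csv
    project, start, end = sys.argv[1:4]
    transport = http_transport(os.environ["ELASTIC_URL"], os.environ["ELASTIC_USR"], os.environ["ELASTIC_PWD"])
    n = write_csv(iter_rows(transport, project, start, end), sys.stdout)
    print(f"{n} rows exported", file=sys.stderr)
```

Because the restricted role only grants read and view_index_metadata on filebeat-*, the external user can open and close a PIT on that pattern but nothing else; the document level security filter of the role is applied on top of the query, so even a match_all here would only return the user's own project.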
For more details on all Elasticsearch capabilities, please refer to their documentation.