
Configuration

Sivasamy Kaliappan edited this page Oct 23, 2017 · 1 revision

Logtrail configuration options live in `logtrail.json` in the `./plugins/logtrail` directory (for Kibana 4.x the directory is `./installedPlugins/logtrail/`). Logtrail can also load the configuration from Elasticsearch; when a copy exists there it is given priority over the file. This is useful in Docker-based deployments, HA deployments and upgrades. `logtrail.json` can be pushed to Elasticsearch with the following curl command:

curl -XPUT 'localhost:9200/.logtrail/config/1?pretty' -H 'Content-Type: application/json' -d@<path_to_logtrail.json_file>

Configuration updates are applied by pushing the updated file with the same command, which overwrites the stored document.

Because the Elasticsearch copy takes priority over the file, anyone who can write to the `.logtrail` index can change which index Logtrail queries and how events are displayed; restrict write access to that index as you would to Kibana's own configuration index.

Any change to the Logtrail configuration, whether in the file or in Elasticsearch, requires a restart of Kibana.

Configuration options are set per index pattern: `logtrail.json` contains an array of index patterns, and for each index pattern the following options are available:

  • **default_index** - Elasticsearch index (pattern) in which the syslog events are stored (default: logstash-*)
    • When using an index name other than logstash-*, make sure the respective .raw fields exist in the ES index.
  • **default_time_range_in_days** - Default time range in days to search when no time is specified via the Seek button. Example: a value of 30 means Logtrail searches only logs from the last 30 days unless a time is specified via the Seek button; a value of 0 means Logtrail searches all available logs by default.
  • **display_timezone** - Timezone used to display timestamps in the Event Viewer, e.g. America/Los_Angeles. The default value local uses the browser's timezone. The time entered in the Seek To popup always uses the browser timezone.
  • **display_timestamp_format** - Format used to display the timestamp in the Event Viewer. For the list of valid values, refer here.
  • **fields** - Maps the event fields in ES to Logtrail fields:
    • **timestamp** - maps to the timestamp field in the event; used internally for querying. Logtrail recommends storing @timestamp in UTC in ES. With Logstash, use the date filter to explicitly convert the log event's timestamp field.
    • **display_timestamp** - the formatted timestamp shown in the events view. By default mapped to @timestamp.
    • **hostname** - hostname from which the event was received. Also used by the hostname filter.
    • **program** - program that generated the event.
    • **message** - the actual event message. This is the default field used for search.
  • Example: if the event field names are @timestamp, host, process and message, the mapping inside fields should be:

```json
"mapping" : {
       "timestamp" : "@timestamp",
       "display_timestamp" : "@timestamp",
       "hostname" : "host",
       "program": "process",
       "message": "message"
   }
```
  • By default each line in the events view has the format: display_timestamp hostname program:message
  • **message_format** - Adds further event fields to the displayed line. For details refer to Adding additional fields.
  • **color_mapping** - Color-codes messages based on field values. For details refer to Color coding messages.
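A bad configuration is only noticed after the Kibana restart, so it is worth checking `logtrail.json` before pushing it. The script below is an added example, not part of the Logtrail project: it validates the per-index-pattern options described above (`default_index`, `default_time_range_in_days`, `display_timezone`, and the `fields.mapping` keys) and can then issue the same PUT to `.logtrail/config/1` as the curl command at the top of the page. It assumes the file's top-level key holding the array of index patterns is named `index_patterns`; the page only says the file "contains an array of index patterns", so that key name is an assumption, as is the sample configuration, which is constructed for the example.

```python
"""Validate a Logtrail logtrail.json before pushing it to Elasticsearch.

Added example, not part of the Logtrail project. Assumes the file is a JSON
object with a top-level "index_patterns" array (assumption: the wiki page only
says the file "contains an array of index patterns") whose entries carry the
per-index-pattern options described on the page.
"""
import json
import sys
import urllib.request
import zoneinfo  # Python 3.9+

# Mapping keys every index pattern must provide; display_timestamp is
# optional because it defaults to @timestamp.
REQUIRED_MAPPING_KEYS = ("timestamp", "hostname", "program", "message")

# Constructed sample configuration (not taken from the project).
SAMPLE_CONFIG = json.loads("""
{
  "index_patterns": [
    {
      "default_index": "logstash-*",
      "default_time_range_in_days": 30,
      "display_timezone": "local",
      "display_timestamp_format": "MMM DD HH:mm:ss",
      "fields": {
        "mapping": {
          "timestamp": "@timestamp",
          "display_timestamp": "@timestamp",
          "hostname": "host",
          "program": "process",
          "message": "message"
        }
      }
    }
  ]
}
""")


def validate_config(cfg):
    """Return a list of problems found in cfg; an empty list means it is usable."""
    problems = []
    patterns = cfg.get("index_patterns") if isinstance(cfg, dict) else None
    if not isinstance(patterns, list) or not patterns:
        return ['"index_patterns" must be a non-empty array']
    for i, pattern in enumerate(patterns):
        where = f"index_patterns[{i}]"
        if not isinstance(pattern, dict):
            problems.append(f"{where}: must be an object")
            continue
        index = pattern.get("default_index")
        if not isinstance(index, str) or not index:
            problems.append(f"{where}: default_index must be a non-empty string")
        # 0 means "search everything"; negative values and booleans are mistakes.
        days = pattern.get("default_time_range_in_days", 0)
        if isinstance(days, bool) or not isinstance(days, int) or days < 0:
            problems.append(f"{where}: default_time_range_in_days must be an integer >= 0")
        # "local" is the documented default; anything else must be a real tz name.
        tz = pattern.get("display_timezone", "local")
        if tz != "local":
            try:
                zoneinfo.ZoneInfo(tz)
            except (zoneinfo.ZoneInfoNotFoundError, ValueError, TypeError):
                problems.append(f"{where}: unknown display_timezone {tz!r}")
        fields = pattern.get("fields")
        mapping = fields.get("mapping") if isinstance(fields, dict) else None
        if not isinstance(mapping, dict):
            problems.append(f"{where}: fields.mapping is missing")
            continue
        for key in REQUIRED_MAPPING_KEYS:
            value = mapping.get(key)
            if not isinstance(value, str) or not value:
                problems.append(f"{where}: fields.mapping.{key} must name an event field")
    return problems


def build_put_request(cfg, es_url="http://localhost:9200"):
    """Return (url, headers, body) equivalent to the wiki's curl -XPUT command."""
    url = es_url.rstrip("/") + "/.logtrail/config/1"
    headers = {"Content-Type": "application/json"}
    body = json.dumps(cfg).encode("utf-8")
    return url, headers, body


def push_config(cfg, es_url="http://localhost:9200"):
    """PUT cfg into the .logtrail index; Kibana must still be restarted afterwards."""
    url, headers, body = build_put_request(cfg, es_url)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python logtrail_config.py [path/to/logtrail.json] [--push]
    cfg = SAMPLE_CONFIG
    if len(sys.argv) > 1 and sys.argv[1] != "--push":
        with open(sys.argv[1], encoding="utf-8") as fh:
            cfg = json.load(fh)
    problems = validate_config(cfg)
    for problem in problems:
        print("error:", problem)
    if problems:
        sys.exit(1)
    if "--push" in sys.argv:
        print(push_config(cfg))
    else:
        print("configuration OK; rerun with --push to store it in Elasticsearch")
```

Run it against your own file with `python logtrail_config.py logtrail.json`; it exits non-zero and lists every problem before anything is sent, and only pushes when `--push` is given. The timezone check uses the system tz database, so it catches misspelled zone names that Logtrail would otherwise accept silently until the Event Viewer shows wrong times.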