How to get started with log analysis

This article introduces exploring logs with Kibana. Elastic Stack containers are included in GroundWork Monitor. Kibana lets users visualize the data held in Elasticsearch with charts and graphs.

GroundWork Monitor Enterprise has long supported integration with Elastic Stack, also known as Elasticsearch, Logstash, and Kibana. We have now bundled a containerized instance of Elastic Stack into GroundWork Monitor 8.0.0, and all of the container logging is forwarded to it by default.

This initial implementation is not the same as the Log Bridge integration we support in GroundWork Monitor 7.x. There is no integration of saved searches as services in GroundWork Monitor as yet, but we are preparing to implement this in upcoming versions. 

While the utility of the Elastic integration included here is minimal, it is definitely possible to forward log messages from external systems to the Elastic instance in GroundWork Monitor 8.0.0, and to use additional features of Elastic. We will support the correct functioning of the bundled container and Elastic Stack; however, we do not recommend any large-scale Elastic implementation using this container, as it is too small to support more than the analysis of local logs. If that is what you wish to do, we recommend implementing a cluster of systems running Elastic Stack in accordance with the documentation Elastic provides. We can refer you to implementation partners for this purpose.

We plan on implementing additional integrations with Elastic in future versions. 

Getting started with Kibana

  1. In GroundWork Monitor, navigate to Dashboards > Log Analysis to launch Kibana.
  2. On first run, define the index pattern; this tells Kibana which Elasticsearch indices to search and analyze.
    • On the left sidebar menu (expand or collapse), click the Management menu option.
  3. Click Index Patterns.
  4. Click Create index pattern, and Kibana will automatically identify the new logstash-* index pattern.
  5. Define it as logstash-*, and click Next step.

    Index patterns
  6. Select @timestamp as the Time Filter field name.
  7. Click Create index pattern.

    create an index pattern

    time filters

Performing a discovery

  1. Navigate to the left sidebar menu and click Discover to see the data table of log entries.
  2. In the top right-hand corner, click the icon next to Last 15 minutes, then select Today.
  3. The Available fields list is shown on the left side.
    • Hovering over each of the fields exposes its Add button.
    • Locate and add the fields container.name and message.

      discovery
  4. As shown in the next image, you should see the two new fields under the Selected fields title.
  5. You will also see the fields (container.name and message) as columns in the table.

    selected fields
  6. Under the Selected fields list, click the container.name item to see its Top 5 values.

    selected fields
  7. To filter by Docker container, click the magnifier icon for any container. You will then see log entries for that one container only.
  8. Filters are added at the top of the table. Hovering over a filter displays the filter actions, or you can select the Actions button on the right side of the screen.

    actions
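The Discover steps above (time filter set to Today, the container.name and message columns, the Top 5 values list, and a filter on one container) can be expressed as a single Elasticsearch query. The following is an added example, not code from the article or from GroundWork; it assumes the bundled Elasticsearch answers on http://localhost:9200, that the Logstash indices match logstash-*, and that container.name is mapped as a keyword field so it can be used directly in a term filter and a terms aggregation.

```python
import json
import urllib.request

ES_URL = "http://localhost:9200"  # assumed endpoint of the bundled Elasticsearch
INDEX_PATTERN = "logstash-*"      # the index pattern defined in the article

def build_container_query(container_name=None, size=50):
    """The query the Discover page runs: time filter 'Today', an optional
    filter on one container (the magnifier icon), the two selected columns,
    and the 'Top 5 values' list as a terms aggregation on container.name.
    Assumes container.name is mapped as a keyword field."""
    filters = [{"range": {"@timestamp": {"gte": "now/d", "lte": "now"}}}]
    if container_name:
        filters.append({"term": {"container.name": container_name}})
    return {
        "size": size,
        "_source": ["@timestamp", "container.name", "message"],
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": filters}},
        "aggs": {"top_containers": {"terms": {"field": "container.name", "size": 5}}},
    }

def top_containers(response):
    """[(container, hit count), ...] from the aggregation, i.e. the Top 5
    values Kibana lists under Selected fields."""
    agg = response.get("aggregations", {}).get("top_containers", {})
    return [(b["key"], b["doc_count"]) for b in agg.get("buckets", [])]

def run_search(body, es_url=ES_URL, index=INDEX_PATTERN):
    """POST the query to Elasticsearch and return the parsed JSON reply."""
    req = urllib.request.Request(
        f"{es_url}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample reply (not real GroundWork output) so the parsing runs offline.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 3}, "hits": []},
    "aggregations": {"top_containers": {"buckets": [
        {"key": "container-a", "doc_count": 2},
        {"key": "container-b", "doc_count": 1},
    ]}},
}
```

Against a live instance, `top_containers(run_search(build_container_query()))` returns the same Top 5 list that Kibana shows, and `build_container_query("<name>")` reproduces the single-container filter.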

To learn more, take a look at A Kibana Tutorial.
