Logstash conf Converter to Data Prepper

vnovotny98 · January 12, 2023, 1:18pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Hello, I have downloaded on my RHEL 8.6:
opensearchproject/data-prepper:2.0.1

Describe the issue:
I used logstash before this and want to migrate do Data Prepper. I tried to follow:

github.com/opensearch-project/data-prepper

[RFC] Logstash Configuration Converter

opened 05:02PM - 20 Oct 21 UTC

closed 07:04PM - 18 Nov 21 UTC

sshivanii

proposal

### What kind of business use case are you trying to solve? What are your requir…ements? We want to provide Logstash users an easy way to run their workloads on Data Prepper. By leveraging their existing Logstash configuration file, we will make the transition from Logstash to Data Prepper as seamless as possible. ### What is the problem? What is preventing you from meeting the requirements? The Pipeline Configuration file required to run a Data Prepper instance (`pipelines.yaml`) is in YAML format and Logstash configuration file is a custom format. ### What are you proposing? What do you suggest we do to solve the problem or improve the existing situation? The goal is to take existing Logstash configuration files, transform them into Data Prepper configuration files and build a Data Prepper Log Ingestion pipeline from them. The Logstash Configuration Converter will support the following requirements: * The Converter will transform the Logstash configuration format to a Data Prepper YAML with the respective mapping and run alongside the Data Prepper log pipeline. This will be a 1-step process to make it user-friendly. * The Converter will fail for unsupported Logstash plugins and Conditionals (scope is mentioned below in **What are your assumptions or prerequisites?** section). However, if the basic supported plugins are present in the Configuration, it will process those and throw errors for the Unsupported plugins. This can be altered later on when we extend the scope. ### User Experience ### macOS/Linux * User has a `logstash.conf`file. * As of Data Prepper 1.2 release, the Converter will be part of the Data Prepper uber-jar. * User will run the uber-jar with the Logstash configuration file and `data-prepper-config.yaml` (to configure Data Prepper server with TLS/SSL): ``` java -jar data-prepper-core-$VERSION.jar logstash.conf data-prepper-config.yaml ``` * The `logstash.yaml` will be generated. * The Data Prepper log pipeline will read the `logstash.yaml` and run the plugins. ### Docker * User can pull the Data Prepper for Docker image using: ``` docker pull opensearchproject/data-prepper:latest ``` * A bind-mounted volume can be used to give the Logstash configuration using: ``` docker run --name data-prepper --expose 21890 -v /full/path/to/logstash.conf:/usr/share/data-prepper/pipelines.conf -v /full/path/to/data-prepper-config.yaml:/usr/share/data-prepper/data-prepper-config.yaml opensearchproject/opensearch-data-prepper:latest pipelines.conf ``` ### What are your assumptions or prerequisites? * Users wish to use existing Logstash configuration with Data prepper. * Scope of the Converter for the Data Prepper 1.2 release will be supporting a Log HTTP Source plugin as Input plugin, Grok Prepper as Filter Plugin and Opensearch Sink as Output plugin. * Conditionals and other Logstash plugins are not supported in this Converter for the Data Prepper 1.2 release.

but it isnot working for me.

Configuration:

I want to migrate this logstash.conf configuration.

input {
  tcp {
    mode => "server"
    host => "IP"
    port => "6379"
    ssl_enable => "true"
    ssl_cert => "/usr/share/logstash/config/server.crt"
    ssl_key => "/usr/share/logstash/config/privateKey.key"
    ssl_key_passphrase => "PW"
    ssl_verify => "false"
    ssl_cipher_suites => ['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']
    ssl_supported_protocols => ['TLSv1.2', 'TLSv1.3']
    codec => "json_lines"
    tags => "ssl_TCPinput"
  }
}

filter {
if [LogType] == "TrxPersist" {
        mutate { add_tag => "trx_log" }
}
else if [LogType] == "TrxPostProc" {
  mutate { add_tag => "trx_time" }
 }

#filtr-indexy
if [appname] == "INT_EDDIE" {
mutate { add_field => { "[@metadata][target_index]" => "eddie-int" } }
}
}



output {
if [enviroment] == "integration" {
if [appname] == "INT_EDDIE" {
opensearch {
hosts => ["IP:9200"]
ssl => true
ssl_certificate_verification => false
user => "admin"
password => "admin"
index => "%{[@metadata][target_index]}-temporary-%{+YYYY-MM-dd}"
manage_template => false
}
}

else {
opensearch {
hosts => ["IP:9200"]
ssl => true
ssl_certificate_verification => false
user => "admin"
password => "admin"
index => "trash-int-%{+YYYY.MM.dd}"
manage_template => false
}
}
}

else {
opensearch {
hosts => ["IP:9200"]
ssl => true
ssl_certificate_verification => false
user => "admin"
password => "admin"
index => "trash"
manage_template => false
}
}
}

Relevant Logs or Screenshots:

I tried:
docker run --name data-prepper -p 4900:4900 -v ./logstash.conf:/usr/share/data-prepper/pipelines/pipeline.yaml opensearchproject/data-prepper:2.0.1 pipelines.yaml
docker run --name data-prepper -p 4900:4900 -v ./logstash.conf:/usr/share/data-prepper/pipelines/pipelines.yaml opensearchproject/data-prepper:2.0.1 pipelines.yaml
docker run --name data-prepper -p 4900:4900 -v ./logstash.conf:/usr/share/data-prepper/pipelines/pipelines.yaml opensearchproject/data-prepper:2.0.1 pipelines.conf
docker run --name data-prepper -p 4900:4900 -v ./logstash.conf:/usr/share/data-prepper/pipelines/pipelines.conf opensearchproject/data-prepper:2.0.1 pipelines.conf
docker run --name data-prepper -p 4900:4900 -v ./logstash.conf:/usr/share/data-prepper/pipelines.conf opensearchproject/data-prepper:2.0.1 pipelines.conf

I feel like I tried everything but I get error:

Error: runc: runc create failed: unable to start container process: exec: "pipelines.conf": executable file not found in $PATH: OCI runtime attempted to invoke a command that was not found

Please help or convert it for me…
Thanks

dtaivpp · January 12, 2023, 3:51pm

Okay so the last command should be the one to run.

docker run --name data-prepper -p 4900:4900 -v ./logstash.conf:/usr/share/data-prepper/pipelines.conf opensearchproject/data-prepper:2.0.1 pipelines.conf

It seems like the logstash.conf isn’t actually getting mapped in which could be a permissions issue (does your docker group have permissions to this file?) or a directory issue.

Have your tried providing a fully qualified path for logstash.conf? Something like /Users/<username>/home/logstash.conf (this is just a sample you would need the right path depending on your system.

vnovotny98 · January 12, 2023, 5:46pm

Thanks for reply,
I made these changes.
chmod to 777, chown to 1000.1000
now my file looks like:
-rwxrwxrwx 1 1000 1000 1902 Jan 11 16:44 logstash.conf
I tried to run:
docker run --name data-prepper -p 4900:4900 -v /etc/opensearch/dataprepper/logstash.conf:/usr/share/data-prepper/pipelines.conf opensearchproject/data-prepper:2.0.1 pipelines.conf
But go to an error:
Error: runc: runc create failed: unable to start container process: exec: "pipelines.conf": executable file not found in $PATH: OCI runtime attempted to invoke a command that was not found

Looks like I miss some exec file in $PATH which is /usr/share/data-prepper/ I think. But I pulled latest version and didnt make any changes to build.

dtaivpp · January 13, 2023, 2:57pm

@dlv Could you take a look at this? This seems like there may be a race condition here with the logstash formatting on data-prepper.

dlv · January 19, 2023, 10:12pm

@vnovotny98,

Thank you for your interest. Your Logstash configuration has conditionals in it. At the moment, the Logstash converter does not support Logstash’s conditional statements.

Also, Data Prepper does not have a TCP source plugin. Is this something you would be interested in having?

Feel free to create a GitHub issue if you are interested in either of these features in Data Prepper.

vnovotny98 · January 20, 2023, 2:36pm

@dlv
thanks, I started issue TCP source plugin · Issue #2162 · opensearch-project/data-prepper · GitHub
I would love to use it, if you will handle this. I dont know another way how to collect app logs

anubisg1 · February 8, 2023, 11:12am

interesting topic… just wondering … what’s the difference between logstash and data-prepper, why would i want to use one above the other?

vnovotny98 · February 8, 2023, 11:30am

We used logstash for a long time. But for every audit we had a security problem that it was Debian or Ubuntu based and we need to have every app RedHat or UBI-based. I know it is harder to build your own logstash than data-prepper build, because Opensearch makes great how-to-build and give you dockerfiles and everything you need.

dtaivpp · February 24, 2023, 4:45pm

Yeah I think as well data-prepper is providing better support for open telemetry traces which is its big selling point.

Topic		Replies	Views
Logstash Configuration Converter RFC Data Prepper	1	539	February 7, 2023
Hello team, Good day..!, Need support on fluent bit and data prepper configuration OpenSearch troubleshoot , configure	2	309	November 27, 2023
Support required for fluent bit and data prepper configuration and setup Community discuss , troubleshoot , configure , feature-request	2	329	December 14, 2023
Data Prepper is not providing output in json format and not structuring data acc to patterns passed to grok processor Data Prepper	4	174	July 27, 2024
Writing pipelines for data prepper Data Prepper discuss , configure	1	52	September 7, 2024

Logstash conf Converter to Data Prepper

Related topics