Logstash is a log management tool that collects data from a variety of sources, transforms it on the fly, and sends it to your desired destination. It is often used as a data pipeline for Elasticsearch, an open-source analytics and search engine.
Now, Manticore supports the use of Logstash as a processing pipeline. This allows the collected and transformed data to be sent to Manticore just like to Elasticsearch. Currently, the versions 7.6-7.15 are supported.
Let’s examine a simple example of a Logstash config file used for indexing dpkg.log, a standard log file of the Debian package manager. The log itself has a simple structure, as shown below:
2023-05-31 10:42:55 status triggers-awaited ca-certificates-java:all 20190405ubuntu1.1
2023-05-31 10:42:55 trigproc libc-bin:amd64 2.31-0ubuntu9.9 <none>
2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 status installed libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>Here is an example Logstash configuration:
input {
file {
path => ["/var/log/dpkg.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
mode => "read"
exit_after_read => "true"
file_completed_action => "log"
file_completed_log_path => "/dev/null"
}
}
output {
elasticsearch {
index => " dpkg_log"
hosts => ["http://localhost:9308"]
ilm_enabled => false
manage_template => false
}
}Note that, before proceeding further, one crucial caveat needs to be addressed: Manticore does not support Log Template Management and the Index Lifecycle Management features of Elasticsearch. As these features are enabled by default in Logstash, they need to be explicitly disabled in the config. Additionally, the hosts option in the output config section must correspond to Manticore’s HTTP listen port (default is localhost:9308).
After adjusting the config as described, you can run Logstash, and the data from the dpkg log will be passed to Manticore and properly indexed.
Here is the resulting schema of the created table and an example of the inserted document:
mysql> DESCRIBE dpkg_log;
+------------------+--------+---------------------+
| Field | Type | Properties |
+------------------+--------+---------------------+
| id | bigint | |
| message | text | indexed stored |
| @version | text | indexed stored |
| @timestamp | text | indexed stored |
| path | text | indexed stored |
| host | text | indexed stored |
+------------------+--------+---------------------+mysql> SELECT * FROM dpkg_log LIMIT 1\G
*************************** 1. row ***************************
id: 7280000849080746110
host: logstash-db848f65f-lnlf9
message: 2023-04-12 02:03:21 status unpacked libc-bin:amd64 2.31-0ubuntu9
path: /var/log/dpkg.log
@timestamp: 2023-06-16T09:23:57.405Z
@version: 1Filebeat is a lightweight shipper for forwarding and centralizing log data. Once installed as an agent, it monitors the log files or locations you specify, collects log events, and forwards them for indexing, usually to Elasticsearch or Logstash.
Now, Manticore also supports the use of Filebeat as processing pipelines. This allows the collected and transformed data to be sent to Manticore just like to Elasticsearch. Currently, all the versions >= 7.10 are supported.
Below is a Filebeat config to work with our example dpkg log:
filebeat.inputs:
- type: filestream
id: example
paths:
- /var/log/dpkg.log
output.elasticsearch:
hosts: ["http://localhost:9308"]
index: "dpkg_log"
allow_older_versions: true
setup.ilm:
enabled: false
setup.template:
name: "dpkg_log"
pattern: "dpkg_log"Note that Filebeat versions higher than 8.10 have the output compression feature enabled by default. That is why the compression_level: 0 option must be added to the configuration file to provide compatibility with Manticore:
filebeat.inputs:
- type: filestream
id: example
paths:
- /var/log/dpkg.log
output.elasticsearch:
hosts: ["http://localhost:9308"]
index: "dpkg_log"
allow_older_versions: true
compression_level: 0
setup.ilm:
enabled: false
setup.template:
name: "dpkg_log"
pattern: "dpkg_log"Once you run Filebeat with this configuration, log data will be sent to Manticore and properly indexed. Here is the resulting schema of the table created by Manticore and an example of the inserted document:
mysql> DESCRIBE dpkg_log;
+------------------+--------+--------------------+
| Field | Type | Properties |
+------------------+--------+--------------------+
| id | bigint | |
| @timestamp | text | indexed stored |
| message | text | indexed stored |
| log | json | |
| input | json | |
| ecs | json | |
| host | json | |
| agent | json | |
+------------------+--------+--------------------+mysql> SELECT * FROM dpkg_log LIMIT 1\G
*************************** 1. row ***************************
id: 7280000849080753116
@timestamp: 2023-06-16T09:27:38.792Z
message: 2023-04-12 02:06:08 status half-installed libhogweed5:amd64 3.5.1+really3.5.1-2
input: {"type":"filestream"}
ecs: {"version":"1.6.0"}
host: {"name":"logstash-db848f65f-lnlf9"}
agent: {"ephemeral_id":"587c2ebc-e7e2-4e27-b772-19c611115996","id":"2e3d985b-3610-4b8b-aa3b-2e45804edd2c","name":"logstash-db848f65f-lnlf9","type":"filebeat","version":"7.10.0","hostname":"logstash-db848f65f-lnlf9"}
log: {"offset":80,"file":{"path":"/var/log/dpkg.log"}}DBeaver is a SQL client software application and a database administration tool. For MySQL databases, it applies the JDBC application programming interface to interact with them via a JDBC driver.
Manticore allows you to use DBeaver for working with data stored in Manticore tables the same way as if it was stored in a MySQL database.
To start working with Manticore in DBeaver, follow these steps:
- Choose the
New database connectionoption in DBeaver's UI - Choose
SQL->MySQLas DBeaver's database driver - Set the
Server hostandPortoptions corresponding to the host and port of your Manticore instance (keep thedatabasefield empty) - Set
root/<empty password>as authentication credentials
Since Manticore does not fully support MySQL, only a part of DBeaver's functionality is available when working with Manticore.
You will be able to:
- View, create, delete, and rename tables
- Add and drop table columns
- Insert, delete, and update column data
You will not be able to:
- Use database integrity check mechanisms (
MyISAMwill be set as the only storage engine available) - Use MySQL procedures, triggers, events, etc.
- Manage database users
- Set other database administration options
Some MySQL data types are not currently supported by Manticore and, therefore, cannot be used when creating a new table with DBeaver. Also, a few of the supported data types are converted to the most similar Manticore types with type precision being ignored in such conversion. Below is the list of supported MySQL data types as well as the Manticore types they are mapped to:
BIGINT UNSIGNED=>bigintBOOL=>booleanDATE,DATETIME,TIMESTAMP=>timestampFLOAT=>floatINT=>intINT UNSIGNED,SMALLINT UNSIGNED,TINYINT UNSIGNED,BIT=>uintJSON=>jsonTEXT,LONGTEXT,MEDIUMTEXT,TINYTEXT,BLOB,LONGBLOB,MEDIUMBLOB,TINYBLOB=>textVARCHAR,LONG VARCHAR,BINARY,CHAR,VARBINARY,LONG VARBINARY=>string
You can find more details about Manticore data types here.
Manticore is able to handle the DATE, DATETIME and TIMESTAMP data types, however, this reqiures Manticore's Buddy enabled. Otherwise, an attempt to operate with one of these types will result in an error.
Note that the TIME type is not supported.
-
DBeaver's
Preferences->Connections->Client identificationoption must not be turned off or overridden. To work correctly with DBeaver, Manticore needs to distinguish its requests from others. For this, it uses client notification info sent by DBeaver in request headers. Disabling client notification will break that detection and, therefore, Manticore's correct functionality. -
When trying to update data in your table for the first time, you'll see the
No unique keypopup message and will be asked to define a custom unique key. When you get this message, perform the following steps:- Choose the
Custom Unique Keyoption - Choose only the
idcolumn in the columns list - Press
Ok
After that, you'll be able to update your data safely.
- Choose the