How to Send Structured Logs to ELK Stack with Custom Fields Using Python Logging?
I'm working on a Python application where I want to send logs to the ELK stack. However, I'm struggling to add custom fields to the log entries so that they appear as separate fields in Kibana, not just inside the "message" field. I'm relatively new to the ELK stack, so any guidance would be appreciated.
I tried using custom formatters, but all fields still end up inside the "message" field in Kibana. Here's my current Python script:
import logging
from logstash_async.formatter import LogstashFormatter
try:
import json
except ImportError:
import simplejson as json
from logstash_async.handler import AsynchronousLogstashHandler
class CustomLogstashFormatter(LogstashFormatter):
def format(self, record):
log_record = {
"timestamp": self._format_timestamp(record.created),
"level": record.levelname,
"logger": record.name,
"message": record.getMessage(),
"filename": record.pathname,
"funcName": record.funcName,
"appName": "MyPythonApp"
}
if record.exc_info:
log_record['exception'] = self._format_exception(record.exc_info)
return json.dumps(log_record)
def activate_logging() -> None:
logstash_handler = AsynchronousLogstashHandler("0.0.0.0", 5000, database_path=None)
logstash_handler.setFormatter(CustomLogstashFormatter())
logging.basicConfig(
level=logging.INFO,
force=True,
handlers=[logstash_handler]
)
Despite this setup, all log fields appear nested within the "message" field.
I've researched and found some suggestions about changing the logstash.conf file to properly parse the log fields, but I can't modify the Logstash configuration at the moment.
Is there any way to achieve my goal directly from the application?
Any help or guidance would be greatly appreciated.
It turned out that actually the only way was to update the logstash .conf. What I didn't want to do was to add filters or plugins, but really it's simply a problem of how I defined the input part. My configuration was as follows:
input {
tcp {
port => 5000
}
}
output {
elasticsearch {
hosts => "elasticsearch:9200"
}
}
Since no codec was specified, the data was treated as plain text. By updating it to what follows, it manages to unpack the 'message' into fields.
input {
tcp {
port => 5000
type => syslog
codec => json_lines
}
}
output {
elasticsearch {
hosts => "elasticsearch:9200"
}
}
- How to convert a python datetime.timedelta to years?
- Why does python allocate new memory to variables on every new assignment?
- Changing the GridSpec properties after generating the subplots
- Python virtual environment and `sys.path`
- Correct path of mock.patch
- Open document with default OS application in Python, both in Windows and Mac OS
- How can I parse (read) and use JSON in Python?
- how to choose certain amount of characters from a column in Python?
- Python unit tests run function after all test
- Do we ever need to synchronise threads in python?
- Reverse Inlines in Django Admin
- Object points and Image points in OpenCV calibrateCamera
- PDB won't stop on breakpoint
- Black formatter - Ignore specific multi-line code
- Polars Rolling Mean, fill start of window with null instead of shortened window
- Reading registers with pymodbus
- Read python output from another python script
- can't import gdal in python?
- How to close files using the pathlib module?
- Using PdfFileMerger in Python to merge PDFs with the same name, but different numbers
- Why is numpy's sine function so inaccurate at some points?
- I keep on getting a KeyError in Python
- NaN in mapper - name 'nan' is not defined
- Pandas groupby transform mean with date before current row for huge huge dataframe
- What does pip install . (dot) mean?
- Trying to Find Optimal Price Point in a Data Set
- How to create a whatsapp bot?
- Collatz Conjecture in Python
- ImportError: cannot import name 'url' from 'django.conf.urls' after upgrading to Django 4.0
- Polars Pivot Dataframe an count the cumulative uniques ID