
Integration of Manticore with Fluentbit

Introduction

Fluent Bit is an open source, multi-platform tool for log processing and distribution.
Nowadays data comes from many sources, and Fluent Bit can help you aggregate and process all of your log data.
Manticore now supports Fluent Bit as a processing pipeline, so the data Fluent Bit collects and transforms can be sent directly to Manticore.

Let’s examine a simple example of indexing dpkg.log, a standard log file of the Debian package manager. The log itself has a simple structure, as shown below:

2023-05-31 10:42:55 status triggers-awaited ca-certificates-java:all 20190405ubuntu1.1
2023-05-31 10:42:55 trigproc libc-bin:amd64 2.31-0ubuntu9.9 <none>
2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 status installed libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>

Configuration

Here is an example of a Fluent Bit configuration file one can use to work with Manticore:

[SERVICE]
	flush    	1
	daemon   	On
	log_level	info

[INPUT]
	name tail
	path /var/log/dpkg.log
	inotify_watcher false
	read_from_head true

[OUTPUT]
	name es
	match *
	host 127.0.0.1
	port 9308
	index  dpkg_log

Note that our example is meant to be run in Docker, so we start Fluent Bit in daemon mode and with the INPUT option inotify_watcher disabled, to avoid possible issues with the Docker environment that can lead to errors. We also assume that Manticore is listening on its default HTTP port, 9308.

Results

Now you can simply run Fluent Bit with the config above. The data from the dpkg log will be passed to Manticore and properly indexed.

Here is the resulting schema of the created table and an example of the inserted document:

mysql> DESCRIBE dpkg_log;
+-------------+--------+----------------+
| Field       | Type   | Properties     |
+-------------+--------+----------------+
| id          | bigint |                |
| @timestamp  | text   | indexed stored |
| log         | text   | indexed stored |
+-------------+--------+----------------+

mysql> SELECT * FROM dpkg_log LIMIT 3\G
*************************** 1. row ***************************
id: 7856533729353662465
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 startup archives install
*************************** 2. row ***************************
id: 7856533729353662466
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 install base-passwd:amd64 <none> 3.5.47
*************************** 3. row ***************************
id: 7856533729353662467
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 status half-installed base-passwd:amd64 3.5.47
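As the schema shows, the tail input ships each dpkg.log line unparsed as a single log string. The following added example (not code from the post or from Fluent Bit) parses the line shapes shown above into the fields a structured table would need, and builds the @timestamp-plus-log document the es output sends; the sample lines and ingestion time are constructed, and the <none> version token is mapped to None.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the same shapes as the dpkg.log excerpt above.
SAMPLE_LINES = [
    "2023-05-31 10:42:55 startup archives install",
    "2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9",
    "2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>",
    "2023-06-05 14:03:04 install base-passwd:amd64 <none> 3.5.47",
    "2023-05-31 10:42:55 conffile /etc/default/grub keep",
    "garbage line that does not match",
]
# Constructed ingestion time, matching the @timestamp format seen in the SELECT output.
SAMPLE_INGEST_TIME = datetime(2023, 8, 4, 15, 9, 21, 191000, tzinfo=timezone.utc)

_TS = r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
# The three line shapes dpkg writes: state changes, package actions, housekeeping.
_PATTERNS = [
    re.compile(_TS + r"status (?P<state>\S+) (?P<package>[^:\s]+):(?P<arch>\S+) (?P<version>\S+)$"),
    re.compile(_TS + r"(?P<action>install|upgrade|configure|trigproc|remove|purge|disappear) "
               r"(?P<package>[^:\s]+):(?P<arch>\S+) (?P<old_version>\S+) (?P<new_version>\S+)$"),
    re.compile(_TS + r"(?P<action>startup|conffile) (?P<arg1>\S+) (?P<arg2>\S+)$"),
]

def parse_dpkg_line(line: str):
    """Return the fields of one dpkg.log line as a dict, or None if it does not parse."""
    for pattern in _PATTERNS:
        m = pattern.match(line.strip())
        if m:
            fields = m.groupdict()
            # dpkg writes the literal token <none> for an absent version; store None instead.
            for key in ("version", "old_version", "new_version"):
                if fields.get(key) == "<none>":
                    fields[key] = None
            return fields
    return None

def to_record(line: str, ingested_at: datetime) -> dict:
    """Build the document Fluent Bit's es output would send (@timestamp plus the raw
    line), with the parsed fields merged in when the line is recognised."""
    stamp = ingested_at.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ingested_at.microsecond // 1000:03d}Z"
    record = {"@timestamp": stamp, "log": line}
    record.update(parse_dpkg_line(line) or {})
    return record

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_record(sample, SAMPLE_INGEST_TIME))
```

An unrecognised line keeps only @timestamp and log, so nothing is dropped on the way to the table.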

Conclusion

The integration of Manticore with Fluent Bit provides a powerful and efficient solution for handling and indexing log data, making it more accessible and manageable for various applications. With this simple configuration and clear examples provided, even those new to these tools can quickly get started and benefit from the robust capabilities of Manticore and Fluent Bit working together. Whether you’re dealing with standard logs or more complex data sources, this collaboration simplifies the process and opens up new possibilities for effective data management.
