Log aggregation — practice of collecting logs from multiple services into a central searchable store. Reason: grepping across 50 servers doesn't scale. Stack options: ELK (Elasticsearch + Logstash + Kibana) — powerful but expensive, Loki (Grafana, cheaper), Splunk (enterprise $$$), CloudWatch/DataDog Logs (SaaS). Critical features: search, alerts, retention, correlation with traces.
Below: details, example, related terms, FAQ.
Free online tool — HTTP header checker: instant results, no signup.
# Fluent Bit config
[INPUT]
Name tail
Path /var/log/nginx/access.log
[OUTPUT]
Name loki
Host grafana-loki:3100
Labels host=$HOSTNAME,service=nginxLog aggregation architecture involves several components that work together to collect, transform, and store logs from various sources. At its core, the architecture typically consists of:
Filebeat or Fluentd are used to forward logs from the source to the log aggregation system. They can parse, filter, and enrich logs before sending.Logstash can be configured to perform parsing, filtering, and enrichment using pipelines.Elasticsearch or Amazon S3, allowing for efficient querying and retrieval.Kibana or Grafana provide dashboards and visualizations, making it easier to analyze log data and identify trends or anomalies.This architecture allows organizations to manage logs at scale, enabling faster troubleshooting, compliance reporting, and security monitoring.
Implementing log aggregation can vary based on the chosen stack. Here are practical examples using two popular log aggregation solutions: ELK Stack and Grafana Loki.
To configure Logstash to aggregate logs from a web server, you can use the following logstash.conf configuration:
input {
file {
path => "/var/log/nginx/access.log"
start_position => "beginning"
}
}
filter {
grok {
match => {"message" => "%{IPORHOST:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:response} %{NUMBER:bytes}"}
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "nginx-access-%{+YYYY.MM.dd}"
}
}For Grafana Loki, you can configure Promtail to scrape logs from a directory. Here’s a sample promtail.yaml configuration:
server:
http:
port: 9080
positions:
filename: /tmp/positions.yaml
clients:
- url: http://localhost:3100/loki/api/v1/push
scrape_configs:
- job_name: nginx
static_configs:
- targets:
- localhost
labels:
job: nginx
__path__: /var/log/nginx/*.logThese configurations illustrate how to set up log aggregation for different environments, allowing for efficient log collection and analysis.
Centralizing logs offers numerous advantages in modern IT environments, particularly as systems become more complex and distributed. Here are some key benefits:
By centralizing logs, organizations can leverage the full power of their log data, enabling proactive monitoring and faster response times in critical situations.
ELK: full-text indexed, fast search, expensive at scale. Loki: Prometheus-like labels + grep at query time, 10× cheaper. For high volume — Loki. For complex search — ELK.
Sampling (drop 90% INFO logs), log level discipline (INFO/WARN/ERROR not DEBUG in prod), TTL (< 30 days hot).
Ingestion in nearest region + async replication. Or separate stores + federated search (Loki federation, CloudWatch cross-account).
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.