ntpstats-ng - ntppoolstats

CSV data from the pool.ntp.org project as the source for 'ntppoolstats'.

Important
This chapter is being edited and is not yet complete.
ntpstats-live_ntppoolstats
Figure 1. ntpstats-live ntppoolstats

Data flow

ntppoolstats_dataflow
Figure 2. ntppoolstats data flow

Logstash

logstash-5.1.2
# /etc/logstash/conf.d/ntpstats-ng.conf.ntppoolstats

input {
    http_poller { ... } (1)
}

filter {
    grok { ... } (2)
    date { ... } (3)
    ruby { ... } (4)
    if [score] > 10 {
        mutate { ... } (5)
    }
}

output {
    file { ... } (6)
    elasticsearch { ... } (7)
}
Note
The complete file can be found here: ntpstats-ng.conf.ntppoolstats

input

http_poller

To fetch the current CSV data periodically, we use logstash-input-http_poller.

input {
    http_poller {
        # replace the two placeholders <SOURCE_ADDRESS> with your server IP address
        add_field => {
            "elastic_index"  => "ntpstats-live"
            "statshost"      => "los_angeles"
            "source_address" => "<SOURCE_ADDRESS>"
        }
        urls      => {
            stats => "http://www.pool.ntp.org/scores/<SOURCE_ADDRESS>/log?limit=1"
        }
        schedule  => { "every" => "15m" }
        codec     => "plain"
        type      => "ntppoolstats"
    }
}

The result:

"message":"ts_epoch,ts,offset,step,score,leap\n1486332838,\"2017-02-05 22:13:58\",-0.0148128271102905,1,20,0\n"

As a preview of the output (in JSON format):

head -n 1 /tmp/ntpstats-ng-2017-02-05.json | jq
{
  "clock_offset": -0.0148128271102905,
  "statsstamp": "2017-02-05T22:13:58.000Z",
  "message": "score:20.0 OK",
  "type": "ntppoolstats",
  "elastic_index": "ntpstats-live-2017-02-05",
  "score": 20,
  "@timestamp": "2017-02-05T22:29:49.080Z",
  "source_address": "<SOURCE_ADDRESS>",
  "step": 1,
  "leap": 0,
  "statshost": "los_angeles"
}

filter

The following filters are applied only to events of type ntppoolstats.

filter {
    if [type] == "ntppoolstats" {

grok

        grok {
            match => {
                "message" => "ts_epoch,ts,offset,step,score,leap\n%{NUMBER:ts_epoch:int},\"%{TIMESTAMP_ISO8601:statsstamp}\",(%{NUMBER:clock_offset:float})?,%{NUMBER:step:float},%{NUMBER:score:float},%{NUMBER:leap:int}\n"
            }
            remove_field => [ "@version", "ts_epoch" ]
        }

date

        date {
            match    => [ "statsstamp", "YYYY-MM-dd HH:mm:ss" ]
            target   => "statsstamp"
            timezone => "UTC"
        }

ruby

        ruby {
            # logstash >= 5.0
            code => "
                statsstamp    = event.get('statsstamp').to_s;
                statsstamp    = DateTime.parse(statsstamp).strftime('%Y-%m-%d');
                elastic_index = event.get('elastic_index') + '-' + statsstamp;

                event.set('elastic_index', elastic_index);
            "
        }

mutate

Only servers with a score above “10” are included in the pool.

        if [score] > 10 {
            mutate {
                replace => { "message" => "score:%{score} OK" }
            }
        } else {
            mutate {
                replace => { "message" => "score:%{score} WARNING" }
            }
        }
    }
}

output

output {
    if [type] == "ntppoolstats" {

file

        # DEBUG
        file {
            path => "/tmp/%{elastic_index}.json"
        }

elasticsearch

        if  ! ( "_grokparsefailure" in [tags] )
        and ! ( "_dateparsefailure" in [tags] )
        and ! ( "_rubyexception"    in [tags] ) {
            elasticsearch {
                hosts => [ "localhost:9200" ]
                index => "%{elastic_index}"
            }
        }
    }
}
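
The filter chain above, reproduced in plain Ruby so the pattern and the failure tags can be checked offline against sample response bodies. This is an added example, not part of ntpstats-ng; the name process, the simplified regexes standing in for grok's NUMBER and TIMESTAMP_ISO8601, and the sample bodies are assumptions.

```ruby
require 'time'

# Simplified stand-ins for grok's NUMBER and TIMESTAMP_ISO8601 (assumption:
# narrower than the real grok patterns, sufficient for this CSV).
NUM  = '-?\d+(?:\.\d+)?'
TS   = '\d{4}-\d\d-\d\d \d\d:\d\d:\d\d'
LINE = /ts_epoch,ts,offset,step,score,leap\n(?<ts_epoch>#{NUM}),"(?<statsstamp>#{TS})",(?<clock_offset>#{NUM})?,(?<step>#{NUM}),(?<score>#{NUM}),(?<leap>#{NUM})\n/

# Constructed sample bodies: the page's result line, an empty offset with a
# low score, and a non-CSV body such as an error page.
SAMPLES = [
  "ts_epoch,ts,offset,step,score,leap\n1486332838,\"2017-02-05 22:13:58\",-0.0148128271102905,1,20,0\n",
  "ts_epoch,ts,offset,step,score,leap\n1486333738,\"2017-02-05 22:28:58\",,1,-5,0\n",
  "<html>503 Service Unavailable</html>"
].freeze

# process (hypothetical name) mirrors grok -> date -> ruby -> mutate for one event.
def process(message, elastic_index = 'ntpstats-live')
  event = { 'elastic_index' => elastic_index, 'message' => message, 'tags' => [] }
  m = LINE.match(message)
  unless m
    # No date suffix is added, so the DEBUG file output would write this
    # event to /tmp/ntpstats-live.json; the tag guard keeps it out of the index.
    event['tags'] << '_grokparsefailure'
    return event
  end
  begin
    stamp = Time.strptime("#{m[:statsstamp]} +0000", '%Y-%m-%d %H:%M:%S %z').utc
  rescue ArgumentError
    event['tags'] << '_dateparsefailure'
    return event
  end
  event['statsstamp']    = stamp.strftime('%Y-%m-%dT%H:%M:%S.000Z')
  event['clock_offset']  = m[:clock_offset].to_f if m[:clock_offset]
  event['step']          = m[:step].to_f
  event['score']         = m[:score].to_f
  event['leap']          = m[:leap].to_i
  event['elastic_index'] = "#{elastic_index}-#{stamp.strftime('%Y-%m-%d')}"
  verdict = event['score'] > 10 ? 'OK' : 'WARNING'
  event['message'] = "score:#{event['score']} #{verdict}"
  event
end

SAMPLES.each { |body| p process(body) }
```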

The details of data storage are described in the Elasticsearch chapter.


ntpstats-ng © MMXV-MMXVII WOLfgang Schricker
