How to use it for log analysis

[WellYixuanDu]

I have a log file named logs.log, the content of the file is such as

2023-08-02 14:30:45 INFO This is an informational log message.
2023-08-02 14:31:15 ERROR An error occurred in the application.
2023-08-02 14:31:45 WARN This is a warning log message.
2023-08-02 14:32:15 DEBUG Debugging information for troubleshooting.

can you tell me how can I use manticore search to log analysis to support keyword search log and then displays the number of log lines containing specific keywords

Thanks a lot

[sanikolaev]

Hi @WellYixuanDu,

The dev version (which is currently a release candidate) offers enhanced support for:

• Logstash
• Beats
• Fluentbit
• Vector

You can try using any of them to write data to Manticore.

After that, you can use Apache Superset or Grafana to visualize your data. Support for Kibana and Opensearch dashboards is in the works.

[WellYixuanDu]

Thanks for your help，but I'm still confused about this. My understanding of manticore search is that the data format of the log needs to be formatted and stored in the table. Do I need to convert the log of the text file into a formatted sql table through logstash, and then analyze it through manticore search, or both I am a little confused about the interface that can be shared between the two. Can you please give an example to explain it? Thank you very much

[sanikolaev]

Do I need to convert the log of the text file into a formatted sql table

No.

Can you please give an example to explain it?

Sure, please take this course https://play.manticoresearch.com/logstash/
Is this helpful?

[WellYixuanDu]

oh,thanks a lot, I have understand it, but I have a new question. I run the logstash,but it's error,the error information is "elasticsearch - Could not connect to a compatible version of Elasticsearch {:url=>"http://localhost:9308/"}"
The conf is as follows
input {
file {
path => ["/data/task_code/search/logs.log"]
start_position => "beginning"
sincedb_path => "/dev/null"
mode => "read"
exit_after_read => "true"
file_completed_action => "log"
file_completed_log_path => "/dev/null"
}

}

output {
elasticsearch {
index => "testlog_1"
hosts => ["http://localhost:9308"]
ilm_enabled => false
manage_template => false
}
}
Where is the problem? Are the two application versions inconsistent? What corresponding version is required?
Thank you again!

[sanikolaev]

What's the Logstash version?

[WellYixuanDu]

I changed the version, Now the version is 7.12.1,the problem now is
[logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9308/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9308/][Manticore::SocketException] 拒绝连接 (Connection refused)"}

I run sudo service manticore status, find now it's error

root@6f3d5fdb3bb7:/data/task_code/search# sudo service manticore start
Starting manticore: Manticore 6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)
Copyright (c) 2001-2016, Andrew Aksyonoff
Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Copyright (c) 2017-2023, Manticore Software LTD (https://manticoresearch.com)

[29:47.208] [1880] using config file '/etc/manticoresearch/manticore.conf' (273 chars)...
starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
listening on 127.0.0.1:9312 for sphinx and http(s)
listening on 127.0.0.1:9306 for mysql
listening on 127.0.0.1:9308 for sphinx and http(s)
ERROR.

but before I change the logstash version, it is running successfully, what's wrong with it

[sanikolaev]

What's in the searchd log (/var/log/manticore/searchd.log)?

[WellYixuanDu]

[Wed Aug 2 15:59:48.652 2023] [11466] binlog: replaying log /var/lib/manticore/binlog/binlog.001
[Wed Aug 2 15:59:48.652 2023] [11466] binlog: replay stats: 0 commits; 0 updates, 0 reconfigure; 0 pq-add; 0 pq-delete; 0 pq-add-delete, 0 tables
[Wed Aug 2 15:59:48.652 2023] [11466] binlog: finished replaying /var/lib/manticore/binlog/binlog.001; 0.0 MB in 0.000 sec
[Wed Aug 2 15:59:48.652 2023] [11466] binlog: replaying log /var/lib/manticore/binlog/binlog.001
[Wed Aug 2 15:59:48.652 2023] [11466] binlog: replay stats: 0 commits; 0 updates, 0 reconfigure; 0 pq-add; 0 pq-delete; 0 pq-add-delete, 0 tables
[Wed Aug 2 15:59:48.652 2023] [11466] binlog: finished replaying /var/lib/manticore/binlog/binlog.001; 0.0 MB in 0.000 sec
[Wed Aug 2 15:59:48.652 2023] [11466] binlog: finished replaying total 2 in 0.000 sec
[Wed Aug 2 15:59:48.654 2023] [11469] prereading 0 tables
[Wed Aug 2 15:59:48.654 2023] [11469] preread 0 tables in 0.000 sec
[Wed Aug 2 15:59:48.667 2023] [11463] accepting connections
[Wed Aug 2 15:59:50.452 2023] [11476] [BUDDY] started '/usr/share/manticore/modules/manticore-buddy --listen=http://127.0.0.1:9312 --threads=120' at http://127.0.0.1:37201
[Thu Aug 3 15:28:20.359 2023] [1110] watchdog: main process 1111 forked ok
[Thu Aug 3 15:28:20.378 2023] [1111] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:28:20.379 2023] [1111] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:28:20.379 2023] [1111] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:28:20.379 2023] [1111] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:28:20.419 2023] [1111] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:28:20.427 2023] [1110] watchdog: main process 1111 exited cleanly (exit code 1), shutting down
[Thu Aug 3 15:28:31.415 2023] [1242] watchdog: main process 1243 forked ok
[Thu Aug 3 15:28:31.431 2023] [1243] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:28:31.432 2023] [1243] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:28:31.432 2023] [1243] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:28:31.432 2023] [1243] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:28:31.459 2023] [1243] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:28:31.469 2023] [1242] watchdog: main process 1243 exited cleanly (exit code 1), shutting down
[Thu Aug 3 15:29:47.212 2023] [1882] watchdog: main process 1883 forked ok
[Thu Aug 3 15:29:47.228 2023] [1883] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:29:47.228 2023] [1883] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:29:47.228 2023] [1883] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:29:47.228 2023] [1883] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:29:47.255 2023] [1883] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:29:47.263 2023] [1882] watchdog: main process 1883 exited cleanly (exit code 1), shutting down
[Thu Aug 3 15:37:05.049 2023] [2031] watchdog: main process 2032 forked ok
[Thu Aug 3 15:37:05.067 2023] [2032] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:37:05.068 2023] [2032] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:37:05.068 2023] [2032] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:37:05.068 2023] [2032] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:37:05.098 2023] [2032] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:37:05.109 2023] [2031] watchdog: main process 2032 exited cleanly (exit code 1), shutting down
[Thu Aug 3 15:37:06.979 2023] [2163] watchdog: main process 2164 forked ok
[Thu Aug 3 15:37:06.994 2023] [2164] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:37:06.995 2023] [2164] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:37:06.995 2023] [2164] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:37:06.995 2023] [2164] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:37:07.022 2023] [2164] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:37:07.031 2023] [2163] watchdog: main process 2164 exited cleanly (exit code 1), shutting down
[Thu Aug 3 15:37:09.149 2023] [2295] watchdog: main process 2296 forked ok
[Thu Aug 3 15:37:09.164 2023] [2296] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:37:09.164 2023] [2296] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:37:09.164 2023] [2296] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:37:09.164 2023] [2296] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:37:09.191 2023] [2296] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:37:09.199 2023] [2295] watchdog: main process 2296 exited cleanly (exit code 1), shutting down
[Thu Aug 3 15:45:37.664 2023] [2892] watchdog: main process 2893 forked ok
[Thu Aug 3 15:45:37.680 2023] [2893] starting daemon version '6.0.5 2a6ea8f@230801 dev (columnar 2.0.5 26eb589@230801) (secondary 2.0.5 26eb589@230801)' ...
[Thu Aug 3 15:45:37.680 2023] [2893] listening on 127.0.0.1:9312 for sphinx and http(s)
[Thu Aug 3 15:45:37.680 2023] [2893] listening on 127.0.0.1:9306 for mysql
[Thu Aug 3 15:45:37.680 2023] [2893] listening on 127.0.0.1:9308 for sphinx and http(s)
[Thu Aug 3 15:45:37.711 2023] [2893] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version
[Thu Aug 3 15:45:37.722 2023] [2892] watchdog: main process 2893 exited cleanly (exit code 1), shutting down

[sanikolaev]

[Thu Aug 3 15:45:37.711 2023] [2893] FATAL: binlog meta file /var/lib/manticore/binlog/binlog.meta is v.13, binary is v.14; recovery requires previous binary version

means Manticore stopped right after it was started, that's why you can't connect to it. You probably didn't stop the previous version cleanly which left the binlog files and the more recent version can't read them. You can get back to the older version, start it and then stop it cleanly and then upgrade again. Or if you don't need the binlog, you can just remove the files (/var/lib/manticore/binlog/*) and restart Manticore.

[WellYixuanDu]

Thank you a lot, I solved it.