Beholder is a log processor. Its purpose is to receive, process, transfer and export log messages.
WARNING: Beholder has no stable version yet. Config syntax, commands, options, behaviour, everything is going to be changed without any backwards compatibility.
Latest versions are stable enough for production. Beware that Beholder is not very optimal yet. It will generate a significant CPU load.
For a quick start, use a premade Docker image:
docker run --rm -ti johnnywoo/beholder:0.1.434 beholder --config 'from timer; to stdout'
With that example config you should see Beholder print randomized messages every second.
usage: beholder
-c,--config <text> Use config from the argument
--dump-instructions Dump conveyor instructions for debugging
-f,--config-file <file> Use config from a file
-h,--help Show usage
-l,--log <file> Internal log file
-q,--quiet Do not print internal log into stdout
-t,--test Config test: syntax and minimal validation
-v,--version Show version
Here are some example configs. You should look through these to familiarize yourself with Beholder.
Listen on a UDP port and write every incoming packet into a file, separated by newlines:
flow {
from udp 1234;
to file '.../from-udp-1234.log';
}
Receive nginx access log over UDP and write it into a file:
flow {
from udp 3820;
parse syslog;
to file '.../access.log';
}
Send internal beholder log as syslog over UDP:
flow {
from internal-log;
set $payload syslog;
to udp 1234;
}
Send internal stats (metrics) into Influx over UDP:
flow {
from timer 30 seconds;
parse beholder-stats;
parse each-field-as-message;
switch $value {
case ~^[0-9]+$~ {}
default {drop}
}
set $host host;
set $payload 'beholder,host=$host,tag=tagval $key=$value';
to udp influxdb-host:8089;
}
Message sources and destinations:
from
— produces messages from various sourcesto
— sends messages to destinationsdump
— troubleshooting output
Message manipulation:
set
— puts values into message fieldskeep
— removes unnecessary message fieldsdrop
— destroys messagesparse
— populates message fields according to some format
Control structures: