OK, maybe that’s not entirely true. But my read-only client, certainly.
I was perusing the Logstash input plugins recently when I noticed that there was one for IRC. Being a fan of IRC and a regular on the #obihackers channel, I thought this could be fun and yet another great example of how easy the Elastic stack is to work with.
Installation is a piece of cake:
wget https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/zip/elasticsearch/2.2.1/elasticsearch-2.2.1.zip
wget https://download.elastic.co/logstash/logstash/logstash-2.2.2.zip
wget https://download.elastic.co/kibana/kibana/kibana-4.4.2-linux-x64.tar.gz
unzip \*.zip
tar -xf kibana-4.4.2-linux-x64.tar.gz
sudo mv elasticsearch-2.2.1 logstash-2.2.2 kibana-4.4.2-linux-x64 /opt
(you’ll also need Oracle JDK installed if not already, here’s a handy way to get it from the CLI).
Start up Elasticsearch and Kibana:
/opt/elasticsearch-2.2.1/bin/elasticsearch
/opt/kibana-4.4.2-linux-x64/bin/kibana
Use screen, cos it’s awesome, to run these in parallel on the same SSH connection.
Now create a file (e.g. logtash-irc.conf) to hold the Logstash configuration. It’s very simple - connect to the IRC server, on a given channel, then add geographical attributes to each message based on the host of the user, and then dump the whole lot to both stdout and Elasticsearch:
# @rmoff / March 24, 2016
input {
irc {
channels => "#obihackers"
host => "chat.freenode.net"
}
}
filter {
geoip {
source => "host"
}
}
output {
stdout {
codec => "rubydebug"
}
elasticsearch {
hosts => "localhost"
index => "logstash-irc-%{+YYYY.MM.dd}"
}
}
Now set Logstash running:
/opt/logstash-2.2.2/bin/logstash -f logstash-irc.conf
Now any message to the channel will get picked up by the bot, sent to Elasticsearch, and echoed to stdout:
{
"message" => "ChristianBerg: LOL, never thought that before",
"@version" => "1",
"@timestamp" => "2016-03-24T15:52:47.616Z",
"user" => "rmoff!~rmoff@12345",
"command" => "PRIVMSG",
"channel" => "#obihackers",
"nick" => "rmoff",
"server" => "chat.freenode.net:6667",
"host" => "host-12345",
"geoip" => {
"ip" => "1.2.3.4",
"country_code2" => "GB",
"country_code3" => "GBR",
"country_name" => "United Kingdom",
"continent_code" => "EU",
"region_name" => "B4",
"city_name" => "Shipley",
"latitude" => 53.83330000000001,
"longitude" => -1.766699999999986,
"timezone" => "Europe/London",
"real_region_name" => "Bradford",
"location" => [
[0] -1.766699999999986,
[1] 53.83330000000001
]
}
}
You can quickly check that the data’s making it into Elasticsearch by running:
curl -XGET 'http://localhost:9200/logstash-irc-*/_search?pretty'
You should get something like this back:
{
"took" : 6,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 278,
"max_score" : 1.0,
"hits" : [ {
"_index" : "logstash-irc-2016.03.24",
"_type" : "logs",
"_id" : "AVOpXg1lfUfBfaUyS5CU",
"_score" : 1.0,
"_source" : {
"message" : "rmoff: I can't even get an IP from hugh_jass",
"@version" : "1",
"@timestamp" : "2016-03-24T11:58:57.401Z",
[...]
Now the data’s in Elasticsearch, it’s a piece of cake to knock up a quick dashboard in Kibana with auto-refresh switched on, showing the current channel activity and some key stats for the day:
If you’ve not built a Kibana dashboard before, check out other articles I’ve written which walk through the process.
