Kafka within EFK Monitoring

Today’s world is entirely internet-driven, be it in any field, we can get any product of our choice with one click.

Talking about e-commerce more in DevOps terms, the entire application/website is based on microservice architecture i.e. distributing a bulk application into smaller services to increase scalability, manageability & more process driven.

Hence, to maintain smaller services one of the important aspects is to enable their Monitoring

One such commonly known stack is, EFK stack i.e. (Elasticsearch, Fluentd, Kibana) along with Kafka

Kafka is basically an open-source event streaming platform and is currently used by many companies. 

Question: Why use Kafka within EFK monitoring?  

Answer: Well this is the first question that strikes many minds hence, in this blog we’ll focus on why to use Kafka, what are its benefits and how to integrate it with the EFK stack. 

Interesting right? 🙂 let’s begin -:

So, while traveling we’ve seen crossroads enabled by Traffic lights or Traffic policemen to streamline the traffic, as over crossroads traffic from 4 directions meet. 

So, what do Traffic lights or policemen do? They streamline the traffic by allowing one-way traffic and at the same time stopping in other directions while they wait for their turn.

Talking in technical terms in the above scenario the incoming traffic is streamlined by withholding it for some time or say creating a small buffer, isn’t it?

Kafka also does similar things, imagine approx 300 applications sending logs directly to Elasticsearch which as a result may choke it and during traffic, time scaling up elasticsearch or adding more data nodes isn’t a good solution as it becomes unstable due to re-sharding. 

Introducing kafka, breaks this incoming traffic as it acts as a buffer and sends streamlined chunks to Elasticsearch. 

Let’s understand this with a Block Diagram-: 

Not to worry, I’ll explain each and every block with configurations 🙂

Block 1 -: This block refers to the containers or instances within which application logs are populated along with the td-agent service running (to export the desired log path to Kafka). Td-agent is a stable distribution package of fluentd maintained by Treasure Data and Cloud Native computing foundation. Basically, it’s a data collection daemon. It collects logs from various data sources (in our case application) and uploads/exports them to treasure data.

Installation guide

Within the td-agent conf below configuration is done 

   @type tail
   read_from_head true
   path <path_of_log_file>
   tag <tag_name>
   format json
   keep_time_key true
   time_format 	<time_format_of_logs>
   pos_file < pos_file_location >

<match <tag_name> >
  @type kafka_buffered
     output_include_tag true
     brokers <kafka_hostname:port>
     default_topic <kafka_topic_name>
     output_data_type json
     buffer_type file
     buffer_path <buffer_path_location>
     buffer_chunk_limit 10m
     buffer_queue_limit 256
     buffer_queue_full_action drop_oldest_chunk

The <source> block is dedicated to log configurations, like -:

path   – Path of log file location

tag   – Tag name for logs, its user defined

format        – logs format e.g. json, text etc.

Keep_time_key – Time key to keep from logs e.g. True or false

Time_format   – Time format of logs e.g. %d/%b/%Y:%H:%M:%S

Pos_file      – Position file location, user-defined

Similarly, <match> block is dedicated to destination i.e. where to send these logs -:

@type       – Type of buffer, e.g kafka or elasticsearch

Output_include_tag    – tag_name include as mentioned in source block

Brokers       – Kafka dns name with port

default_topic     – Kafka Topic into which logs will be exported

output_data_type     – Output logs format e.g. json 

Buffer_type          – Buffer type e.g. file 

buffer_path     – Path of buffer file, user-defined

Buffer_chunk_limit   – Chunk limit of buffer

buffer_queue_limit   – Queue limit of buffer

Buffer_queue_full_action – To keep buffer file rotation

For more config. parameters please refer – link

Block 2 -: Is Kafka server, where kafka service is setup 

Kafka uses zookeeper for self-balancing, depending upon your infra zookeeper can be on the same server or separate (separate in case of production setup)

wget http://mirror.fibergrid.in/apache/kafka/

tar -xzf kafka_2.12-

Starting Zookeeper -:

Zookeeper needs to be started first. To do the same a convenience script comes in handy with the Kafka package to start the zookeeper single node standalone instance and further configurations need to be added within zookeeper.properties file. 

vi .bashrc

export KAFKA_HEAP_OPTS="-Xmx500M -Xms500M"

The value needs to be 50% of the total RAM on the instance. 

source .bashrc

Start Zookeeper by the following command in the background using nohup and divert its logs in zookeeper-logs file.

cd kafka_2.12-

nohup bin/zookeeper-server-start.sh config/zookeeper.properties > ~/zookeeper-logs &

Starting Kafka -:

cd kafka_2.12-

nohup bin/kafka-server-start.sh config/server.properties > ~/kafka-logs &

To stop any of them use below commands -: 



Refer to official documentation

Block 3 -: td-agent, used as forwarder

Now, we’ve logs within kafka topics. But we need a mechanism to pull these logs and further export it to Elasticsearch 

So, as td-agent was used to pick application logs and send them to kafka same way here td-agent will be configured as forwarders i.e. to pull logs from kafka and send it to Elasticsearch 


  @type kafka_group

  brokers <kafka_dns:port>

  consumer_group  <consumer_group_kafka>

  topics <kafka_topic_name>


<match <kafka_topic_name> >

    @type forest

    subtype elasticsearch


        host <ElasticSearch IP>

        port <Elasticsearch Port>

        user           <ES_username>

        password       <ES_password>

        logstash_prefix <prefix name>

        logstash_format true

        include_tag_key true

        tag_key tag_name



Again, the source and match block will be updated with similar values as stated before. 

This time, the source will be configured to take logs from kafka and match to forward them to Elasticsearch  

Consumer_group – It’s a group of consumers that share the same group id. When a topic is consumed by consumers in the same group, every record will be delivered to only one consumer.

forest – Creates sub-plugin instance of an output plugin dynamically per tag, from template configurations

Logstash_prefix – Will be index_name to which logs will be sent and viewed inside kibana

Block 4 -: Elasticsearch 

Setup can be done following below official document from Elasticsearch

Elasticsearch setup over ubuntu

Block 5: Kibana setup

Kibana setup

You can configure nginx to make kibana available over port 80 or 443 

Refer link for Nginx configuration.

So, yes now the entire EFK stack is set up with Kafka, and in the same way, it can be configured over standalone mode ( for self-learning) or over different servers for production setup. 

NOTE: – The Elasticsearch and kibana setup is the same only td-agent (collector & forwarder) and Kafka configuration is where the magic happens. 

Happy Learning …

Blog Pundits: Naveen Verma and Sandeep Rawat

OpsTree is an End-to-End DevOps Solution Provider.

Connect with Us

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: