Centralized Logging Patterns

A presentation at All Day DevOps by Philipp Krenn

Disclaimer I build highly monitored Hello World apps @xeraa

Example: Java SLF4J, Logback, MDC @xeraa

.NET: NLog PHP: Monolog JavaScript: Winston ... @xeraa

Anti-Pattern: print System.out.println("Oops"); @xeraa

[2018-09-28 10:30:38.516] ERROR net.xeraa.logging.LogMe [main] - user_experience= , session=46, loop=15 - Wake me up at night java.lang.RuntimeException: Bad runtime... at net.xeraa.logging.LogMe.main(LogMe.java:30) ^[%{TIMESTAMP_ISO8601:timestamp}]%{SPACE}%{LOGLEVEL:level} %{SPACE}%{USERNAME:logger}%{SPACE}[%{WORD:thread}] %{SPACE}-%{SPACE}%{GREEDYDATA:mdc}%{SPACE}-%{SPACE} %{GREEDYDATA:themessage}(?:\n+(?<stacktrace>(?:.|\r|\n)+))? @xeraa

Pro: No change Con: RegEx, timestamp, multiline @xeraa

Pro: No files Con: Outages & coupling @xeraa

Pro: Right format Con: JSON serialization overhead @xeraa

https://turnoff.us/geek/beforedevops-after-devops/

Default JSON log filebeat.prospectors: - type: log paths: - "/var/lib/docker/containers//.log" json.message_key: log json.keys_under_root: true processors: - add_docker_metadata: ~ @xeraa

Metadata { "host": "10.4.15.9", "port": 6379, "docker": { "container": { "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51", "name": "my-java", "image": "my-java:1.0.0", "labels": { "app": "java" } } } } @xeraa

Mount log path my-java: container_name: my-java hostname: my-java build: ${PWD}/config/my-java networks: ['stack'] command: java -jar my-java.jar volumes: - ./logs/my-java/:/opt/my-java/logs/ filebeat: container_name: filebeat hostname: filebeat image: "docker.elastic.co/beats/filebeat:${ELASTIC_VERSION}" volumes: - ./logs/my-java/:/var/log/my-java/ - ./docker-compose/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro command: filebeat -e networks: ['stack'] @xeraa

Registry file filebeat.registry_file: /usr/share/filebeat/data/registry @xeraa

..-`__ ''-._ _.-.`. ''-._ .-.-```. ```\/ _.,_ ''-._ ( ' , .-` | `, ) |`-._`-...-` __...-.-.|'`_.-'| |`-.`._ / _.-' |`-._ `-._`-./ *.-' *.-' |`-._`-.*`-.__.-' _.-'_.-'| |`-.*`-._ _.-'_.-' |`-._ `-._`-..-'*.-' *.-' |`-._`-.*`-.__.-' _.-'_.-'| |`-.*`-._ _.-'_.-' |`-._ `-._`-..-'_.-' _.-' `-._`-..-' _.-' `-._ _.-'`-..-' Redis 4.0.9 (00000000/0) 64 bit Running in stand alone mode Port: 6379 PID: 55757 http://redis.io @xeraa

Configuration templates filebeat.autodiscover: providers: - type: docker templates: - condition: equals: docker.container.image: redis config: - type: docker containers.ids: - "${data.docker.container.id}" exclude_lines: ["^\s+[\-`('.|_]"] @xeraa
Drop asciiart lines

Metadata processors: - add_kubernetes_metadata: in_cluster: true @xeraa

Metadata { "host": "172.17.0.21", "port": 9090, "kubernetes": { "container": { "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51", "image": "my-java:1.0.0", "name": "my-java" }, "labels": { "app": "java", }, "namespace": "default", "node": { "name": "minikube" }, "pod": { "name": "java-2657348378-k1pnh" } }, } @xeraa

Configuration templates filebeat.autodiscover: providers: - type: kubernetes templates: - condition: equals: kubernetes.namespace: redis config: - type: docker containers.ids: - "${data.kubernetes.container.id}" exclude_lines: ["^\s+[\-`('.|_]"] # Drop asciiart lines @xeraa

Customize indices output.elasticsearch: index: "%{[kubernetes.namespace]:filebeat}-%{[beat.version]}-%{+yyyy.MM.dd}" @xeraa

Examples https://github.com/xeraa/java-logging @xeraa

Parse Send Structure Containerize Orchestrate @xeraa

Philipp Krenn
@xeraa

1 / 57

Most organizations feel the need to centralize their logs. Once you have more than a couple of servers or containers, SSH and tail will not serve you well any more. However, the common question or struggle is how to achieve that.

Video

Resources

The following resources were mentioned during the presentation or are useful additional information.

GitHub: Demo Code

How to log from a Java application to the Elastic Stack.

Buzz and feedback

Here’s what was said about this presentation on social media.

ELK...B = Elastic Logstash Kibana Beats ... rebranded to Elastic Stack
Elasticsearch is the thing that's storing the data
@xeraa #DevOps #AllDayDevOps pic.twitter.com/QPE6mrcjkB
— Claire Moss (@aclairefication) October 17, 2018
Applications try to be cute and create starup ASCII art - exclude that from centralized #logging using configuration templates #containers #ElasticStack @xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
Orchestrate? probably all @kubernetesio by now... Where to put Filebeat? DaemonSet. Like a sidecar: one instance is running and collect all the files from that host. @xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
Centralized logging in #ElasticStack : Parse, Send, Structure, Containerize, Orchestrate
Code from this presentation https://t.co/D1IpYkOc7E
@xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
ELKB or BELK!!!!! #alldaydevops pic.twitter.com/phiqqrcord
— vthot4 (@vthot4) October 17, 2018
Elastic in action: "Centralized Logging Patterns" at All Day DevOps 2018 #AllDayDevOps
— vthot4 (@vthot4) October 17, 2018
OH: Like writing regular expressions? Stockholm syndrome! @xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
that is 100% stockholm syndrome
— ☭Comrade, but spoopy, and back home☭ (@ComradeEevee) October 17, 2018
Elastic Stack collection of #opensource projects https://t.co/Ob65LgxDY3
Beats platform for single-purpose data shippers https://t.co/vgXxEgOBZ8
Logstash collects & transforms
Elasticsearch searches & analyzes
Kibana visualizes & manages
@xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
Logstash parses w/regex & stores parsed fields in Elasticsearch @xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
Logging anti-pattern? Tightly coupling to the implmentation. Don't want logging to take down your system. @xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018
Containerizing applications: Where to put Filebeat? Sidecar. Avoid bloating your container. @xeraa #DevOps #AllDayDevOps
— Claire Moss (@aclairefication) October 17, 2018

Centralized Logging Patterns

Drop asciiart lines

Link for this presentation:

HTML code for embedding:

Share on social media:

Video

Resources

GitHub: Demo Code

Buzz and feedback