Log forwarding at Scale

Preview:

Click to see full reader

Citation preview

Log Forwarding at Scale

Scale 15X, Pasadena, CAEduardo Silva (@edsiper)eduardo@treasure-data.com

/about

● Open Source Engineer at Treasure Data

● Repositories / Projects

○ github.com/edsiper○ fluentbit.io○ duda.io○ monkey-project.com

“Logging is Simple”

“Logging is Simple”

“Logging is Simple”

Logs App Analysis

Logging exists because of Analysis needs

Before Analysis

Logs Database

Someone have to do some work

?

In a galaxy not so far away...

Logs Database

Analysis

Internally, Logging is not Simple

Scale Logging Requires Understanding

Logging Pipeline

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

Others

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

Others

● Log files● Journald● TCP

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

Others

Format / Structure:

● JSON● Regex / Named Capture

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

Others

Alter content: Grep, Exclude, Metadata

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

Others

Memory / Filesystem

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

OthersDeliver buffers to N destinations

Logging Pipeline

Logging Pipeline

Log Messages Parse Filter Buffer

Routing

Elasticsearch

InfluxDB

Others

Logging Pipeline

Logging Pipeline

● How to deal with the Logging Pipeline ?

● Is there any solution around ?

About Fluentd

● Created by

● Now hosted at

About Fluentd

● More than 600 plugins available

● Pluggable Architecture

● Built-in Reliability

● Full integration with Docker and Kubernetes

● Written in Ruby + C

Fluentd Modes

● Log Forwarder

● Log Aggregator

Log Aggregator = (Forwarder + Buffering Capabilities)

Edge Nodes / Forward to Aggregators

App

Node 1

DB

App DB

Edge Nodes & Costs

Edge Nodes & Costs

● Fluentd requires ~40MB as minimum

● Deploying a few hundred could be expensive

● Can we make Forward cheaper ?

Forwarder & Aggregator

Log Forwarder Log Aggregator

About Fluentd

● Written in C

● Pluggable Architecture

● Built-in Reliability

● Event Driven - Async I/O

Why Fluent Bit as a Forwarder

● Features

○ Input, Filter and Output Plugins

○ Built-in parsing support

○ Minimum memory required 450KB

Edge Nodes / Forward to Aggregators

Cheap Forwarding

Cloud Native Features

● Docker & Kubernetes Support

● Buffering fully controled○ pause() / resume() for input plugins

● Easy to containerize○ Small memory footprint○ No dependencies (all are built-in)

Hands on!

DEMO #1

Unstructured vs Structured data

Unstructured v/s Structured

● Why

○ Structured data have a schema

○ Easy to convert to different representations

○ It can be filtered

Hands on!

DEMO #2

Process Docker Logs

Kubernetes use case

● Applications runs in Containers

● Containers runs in a POD

● Multiple PODs can exists in a Node

● How to solve logging ?

Hands on!

DEMO #3Kubernetes: parse logs and append Metadata

API Server Nodes

Kubernetes

Metadata Support Status

The new kubernetes filter takes care of the following metadata handling:

○ Local data: POD Name, Namespace, Container Name and Container ID.

○ Remote (API Server): Labels and Annotations

Fluent Bit, what else ?

Networking and Co-routines

Easier implementation of output plugins that interact with networking operations like socket(), connect(), read(), write(), etc.

Fluent Bit provides non-blocking networking API that uses the event-loop with co-routines to implement:

● Network I/O● TLS/SSL usage● HTTP Client

Kubernetes DaemonSet

Github Repository

● https://github.com/fluent/fluent-bit-kubernetes-daemonset

Docker Image (ubuntu-slim)

● quay.io/fluent/fluent-bit-kubernetes-daemonset

https://github.com/fluent/fluent-bit-kubernetes-daemonset
https://github.com/fluent/fluent-bit-kubernetes-daemonset
http://quay.io/fluent/fluent-bit-kubernetes-daemonset
http://quay.io/fluent/fluent-bit-kubernetes-daemonset

Roadmap

Next Release v0.11 (March 2017)

● Kubernetes support (filter_kubernetes)● Parsers & Filters● Memory optimizations

Release v0.12 (May 2017)

● in_tail + Multiline support● Monitoring - re-enable HTTP service end-point: memory, records

flow, others.

Thanks!

Project information

● Web site Fluentbit.io● Documentation http://fluentbit.io/documentation/● Github http://github.com/fluent/fluent-bit

Contact

● Slack http://slack.fluentd.org (fluent-bit channel)● Twitter @fluentbit

http://fluentbit.io
http://fluentbit.io/documentation/
http://github.com/fluent/fluent-bit
http://slack.fluentd.org
http://twitter.com/fluentbit

Recommended

Wait For It: Determinants of Pull Request Evaluation ... · scale(log(first rsp+0.5)):scale(log(total ci time)) 0.102 (0.003)⇤⇤⇤ 434.71⇤⇤⇤ Adjusted R-squared 0.362 0.461
Documents
Large scale virtual Machine log collector (Project-Report)
Engineering
Large-Scale Click-stream and transaction log mining in ...cci.drexel.edu/bigdata/bigdata2013/IEEE.BigData.Tutorial.2.slides.pdf · Large-Scale Click-stream and transaction log mining
Documents
Towards Automated Log Parsing for Large-Scale Log Data ... · ciently parse large-scale log data. Similar to previous papers [4], [16], [17], [18], POP assumes the input is single-line
Documents
Policy Forwarding - Cisco...Policy Forwarding Thischapterprovidesinformationonconfiguringanenhanced,orextended,service.Theproduct
Documents
Large Scale Log collection using LogStash & mongoDB
Engineering
Large-Scale Click-stream and transaction log mining in practice
Documents
Q-Log Controls and Systems Company Profile Information.… · Q-Log Controls and Systems Company Profile Q-Log Controls and Systems is a small scale electronics manufacturing unit
Documents
Acid-Base Physiology. pH scale – to express hydrogen ion concentration. pH = - log 10 [H+] or pH = log 1 / [H+] log to the base 10 of the reciprocal
Documents
The Audit Log Was Cleared - SANS Institute...Self-assessment check list: - If someone stops my endpoint log forwarding service, do I know about it? - If someone changes the firewall
Documents
ASTRAL Tutorial - Tandy Warnow · gens (k), shown in log scale (see Fig. S2 for normal scale). A line is fit to the data points in the log/log space and line slopes are shown. ASTRAL-II
Documents
Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data
Documents
Enabling Event Tracing at Leadership-Class Scale … · Enabling Event Tracing at Leadership-Class Scale through I/O Forwarding Middleware Thomas Ilschez, Joseph Schuchart , Jason
Documents
Information · Information Siemens Enterprise Communications ... Call Forwarding, Speaker and dedicated applications such as Phonebook, Call Log/History, Answering ... set of business
Documents
Large scale near real-time log indexing with Flume and SolrCloud
Technology
Windows Event Logging and Forwarding - Cyber · 2019-05-31 · Event log retention The Windows default settings have log sizes set to a relatively small size and will overwrite events
Documents
Global Freight Forwarding · PDF fileGlobal Freight Forwarding 2014 ... TIGFF1407 An analysis of the global freight forwarding ... 5.3 Global Sea Freight Forwarding Market Growth and
Documents
Log Engineering: Towards Systematic Log Mining to Support the Development of Ultra-large Scale Systems
Software
Analysis of Long Queries in a Large Scale Search Log
Documents
Atlantic Forwarding Group Agosto 2010 Atlantic Forwarding SPAIN
Documents