Introducing log analysis to your organization

106
Introducing Log Analysis To Your Organization Rafał Kuć

Transcript of Introducing log analysis to your organization

Page 1: Introducing log analysis to your organization

IntroducingLogAnalysisToYourOrganization

RafałKuć

Page 2: Introducing log analysis to your organization

Sematext UndMich

logs

metrics

cloud&

Page 3: Introducing log analysis to your organization

Next60minutes…

Logshipping- buffers- protocols- parsing

Centralbuffering- Kafka- Redis

Storage&Analysis- Elasticsearch- Kibana- Grafana

Why&How?- ShouldItry?- Opensource- Commercial

Page 4: Introducing log analysis to your organization

WhyYouShouldCare

Environmentsaregettingbigger

Page 5: Introducing log analysis to your organization

WhyYouShouldCare

Environmentsaregettingbigger

Containersareeverywhere

Page 6: Introducing log analysis to your organization

WhyYouShouldCare

Environmentsaregettingbigger

Containersareeverywhere

Infrastructureworkgetsautomated

CreatedbyKjpargeter - Freepik.com

Page 7: Introducing log analysis to your organization

WhyYouShouldCare

Environmentsaregettingbigger

Containersareeverywhere

Infrastructureworkgetsautomated

Logs&metricsatthesameplace

Page 8: Introducing log analysis to your organization

WhyYouShouldCare

Environmentsaregettingbigger

Containersareeverywhere

Infrastructureworkgetsautomated

Fasterdiagnostics==lessmoneyspent

Logs&metricsatthesameplace

Page 9: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 10: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 11: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 12: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 13: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 14: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 15: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 16: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 17: Introducing log analysis to your organization

GoingForCommercialSolution

cloud

Page 18: Introducing log analysis to your organization

GoingForCommercialSolution

IconmadebySmashicons from www.flaticon.com

Page 19: Introducing log analysis to your organization

GoingOpen-Source

Page 20: Introducing log analysis to your organization

GoingOpen-Source

Page 21: Introducing log analysis to your organization

GoingOpen-Source

Page 22: Introducing log analysis to your organization

GoingOpen-Source

Page 23: Introducing log analysis to your organization

GoingOpen-Source– Today’sFocus

Page 24: Introducing log analysis to your organization

Logshippingarchitecture

File

Page 25: Introducing log analysis to your organization

Logshippingarchitecture

File Shipper

Page 26: Introducing log analysis to your organization

Logshippingarchitecture

File Shipper

File Shipper

File Shipper

Page 27: Introducing log analysis to your organization

Logshippingarchitecture

File Shipper

File Shipper

File Shipper

CentralizedBuffer

Page 28: Introducing log analysis to your organization

Logshippingarchitecture

File Shipper

File Shipper

File Shipper

CentralizedBuffer

data

Page 29: Introducing log analysis to your organization

Logshippingarchitecture

File Shipper

File Shipper

File Shipper

CentralizedBuffer

ES ES ES

ES ES ES

ES ES ES

data

Page 30: Introducing log analysis to your organization

Focus:Shipper

File Shipper

File Shipper

File Shipper

CentralizedBuffer

ES ES ES

ES ES ES

ES ES ES

data

Page 31: Introducing log analysis to your organization

Whatabouttheshipper?

logs

CentralizedBuffer

Whichshippertouse?

Whichprotocol shouldbeused

Whataboutthebuffering

LogtoJSON orparse andhow

Page 32: Introducing log analysis to your organization

Buffers

performance & availability

batches&threads whencentralbufferisgone

Page 33: Introducing log analysis to your organization

Buffertypes

Disk ||memory ||combinedhybrid approachOnsource||centralized

App

Buffer

App

Buffer

fileorlocallogshipper

easyscaling– fewermovingpartsoftenwiththeuseoflightweightshipper

App

App

Kafka /Redis /Logstash /etc…

oneplaceforallchangesextrafeaturesmadeeasy(likeTTL)

ES

ES

Page 34: Introducing log analysis to your organization

BuffersSummary

Simple Reliable

App

Buffer

App

Buffer

ES

App

App

ES

Page 35: Introducing log analysis to your organization

Protocols

UDP– fast,coolfortheapplication,notreliableTCP – reliable(almost) applicationgetsACK whenwritten tobuffer

Application levelACKsmaybeneeded

HTTP

RELP

Beats

Kafka

Logstash,rsyslog,Fluentd

Logstash,rsyslog

Logstash,Filebeat

Logstash,rsyslog,Filebeat,Fluentd

Page 36: Introducing log analysis to your organization

Choosingtheshipper

application

rsyslog Elasticsearchhttp

socket

memory&diskassistedqueues

Page 37: Introducing log analysis to your organization

FinalArchitecture

application

rsyslog Elasticsearchhttp

socket

memory&diskassistedqueues

application

filersyslogLogagentfilebeat

consumer

Page 38: Introducing log analysis to your organization

FinalArchitecture

application

rsyslog Elasticsearchhttp

socket

memory&diskassistedqueues

application

file

rsyslogLogagentfilebeat

consumer

ParsingDoneHere

Page 39: Introducing log analysis to your organization

Focus:CentralizedBuffer

File Shipper

File Shipper

File Shipper

CentralizedBuffer

ES ES ES

ES ES ES

ES ES ES

data

Page 40: Introducing log analysis to your organization

WhyApacheKafka?

Fast &easytouse

Easytoscale

Faulttolerantandhighlyavailable

Supportsstreaming

Worksinpublish/subscribemode

Page 41: Introducing log analysis to your organization

Kafkaarchitecture

ZooKeeper

ZooKeeper

ZooKeeper

Kafka

Kafka

KafkaKafka

Page 42: Introducing log analysis to your organization

Kafka&topics

security_logs access_logs

app1_logs app2_logs

Kafkastoresdatain topics

writtenondisk

Page 43: Introducing log analysis to your organization

Kafka&topics&partitions&replicas

logspartition2

logspartition1

logspartition3

logspartition4

logsreplicapartition2

logsreplicapartition1

logsreplicapartition3

logsreplicapartition4

Page 44: Introducing log analysis to your organization

ScalingKafka

logspartition1

Page 45: Introducing log analysis to your organization

ScalingKafka

logspartition1

logspartition2

logspartition3

logspartition4

Page 46: Introducing log analysis to your organization

ScalingKafka

logspartition1

logspartition2

logspartition3

logspartition4

logspartition5

logspartition6

logspartition7

logspartition8

logspartition9

logspartition10

logspartition11

logspartition12

logspartition13

logspartition14

logspartition15

logspartition16

Page 47: Introducing log analysis to your organization

ThingstorememberwhenusingKafka

Scales byaddingmorepartitions notthreads

ThemoreIOPS thebetter

Keepthe#ofconsumersequalto#ofpartitions

Replicas usedforHA andFT only

Offsets storedperconsumer– multipledestinationseasilypossible

Page 48: Introducing log analysis to your organization

Focus:Elasticsearch

File Shipper

File Shipper

File Shipper

CentralizedBuffer

ES ES ES

ES ES ES

ES ES ES

data

Page 49: Introducing log analysis to your organization

Elasticsearchclusterarchitecture

client

client

client

data

data

data

data

data

data

master

master

master

ingest

ingest

ingest

Page 50: Introducing log analysis to your organization

Dedicatedmastersplease

client

client

client

data

data

data

data

data

data

master

master

master

discovery.zen.minimum_master_nodes ->N/2+1mastereligiblenodes

ingest

ingest

ingest

Page 51: Introducing log analysis to your organization

Elasticsearch– Indices

Index – logicalplacefordata

Page 52: Introducing log analysis to your organization

Elasticsearch– Indices

Index – logicalplacefordata

Index– canbecomparedtodatabaseinDB

Page 53: Introducing log analysis to your organization

Elasticsearch– Indices

Index – logicalplacefordata

Index– canbecomparedtodatabaseinDB

Index– builtoutofoneormoreshards

Page 54: Introducing log analysis to your organization

Elasticsearch– Indices

Index – logicalplacefordata

Index– canbecomparedtodatabaseinDB

Index– builtoutofoneormoreshards

Shard – canbespreadamongmultiplenodes

Page 55: Introducing log analysis to your organization

ScalingElasticsearch

LogsShard1

Page 56: Introducing log analysis to your organization

ScalingElasticsearch

LogsShard1

UsersShard1

InvoicesShard1

Page 57: Introducing log analysis to your organization

ScalingElasticsearch

LogsShard1

LogsShard2

LogsShard3

LogsShard4

Page 58: Introducing log analysis to your organization

ScalingElasticsearch

LogsShard3

LogsShard2

LogsShard4

LogsShard1

Page 59: Introducing log analysis to your organization

ScalingElasticsearch

LogsShard1

LogsReplica4

LogsShard2

LogsReplica3

LogsShard4

LogsReplica1

LogsShard3

LogsReplica2

Page 60: Introducing log analysis to your organization

Onebigindexisano-go

Notscalableenoughfortimebaseddata

Page 61: Introducing log analysis to your organization

Onebigindexisano-go

Notscalableenoughfortimebaseddata

Indexingslowsdownwithtime

Page 62: Introducing log analysis to your organization

Onebigindexisano-go

Notscalableenoughfortimebaseddata

Indexingslowsdownwithtime

Expensivemerges

Page 63: Introducing log analysis to your organization

Onebigindexisano-go

Notscalableenoughfortimebaseddata

Indexingslowsdownwithtime

Expensivemerges

Delete byquery neededfordataretention

Page 64: Introducing log analysis to your organization

Dailyindicesareagoodstart

2017.11.16 2017.11.17 2017.11.20 2017.11.21...

Indexing isfaster forsmallerindices

Deletes arecheap

Search canbeperformedonindicesthatareneeded

Static indicesarecachefriendly

indexing

mostsearches

Page 65: Introducing log analysis to your organization

Dailyindicesareagoodstart

2017.11.16 2017.11.17 2017.11.20 2017.11.21...

Indexing isfaster forsmallerindices

Deletes arecheap

Search canbeperformedonindicesthatareneeded

Static indicesarecachefriendly

indexing

mostsearches

Wedelete wholeindices

Page 66: Introducing log analysis to your organization

Dailyindicesaresub-optimal

black

friday

saturdaysunday

loadisnoteven

Page 67: Introducing log analysis to your organization

Sizebasedindicesareoptimal

sizelimitforindices

logs_01

indexing

around5– 10GBpershardonAWS

Page 68: Introducing log analysis to your organization

Sizebasedindicesareoptimal

sizelimitforindices

logs_01

indexing

around5– 10GBpershardonAWS

Page 69: Introducing log analysis to your organization

Sizebasedindicesareoptimal

sizelimitforindices

logs_01

indexing

logs_02

around5– 10GBpershardonAWS

Page 70: Introducing log analysis to your organization

Sizebasedindicesareoptimal

sizelimitforindices

logs_01

indexing

logs_02

around5– 10GBpershardonAWS

Page 71: Introducing log analysis to your organization

Sizebasedindicesareoptimal

sizelimitforindices

logs_01 logs_02

indexing

logs_N...

around5– 10GBpershardonAWS

Page 72: Introducing log analysis to your organization

Sliceusingsize

Predictable searchingandindexingperformance

Better indicesbalancing

Fewershards

Easier handling ofspikyloads

Lesscostsbecauseofbetter hardwareutilization

Page 73: Introducing log analysis to your organization

ProperElasticsearchconfiguration

Keepindex.refresh_interval atmaximumpossiblevalue1sec->100%,5sec->125%,30sec-> 175%

Youcanloosen upmerges- possiblebecauseofheavyaggregationuse- segments_per_tier ->higher-max_merge_at_once->higher-max_merged_segment ->lower

Allprefixedwithindex.merge.policy

} higherindexingthroughput

Page 74: Introducing log analysis to your organization

ProperElasticsearchconfiguration

Index onlyneededfields

Usedocvalues

Donotindex_source

Donotstore_all

Page 75: Introducing log analysis to your organization

Optimizationtime

Wecanoptimize datanodesfortimebaseddata

client

client

client

data

data

data

data

data

data

master

master

master

ingest

ingest

ingest

Page 76: Introducing log analysis to your organization

Hot– coldarchitecture

EShot EScold EScold

-Dnode.attr.tag=hot -Dnode.attr.tag=cold -Dnode.attr.tag=cold

Page 77: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.22

EShot EScold EScold

-Dnode.attr.tag=hot -Dnode.attr.tag=cold -Dnode.attr.tag=cold

curl-XPUTlocalhost:9200/logs_2017.11.22 -d'{"settings":{"index.routing.allocation.exclude.tag":"cold","index.routing.allocation.include.tag":"hot"}}'

Page 78: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.22

EShot EScold EScold

indexing

Page 79: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.22logs_2017.11.23

EShot EScold EScold

indexing

Page 80: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.22logs_2017.11.23

EShot EScold EScold

indexing

moveindexafterdayends

curl-XPUTlocalhost:9200/logs_2017.11.22/_settings-d'{"index.routing.allocation.exclude.tag":"hot","index.routing.allocation.include.tag”:"cold"

}'

Page 81: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.23 logs_2017.11.22

EShot EScold EScold

indexing

Page 82: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.23logs_2017.11.24 logs_2017.11.22

EShot EScold EScold

indexing

Page 83: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.23logs_2017.11.24 logs_2017.11.22

EShot EScold EScold

indexing

moveindexafterdayends

Page 84: Introducing log analysis to your organization

Hot– coldarchitecture

logs_2017.11.24 logs_2017.11.22 logs_2017.11.23

EShot EScold EScold

indexing

Page 85: Introducing log analysis to your organization

Hot– coldarchitecture

HotESTier

GoodCPULotsofI/O

ColdESTier

MemoryboundDecentI/O

EScold

ColdESTier

MemoryboundDecentI/O

Page 86: Introducing log analysis to your organization

Hot– coldarchitecturesummary

EScold

Optimizecosts – differenthardwarefordifferenttier

Performance – usecaseoptimizedhardware

Isolation – longrunningsearchesdon’taffectindexing

Page 87: Introducing log analysis to your organization

Elasticsearchclient nodeneeds

client

client

client

data

data

data

data

data

data

master

master

master

ingest

ingest

ingest

Page 88: Introducing log analysis to your organization

Elasticsearchclient nodeneeds

Nodata=noIOPS

Largequerythroughput=highCPUusage

Lotsofresults=highmemory usage

Lotsofconcurrentqueries=higherresources utilization

Page 89: Introducing log analysis to your organization

Elasticsearchingest nodeneeds

client

client

client

data

data

data

data

data

data

master

master

master

ingest

ingest

ingest

Page 90: Introducing log analysis to your organization

Elasticsearchingestnodeneeds

Nodata=noIOPS

Largeindexthroughput=highCPU&memoryusage

Complicatedrules=highCPUusage

Largerdocuments=moreresources utilization

Page 91: Introducing log analysis to your organization

Elasticsearchmaster nodeneeds

client

client

client

data

data

data

data

data

data

master

master

master

ingest

ingest

ingest

Page 92: Introducing log analysis to your organization

Elasticsearchingestnodeneeds

Nodata=noIOPS

Largenumberofindices=highCPU&memoryusage

Complicatedmappings=highmemoryusage

Dailyindices=spikesinresources utilization

Page 93: Introducing log analysis to your organization

WhataboutOS?

SayNO toswapSettherightdiskscheduler

CFQ forspinningdisksdeadline forSSD

Usepropermount optionsforext4noatimenodirtimedata=writeback,nobarier

ForbaremetalcheckCPUgovernordisabletransparenthugepages

/proc/sys/vm/nr_hugepages=0

Page 94: Introducing log analysis to your organization

Analysis- Kibana

Page 95: Introducing log analysis to your organization

Analysis- Kibana

Page 96: Introducing log analysis to your organization

Analysis- Kibana

Page 97: Introducing log analysis to your organization

Analysis- Kibana

Page 98: Introducing log analysis to your organization

Analysis- Kibana

Page 99: Introducing log analysis to your organization

Analysis- Kibana

Page 100: Introducing log analysis to your organization

Analysis- Kibana

Page 101: Introducing log analysis to your organization

Analysis- Grafana

Page 102: Introducing log analysis to your organization

Analysis- Grafana

Page 103: Introducing log analysis to your organization

Analysis- Grafana

Page 104: Introducing log analysis to your organization

WhereToGoFromHere?

Page 105: Introducing log analysis to your organization

Weareengineers!

Wedevelop DevOpstools!

WeareDevOps people!

Wedofunstuff;)http://sematext.com/jobs

Page 106: Introducing log analysis to your organization

Thankyouforlistening!Getintouch!

Rafał[email protected]@kucrafal

http://sematext.com@sematext http://sematext.com/jobs


Introducing the KCRI ePhD Log Helen Allwood Assistant Manager, MCDC.

Introducing the KCRI ePhD Log Helen Allwood Assistant Manager, MCDC.

Ministry of Economic Development and Innovation Introducing our New Organization June 18, 2012

Ministry of Economic Development and Innovation Introducing our New Organization June 18, 2012

Introducing agile principles and management to a library organization : IATUL35

Introducing agile principles and management to a library organization : IATUL35

Doing Action Rese ARch oRgAnizAtion · 4 doing action research in your own organization introducing action research Inquiring in your own organization As we begin our exploration

Doing Action Rese ARch oRgAnizAtion · 4 doing action research in your own organization introducing action research Inquiring in your own organization As we begin our exploration

THE PARKER ORGANIZATION, LLC “An African American Legacy” INTRODUCING.

THE PARKER ORGANIZATION, LLC “An African American Legacy” INTRODUCING.

DOs and DON Ts of introducing AGILE to hardware/industrial ......of introducing AGILE to hardware/industrial organization ... development teams •Low usage of products/appliances

DOs and DON Ts of introducing AGILE to hardware/industrial ......of introducing AGILE to hardware/industrial organization ... development teams •Low usage of products/appliances

Simple strategies for introducing lean in your workplace... · INTRODUCING LEAN IN YOUR WORKPLACE PRESENTED BY: ... organization with baselines and targets. Using the template as

Simple strategies for introducing lean in your workplace... · INTRODUCING LEAN IN YOUR WORKPLACE PRESENTED BY: ... organization with baselines and targets. Using the template as

Introducing the founder of Entrepreneurs’ Organization ...

Introducing the founder of Entrepreneurs’ Organization ...

Introducing - GlobalGiving · Introducing OUTPATIENT HEALTHCARE F ... LiveWell is a healthcare organization incorporated in the USA and in Kenya ... Spine Road, Kayole, P. O. Box

Introducing - GlobalGiving · Introducing OUTPATIENT HEALTHCARE F ... LiveWell is a healthcare organization incorporated in the USA and in Kenya ... Spine Road, Kayole, P. O. Box

Organization at the Leading Edge: Introducing Holacracy™

Organization at the Leading Edge: Introducing Holacracy™

Women’s Rights Organization, Introducing NOW

Women’s Rights Organization, Introducing NOW

Introducing the OT Box Turtle GAME LOG. What is GAME LOG? A sophisticated digital Game Log (a.k.a. Day-by- Day book) FEATURES: Stores, tracks and outputs.

Introducing the OT Box Turtle GAME LOG. What is GAME LOG? A sophisticated digital Game Log (a.k.a. Day-by- Day book) FEATURES: Stores, tracks and outputs.

Generex Technology Co.,Ltd. Agenda Company Profile Generex Organization Chart Introducing Products Our Customer.

Generex Technology Co.,Ltd. Agenda Company Profile Generex Organization Chart Introducing Products Our Customer.

Introducing the Jahia Log Analyzer

Introducing the Jahia Log Analyzer

Large-Scale Log Management Deployment...• introducing new plugins, • building log parsers, • data processing pipelines, • managing alerting and notifications, • including

Large-Scale Log Management Deployment...• introducing new plugins, • building log parsers, • data processing pipelines, • managing alerting and notifications, • including

Introducing scrum into your organization ibelis

Introducing scrum into your organization ibelis

Introducing Tupilak, Snowplow's unified log fabric

Introducing Tupilak, Snowplow's unified log fabric

SOLIS-Student Organization Library and Information Science · SOLIS-Student Organizatjon Library and Information Science..... Introducing... Library Student Journal . Introducing

SOLIS-Student Organization Library and Information Science · SOLIS-Student Organizatjon Library and Information Science..... Introducing... Library Student Journal . Introducing

The jujutsu of introducing usability to an organization

The jujutsu of introducing usability to an organization

Implementation Fidelity Log - ETR · Fidelity Log ETR (Education, Training and Research) is a nonprofit organization committed to providing science-based innovative solutions in health

Implementation Fidelity Log - ETR · Fidelity Log ETR (Education, Training and Research) is a nonprofit organization committed to providing science-based innovative solutions in health