Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Logging in a Microservice World

Logging in a Microservice World

My talk about distributed logging and the ELK Stack
The Talk was given at the DevOpsCon Munich in November 2015

Christian Uhl

November 25, 2015
Tweet

More Decks by Christian Uhl

Other Decks in Programming

Transcript

  1. Elastic Elastic Mongo Mongo ETCD Cluster Cluster Cluster Messag e

    Broker Messag e Broker Service Service Service Service Motivation for (distributed) logging 6 Proxy Cluster ETCD Service Service Service Service Mongo Elastic Cassandra Postgres Message Broker DevOps
  2. Logs are containing more information than ever before •  The

    usual errors •  State of the environment •  Behaviour of the system during normal operation 7
  3. Motivation for (distributed) logging Result: Logging gets more complicated. We

    need to deal with it. But logging can also be much more useful: 8
  4. Motivation for (distributed) logging Things we can do with Logfiles

    •  Debugging / Post Mortem •  Monitoring •  Analytics •  Business Decisions 9
  5. 11 “The server went down because the disk was full.

    The logfile got really big” -Some OPs Guy
  6. Annoying things about logfiles Every logfile is a unique snowflake

    •  Each system has it‘s own log format •  Subcomponents might have additional ones •  Stacktraces / Multiline exceptions •  That one DEV who does println 12
  7. Annoying things about logfiles Human readable != Machine Readable • 

    JSON log output makes things so much easier to parse •  JSON log output is ridiculous to read You can always generate Strings from JSON, the other way not so much 13
  8. Annoying things about logfiles Correlation is hard •  Correlate by

    time is hard when there is actual load on your system •  There is no clever automated way to get requests traced •  It needs to happen in your application logic 14
  9. Annoying things about logfiles They contain more than you think

    they do •  Customer Data (credit card numbers) •  „Betriebsratsrelevant“ •  SSH Keys and AWS Keys •  Loglevels all over the place 15
  10. Annoying things about logfiles •  Every Logfile is a unique,

    beautiful Snowflake •  They need Space •  Human readable != Machine Readable •  They contain more than you think they do •  Correlation is hard 16
  11. Basic ELK Architecture Unifiy data: extract values from logs • 

    Describe Logs with a RegEx – similar pattern •  Use predefined patters for popular logs •  Use Json and be done with it 19
  12. Basic ELK Architecture Ingestion Development Tips •  Use online tooling

    and tests •  Filter as needed •  JSON and plain Logs can coexist 20
  13. Basic ELK Architecture 22 Shipping •  Logstash brings a JVM

    •  Logstash forwarder is deprecated •  Beats! Filebeat, Topbeat, libbeat •  GELF (or syslog if you must)
  14. Do you need more POWER? 23 logstash logstash logstash Client

    node Client node Data node Data node Data node Data node Master node Master node Master node
  15. Basic ELK Architecture Infrastructure Demands •  Logstash likely CPU bound

    •  Buffers are Memory bound •  Elasticsearch CPU, IO and FS Cache bound •  Kibana doesn‘t really matter => Mostly balanced if run on one Machine 24
  16. Basic ELK Architecture Sizing •  Count your Logfiles •  Size

    ends up 0.5 – 2 x Logsize •  Balance by retention 26
  17. Visualize Democratization of the logs. So what about security? • 

    Authentication & Authorisation available by plug-in •  Encrypted transport out-of-the-box 29
  18. Docker! Immutable Containers and persistent logs do not match When

    Infrastructure lives for minutes instead of days – central logging becomes unavoidable 31
  19. Docker! 32 Safely aggregate the logs from a LOT of

    machines 1.  logstash forwarder / filebeat in the container 2. Shared data volume 3. Pipe stdout / stderr 4. Logappender
  20. Docker! 33 Logstash forwarder / filebeat in the container • 

    Easiest thing to do •  Violates “one thing per container” rule •  Lots of shared configuration
  21. Docker! 34 Shared data volume •  Less forwarding instances needed

    •  Integrates nicely with some clusters •  Backpressure instead of queueing
  22. Docker! 35 Pipe stderr/stdout •  Less forwarding instances needed • 

    More freedom where to put the stream •  No buffers, no space
  23. Docker! 36 Logging framework / appender talks to logstash directly

    •  Easy infastructure (as in none) •  Does not work in all ecosystems •  No buffering •  No balancing
  24. codecentric AG Merscheider Straße 1 42699 Solingen, Deutschland mobil: +49

    (0) 151.16706496 fax: +49 (0) 212.23362879 www.codecentric.de blog.codecentric.de Some text here Fragen? 38 Christian Uhl, christian.uhl@codecentric .de @chrisuhlcc IT Consultant, Search Guy