Slide 1

Slide 1 text

Logging with Beats
Philipp Krenn @xeraa

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Infrastructure | Developer Advocate

Slide 6

Slide 6 text

ViennaDB, Papers We Love Vienna

Slide 7

Slide 7 text

Beats are lightweight shippers that collect and ship all kinds of operational data to Elasticsearch.

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Who uses more than 10 servers / containers?

Slide 10

Slide 10 text

How do you log?

Slide 11

Slide 11 text

What are logs?

Slide 12

Slide 12 text

What now?

Slide 13

Slide 13 text

You Know, for Search

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

ELK Stack

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Elastic Stack

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Filebeat

Slide 27

Slide 27 text

tail -f

Slide 28

Slide 28 text

tail -f over the network

Slide 29

Slide 29 text

tail -f over the network on !

Slide 30

Slide 30 text

Parsing: Logstash or Ingest Node

Slide 31

Slide 31 text

At-least-once, backpressure and graceful downtime

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

Multiline, Filtering, JSON Decode

Slide 35

Slide 35 text

Logging with Docker: 101 Options

Slide 36

Slide 36 text

https://docs.docker.com/engine/admin/logging/overview/

Slide 37

Slide 37 text

001 JSON-File: Filebeat for JSON
➕ Simple, default, well integrated; metadata (name, labels, ...); docker logs
➖ Potentially slow; file size unlimited by default
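What decoding the json-file driver's output involves, as an added example that is not from the original slides: each line is a JSON object with `log`, `stream` and `time` fields, and a line that exceeds the driver's buffer is written as fragments whose `log` value lacks the trailing newline. The function name `decode_json_file` and the sample lines are constructed for illustration.

```python
import json

# Constructed sample: one JSON object per line, as the json-file driver writes.
SAMPLE = "\n".join([
    '{"log":"GET /health 200\\n","stream":"stdout","time":"2016-11-22T10:00:00.000000001Z"}',
    '{"log":"Traceback (most recent call last):\\n","stream":"stderr","time":"2016-11-22T10:00:01.000000001Z"}',
    '{"log":"first half of a long line, ","stream":"stdout","time":"2016-11-22T10:00:02.000000001Z"}',
    '{"log":"second half\\n","stream":"stdout","time":"2016-11-22T10:00:02.000000002Z"}',
    'not json at all',
])


def decode_json_file(text):
    """Decode json-file output; return (events, numbers of undecodable lines)."""
    events, errors = [], []
    pending = {}  # stream name -> event still waiting for its closing newline
    for lineno, raw in enumerate(text.split("\n"), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
            msg, stream, ts = str(rec["log"]), str(rec["stream"]), rec["time"]
        except (ValueError, KeyError, TypeError):
            errors.append(lineno)  # record and continue, do not abort the file
            continue
        # The first fragment's timestamp is kept for the joined event.
        event = pending.pop(stream, None) or {"stream": stream, "time": ts, "message": ""}
        event["message"] += msg
        if msg.endswith("\n"):
            event["message"] = event["message"][:-1]
            events.append(event)
        else:
            pending[stream] = event  # partial line: wait for the rest
    events.extend(pending.values())  # flush fragments cut off at end of file
    return events, errors


if __name__ == "__main__":
    decoded, bad = decode_json_file(SAMPLE)
    for e in decoded:
        print(e["time"], e["stream"], repr(e["message"]))
    print("undecodable lines:", bad)
```

Undecodable lines are reported by line number rather than dropped silently, so gaps in the shipped log stream stay visible.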

Slide 38

Slide 38 text

010 Syslog: local syslog server and Filebeat
➕ Control over path, rotation, ...
➖ Own syslog server; metadata serialized and deserialized; multiline

Slide 39

Slide 39 text

011 Journald: Filebeat
➕ Often available; metadata; docker logs
➖ Not yet supported by Filebeat (community Beat: Journalbeat)

Slide 40

Slide 40 text

100 GELF: Logstash GELF input
➕ Direct Logstash connection
➖ UDP: no delivery guarantee, no backpressure

Slide 41

Slide 41 text

101 Volume: Filebeat
➕ Simple installation (if the application can rotate logs); scalable
➖ Metadata

Slide 42

Slide 42 text

! Today: JSON, Syslog, Volume
Future: Journald

Slide 43

Slide 43 text

Metricbeat

Slide 44

Slide 44 text

Metricbeat System

Slide 45

Slide 45 text

Metricbeat Service

Slide 46

Slide 46 text

cgroup: reads data from /proc/
Part of the system module

Slide 47

Slide 47 text

No access to the Docker API required
Security

Slide 48

Slide 48 text

All containers: Docker, rkt, runC, LXD, ...

Slide 49

Slide 49 text

Automatically enriches processes with cgroup information
No container names or labels

Slide 50

Slide 50 text

But Docker...

Slide 51

Slide 51 text

Dockerbeat https://github.com/Ingensi/dockerbeat

Slide 52

Slide 52 text

Dockerbeat https://github.com/Ingensi/dockerbeat

Slide 53

Slide 53 text

Dockbeat https://github.com/Ingensi/dockbeat

Slide 54

Slide 54 text

Soon in Metricbeat master

Slide 55

Slide 55 text

Metricbeat and Docker

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

Half Float

Slide 58

Slide 58 text

Packetbeat

Slide 59

Slide 59 text

Protocols

Slide 60

Slide 60 text

Flows
Unsupported / encrypted (TLS) application-layer protocols
IP / TCP / UDP
Number of packets & bytes
Retransmissions
Timing

Slide 61

Slide 61 text

Packetbeat and Docker

Slide 62

Slide 62 text

Winlogbeat

Slide 63

Slide 63 text

Community Beats

Slide 64

Slide 64 text

Springbeat Spring Boot /metrics & /health https://github.com/consulthys/springbeat

Slide 65

Slide 65 text

Execbeat

    execbeat:
      execs:
        - cron: "@every 10s"
          command: echo
          args: "Hello World"
          fields:
            host: testhost

Slide 66

Slide 66 text

Nagioscheckbeat

    input:
      checks:
        - name: "disks"
          cmd: "plugins/check_disk"
          args: "-w 80 -c 90 -x /dev"
          period: "1h"
        - name: "load"
          cmd: "plugins/check_load"
          args: "-w 5 -c 10"
          period: "1m"

Slide 67

Slide 67 text

Your Beat

Slide 68

Slide 68 text

libbeat https://github.com/elastic/beats/tree/master/generate/beat

Slide 69

Slide 69 text

Docker Images

Slide 70

Slide 70 text

https://github.com/elastic/elasticsearch-docker
https://github.com/elastic/kibana-docker
https://github.com/elastic/logstash-docker

Slide 71

Slide 71 text

    ---
    version: '2'
    services:
      kibana:
        image: docker.elastic.co/kibana/kibana:5.0.1
        links:
          - elasticsearch
        ports:
          - 5601:5601
      elasticsearch:
        image: docker.elastic.co/elasticsearch/elasticsearch:5.0.1
        cap_add:
          - IPC_LOCK
        volumes:
          - esdata1:/usr/share/elasticsearch/data
        ports:
          - 9200:9200
    volumes:
      esdata1:
        driver: local

Slide 72

Slide 72 text

No more :latest

Slide 73

Slide 73 text

Does Docker solve all problems? For stateful services

Slide 74

Slide 74 text

Conclusion

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

PS: More Open Source Training Dev Support Consulting Support

Slide 78

Slide 78 text

Thank you! Questions?
Philipp Krenn @xeraa
PS: Stickers

Slide 79

Slide 79 text

Schnitzel: https://flic.kr/p/9m27wm
Architecture: https://flic.kr/p/6dwCAe
Conchita: https://flic.kr/p/nBqSHT
Elk horn: https://www.theexplora.com/the-irish-elk-megaloceros-giganteus/
Container ship: https://flic.kr/p/hjxW62 https://flic.kr/p/2AzAVJ
Wooden logs: https://flic.kr/p/9vvbKE

Slide 80

Slide 80 text

Axe: https://flic.kr/p/pBU2VD
Tools: https://flic.kr/p/5JFmTS
Files: https://flic.kr/p/2EFcQ
Metric: https://flic.kr/p/9g5h3f
Packages: https://flic.kr/p/cJFDLN
Windows: https://flic.kr/p/94Z6y
Library: https://flic.kr/p/fiXcBj