Structured logging

Structured logging
Embrace the power of
machine-readable logs

View Slide

“
Logging: The process of
recording events during the
execution of a computer
program.

View Slide

22:55:40 INFO Initializing hub
22:55:40 INFO Starting webserver
22:55:42 INFO Incoming connection from
127.0.0.1:37843
22:55:42 DEBUG Connection upgraded
22:55:42 DEBUG Received message:
“ping”

View Slide

>>> import logging

View Slide

log = logging.getLogger()
log.info(“Starting up”)
log.warning(“Something is going
wrong here”)

View Slide

“
Structured logging: Logging
events with specific fields
(key=value)

View Slide

INFO[07-07|22:55:42] Incoming connection
component=websocket.serveWs
remote=127.0.0.1:37843
event=connection.new
DBUG[07-07|22:55:42] Connection upgraded
remote=127.0.0.1:37843
event=connection.upgraded
DBUG[07-07|22:55:42] Received a message
component=websocket.connection
remote=127.0.0.1:37843
event=connection.message
message=ping

View Slide

>>> import structlog

View Slide

Structlog example
>>> log = get_logger()
>>> log = log.bind(
… user=”nick”,
… remote=”127.0.0.1:36509”
… )

View Slide

Structlog example
>>> log.info(“message.new”, message=”ping”)
22:55:42 DEBUG user=”nick”
remote=”127.0.0.1:36509”
message=”ping”
event=”message.new”

View Slide

“Unstructured” logs suffer
from two big problems

View Slide

It is difficult to parse
1

View Slide

Humans are rarely the first
consumer of logs

View Slide

Why?
Parsed and sent to graphite
Filtered or transformed with
awk/cut/grep/sed
Shipped to
logstash/graylog/splunk

View Slide

Parsing free-form logs is hard

View Slide

Jul 15 15:33:06 dhcpd:
DHCPDISCOVER from 00:25:90:4d:0c:a8
via bond0
Jul 15 15:33:06 dhcpd:
DHCPOFFER on 10.1.99.222 to
00:25:90:4d:0c:a8 via bond0
Jul 15 15:33:06 dhcpd:
DHCPDISCOVER from 00:25:90:4d:0c:a8
via bond0.106
Jul 15 15:33:29 dhcpd:
DHCPACK on 10.3.227.169 to 84:2b:2b:6a:ee:24
(idrac-3MQ1Y4J) via bond0

View Slide

Grok filter
((%{SYSLOGTIMESTAMP:timestamp})\s*
dhcpd\S+\s*
(%{WORD:dhcp_action})?.*
[for|on]
(%{IPV4:dhcp_client_ip})?.*
[from|to]
(%{COMMONMAC:remote_mac_addr})?.*
via
(%{USERNAME:interface}))

View Slide

Machine-readable log event
{
"timestamp": "Jul 15 15:33:06 +0000",
"program": "dhcpd",
"message": "Offering DHCP lease",
"event": "DHCPOFFER",
"offered_ip": "10.1.99.222",
"remote_mac_addr": "00:25:90:4d:0c:a8",
"interface": "bond0"
}

View Slide

Structured logs are perfect
for computers to consume
1

View Slide

JSON makes my eyes bleed

View Slide

JSON access logs
$ parse-nginx-log \
--filename /var/log/nginx/access.log \
--fields status,remote_addr,request
302 69.64.46.86 GET /cgi-bin/rtpd.cgi HTTP/1.0
302 180.97.106.37 GET / HTTP/1.1
200 180.97.106.162 GET / HTTP/1.1
200 180.97.106.162 GET /robots.txt HTTP/1.1

View Slide

Individual messages lack
context
2

View Slide

22:55:42 INFO Incoming connection from
127.0.0.1:37843
22:55:42 DEBUG Connection upgraded
22:55:42 DEBUG Received message:
“ping”

View Slide

INFO[07-07|22:55:42] Incoming connection
remote=127.0.0.1:37843
event=connection.new
DBUG[07-07|22:55:42] Connection upgraded
remote=127.0.0.1:37843
event=connection.upgraded
DBUG[07-07|22:55:42] Received a message
component=websocket.connection
remote=127.0.0.1:37843
event=connection.message
message=ping

View Slide

Context makes filtering and
correlation simple
2

View Slide

Ask yourself: Will I ever feed
this to a computer?

View Slide

Thanks!
ANY QUESTIONS?
@NickGroenen
[email protected]

View Slide

Credits
Many thanks to
◦ SlidesCarnival for providing the design
for this presentation.
◦ My employer Byte for hosting these
meet-ups.

View Slide

Structured logging

Structured logging

Nick Groenen

More Decks by Nick Groenen

Other Decks in Programming

Featured

Transcript