Heka Inputs: различия между версиями
Sirmax (обсуждение | вклад) |
Sirmax (обсуждение | вклад) |
||
Строка 163: | Строка 163: | ||
===Spliter short remark=== |
===Spliter short remark=== |
||
For better undestanding in is necessary to say few words about splitters.<BR> |
For better undestanding in is necessary to say few words about splitters.<BR> |
||
− | This splitter is very simple: each openstack log contains leading |
+ | This splitter is very simple: each openstack log contains leading '<number>' which used as "message start mark".<> |
+ | E.g. you can see in logs: |
||
<PRE> |
<PRE> |
||
# cat /var/log/*all.log | sort -u -t'>' -k1,1 |
# cat /var/log/*all.log | sort -u -t'>' -k1,1 |
||
Строка 180: | Строка 181: | ||
</PRE> |
</PRE> |
||
− | This number in |
+ | This 'leading number' in logs is PRI rsyslog field injected by rsyslog system logger: |
<BR> |
<BR> |
||
{{quote| |
{{quote| |
Версия 17:48, 31 января 2016
Inputs
On controller there are following inputs groups:
AMQPInput
AMQP input (https://hekad.readthedocs.org/en/v0.10.0/config/inputs/amqp.html)
There are followinf AMQP inputs:
- amqp-openstack_error.toml
- amqp-openstack_info.toml
- amqp-openstack_warn.toml
All AMQP inputs looks like:
[openstack_error_amqp] type = "AMQPInput" url = "amqp://nova:nova_password@192.168.0.2:5673/" exchange = "nova" exchange_type = "topic" exchange_durability = false exchange_auto_delete = false queue_auto_delete = false queue = "lma_notifications.error" routing_key = "lma_notifications.error" decoder = "notification_decoder" splitter = "NullSplitter" can_exit = true
The only difference between AMQP inputs are queue and routing_key parameter:
queue = "lma_notifications.info" routing_key = "lma_notifications.info"
All AMQP inputs use one decoder to decode AMQP messages: notification_decoder, configuration can be found in decoder-notification.toml file.
LMA plugin configures openstack services to use 'lma_notifications' as notification_topics, e.g :
# cat /etc/nova/nova.conf | grep lma notification_topics=lma_notifications
so heka is enable to get messages from queue and decode it.
Also, it is possible to see rabbitmq messages using trace plugin, for details please see: http://wiki.sirmax.noname.com.ua/index.php/Rabbitmq_trace#RabbitMQ_log_messages
HttpListenInput
HttpListenInput plugins start a webserver listening on the specified address and port. For more detail: https://hekad.readthedocs.org/en/v0.10.0/config/inputs/httplisten.html
There are the folljwing HttpListen inputs configured in LMA (controller)
- httplisten-collectd.toml
- httplisten-http-check.toml
httplisten-collectd
This is input used to get data only from local collectd.
[collectd_httplisten] type="HttpListenInput" address = "127.0.0.1:8325" decoder = "collectd_decoder" splitter = "NullSplitter"
httplisten-http-check
[http-check_httplisten] type="HttpListenInput" address = "192.168.0.2:5566" decoder = "http-check_decoder" splitter = "NullSplitter"
This is 'opened port' used for haproxy http check.
As you can see in haproxy config, this port is used only for check 'is heka running or not' for expose port 5565 from input-aggregator.
/etc/haproxy/conf.d/999-lma.cfg
listen lma bind 192.168.0.7:5565 balance roundrobin mode tcp option httpchk option tcplog server node-6 192.168.0.2:5565 check port 5566
TcpInput
There is only one tcp input in LMA configuration:
- input-aggregator.toml
[aggregator_tcpinput] type="TcpInput" address = "192.168.0.2:5565" decoder = "aggregator_decoder" splitter = "HekaFramingSplitter"
This input is used to aggregate data in HA configuration and this port is exposed using haproxy on Virtual IP.
So in HA multi-cotroller configuration this port will be exposed only on one controller.
More details will be provided below.
LogstreamerInput
Logstream input tails a single log file, a sequential single log source, or multiple log sources of either a single logstream or multiple logstreams.
More detals: https://hekad.readthedocs.org/en/v0.10.0/config/inputs/logstreamer.html
There are following inputs configured on controller:
- logstreamer-keystone_7_0.toml
- logstreamer-keystone_wsgi.toml
- logstreamer-mysql.toml
- logstreamer-openstack_7_0.toml
- logstreamer-openstack_dashboard.toml
- logstreamer-ovs.toml
- logstreamer-pacemaker.toml
- logstreamer-rabbitmq.toml
- logstreamer-swift.toml
- logstreamer-system.toml
Logstream input explanation
All logstream inputs are very closed to each other. E.g logstreamer-openstack:
[openstack_7_0_logstreamer] type = "LogstreamerInput" log_directory = "/var/log" file_match = '(?P<Service>nova|cinder|glance|heat|neutron|murano)-all\.log$' differentiator = [ 'openstack.', 'Service' ] decoder = "openstack_decoder" splitter = "openstack_splitter"
This input do the following:
- read files from /var/log/ matches file_match expression
- diffirentiator is a set of strings that will be used in the naming of the logger. E.g. records from /var/log/nova-all.log will be marked as :Logger: openstack.nova
:Timestamp: 2016-01-27 15:44:05.114000128 +0000 UTC :Type: log :Hostname: node-6 :Pid: 17814 :Uuid: c2a1db38-1f24-48b6-a96b-34be7b364eb3 :Logger: openstack.nova :Payload: nova.osapi_compute.wsgi.server [-] 192.168.0.7 "OPTIONS / HTTP/1.0" status: 200 len: 317 time: 0.0005581 :EnvVersion: :Severity: 6 :Fields: | name:"syslogfacility" type:double value:22 | name:"environment_label" type:string value:"test2" | name:"http_client_ip_address" type:string value:"192.168.0.7" | name:"http_response_time" type:double value:0.0005581 | name:"http_method" type:string value:"OPTIONS" | name:"http_version" type:string value:"1.0" | name:"http_url" type:string value:"/" | name:"openstack_release" type:string value:"2015.1.0-7.0" | name:"http_response_size" type:double value:317 | name:"openstack_region" type:string value:"RegionOne" | name:"http_status" type:string value:"200" | name:"openstack_roles" type:string value:"primary-controller" | name:"deployment_mode" type:string value:"ha_compact" | name:"programname" type:string value:"nova-api" | name:"deployment_id" type:string value:"3" | name:"severity_label" type:string value:"INFO"
- "openstack_decoder" is lua decoder, /usr/share/lma_collector/decoders/openstack_log.lua
- "openstack_splitter" is regexp splitter:
[openstack_splitter] type = "RegexSplitter" delimiter = '(<[0-9]+>)' delimiter_eol = false
Spliter short remark
For better undestanding in is necessary to say few words about splitters.
This splitter is very simple: each openstack log contains leading '<number>' which used as "message start mark".<>
E.g. you can see in logs:
# cat /var/log/*all.log | sort -u -t'>' -k1,1 <134>Jan 28 18:00:02 node-6 heat-api-cfn 2016-01-28 18:00:02.115 15557 INFO eventlet.wsgi.server [-] 192.168.0.7 - - [28/Jan/2016 18:00:02] "OPTIONS / HTTP/1.0" 300 275 0.000297 <14>Jan 21 15:00:02 node-6 glance-cache-pruner 2016-01-21 15:00:02.026 24376 INFO glance.image_cache [-] Image cache loaded driver 'sqlite'. <147>Jan 21 15:08:19 node-6 glance-api 2016-01-21 15:08:19.576 3196 ERROR swiftclient [req-023ef8c5-9b09-40b1-9806-e685e205c16d 56aa47e7bf964ce4a13456f055739c29 7a65891a25f94a3bbda76b99e582ade6 - - -] Container HEAD failed: http://192.168.0.7:8080/v1/AUTH_7a65891a25f94a3bbda76b99e582ade6/glance 404 Not Found <148>Jan 21 14:47:05 node-6 glance-registry 2016-01-21 14:47:05.943 3141 WARNING keystonemiddleware.auth_token [-] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' instead. <150>Jan 21 14:47:03 node-6 glance-manage 2016-01-21 14:47:03.198 3051 INFO migrate.versioning.api [-] 0 -> 1... <155>Jan 28 13:18:06 node-6 cinder-scheduler 2016-01-28 13:18:06.088 18090 ERROR oslo_messaging._drivers.impl_rabbit [-] AMQP server 192.168.0.2:5673 closed the connection. Check login credentials: Socket closed <158>Jan 25 18:00:04 node-6 cinder-api 2016-01-25 18:00:04.089 18212 INFO eventlet.wsgi.server [-] (18212) accepted ('192.168.0.7', 53352) <166>Jan 28 15:00:09 node-6 neutron-server 2016-01-28 15:00:09.535 17707 INFO neutron.wsgi [-] (17707) accepted ('192.168.0.7', 49085) <182>Jan 28 15:00:08 node-6 nova-api 2016-01-28 15:00:08.742 7567 INFO nova.osapi_compute.wsgi.server [-] 192.168.0.7 "OPTIONS / HTTP/1.0" status: 200 len: 317 time: 0.0006490 <44>Jan 21 14:49:24 node-6 swift-container-server: Configuration option internal_client_conf_path not defined. Using default configuration, See internal-client.conf-sample for options <45>Jan 21 14:49:25 node-6 swift-container-server: Started child 26510 <46>Jan 21 14:42:44 node-6 keystone_wsgi_admin_access 192.168.0.2 - - [21/Jan/2016:14:42:42 +0000] "GET /v3/services HTTP/1.1" 200 113 532351 "-" "python-keystoneclient"
This 'leading number' in logs is PRI rsyslog field injected by rsyslog system logger:
The PRI value is a combination of so-called severity and facility. The facility indicates where the message originated from (e.g. kernel, mail subsystem) while the severity provides a glimpse of how important the message might be (e.g. error or informational).
Log message template in rsyslog configuration:
$Template RemoteLog, "<%pri%>%timestamp% %hostname% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n"
So all messages come via system logging (provided by rsyslog in MOS) have <PRI> prefix