Heka Inputs: различия между версиями

Материал из noname.com.ua
Перейти к навигацииПерейти к поиску
 
(не показана 1 промежуточная версия этого же участника)
Строка 8: Строка 8:
 
On controller there are following inputs groups:
 
On controller there are following inputs groups:
 
==AMQPInput==
 
==AMQPInput==
AMQP input (https://hekad.readthedocs.org/en/v0.10.0/config/inputs/amqp.html)
+
[https://hekad.readthedocs.org/en/v0.10.0/config/inputs/amqp.html AMQP input]:
 
<BR>
 
<BR>
 
There are followinf AMQP inputs:
 
There are followinf AMQP inputs:
Строка 102: Строка 102:
 
==LogstreamerInput==
 
==LogstreamerInput==
 
Logstream input tails a single log file, a sequential single log source, or multiple log sources of either a single logstream or multiple logstreams.
 
Logstream input tails a single log file, a sequential single log source, or multiple log sources of either a single logstream or multiple logstreams.
<BR>More detals: https://hekad.readthedocs.org/en/v0.10.0/config/inputs/logstreamer.html
+
<BR>More detals: [https://hekad.readthedocs.org/en/v0.10.0/config/inputs/logstreamer.html Logstream input manual]
 
<BR>
 
<BR>
 
There are following inputs configured on controller:
 
There are following inputs configured on controller:

Текущая версия на 17:45, 9 февраля 2016

Inputs

On controller there are following inputs groups:

AMQPInput

AMQP input:
There are followinf AMQP inputs:

  • amqp-openstack_error.toml
  • amqp-openstack_info.toml
  • amqp-openstack_warn.toml

All AMQP inputs looks like:

[openstack_error_amqp]
type = "AMQPInput"
url = "amqp://nova:nova_password@192.168.0.2:5673/"
exchange = "nova"
exchange_type = "topic"
exchange_durability = false
exchange_auto_delete = false
queue_auto_delete = false
queue = "lma_notifications.error"
routing_key = "lma_notifications.error"
decoder = "notification_decoder"
splitter = "NullSplitter"
can_exit = true

The only difference between AMQP inputs are queue and routing_key parameter:

queue = "lma_notifications.info"
routing_key = "lma_notifications.info"

All AMQP inputs use one decoder to decode AMQP messages: notification_decoder, configuration can be found in decoder-notification.toml file.

LMA plugin configures openstack services to use 'lma_notifications' as notification_topics, e.g :

# cat /etc/nova/nova.conf | grep lma
notification_topics=lma_notifications

so heka is enable to get messages from queue and decode it.
Also, it is possible to see rabbitmq messages using trace plugin, for details please see: http://wiki.sirmax.noname.com.ua/index.php/Rabbitmq_trace#RabbitMQ_log_messages

HttpListenInput

HttpListenInput plugins start a webserver listening on the specified address and port. For more detail: https://hekad.readthedocs.org/en/v0.10.0/config/inputs/httplisten.html
There are the folljwing HttpListen inputs configured in LMA (controller)

  • httplisten-collectd.toml
  • httplisten-http-check.toml

httplisten-collectd

This is input used to get data only from local collectd.

[collectd_httplisten]
type="HttpListenInput"
address = "127.0.0.1:8325"
decoder = "collectd_decoder"
splitter = "NullSplitter"

httplisten-http-check

[http-check_httplisten]
type="HttpListenInput"
address = "192.168.0.2:5566"
decoder = "http-check_decoder"
splitter = "NullSplitter"

This is 'opened port' used for haproxy http check. As you can see in haproxy config, this port is used only for check 'is heka running or not' for expose port 5565 from input-aggregator.
/etc/haproxy/conf.d/999-lma.cfg

listen lma
  bind 192.168.0.7:5565
  balance  roundrobin
  mode  tcp
  option  httpchk
  option  tcplog
  server node-6 192.168.0.2:5565  check port 5566

TcpInput

There is only one tcp input in LMA configuration:

  • input-aggregator.toml
[aggregator_tcpinput]
type="TcpInput"
address = "192.168.0.2:5565"
decoder = "aggregator_decoder"
splitter = "HekaFramingSplitter"

This input is used to aggregate data in HA configuration and this port is exposed using haproxy on Virtual IP.
So in HA multi-cotroller configuration this port will be exposed only on one controller.
More details will be provided below.

LogstreamerInput

Logstream input tails a single log file, a sequential single log source, or multiple log sources of either a single logstream or multiple logstreams.
More detals: Logstream input manual
There are following inputs configured on controller:

  • logstreamer-keystone_7_0.toml
  • logstreamer-keystone_wsgi.toml
  • logstreamer-mysql.toml
  • logstreamer-openstack_7_0.toml
  • logstreamer-openstack_dashboard.toml
  • logstreamer-ovs.toml
  • logstreamer-pacemaker.toml
  • logstreamer-rabbitmq.toml
  • logstreamer-swift.toml
  • logstreamer-system.toml

Logstream input explanation

All logstream inputs are very closed to each other. E.g logstreamer-openstack:

[openstack_7_0_logstreamer]
type = "LogstreamerInput"
log_directory = "/var/log"
file_match = '(?P<Service>nova|cinder|glance|heat|neutron|murano)-all\.log$'
differentiator = [ 'openstack.', 'Service' ]
decoder = "openstack_decoder"
splitter = "openstack_splitter"

This input do the following:

  • read files from /var/log/ matches file_match expression
  • diffirentiator is a set of strings that will be used in the naming of the logger. E.g. records from /var/log/nova-all.log will be marked as :Logger: openstack.nova
:Timestamp: 2016-01-27 15:44:05.114000128 +0000 UTC
:Type: log
:Hostname: node-6
:Pid: 17814
:Uuid: c2a1db38-1f24-48b6-a96b-34be7b364eb3
:Logger: openstack.nova
:Payload: nova.osapi_compute.wsgi.server [-] 192.168.0.7 "OPTIONS / HTTP/1.0" status: 200 len: 317 time: 0.0005581
:EnvVersion:
:Severity: 6
:Fields:
    | name:"syslogfacility" type:double value:22
    | name:"environment_label" type:string value:"test2"
    | name:"http_client_ip_address" type:string value:"192.168.0.7"
    | name:"http_response_time" type:double value:0.0005581
    | name:"http_method" type:string value:"OPTIONS"
    | name:"http_version" type:string value:"1.0"
    | name:"http_url" type:string value:"/"
    | name:"openstack_release" type:string value:"2015.1.0-7.0"
    | name:"http_response_size" type:double value:317
    | name:"openstack_region" type:string value:"RegionOne"
    | name:"http_status" type:string value:"200"
    | name:"openstack_roles" type:string value:"primary-controller"
    | name:"deployment_mode" type:string value:"ha_compact"
    | name:"programname" type:string value:"nova-api"
    | name:"deployment_id" type:string value:"3"
    | name:"severity_label" type:string value:"INFO"
  • "openstack_decoder" is lua decoder, /usr/share/lma_collector/decoders/openstack_log.lua
  • "openstack_splitter" is regexp splitter:
[openstack_splitter]
type = "RegexSplitter"
delimiter = '(<[0-9]+>)'
delimiter_eol = false

Spliter short remark

For better undestanding in is necessary to say few words about splitters.
This splitter is very simple: each openstack log contains leading '<number>' which used as "message start mark".<> E.g. you can see in logs:

# cat  /var/log/*all.log | sort -u  -t'>' -k1,1
<134>Jan 28 18:00:02 node-6 heat-api-cfn 2016-01-28 18:00:02.115 15557 INFO eventlet.wsgi.server [-] 192.168.0.7 - - [28/Jan/2016 18:00:02] "OPTIONS / HTTP/1.0" 300 275 0.000297
<14>Jan 21 15:00:02 node-6 glance-cache-pruner 2016-01-21 15:00:02.026 24376 INFO glance.image_cache [-] Image cache loaded driver 'sqlite'.
<147>Jan 21 15:08:19 node-6 glance-api 2016-01-21 15:08:19.576 3196 ERROR swiftclient [req-023ef8c5-9b09-40b1-9806-e685e205c16d 56aa47e7bf964ce4a13456f055739c29 7a65891a25f94a3bbda76b99e582ade6 - - -] Container HEAD failed: http://192.168.0.7:8080/v1/AUTH_7a65891a25f94a3bbda76b99e582ade6/glance 404 Not Found
<148>Jan 21 14:47:05 node-6 glance-registry 2016-01-21 14:47:05.943 3141 WARNING keystonemiddleware.auth_token [-] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' instead.
<150>Jan 21 14:47:03 node-6 glance-manage 2016-01-21 14:47:03.198 3051 INFO migrate.versioning.api [-] 0 -> 1...
<155>Jan 28 13:18:06 node-6 cinder-scheduler 2016-01-28 13:18:06.088 18090 ERROR oslo_messaging._drivers.impl_rabbit [-] AMQP server 192.168.0.2:5673 closed the connection. Check login credentials: Socket closed
<158>Jan 25 18:00:04 node-6 cinder-api 2016-01-25 18:00:04.089 18212 INFO eventlet.wsgi.server [-] (18212) accepted ('192.168.0.7', 53352)
<166>Jan 28 15:00:09 node-6 neutron-server 2016-01-28 15:00:09.535 17707 INFO neutron.wsgi [-] (17707) accepted ('192.168.0.7', 49085)
<182>Jan 28 15:00:08 node-6 nova-api 2016-01-28 15:00:08.742 7567 INFO nova.osapi_compute.wsgi.server [-] 192.168.0.7 "OPTIONS / HTTP/1.0" status: 200 len: 317 time: 0.0006490
<44>Jan 21 14:49:24 node-6 swift-container-server: Configuration option internal_client_conf_path not defined. Using default configuration, See internal-client.conf-sample for options
<45>Jan 21 14:49:25 node-6 swift-container-server: Started child 26510
<46>Jan 21 14:42:44 node-6 keystone_wsgi_admin_access 192.168.0.2 - - [21/Jan/2016:14:42:42 +0000] "GET /v3/services HTTP/1.1" 200 113 532351 "-" "python-keystoneclient"

This 'leading number' in logs is PRI rsyslog field injected by rsyslog system logger:

The PRI value is a combination of so-called severity and facility. The facility indicates where the message originated from (e.g. kernel, mail subsystem) while the severity provides a glimpse of how important the message might be (e.g. error or informational).

Log message template in rsyslog configuration:

$Template RemoteLog, "<%pri%>%timestamp% %hostname% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n"

So all messages come via system logging (provided by rsyslog in MOS) have <PRI> prefix