Heka: различия между версиями

Материал из noname.com.ua
Перейти к навигацииПерейти к поиску
Строка 276: Строка 276:
 
This number in log is PRI rsyslog field:
 
This number in log is PRI rsyslog field:
 
<BR>
 
<BR>
{{quote|text=
+
{{quote|
 
The PRI value is a combination of so-called severity and facility. The facility indicates where the message originated from (e.g. kernel, mail subsystem) while the severity provides a glimpse of how important the message might be (e.g. error or informational).}}
 
The PRI value is a combination of so-called severity and facility. The facility indicates where the message originated from (e.g. kernel, mail subsystem) while the severity provides a glimpse of how important the message might be (e.g. error or informational).}}
 
and added into message template:
 
and added into message template:

Версия 16:52, 29 января 2016

Heka

Heka is an open source stream processing software system developed by Mozilla. Heka is a “Swiss Army Knife” type tool for data processing, useful for a wide variety of different tasks, such as:

  • Loading and parsing log files from a file system.
  • Accepting statsd type metrics data for aggregation and forwarding to upstream time series data stores such as graphite or InfluxDB.
  • Launching external processes to gather operational data from the local system.
  • Performing real time analysis, graphing, and anomaly detection on any data flowing through the Heka pipeline.
  • Shipping data from one location to another via the use of an external transport (such as AMQP) or directly (via TCP).
  • Delivering processed data to one or more persistent data stores.

Configuration overview

All LMA heka config files are located in /etc/lma_collector folder. e.g. on controller there are follwing confguration files:

amqp-openstack_error.toml
amqp-openstack_info.toml
amqp-openstack_warn.toml
decoder-collectd.toml
decoder-http-check.toml
decoder-keystone_7_0.toml
decoder-keystone_wsgi.toml
decoder-mysql.toml
decoder-notification.toml
decoder-openstack.toml
decoder-ovs.toml
decoder-pacemaker.toml
decoder-rabbitmq.toml
decoder-swift.toml
decoder-system.toml
encoder-elasticsearch.toml
encoder-influxdb.toml
encoder-nagios_afd_nodes_debug.toml
encoder-nagios_afd_nodes.toml
encoder-nagios_gse_global_clusters.toml
encoder-nagios_gse_node_clusters.toml
filter-afd_api_backends.toml
filter-afd_api_endpoints.toml
filter-afd_node_controller_cpu.toml
filter-afd_node_controller_log-fs.toml
filter-afd_node_controller_root-fs.toml
filter-afd_node_mysql-nodes_mysql-fs.toml
filter-afd_service_apache_worker.toml
filter-afd_service_cinder-api_http_errors.toml
filter-afd_service_glance-api_http_errors.toml
filter-afd_service_heat-api_http_errors.toml
filter-afd_service_keystone-admin-api_http_errors.toml
filter-afd_service_keystone-public-api_http_errors.toml
filter-afd_service_mysql_node-status.toml
filter-afd_service_neutron-api_http_errors.toml
filter-afd_service_nova-api_http_errors.toml
filter-afd_service_rabbitmq_disk.toml
filter-afd_service_rabbitmq_memory.toml
filter-afd_service_rabbitmq_queue.toml
filter-afd_service_swift-api_http_errors.toml
filter-afd_workers.toml
filter-gse_global.toml
filter-gse_node.toml
filter-gse_service.toml
filter-heka_monitoring.toml
filter-http_metrics.toml
filter-influxdb_accumulator.toml
filter-influxdb_annotation.toml
filter-instance_state.toml
filter-resource_creation_time.toml
filter-service_heartbeat.toml
global.toml
httplisten-collectd.toml
httplisten-http-check.toml
input-aggregator.toml
logstreamer-keystone_7_0.toml
logstreamer-keystone_wsgi.toml
logstreamer-mysql.toml
logstreamer-openstack_7_0.toml
logstreamer-openstack_dashboard.toml
logstreamer-ovs.toml
logstreamer-pacemaker.toml
logstreamer-rabbitmq.toml
logstreamer-swift.toml
logstreamer-system.toml
multidecoder-aggregator.toml
output-aggregator.toml
output-dashboard.toml
output-elasticsearch.toml
output-influxdb.toml
output-nagios_afd_nodes.toml
output-nagios_gse_global_clusters.toml
output-nagios_gse_node_clusters.toml
scribbler-aggregator_flag.toml
splitter-openstack.toml
splitter-rabbitmq.toml

Heka's configuration files can be divided into follwing groups:

  • Inputs
  • Splitters
  • Decoders
  • Filters
  • Encoders
  • Outputs

Inputs

On controller there are following inputs groups:

AMQPInput

AMQP input (https://hekad.readthedocs.org/en/v0.10.0/config/inputs/amqp.html)
There are followinf AMQP inputs:

  • amqp-openstack_error.toml
  • amqp-openstack_info.toml
  • amqp-openstack_warn.toml

All AMQP inputs looks like:

[openstack_error_amqp]
type = "AMQPInput"
url = "amqp://nova:nova_password@192.168.0.2:5673/"
exchange = "nova"
exchange_type = "topic"
exchange_durability = false
exchange_auto_delete = false
queue_auto_delete = false
queue = "lma_notifications.error"
routing_key = "lma_notifications.error"
decoder = "notification_decoder"
splitter = "NullSplitter"
can_exit = true

The only difference between AMQP inputs are queue and routing_key parameter:

queue = "lma_notifications.info"
routing_key = "lma_notifications.info"

All AMQP inputs use one decoder to decode AMQP messages: notification_decoder, configuration can be found in decoder-notification.toml file.

LMA plugin configures openstack services to use 'lma_notifications' as notification_topics, e.g :

# cat /etc/nova/nova.conf | grep lma
notification_topics=lma_notifications

so heka is enable to get messages from queue and decode it.
Also, it is possible to see rabbitmq messages using trace plugin, for details please see: http://wiki.sirmax.noname.com.ua/index.php/Rabbitmq_trace#RabbitMQ_log_messages

HttpListenInput

HttpListenInput plugins start a webserver listening on the specified address and port. For more detail: https://hekad.readthedocs.org/en/v0.10.0/config/inputs/httplisten.html
There are the folljwing HttpListen inputs configured in LMA (controller)

  • httplisten-collectd.toml
  • httplisten-http-check.toml
httplisten-collectd

This is input used to get data only from local collectd.

[collectd_httplisten]
type="HttpListenInput"
address = "127.0.0.1:8325"
decoder = "collectd_decoder"
splitter = "NullSplitter"
httplisten-http-check
[http-check_httplisten]
type="HttpListenInput"
address = "192.168.0.2:5566"
decoder = "http-check_decoder"
splitter = "NullSplitter"

This is 'opened port' used for haproxy http check. As you can see in haproxy config, this port is used only for check 'is heka running or not' for expose port 5565 from input-aggregator.
/etc/haproxy/conf.d/999-lma.cfg

listen lma
  bind 192.168.0.7:5565
  balance  roundrobin
  mode  tcp
  option  httpchk
  option  tcplog
  server node-6 192.168.0.2:5565  check port 5566

TcpInput

There is only one tcp input in LMA configuration:

  • input-aggregator.toml
[aggregator_tcpinput]
type="TcpInput"
address = "192.168.0.2:5565"
decoder = "aggregator_decoder"
splitter = "HekaFramingSplitter"

This input is used to aggregate data in HA configuration and this port is exposed using haproxy on Virtual IP.
So in HA multi-cotroller configuration this port will be exposed only on one controller.
More details will be provided below.

LogstreamerInput

Logstream input tails a single log file, a sequential single log source, or multiple log sources of either a single logstream or multiple logstreams.
More detals: https://hekad.readthedocs.org/en/v0.10.0/config/inputs/logstreamer.html
There are following inputs configured on controller:

  • logstreamer-keystone_7_0.toml
  • logstreamer-keystone_wsgi.toml
  • logstreamer-mysql.toml
  • logstreamer-openstack_7_0.toml
  • logstreamer-openstack_dashboard.toml
  • logstreamer-ovs.toml
  • logstreamer-pacemaker.toml
  • logstreamer-rabbitmq.toml
  • logstreamer-swift.toml
  • logstreamer-system.toml

All logstream inputs are very closed to each other. E.g logstreamer-openstack:

[openstack_7_0_logstreamer]
type = "LogstreamerInput"
log_directory = "/var/log"
file_match = '(?P<Service>nova|cinder|glance|heat|neutron|murano)-all\.log$'
differentiator = [ 'openstack.', 'Service' ]
decoder = "openstack_decoder"
splitter = "openstack_splitter"

This input do the following:

  • read files from /var/log/ matches file_match expression
  • diffirentiator is a set of strings that will be used in the naming of the logger. E.g. records from /var/log/nova-all.log will be marked as :Logger: openstack.nova
:Timestamp: 2016-01-27 15:44:05.114000128 +0000 UTC
:Type: log
:Hostname: node-6
:Pid: 17814
:Uuid: c2a1db38-1f24-48b6-a96b-34be7b364eb3
:Logger: openstack.nova
:Payload: nova.osapi_compute.wsgi.server [-] 192.168.0.7 "OPTIONS / HTTP/1.0" status: 200 len: 317 time: 0.0005581
:EnvVersion:
:Severity: 6
:Fields:
    | name:"syslogfacility" type:double value:22
    | name:"environment_label" type:string value:"test2"
    | name:"http_client_ip_address" type:string value:"192.168.0.7"
    | name:"http_response_time" type:double value:0.0005581
    | name:"http_method" type:string value:"OPTIONS"
    | name:"http_version" type:string value:"1.0"
    | name:"http_url" type:string value:"/"
    | name:"openstack_release" type:string value:"2015.1.0-7.0"
    | name:"http_response_size" type:double value:317
    | name:"openstack_region" type:string value:"RegionOne"
    | name:"http_status" type:string value:"200"
    | name:"openstack_roles" type:string value:"primary-controller"
    | name:"deployment_mode" type:string value:"ha_compact"
    | name:"programname" type:string value:"nova-api"
    | name:"deployment_id" type:string value:"3"
    | name:"severity_label" type:string value:"INFO"
  • "openstack_decoder" is lua decoder, /usr/share/lma_collector/decoders/openstack_log.lua
  • "openstack_splitter" is regexp splitter:
[openstack_splitter]
type = "RegexSplitter"
delimiter = '(<[0-9]+>)'
delimiter_eol = false

This splitter is very simple: each openstack log contains leading part '<number>', e.g. we can check all unique fields:

# cat  /var/log/*all.log | sort -u  -t'>' -k1,1
<134>Jan 28 18:00:02 node-6 heat-api-cfn 2016-01-28 18:00:02.115 15557 INFO eventlet.wsgi.server [-] 192.168.0.7 - - [28/Jan/2016 18:00:02] "OPTIONS / HTTP/1.0" 300 275 0.000297
<14>Jan 21 15:00:02 node-6 glance-cache-pruner 2016-01-21 15:00:02.026 24376 INFO glance.image_cache [-] Image cache loaded driver 'sqlite'.
<147>Jan 21 15:08:19 node-6 glance-api 2016-01-21 15:08:19.576 3196 ERROR swiftclient [req-023ef8c5-9b09-40b1-9806-e685e205c16d 56aa47e7bf964ce4a13456f055739c29 7a65891a25f94a3bbda76b99e582ade6 - - -] Container HEAD failed: http://192.168.0.7:8080/v1/AUTH_7a65891a25f94a3bbda76b99e582ade6/glance 404 Not Found
<148>Jan 21 14:47:05 node-6 glance-registry 2016-01-21 14:47:05.943 3141 WARNING keystonemiddleware.auth_token [-] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' instead.
<150>Jan 21 14:47:03 node-6 glance-manage 2016-01-21 14:47:03.198 3051 INFO migrate.versioning.api [-] 0 -> 1...
<155>Jan 28 13:18:06 node-6 cinder-scheduler 2016-01-28 13:18:06.088 18090 ERROR oslo_messaging._drivers.impl_rabbit [-] AMQP server 192.168.0.2:5673 closed the connection. Check login credentials: Socket closed
<158>Jan 25 18:00:04 node-6 cinder-api 2016-01-25 18:00:04.089 18212 INFO eventlet.wsgi.server [-] (18212) accepted ('192.168.0.7', 53352)
<166>Jan 28 15:00:09 node-6 neutron-server 2016-01-28 15:00:09.535 17707 INFO neutron.wsgi [-] (17707) accepted ('192.168.0.7', 49085)
<182>Jan 28 15:00:08 node-6 nova-api 2016-01-28 15:00:08.742 7567 INFO nova.osapi_compute.wsgi.server [-] 192.168.0.7 "OPTIONS / HTTP/1.0" status: 200 len: 317 time: 0.0006490
<44>Jan 21 14:49:24 node-6 swift-container-server: Configuration option internal_client_conf_path not defined. Using default configuration, See internal-client.conf-sample for options
<45>Jan 21 14:49:25 node-6 swift-container-server: Started child 26510
<46>Jan 21 14:42:44 node-6 keystone_wsgi_admin_access 192.168.0.2 - - [21/Jan/2016:14:42:42 +0000] "GET /v3/services HTTP/1.1" 200 113 532351 "-" "python-keystoneclient"

This number in log is PRI rsyslog field:

The PRI value is a combination of so-called severity and facility. The facility indicates where the message originated from (e.g. kernel, mail subsystem) while the severity provides a glimpse of how important the message might be (e.g. error or informational).

and added into message template:

$Template RemoteLog, "<%pri%>%timestamp% %hostname% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n"

Splitters

Splitter details: https://hekad.readthedocs.org/en/v0.10.0/config/splitters/index.html
There are only one custom splitter:

[openstack_splitter]
type = "RegexSplitter"
delimiter = '(<[0-9]+>)'
delimiter_eol = false

Decoders

decoder-collectd.toml
decoder-libvirt.toml
decoder-openstack.toml
decoder-ovs.toml
decoder-system.toml

Heka Debugging

[RstEncoder]

[output_file]
type = "FileOutput"
#message_matcher = "Fields[aggregator] == NIL && Type == 'heka.sandbox.afd_node_metric'"
message_matcher = "Fields[aggregator] == NIL"
path = "/var/log/heka-debug.log"
perm = "666"
flush_count = 100
flush_operator = "OR"
#encoder = "nagios_afd_nodes_encoder_debug"
encoder = "RstEncoder"