Application Logging With The ELK Stack

@bwaine - #DPC15

Monday, 29 June 15

Ben Andersen-Waine

Software Engineer Contractor

Deployed ELK To Prod Numerous Times

Logging?

System Logs

Application Log

Debug Information - Errors (connections, uncaught exceptions, resource exhaustion)

Narrative Information - Methods Calls, Event Triggers

Business Events - Purchases, Logins, Registrations, Unsubscribes

ssh webserver@mydomain.net
tail -f /var/log/nginx/my-site.access.log
tail -f /var/log/my.application.log

ssh data@mydomain.net
tail -f /var/log/mysql/mysql.log

ssh q@mydomain.net
tail -f /var/log/rabbitmq/nodename.log

Keeping Track Of All This....

The Elk Stack

1) Monolog
2) Everything else....

PHP Logging Tools

1) Monolog: Loggers And Handlers
2) Monolog: Tags & Formatters
3) Logging business events

Basic Logging Examples

use Monolog\Logger;
use Monolog\Handler\FingersCrossedHandler;
use Monolog\Handler\StreamHandler;

// Use LOG_LEVEL from the environment, falling back to WARNING when it is unset
$logEnv = getenv('LOG_LEVEL');
$level = empty($logEnv) ? Logger::WARNING : $logEnv;

$appLog = new Logger('AppLog');

// Records are buffered and only written to the stream once one reaches $level
$strHandler = new StreamHandler('/var/log/app.log', Logger::DEBUG);
$fcHandler = new FingersCrossedHandler($strHandler, $level);

$appLog->pushHandler($fcHandler);
$appLog->debug('LOGGING!');

EG1: Loggers And Handlers

// Set A Log Level
$logEnv = getenv('LOG_LEVEL');
$level = empty($logEnv) ? Logger::WARNING : $logEnv;

// Create A Logger
$appLog = new Logger('AppLog');

// Create Handlers
$strHandler = new StreamHandler('/var/log/app.log', Logger::DEBUG);
$fcHandler = new FingersCrossedHandler($strHandler, $level);

// Push The Handler And Start Logging
$appLog->pushHandler($fcHandler);
$appLog->debug('Start Logging!');
$appLog->emergency('Something Terrible Happened');

EG 2: Tagging Formatting

use Monolog\Formatter\LogstashFormatter;
use Monolog\Processor\TagProcessor;

$appLog = new Logger('AppLog');

$strHandler = new StreamHandler('/var/lg.lg', $level);
$formatter = new LogstashFormatter("helloapp", "application");

$strHandler->setFormatter($formatter);
$appLog->pushHandler($strHandler);

// Tag every record with the per-request id so related lines can be correlated
$id = $_SERVER['X_VARNISH'];
$tag = new TagProcessor(['request-id' => $id]);

$appLog->pushProcessor($tag);
$appLog->debug("LOGGING!");

// Create A Logger
$appLog = new Logger('AppLog');

// Create A Handler & Formatter
$strHandler = new StreamHandler('/var/lg.lg', $level);
$formatter = new LogstashFormatter("helloapp", "app");

// Set Formatter Onto Handler
$strHandler->setFormatter($formatter);

// Push Handler Onto Logger
$appLog->pushHandler($strHandler);

// Capture A Unique Id, Create A Tag Processor, Push
$id = $_SERVER['X_VARNISH'];
$tag = new TagProcessor(['request-id' => $id]);
$appLog->pushProcessor($tag);
$appLog->debug("LOGGING!");

2009 - RFC 5424 - Syslog Protocol

Code / Severity

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

https://tools.ietf.org/html/rfc5424

Log Levels

2013 - PSR-3 - PHP Logging Interface Standard

http://www.php-fig.org/psr/psr-3/

PSR3

EG 3: Event Logging

use Monolog\Logger;
use Symfony\Component\EventDispatcher\EventDispatcher;

// Dedicated logger for business events (channel name assumed; the slide omits its creation)
$busLog = new Logger('BusinessLog');

$dispatcher = new EventDispatcher();

$dispatcher->addListener(
    "business.registration.post",
    function () use ($busLog) {
        $busLog->info("Customer registered");
    }
);

$dispatcher->dispatch("business.registration.post");

Logstash Architecture

1. The Logstash shipper ships logs to Logstash

2. Logstash processes them

3. Logstash inserts them into Elasticsearch

4. Kibana exposes a web interface to the Elasticsearch data

Why not rate the talk now BEFORE the demo?

https://joind.in/talk/view/14235

ELK Demo

1) Discover Data (search / diagnose)
2) Visualize Data
3) Produce A Dashboard
4) Demonstrate 'the new hotness' of Kibana 4

Logstash Config

Logstash Collecting

{
  "network": {
    "servers": [ "logs.logstashdemo.com:5000" ],
    "timeout": 15,
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
  },
  "files": [
    {
      "paths": [ "/var/log/nginx/helloapp.access.log" ],
      "fields": { "type": "nginx-access" }
    }
  ]
}

Logstash Processing

input {
  lumberjack {
    port => 5000
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

Input

Logstash Processing

Filtering

filter {
  if [type] == "nginx-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      # COMBINEDAPACHELOG captures the request time in the "timestamp" field
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}
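What the filter stage does to one event, as an added Python example that is not from the talk: grok extracts fields, add_field records the ingest time and sender, and the date step replaces @timestamp with the time nginx wrote in the line. The regex is a simplified stand-in for COMBINEDAPACHELOG (which names the time field `timestamp`); the function name, sample line, host and ingest time are constructed.

```python
import re
from datetime import datetime, timezone

# Simplified stand-in for COMBINEDAPACHELOG (assumption: the real grok pattern
# is more permissive, e.g. it also captures malformed requests as rawrequest).
COMBINED = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample line and ingest time, not taken from the talk.
SAMPLE = ('203.0.113.7 - - [29/Jun/2015:10:15:32 +0200] '
          '"GET /index.html HTTP/1.1" 200 612 "-" "curl/7.38.0"')
INGESTED = "2015-06-29T08:15:40Z"


def process(event, received_at):
    """Mimic the filter block on one event dict: grok, add_field, then date."""
    if event.get("type") != "nginx-access":
        return event                      # the conditional skips other types
    m = COMBINED.match(event["message"])
    if m is None:                         # Logstash tags unparsable lines
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update(m.groupdict())
    event["received_at"] = received_at    # ingest time, kept for comparison
    event["received_from"] = event.get("host")
    try:
        # Joda "dd/MMM/yyyy:HH:mm:ss Z" corresponds to this strptime format.
        when = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        event.setdefault("tags", []).append("_dateparsefailure")
        return event
    event["@timestamp"] = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return event


if __name__ == "__main__":
    out = process({"type": "nginx-access", "host": "web1", "message": SAMPLE}, INGESTED)
    print(out["@timestamp"], out["received_at"], out["response"])
```
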

Logstash Processing

Output

output {
  elasticsearch {
    host => localhost
  }
}

Groking

grok {
  match => { "message" => "%{COMBINEDAPACHELOG}" }
}

https://github.com/elasticsearch/logstash/blob/v1.4.2/patterns/grok-patterns

http://grokdebug.herokuapp.com/

55.3.244.1 GET /index.html 15824 0.043

%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
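How a grok expression such as the one above turns into a regular expression with named captures, as an added Python example that is not code from the talk or from Logstash. The four pattern bodies are simplified assumptions standing in for the definitions in the grok-patterns file, and the function names are illustrative.

```python
import re

# Simplified stand-ins for the definitions in Logstash's grok-patterns file
# (assumption: the real IP, URIPATHPARAM and NUMBER patterns are more thorough).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "URIPATHPARAM": r"/[^\s?]*(?:\?\S*)?",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expression):
    """Expand %{SYNTAX:semantic} references into named regex groups."""
    out, pos = [], 0
    for ref in GROK_REF.finditer(expression):
        out.append(re.escape(expression[pos:ref.start()]))  # literal text between refs
        syntax, semantic = ref.group(1), ref.group(2)
        if syntax not in GROK_PATTERNS:
            raise KeyError("unknown grok pattern: " + syntax)
        body = GROK_PATTERNS[syntax]
        out.append("(?P<%s>%s)" % (semantic, body) if semantic else "(?:%s)" % body)
        pos = ref.end()
    out.append(re.escape(expression[pos:]))
    return re.compile("".join(out))


def grok_match(expression, line):
    """Return the captured fields, or None (Logstash tags such events _grokparsefailure)."""
    m = grok_to_regex(expression).search(line)
    return m.groupdict() if m else None


EXPRESSION = ("%{IP:client} %{WORD:method} %{URIPATHPARAM:request} "
              "%{NUMBER:bytes} %{NUMBER:duration}")
SAMPLE = "55.3.244.1 GET /index.html 15824 0.043"  # sample line from the slide

if __name__ == "__main__":
    print(grok_match(EXPRESSION, SAMPLE))
    # A line that does not fit the pattern yields no fields at all.
    print(grok_match(EXPRESSION, "55.3.244.1 GET index.html 15824"))
```

Every captured value is a string; in Logstash, numeric types have to be requested explicitly before range queries or averages on fields such as bytes and duration behave as numbers.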

Hey Ben.... Have you got time for that gratuitously flashy geo data demo?

Logging Ideas

Release Marker

Error rates of various applications over time

Latency in various percentiles of each application tier

HTTP Responses: 400 series responses

HTTP Responses: 500 series responses

Auto git blame production errors

Auth and Syslogs

Go Forth And Log.... BUT

Remember log rotation

Beware running out of space

Beware file logging on NFS

Questions?
