Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log collection through Filebeat daemonset #88

Closed
wants to merge 13 commits into from
Closed

Log collection through Filebeat daemonset #88

wants to merge 13 commits into from

Conversation

solsson
Copy link
Contributor

@solsson solsson commented Nov 4, 2017
edited

Pending native kafka support for fluent-bit (fluent/fluent-bit#94 or a go plugin) I'm evaluating filebeat which has kafka-support as an intermediate step for aggregation to ELK.

Candidate for merge to v3.0.0 (#84), with advantages over the tail-based solution:

  • Resumes at previous position
  • Discovers new files without restart
  • Adds (some) kubernetes metadata.
  • Every message contains source, compared to the delimeters approach from tail.
    • You'd can use jq to do like kubectl logs -f but for arbitrary filters on pods.

Sadly the kubernetes object lacks node name (zone name would be great too), a typical record having:

    "offset": 8770457,
    "source": "/var/lib/docker/containers/671a46ea4b400c73424a9f438fa1102f83b4db2d9fe3e229f61824df953b5b26/671a46ea4b400c73424a9f438fa1102f83b4db2d9fe3e229f61824df953b5b26-json.log",
    "kubernetes": {
      "container": {
        "name": "testcase"
      },
      "labels": {
        "test-target": "logs-streaming-raw",
        "pod-template-hash": "1087956622",
        "test-type": "readiness"
      },
      "namespace": "test-kafka",
      "pod": {
        "name": "logs-raw-54dcf9bb66-898h5"
      }
    }

@solsson
Copies the result of the original filebeat branch ...
3a0b097 
but changes naming and namespace, to run alongside -raw.
@solsson
filebeat 6.0.0-rc2
760cff5
@solsson
Fixes pod start in GKE, read-only file system
fcc184a 
Error: failed to start container "filebeat": Error response from daemon:
error while creating mount source path '/kubernets-filebeat-state': mkdir /kubernets-filebeat-state: read-only file system
@solsson
Adds test (without asserts) for filebeat topic, jq-compatible log
7f0e564
@solsson
Tentative RBAC; kubectl describe's error messages are helpful
a401bda
@solsson
ClusterRoleBinding fixes RBAC for filebeat
f0b7fde
@solsson
Fixes JSON syntax getting broken by "Reached end of topic"
52c28e8
@solsson
Fixes kubernetes metadata inclusion
504911a 
thanks to https://discuss.elastic.co/t/kubernetes-metadata/90865/15
@solsson
Removes kubernetes debug as the result is ...
8878b5c 
lots and lots of messages like
2017/11/04 16:16:03.383326 indexing.go:58: DBG Using container id: %!(EXTRA string=509e0dd0dcfdf526779c116ca3634c31c1b58102e762671ee31ab41febe22e3e)
2017/11/04 16:16:03.386038 indexing.go:52: DBG Incoming source value: %!(EXTRA string=/var/lib/docker/containers/509e0dd0dcfdf526779c116ca3634c31c1b58102e762671ee31ab41febe22e3e/509e0dd0dcfdf526779c116ca3634c31c1b58102e762671ee31ab41febe22e3e-json.log)
@solsson
Dropped the logs- prefix now in the logs-kafka namespace
e04a403
@solsson solsson changed the base branch from master to 1.8-logs-streaming November 4, 2017 16:35
solsson
solsson commented Nov 4, 2017
View reviewed changes
Copy link
Contributor Author

@solsson solsson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Contrary to what 504911a#diff-81195533b894e72927dc12f0d5d58b35L14 suggests we still get lots and lots of INFO Same file found as symlink and originap. Skipping file: /var/lib/docker/containers/fa80887d5c1a580a35c298708c610d4c098e2b173d48d60172440303dd6df364/fa80887d5c1a580a35c298708c610d4c098e2b173d48d60172440303dd6df364-json.log in logs.

Combined with the fact that that 504911a#diff-81195533b894e72927dc12f0d5d58b35R13 breaks e04a403 we get lots and lots of logs.

@solsson
Copy link
Contributor Author

solsson commented Nov 5, 2017
edited

Just need to note a few ideas, so I don't have to implement them now :)

  • We'd prefer to have node name, and/or pod name, as key. Ordering is unimportant between pods, but within pods it's quite essential.
  • Can we de-duplicate entries? Quite interesting for the raw impl of Addon: Collect logs to Kafka topic #40.
    • How is state storage implemented in filebeat? Does it produce first and then record position? Or does it record position when it has read a batch from the file, then produce?

solsson added a commit that referenced this pull request Nov 6, 2017
@solsson
Uses node name as key so we can preserver ordering
de0b1f5 
Addresses #88 (comment).

I deemed it safe to assume that operational daemonset pods never co-exist on a node.

Tests edenhill/kcat#123,
as does 53f355a.
This was referenced Nov 8, 2017
Closed
Closed
Closed
@solsson solsson mentioned this pull request Dec 13, 2017
Merged
@solsson
Copy link
Contributor Author

solsson commented Jan 22, 2018

I find Fluent Bit more promising. See #131.

@solsson solsson closed this Jan 22, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@solsson