===============
Fluentd Formula
===============

Many web/mobile applications generate huge amounts of event logs
(cf. login, logout, purchase, follow, etc.). Analyzing these event
logs can be quite valuable for improving services. However, collecting
these logs easily and reliably is a challenging task.

Fluentd solves the problem by having: easy installation, small footprint,
plugins, reliable buffering, log forwarding, etc.

**NOTE: WORK IN PROGRESS**
NOTE: DESIGN OF THIS FORMULA IS NOT YET STABLE AND MAY CHANGE
NOTE: FORMULA NOT COMPATIBLE WITH OLD VERSION

Sample Pillars
==============

General pillar structure
------------------------

.. code-block:: yaml

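# Layout of the fluentd pillar (placeholders, not real values). Under
# config, each of input / filter / match is keyed by a file name and then by
# an entry name whose value is that entry's parameters; label nests the same
# three sections one level deeper under the label's file name.
fluentd:
  config:
    label:
      filename:
        input:
          input_name:
            params
        filter:
          filter_name:
            params
          filter_name2:
            params
        match:
          match_name:
            params
    input:
      filename:
        input_name:
          params
        input_name2:
          params
      filename2:
        input_name3:
          params
    filter:
      filename:
        filter_name:
          params
        filter_name2:
          params
      filename2:
        filter_name3:
          params
    match:
      filename:
        match_name:
          params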

Example pillar
--------------

.. code-block:: yaml

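# Example pillar following the general structure above. Inputs that set
# `label` are routed to the label of that name under config.label, and the
# relabel match at the bottom sends docker monitoring records to the
# "monitoring" label.
fluentd:
  enabled: true
  config:
    label:
      monitoring:
        filter:
          parse_log:
            tag: 'docker.monitoring.{alertmanager,remote_storage_adapter,prometheus}.*'
            type: parser
            reserve_data: true
            key_name: log
            parser:
              type: regexp
              format: >-
                /^time="(?<time>[^ ]*)" level=(?<severity>[a-zA-Z]*) msg="(?<message>.+?)"/
              time_format: '%FT%TZ'
          remove_log_key:
            tag: 'docker.monitoring.{alertmanager,remote_storage_adapter,prometheus}.*'
            type: record_transformer
            remove_keys: log
        match:
          docker_log:
            tag: 'docker.**'
            type: file
            # Example destination only: /tmp is shared and world-writable, so a
            # production deployment should write to a dedicated log directory.
            path: /tmp/flow-docker.log
      grok_example:
        input:
          test_log:
            type: tail
            path: /var/log/test
            tag: test.test
            parser:
              type: grok
              custom_pattern_path: /etc/td-agent/config.d/global.grok
              rule:
                - pattern: >-
                    %{KEYSTONEACCESS}
      syslog:
        filter:
          # enable_ruby lets record_transformer evaluate the `value` strings as
          # Ruby expressions against each record (the formula presumably wraps
          # them in ${...}); keep such expressions operator-controlled and never
          # derive them from log content.
          add_severity:
            tag: 'syslog.*'
            type: record_transformer
            enable_ruby: true
            record:
              - name: severity
                value: 'record["pri"].to_i - (record["pri"].to_i / 8).floor * 8'
          severity_to_string:
            tag: 'syslog.*'
            type: record_transformer
            enable_ruby: true
            record:
              - name: severity
                value: '{"debug"=>7,"info"=>6,"notice"=>5,"warning"=>4,"error"=>3,"critical"=>2,"alert"=>1,"emerg"=>0}.key(record["severity"])'
          severity_for_telegraf:
            tag: 'syslog.*.telegraf'
            type: parser
            reserve_data: true
            key_name: message
            parser:
              type: regexp
              format: >-
                /^(?<time>[^ ]*) (?<severity>[A-Z])! (?<message>.*)/
              time_format: '%FT%TZ'
          severity_for_telegraf_string:
            tag: 'syslog.*.telegraf'
            type: record_transformer
            enable_ruby: true
            record:
              - name: severity
                value: '{"debug"=>"D","info"=>"I","notice"=>"N","warning"=>"W","error"=>"E","critical"=>"C","alert"=>"A","emerg"=>"E"}.key(record["severity"])'
          prometheus_metric:
            tag: 'syslog.*.*'
            type: prometheus
            label:
              - name: ident
                type: variable
                value: ident
              - name: severity
                type: variable
                value: severity
            metric:
              - name: log_messages
                type: counter
                desc: The total number of log messages.
        match:
          rewrite_tag_key:
            tag: 'syslog.*'
            type: rewrite_tag_filter
            rule:
              - name: ident
                regexp: '^(.*)'
                result: '__TAG__.$1'
          syslog_log:
            tag: 'syslog.*.*'
            type: file
            # Example destination only; see the note on docker_log above.
            path: /tmp/syslog
    input:
      syslog:
        syslog_log:
          type: tail
          label: syslog
          path: /var/log/syslog
          tag: syslog.syslog
          parser:
            type: regexp
            format: >-
              '/^\<(?<pri>[0-9]+)\>(?<time>[^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/'
            time_format: '%FT%T.%L%:z'
        # auth.log holds authentication events; the fluentd process needs read
        # access to it, which is better granted through file group membership
        # than by running the agent as root.
        auth_log:
          type: tail
          label: syslog
          path: /var/log/auth.log
          tag: syslog.auth
          parser:
            type: regexp
            format: >-
              '/^\<(?<pri>[0-9]+)\>(?<time>[^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/'
            time_format: '%FT%T.%L%:z'
      prometheus:
        prometheus:
          type: prometheus
        prometheus_monitor:
          type: prometheus_monitor
        prometheus_output_monitor:
          type: prometheus_output_monitor
      forward:
        forward_listen:
          type: forward
          port: 24224
          # 0.0.0.0 listens on every interface and this example sets no
          # transport or authentication options, so any host that can reach
          # the port can inject records. Bind to a specific address or
          # firewall the port, and prefer in_forward's TLS transport and
          # shared_key authentication where the formula exposes them.
          bind: 0.0.0.0
    match:
      docker_monitoring:
        docker_monitoring:
          tag: 'docker.monitoring.{alertmanager,remote_storage_adapter,prometheus}.*'
          type: relabel
          label: monitoring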