.. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. (c) OPNFV, Spirent, AT&T, Ixia and others. .. Anuket ViNePerf LMA Documentation master file. *************** Logs User Guide *************** Prerequisites ============= - Require 3 VMs to setup K8s - ``$ sudo yum install ansible`` - ``$ pip install openshift pyyaml kubernetes`` (required for ansible K8s module) - Update IPs in all these files (if changed) ====================================================================== ====================== Path Description ====================================================================== ====================== ``ansible-server/group_vars/all.yml`` IP of K8s apiserver and VM hostname ``ansible-server/hosts`` IP of VMs to install ``ansible-server/roles/logging/files/persistentVolume.yaml`` IP of NFS-Server ``ansible-server/roles/logging/files/elastalert/ealert-rule-cm.yaml`` IP of alert-receiver ====================================================================== ====================== Architecture ============ .. image:: images/setup.png Installation - Clientside ========================= Nodes ----- - **Node1** = 10.10.120.21 - **Node4** = 10.10.120.24 How installation is done? ------------------------- - TD-agent installation ``$ curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent3.sh | sh`` - Copy the TD-agent config file in **Node1** ``$ cp tdagent-client-config/node1.conf /etc/td-agent/td-agent.conf`` - Copy the TD-agent config file in **Node4** ``$ cp tdagent-client-config/node4.conf /etc/td-agent/td-agent.conf`` - Restart the service ``$ sudo service td-agent restart`` Installation - Serverside ========================= Nodes ----- Inside Jumphost - POD12 - **VM1** = 10.10.120.211 - **VM2** = 10.10.120.203 - **VM3** = 10.10.120.204 How installation is done? ------------------------- **Using Ansible:** - **K8s** - **Elasticsearch:** 1 Master & 1 Data node at each VM - **Kibana:** 1 Replicas - **Nginx:** 2 Replicas - **Fluentd:** 2 Replicas - **Elastalert:** 1 Replica (get duplicate alert, if increase replica) - **NFS Server:** at each VM to store elasticsearch data at following path - ``/srv/nfs/master`` - ``/srv/nfs/data`` How to setup? ------------- - **To setup K8s cluster and EFK:** Run the ansible-playbook ``ansible/playbooks/setup.yaml`` - **To clean everything:** Run the ansible-playbook ``ansible/playbooks/clean.yaml`` Do we have HA? -------------- Yes Configuration ============= K8s --- Path of all yamls (Serverside) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ``ansible-server/roles/logging/files/`` K8s namespace ^^^^^^^^^^^^^ ``logging`` K8s Service details ^^^^^^^^^^^^^^^^^^^ ``$ kubectl get svc -n logging`` Elasticsearch Configuration --------------------------- Elasticsearch Setup Structure ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. image:: images/elasticsearch.png Elasticsearch service details ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | **Service Name:** ``logging-es-http`` | **Service Port:** ``9200`` | **Service Type:** ``ClusterIP`` How to get elasticsearch default username & password? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - User1 (custom user): | **Username:** ``elasticsearch`` | **Password:** ``password123`` - User2 (by default created by Elastic Operator): | **Username:** ``elastic`` | To get default password: | ``$ PASSWORD=$(kubectl get secret -n logging logging-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')`` | ``$ echo $PASSWORD`` How to increase replica of any index? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | $ curl -k -u "elasticsearch:password123" -H 'Content-Type: application/json' -XPUT "https://10.10.120.211:9200/indexname*/_settings" -d ' | { | "index" : { | "number_of_replicas" : "2" } | }' Index Life ^^^^^^^^^^ **30 Days** Kibana Configuration -------------------- Kibana Service details ^^^^^^^^^^^^^^^^^^^^^^ | **Service Name:** ``logging-kb-http`` | **Service Port:** ``5601`` | **Service Type:** ``ClusterIP`` Nginx Configuration ------------------- IP ^^ The IP address with https. Ex: "10.10.120.211:32000" Nginx Setup Structure ^^^^^^^^^^^^^^^^^^^^^ .. image:: images/nginx.png Ngnix Service details ^^^^^^^^^^^^^^^^^^^^^ | **Service Name:** ``nginx`` | **Service Port:** ``32000`` | **Service Type:** ``NodePort`` Why NGINX is used? ^^^^^^^^^^^^^^^^^^ `Securing ELK using Nginx `_ Nginx Configuration ^^^^^^^^^^^^^^^^^^^ **Path:** ``ansible-server/roles/logging/files/nginx/nginx-conf-cm.yaml`` Fluentd Configuration - Clientside (Td-agent) --------------------------------------------- Fluentd Setup Structure ^^^^^^^^^^^^^^^^^^^^^^^ .. image:: images/fluentd-cs.png Log collection paths ^^^^^^^^^^^^^^^^^^^^ - ``/tmp/result*/*.log`` - ``/tmp/result*/*.dat`` - ``/tmp/result*/*.csv`` - ``/tmp/result*/stc-liveresults.dat.*`` - ``/var/log/userspace*.log`` - ``/var/log/sriovdp/*.log.*`` - ``/var/log/pods/**/*.log`` Logs sent to ^^^^^^^^^^^^ Another fluentd instance of K8s cluster (K8s Master: 10.10.120.211) at Jumphost. Td-agent logs ^^^^^^^^^^^^^ Path of td-agent logs: ``/var/log/td-agent/td-agent.log`` Td-agent configuration ^^^^^^^^^^^^^^^^^^^^^^ | Path of conf file: ``/etc/td-agent/td-agent.conf`` | **If any changes is made in td-agent.conf then restart the td-agent service,** ``$ sudo service td-agent restart`` Config Description ^^^^^^^^^^^^^^^^^^ - Get the logs from collection path - | Convert to this format | { | msg: "log line" | log_path: “/file/path” | file: “file.name” | host: “pod12-node4” | } - Sends it to fluentd Fluentd Configuration - Serverside ---------------------------------- Fluentd Setup Structure ^^^^^^^^^^^^^^^^^^^^^^^ .. image:: images/fluentd-ss.png Fluentd Service details ^^^^^^^^^^^^^^^^^^^^^^^ | **Service Name:** ``fluentd`` | **Service Port:** ``32224`` | **Service Type:** ``NodePort`` Logs sent to ^^^^^^^^^^^^ Elasticsearch service (Example: logging-es-http at port 9200) Config Description ^^^^^^^^^^^^^^^^^^ - **Step 1** - Get the logs from Node1 & Node4 - **Step 2** ======================================== ====================== log_path add tag (for routing) ======================================== ====================== ``/tmp/result.*/.*errors.dat`` errordat.log ``/tmp/result.*/.*counts.dat`` countdat.log ``/tmp/result.*/stc-liveresults.dat.tx`` stcdattx.log ``/tmp/result.*/stc-liveresults.dat.rx`` stcdatrx.log ``/tmp/result.*/.*Statistics.csv`` ixia.log ``/tmp/result.*/vsperf-overall*`` vsperf.log ``/tmp/result.*/vswitchd*`` vswitchd.log ``/var/log/userspace*`` userspace.log ``/var/log/sriovdp*`` sriovdp.log ``/var/log/pods*`` pods.log ======================================== ====================== - **Step 3** Then parse each type using tags. - error.conf: to find any error - time-series.conf: to parse time series data - time-analysis.conf: to calculate time analyasis - **Step 4** ================================ ====================== host add tag (for routing) ================================ ====================== ``pod12-node4`` node4 ``worker`` node1 ================================ ====================== - **Step 5** ================================ ====================== Tag elasticsearch ================================ ====================== ``node4`` index “node4*” ``node1`` index “node1*” ================================ ====================== Elastalert ========== Send alert if ------------- - Blacklist - "Failed to run test" - "Failed to execute in '30' seconds" - "('Result', 'Failed')" - "could not open socket: connection refused" - "Input/output error" - "dpdk|ERR|EAL: Error - exiting with code: 1" - "Failed to execute in '30' seconds" - "dpdk|ERR|EAL: Driver cannot attach the device" - "dpdk|EMER|Cannot create lock on" - "dpdk|ERR|VHOST_CONFIG: * device not found" - Time - vswitch_duration > 3 sec How to configure alert? ----------------------- - Add your rule in ``ansible/roles/logging/files/elastalert/ealert-rule-cm.yaml`` (`Elastalert Rule Config `_) | name: anything | type: #The RuleType to use | index: node4* #index name | realert: | minutes: 0 #to get alert for all cases after each interval | alert: post #To send alert as HTTP POST | http_post_url: # Provide URL - Mount this file to elastalert pod in ``ansible/roles/logging/files/elastalert/elastalert.yaml``. Alert Format ------------ {"type": "pattern-match", "label": "failed", "index": "node4-20200815", "log": "error-log-line", "log-path": "/tmp/result/file.log", "reson": "error-message" } Data Management =============== Elasticsearch ------------- Q&As ^^^^ Where data is stored now? Data is stored in NFS server with 1 replica of each index (default). Path of data are following: - ``/srv/nfs/data (VM1)`` - ``/srv/nfs/data (VM2)`` - ``/srv/nfs/data (VM3)`` - ``/srv/nfs/master (VM1)`` - ``/srv/nfs/master (VM2)`` - ``/srv/nfs/master (VM3)`` If user wants to change from NFS to local storage, can he do it? Yes, user can do this, need to configure persistent volume. (``ansible-server/roles/logging/files/persistentVolume.yaml``) Do we have backup of data? Yes. 1 replica of each index When K8s restart, the data is still accessible? Yes (If data is not deleted from /srv/nfs/data) Troubleshooting =============== If no logs receiving in Elasticsearch ------------------------------------- - Check IP & port of server-fluentd in client config. - Check client-fluentd logs, ``$ sudo tail -f /var/log/td-agent/td-agent.log`` - Check server-fluentd logs, ``$ sudo kubectl logs -n logging `` If no notification received --------------------------- - Search your "log" in Elasticsearch. - Check config of elastalert - Check IP of alert-receiver Reference ========= - `Elastic cloud on K8s `_ - `HA Elasticsearch on K8s `_ - `Fluentd Configuration `_ - `Elastalert Rule Config `_