Which logging files to send to ELK

Hello,

I am working on documentation on how to set up Foreman with journald/rsyslog to send all our RoR logs (with custom fields) into ELK (ElasticSearch basically). I have this WIP configuration:

Now, this only captures logs which are in journal/syslog, but we have some configuration files in Foreman or Katello deployment. Since rsyslog is also capable of importing logs from external files via the imfile module, which files should I include in the initial version of the document? I won’t have time to include them all, but I would like to hear what should be the priority.

Smart proxy can be configured to send logs to syslog, so this will work out of the box (no extra fields tho).

Candlepin has candlepin.log and a couple of others (audit.log, errors.log) as well as tomcat.log, I will likely configure only the first one. Will try to configure candlepin with syslog first, that should work according to docs. If not, imfile is the fallback.

Pulp has multiple files, some components log to syslog, some into files. I need advice here, I struggle here a bit. And then there’s qpid and other stuff related to Pulp.

Bare metal provisioning services TFTP and DHCP log into syslog by default, this will appear in ELK automatically as well.

Dynflow to my knowledge logs via RoR stack, that should go into journal when configured, it used to create some extra log file (dynflow_executor.{log,output}) tho. Also our foreman installer might be useful, but that’s imfile only and with time/date parsing - I will likely leave this to later.

To sum up, I am thinking this:

  • production.log (via journal - with custom/structured fields)
  • proxy.log (via syslog)
  • candlepin.log (via syslog)
  • cron.log (via imfile)
  • db_migrate.log and db_seed.log (via imfile)

Any comments on how you integrate with ELK/ES appreciated.

I think there’s still /var/log/foreman/dynflow_executor.{log,output} being used by dynflowd that executes Foreman core jobs, it uses RoR log stack only in dev env, where the executor runs in the same process. Another service is smart_proxy_dynflow_core which logs to /var/log/foreman-proxy/smart_proxy_dynflow_core.log, that’s dynflow running in smart proxy. So there are probably good candidates for imfile. @aruzicka please keep me honest here.

dynflowd indeed has a couple additional log files:

| logfile | contents |
|---|---|
| dynflow_executor.log | Output from the process monitoring the executor (see daemons[1]) |
| dynflow_executor.output | Logging from Dynflow before the rails environment gets initialized |
| production.log | Everything after rails env is initialized should end up here |

For smart_proxy_dynflow_core, everything should end up in /var/log/foreman-proxy/smart_proxy_dynflow_core.log.

[1] - https://www.rubydoc.info/gems/daemons

@aruzicka do you have example entries by chance of both dynflow files so I can create imfile importer? I need just to see a few lines to align timedate.

Sure, take a look at the attachment
dynflow_executor.tar.gz (4.9 KB)

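Added example, not posted by anyone in the thread and not Foreman's own configuration: an rsyslog fragment that imports the three Dynflow files named above through imfile and ships them to Elasticsearch over HTTPS. The server name, index name, tags and facility are assumptions. The entry format of these files is not shown in the thread, so timestamps inside the lines are not parsed and `@timestamp` is the time rsyslog read the line.

```rsyslog
# Constructed example: host, index, tags and facility are placeholders.
module(load="imfile")
module(load="omelasticsearch")

# JSON document per line; option.json escapes values taken from the log file.
template(name="foreman_file_json" type="list" option.json="on") {
  constant(value="{\"@timestamp\":\"")
  property(name="timereported" dateFormat="rfc3339")   # read time, not log time
  constant(value="\",\"host\":\"")
  property(name="hostname")
  constant(value="\",\"source_file\":\"")
  property(name="$!metadata!filename")                  # set by addMetadata="on"
  constant(value="\",\"tag\":\"")
  property(name="syslogtag")
  constant(value="\",\"message\":\"")
  property(name="msg")
  constant(value="\"}")
}

# Dedicated ruleset so file imports do not mix with the journal/syslog pipeline.
ruleset(name="foreman_files") {
  action(type="omelasticsearch"
         server="elk.example.com" serverport="9200"     # placeholder host
         usehttps="on"                                  # do not ship logs in clear text
         searchIndex="foreman-files"                    # placeholder index
         template="foreman_file_json"
         bulkmode="on"
         action.resumeRetryCount="-1")                  # retry while ES is unreachable
}

# dynflowd: output of the process monitoring the executor
input(type="imfile" File="/var/log/foreman/dynflow_executor.log"
      Tag="dynflow_executor:" Facility="local6" Severity="info"
      addMetadata="on" ruleset="foreman_files")

# dynflowd: Dynflow logging before the rails environment is initialized
input(type="imfile" File="/var/log/foreman/dynflow_executor.output"
      Tag="dynflow_executor_output:" Facility="local6" Severity="info"
      addMetadata="on" ruleset="foreman_files")

# Dynflow running in the smart proxy
input(type="imfile" File="/var/log/foreman-proxy/smart_proxy_dynflow_core.log"
      Tag="smart_proxy_dynflow_core:" Facility="local6" Severity="info"
      addMetadata="on" ruleset="foreman_files")
```

The `source_file` field keeps the originating path on every document, which lets the three files be told apart in Kibana even though they share one index.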