
How to analyse nova logs via logstash

The Elasticsearch family includes a trio of tools that collects, analyses and plots logs, which I found quite beneficial. The trio is Logstash + Elasticsearch + Kibana.

Logstash collects logs in various formats and parses them using a given recipe. The parsed logs are then stored in Elasticsearch or another selected back-end. Finally, using the indexes in Elasticsearch, Kibana lets you analyse the logs in various ways with great visuals.

In this post, I will quickly show how to work on openstack-nova logs in an already set up environment.

First, let's forward the nova logs to where Logstash is listening. To do this, we will use logstash-forwarder, which runs on the host where the logs are located. Its job is very simple: it reads the log files and forwards each line in them. Your /etc/logstash-forwarder should look like this:


{
  "network": {
    "servers": [ "10.10.10.10:5000" ],
    "timeout": 15,
    "ssl ca": "path/to/crt"
  },

  "files": [
    {
      "paths": [
         "/var/log/nova/nova-*.log"
       ],
      "fields": { "type": "nova" }
    }
   ]
}

In the network object, make the necessary changes for the basic configuration of logstash-forwarder. In the files array, the paths of the log files to be forwarded are defined with a specific type. In our case, it is nova.

On the Logstash side, which listens for and indexes logs, you need to specify how Logstash will parse the logs. For this, we will edit the filter part. In order to build my environment, I have followed this guide. In it, the filter part is defined in /etc/logstash/conf.d/10-syslog.conf. We will simply edit this file.


filter{
  if [type] == "nova" {

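    grok {
      # NOVA_MODULE is not a stock grok pattern; it must be defined in a custom patterns file for this match to load
      match => {"message" => "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} %{LOGLEVEL:loglevel} %{NOVA_MODULE:nova_module} (?:%{DATA})"}
    }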
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }

  }
}

The filter has three parts: grok, date, and a failure handler. Grok parses the collected logs. With the grok pattern above, we index the timestamp, process ID, log level and nova module. Optionally, you can index more fields here, for example by splitting out request_id, by editing the match pattern in grok. The date filter gives the format in which the timestamp field is parsed so that it can be saved as the event time. The last part drops logs that don't suit our match pattern.
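The following Python sketch is an added example, not code from the original post. It mirrors the grok, date and drop steps on constructed log lines and includes the optional request_id split, which makes visible which lines never reach the index. The regex is an approximation: NOVA_MODULE is assumed to be a dotted logger name, the log level list is a subset of grok's LOGLEVEL, and the `[req-... user tenant]` layout is assumed.

```python
import re
from datetime import datetime

# Approximation of the post's grok pattern (unanchored, like a grok match).
# Assumptions: NOVA_MODULE is a dotted Python logger name; the optional
# [req-...] group is the request_id split the post mentions as an extension.
NOVA_LINE = re.compile(
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<pid>\d+) "
    r"(?P<loglevel>DEBUG|INFO|WARNING|ERROR|CRITICAL|TRACE) "
    r"(?P<nova_module>[A-Za-z_][\w.]*)"
    r"(?: \[(?P<request_id>req-[0-9a-f-]+)[^\]]*\])?"
    r"(?: (?P<rest>.*))?"
)

# Constructed sample lines, not taken from a real deployment.
SAMPLE = [
    "2015-03-02 14:05:11.482 2931 INFO nova.compute.manager [req-6f1c2a9e-0b7d-4c55-9d3a-1e2f3a4b5c6d admin demo] Starting instance",
    "2015-03-02 14:05:12.017 2931 ERROR nova.compute.manager Instance failed to spawn",
    "    raise exception.InstanceNotFound(instance_id=instance_uuid)",
    "2015-03-02 14:05:13.250 2874 WARNING nova.scheduler.filters No hosts matched",
]

def parse(line):
    """Return the indexed fields, or None where the filter would drop the event."""
    m = NOVA_LINE.search(line)
    if m is None:
        return None  # corresponds to the _grokparsefailure tag followed by drop { }
    event = m.groupdict()
    # Equivalent of the date filter format "yyyy-MM-dd HH:mm:ss.SSS"
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S.%f")
    event["pid"] = int(event["pid"])
    return event

def run(lines):
    """Split lines into parsed events and raw lines the filter would discard."""
    kept, dropped = [], []
    for line in lines:
        ev = parse(line)
        (kept if ev else dropped).append(ev or line)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = run(SAMPLE)
    print(len(kept), "indexed;", len(dropped), "dropped:", dropped)
```

The unprefixed continuation line is the one discarded here, which is worth keeping in mind when the indexed logs are later used to investigate errors.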

Finally, with some configuration in your Kibana dashboard, you can get a good-looking representation of the nova logs. Here is a table populated by nova logs:

