Page MenuHomePhabricator
Create Task
Maniphest T100970

configure less aggressive cassandra log rotation / send cassandra logs to logstash
Closed, ResolvedPublic
Actions

Description

The rotation of /var/log/cassandra/system.log seems quite aggressive, and amounts to a retention of about 2 days (~53MB compressed):

$ ls -lh
total 53M
-rw-r--r-- 1 cassandra cassandra 857K Mar 23 09:26 repair.log
-rw-r--r-- 1 cassandra cassandra 636K Jun  1 09:52 system.log
-rw-r--r-- 1 cassandra cassandra 2.2M May 31 13:36 system.log.10.zip
-rw-r--r-- 1 cassandra cassandra 2.7M May 31 09:41 system.log.11.zip
-rw-r--r-- 1 cassandra cassandra 2.6M May 31 09:02 system.log.12.zip
-rw-r--r-- 1 cassandra cassandra 2.4M May 31 07:57 system.log.13.zip
-rw-r--r-- 1 cassandra cassandra 2.7M May 31 05:33 system.log.14.zip
-rw-r--r-- 1 cassandra cassandra 2.4M May 31 04:19 system.log.15.zip
-rw-r--r-- 1 cassandra cassandra 2.6M May 31 01:33 system.log.16.zip
-rw-r--r-- 1 cassandra cassandra 2.6M May 30 23:56 system.log.17.zip
-rw-r--r-- 1 cassandra cassandra 2.4M May 30 22:11 system.log.18.zip
-rw-r--r-- 1 cassandra cassandra 2.4M May 30 18:23 system.log.19.zip
-rw-r--r-- 1 cassandra cassandra 2.7M Jun  1 09:48 system.log.1.zip
-rw-r--r-- 1 cassandra cassandra 2.4M May 30 14:30 system.log.20.zip
-rw-r--r-- 1 cassandra cassandra 2.9M Jun  1 06:58 system.log.2.zip
-rw-r--r-- 1 cassandra cassandra 3.0M Jun  1 06:17 system.log.3.zip
-rw-r--r-- 1 cassandra cassandra 3.0M Jun  1 04:05 system.log.4.zip
-rw-r--r-- 1 cassandra cassandra 2.7M Jun  1 01:50 system.log.5.zip
-rw-r--r-- 1 cassandra cassandra 2.8M May 31 22:55 system.log.6.zip
-rw-r--r-- 1 cassandra cassandra 2.8M May 31 22:38 system.log.7.zip
-rw-r--r-- 1 cassandra cassandra 2.2M May 31 17:52 system.log.8.zip
-rw-r--r-- 1 cassandra cassandra 2.3M May 31 16:22 system.log.9.zip

I suggest we retain at least a weeks worth of logs.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Cassandra logstash setupoperations/puppetproduction+142 -8
logstash-logback-encoder setupoperations/software/logstash-logback-encodermaster+22 -0
cassandra: ship logback.xml with longer retention periodsoperations/puppet/cassandramaster+61 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Eevans created this task.Jun 1 2015, 10:01 AM
Eevans raised the priority of this task from to Needs Triage.
Eevans updated the task description. (Show Details)
Eevans added projects: RESTBase-Cassandra, acl*sre-team.
Eevans subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 1 2015, 10:01 AM
chasemp triaged this task as Medium priority.Jun 1 2015, 9:08 PM
chasemp set Security to None.
chasemp subscribed.

Is it a better idea to include cassandra logs in logstash or some off-host central place if historical logs are important?

GWicke subscribed.Jun 2 2015, 8:18 AM

Yes, I think we should look into sending cassandra logs to logstash. That way it should be easier to plot trends, set up alerts etc.

GWicke renamed this task from configure less aggressive cassandra log rotation to configure less aggressive cassandra log rotation / send cassandra logs to logstash.Jun 2 2015, 8:19 AM
mobrovac subscribed.Jun 2 2015, 8:26 AM

Since Cassandra uses the /log4j/ back-end for logging, this should be straightforward to configure using Logstash' log4j receiver.

Eevans added a comment.Jun 5 2015, 3:34 PM
In T100970#1328368, @mobrovac wrote:

Since Cassandra uses the /log4j/ back-end for logging, this should be straightforward to configure using Logstash' log4j receiver.

Cassandra actually uses logback these days, I've been eying this: https://github.com/logstash/logstash-logback-encoder

I know there was some concern about the appender blocking in the event it can not write to logstash, according to the README for logstassh-logback-encoder, this shouldn't be a problem:

Internally, the TCP appenders are asynchronous (using the LMAX Disruptor RingBuffer). All the encoding and TCP communication is delegated to a single writer thread. There is no need to wrap the TCP appenders with another asynchronous appender (such as AsyncAppender or LoggingEventAsyncDisruptorAppender).

All the configuration parameters (except for sub-appender) of the async appenders are valid for TCP appenders. For example, waitStrategyType and ringBufferSize.

The TCP appenders will never block the logging thread. If the RingBuffer is full (e.g. due to slow network, etc), then events will be dropped.

I'll do some testing of this and report back with my findings.

mobrovac added a comment.Jun 5 2015, 3:58 PM
In T100970#1341509, @Eevans wrote:

Cassandra actually uses logback these days, I've been eying this: https://github.com/logstash/logstash-logback-encoder

Looks good (on paper)! :)

The TCP appenders will never block the logging thread. If the RingBuffer is full (e.g. due to slow network, etc), then events will be dropped.

There's also a UDP adapter, which I'd honestly prefer over the TCP one in spite of the ring buffer. UDP is async and non-blocking by design, and I think we all know how Java and TCP sockets work great together until they don't, which also seems to be true in this case.

That said, I think we should evaluate both options. Specifically, testing with looong messages containing tons of back-trace lines should be used.

Eevans added a comment.Jun 5 2015, 7:17 PM
In T100970#1341600, @mobrovac wrote:

There's also a UDP adapter, which I'd honestly prefer over the TCP one in spite of the ring buffer. UDP is async and non-blocking by design, and I think we all know how Java and TCP sockets work great together until they don't, which also seems to be true in this case.

If that's true, that networking in Java is somehow inherently unreliable, then I fear we have problems much larger than this. :)

The only reason that I've leaned toward TCP here, is that our Cassandra nodes are quite a bit chattier than say RB; From the looks of it we're doing something like 32 messages / second. I don't expect that to be a problem all by itself, but if we use UDP everywhere, then its not hard to imagine it causing some of the same problems that it currently does for Graphite (https://phabricator.wikimedia.org/T101141).

That said, I think we should evaluate both options. Specifically, testing with looong messages containing tons of back-trace lines should be used.

I agree.

Eevans added a comment.Jun 5 2015, 9:53 PM

logstash-test.tar.gz20 KBDownload

logstash.conf157 BDownload

To test, I looped indefinitely, logging messages ranging in size from 1 to 1000 words. The code I used is attached, (build w/ mvn package, and run w/ mvn exec:java -Dexec.mainClass=org.wikimedia.logstash.Logstuff).

For both appenders (UDP and TCP), I started and stopped logstash for varying periods of time (upwards of 30 minutes), periodically blocked network access entirely with iptables (DROP and REJECT), and simulated lossy connections (e.g. w/ iptables -A INPUT -i lo -m statistic --mode random --probability 0.1 -p tcp --dport 4050 -j DROP). Both appenders failed gracefully without blocking the application, and both resumed logging immediately as soon as connectivity was restored.

Eevans added a subtask: T102292: deploy logstash-logback-encoder to Archiva.Jun 12 2015, 9:10 PM
Eevans closed subtask T102292: deploy logstash-logback-encoder to Archiva as Resolved.Jun 16 2015, 9:09 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJun 16 2015, 9:09 PM
Eevans mentioned this in T102715: add operations/software/logstash-logback-encoder git repository.Jun 16 2015, 10:00 PM
Eevans added a subtask: T102715: add operations/software/logstash-logback-encoder git repository.
gerritbot subscribed.Jun 18 2015, 5:48 PM

Change 219210 had a related patch set uploaded (by Filippo Giunchedi):
cassandra: ship logback.xml with longer retention periods

https://gerrit.wikimedia.org/r/219210

gerritbot added a project: Patch-For-Review.Jun 18 2015, 5:48 PM
gerritbot added a comment.Jun 18 2015, 6:38 PM

Change 219210 merged by Filippo Giunchedi:
cassandra: ship logback.xml with longer retention periods

https://gerrit.wikimedia.org/r/219210

fgiunchedi mentioned this in rOPCAc6c3fc7468bd: cassandra: ship logback.xml with longer retention periods.Jun 18 2015, 10:04 PM
GWicke added a comment.Jun 19 2015, 10:44 PM

The only reason that I've leaned toward TCP here, is that our Cassandra nodes are quite a bit chattier than say RB; From the looks of it we're doing something like 32 messages / second.

That's actually a couple of orders of magnitude less chatty than the RB -> graphite traffic.

GWicke added a project: RESTBase.Jun 19 2015, 10:44 PM
GWicke moved this task from Backlog to In progress on the RESTBase board.Jun 20 2015, 12:16 AM
gerritbot added a comment.Jun 25 2015, 3:05 PM

Change 220764 had a related patch set uploaded (by Eevans):
logstash-logback-encoder setup

https://gerrit.wikimedia.org/r/220764

Eevans closed subtask T102715: add operations/software/logstash-logback-encoder git repository as Resolved.Jun 25 2015, 3:10 PM
Eevans claimed this task.Jun 25 2015, 7:36 PM
fgiunchedi mentioned this in rOPUPc6c3fc7468bd: cassandra: ship logback.xml with longer retention periods.Jun 25 2015, 9:06 PM
gerritbot added a comment.Jul 10 2015, 3:21 PM

Change 220764 merged by Eevans:
logstash-logback-encoder setup

https://gerrit.wikimedia.org/r/220764

gerritbot added a comment.Jul 20 2015, 9:30 PM

Change 226025 had a related patch set uploaded (by Eevans):
WIP: Cassanra logstash setup

https://gerrit.wikimedia.org/r/226025

gerritbot added a comment.Jul 28 2015, 2:54 PM

Change 226025 merged by Filippo Giunchedi:
Cassandra logstash setup

https://gerrit.wikimedia.org/r/226025

Eevans closed this task as Resolved.Jul 29 2015, 8:32 PM
Eevans added a subscriber: bd808.

All production instances are now reporting to Logstash, and are viewable from the Kibana dashboard: https://logstash.wikimedia.org/#/dashboard/elasticsearch/cassandra

Many thanks to @bd808 for all his help in getting this setup!

fgiunchedi mentioned this in rOPUP6f7d94913692: Cassandra logstash setup.Jul 30 2015, 10:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits