Page MenuHomePhabricator
Create Task
Maniphest T150734

Make Thumbor logs available in ELK
Closed, ResolvedPublic
Actions

Description

Maybe not the very chatty 404 log, but at least the error log.

Details

SubjectRepoBranchLines +/-
Thumbor: don't rewrite host value in logstash messagesoperations/puppetproduction+6 -1
Thumbor: fix logstash message typeoperations/puppetproduction+1 -1
thumbor: send errors to logstash in beta toooperations/puppetproduction+3 -0
thumbor: add logstash config for codfwoperations/puppetproduction+7 -0
Remove unneeded Thumbor logstash filtermediawiki/vagrantmaster+0 -15
Add logback filter for Thumboroperations/puppetproduction+7 -0
Send Thumbor error log to logstashoperations/puppetproduction+26 -1
Filter Thumbor logstash entries by program, not typemediawiki/vagrantmaster+2 -2
Send Thumbor logs to logstashmediawiki/vagrantmaster+70 -1
Customize query in gerrit

Related Objects

Event Timeline

Gilles created this task.Nov 15 2016, 9:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 15 2016, 9:29 AM
Gilles triaged this task as Low priority.Nov 15 2016, 9:29 AM
Gilles mentioned this in T149980: Investigate why oom_kill mtail program doesn't work properly.Nov 15 2016, 9:10 PM
Gilles added a subscriber: bd808.Dec 6 2016, 2:24 PM

@bd808 any tips or examples on how to set that up for a new service?

bd808 added a comment.Dec 6 2016, 4:22 PM

Generally you need to look at the logging stack that exists for the app and figure out how to ship a copy of the logs to a logstash ingestion node. For a Python app you might want to look at Striker's use of python-logstash. Once the logs are getting sent over to logstash you may need to adjust filters on the particular input channel you use to mutate the log events and tag them for saving in the Elasticsearch backend.

Gilles added a comment.Mar 13 2017, 2:42 PM

This all looks very straightforward. I just need to make a Debian package for python-logstash first, since there isn't one at the moment.

Gilles added a project: Performance-Team.Mar 13 2017, 2:43 PM
Gilles moved this task from Inbox, needs triage to Doing (old) on the Performance-Team board.
Gilles added a comment.Mar 21 2017, 10:20 AM

Debian package ready at https://github.com/gi11es/thumbor-debian/tree/master/python-logstash @fgiunchedi please review and add to our production apt repos when you can.

Gilles moved this task from Doing (old) to Blocked (old) on the Performance-Team board.Mar 21 2017, 10:20 AM
Gilles added a project: Patch-For-Review.
fgiunchedi added a project: User-fgiunchedi.Mar 21 2017, 5:26 PM

ok @Gilles ! I'll review/upload likely next week

fgiunchedi added a comment.May 10 2017, 2:12 PM

"Likely" wasn't so likely, anyways I've uploaded the package to our jessie-wikimedia repo!

fgiunchedi moved this task from Backlog to Doing on the User-fgiunchedi board.May 10 2017, 2:12 PM
fgiunchedi moved this task from Doing to Radar on the User-fgiunchedi board.May 11 2017, 2:53 PM
fgiunchedi added a comment.May 11 2017, 4:27 PM

@Gilles FYI I've imported the repo into operations/debs/python-logstash internally

Gilles removed a project: Patch-For-Review.May 29 2017, 12:49 PM
Gilles mentioned this in T170109: Thumbor should support SVG files that start with <svg:svg.Jul 12 2017, 8:45 AM
Tgr mentioned this in T170352: Large SVG files fail to render in Thumbor (due to lack of use of the --unlimited option in librsvg).Jul 12 2017, 8:53 AM
Gilles moved this task from Blocked (old) to Doing (old) on the Performance-Team board.Jul 12 2017, 7:21 PM
gerritbot subscribed.Jul 13 2017, 8:26 AM

Change 364954 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/vagrant@master] Send Thumbor logs to logstash

https://gerrit.wikimedia.org/r/364954

gerritbot added a project: Patch-For-Review.Jul 13 2017, 8:26 AM
gerritbot added a comment.Jul 13 2017, 8:38 AM

Change 364954 merged by jenkins-bot:
[mediawiki/vagrant@master] Send Thumbor logs to logstash

https://gerrit.wikimedia.org/r/364954

gerritbot added a comment.Jul 17 2017, 3:38 PM

Change 365619 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/puppet@production] Send Thumbor error log to logstash

https://gerrit.wikimedia.org/r/365619

gerritbot added a comment.Aug 16 2017, 4:16 PM

Change 372163 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/vagrant@master] Filter Thumbor logstash entries by program, not type

https://gerrit.wikimedia.org/r/372163

gerritbot added a comment.Aug 16 2017, 4:19 PM

Change 372163 merged by jenkins-bot:
[mediawiki/vagrant@master] Filter Thumbor logstash entries by program, not type

https://gerrit.wikimedia.org/r/372163

gerritbot added a comment.Sep 4 2017, 7:08 PM

Change 375859 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/puppet@production] Send Thumbor error log to logstash

https://gerrit.wikimedia.org/r/375859

gerritbot added a comment.Sep 5 2017, 8:19 AM

Change 365619 merged by Filippo Giunchedi:
[operations/puppet@production] Add logback filter for Thumbor

https://gerrit.wikimedia.org/r/365619

gerritbot added a comment.Sep 5 2017, 8:34 AM

Change 375859 merged by Filippo Giunchedi:
[operations/puppet@production] Send Thumbor error log to logstash

https://gerrit.wikimedia.org/r/375859

fgiunchedi added a comment.Sep 5 2017, 8:52 AM

All patches merged, though this isn't going to work yet:

  • The sent lines might exceed MTU and are not natively split or trimmed
  • The format of lines sent by python-logstash is json for udp and "json_lines" (as logstash calls it) though the logstash udp endpoint we're sending to expects syslog format
Gilles added a comment.Sep 5 2017, 9:43 AM

I think the endpoint is expecting the right format:

logstash::input::udp { 'logback':
    port  => 11514,
    codec => 'json',
}
fgiunchedi added a comment.Sep 5 2017, 9:59 AM

Indeed the logstash configuration is right, I misread 11514 and 10514. The udp packets are making it to e.g. logstash1003 fine but for some reason are not showing up in kibana. I can't find anything in logstash logs themselves on the filesystem

Gilles added a comment.Sep 5 2017, 10:01 AM

Kibana query for the other log entries coming from that endpoint (cassandra):

https://logstash.wikimedia.org/app/kibana#/discover?_g=()&_a=(columns:!(_source),filters:!(('$$hashKey':'object:5689','$state':(store:appState),meta:(alias:!n,disabled:!f,index:'logstash-*',key:type,negate:!f,value:cassandra),query:(match:(type:(query:cassandra,type:phrase))))),index:'logstash-*',interval:auto,query:'',sort:!('@timestamp',desc))

Query where I expect Thumbor log entries would show up:

https://logstash.wikimedia.org/app/kibana#/discover?_g=()&_a=(columns:!(_source),filters:!(('$$hashKey':'object:5689','$state':(store:appState),meta:(alias:!n,disabled:!f,index:'logstash-*',key:type,negate:!f,value:thumbor),query:(match:(type:(query:thumbor,type:phrase))))),index:'logstash-*',interval:auto,query:'',sort:!('@timestamp',desc))

gerritbot added a comment.Sep 5 2017, 11:17 AM

Change 375993 had a related patch set uploaded (by Gilles; owner: Gilles):
[mediawiki/vagrant@master] Remove unneeded Thumbor logstash filter

https://gerrit.wikimedia.org/r/375993

gerritbot added a comment.Sep 5 2017, 11:29 AM

Change 375993 merged by jenkins-bot:
[mediawiki/vagrant@master] Remove unneeded Thumbor logstash filter

https://gerrit.wikimedia.org/r/375993

fgiunchedi added a subscriber: Gehel.Sep 5 2017, 1:30 PM

Indeed, even after removing the filter the situation didn't change. I can see packets e.g. from thumbor1001 making it to logstash1003 but nothing in kibana and no errors logged by logstash either. Maybe @Gehel you've come across this before?

bd808 added a comment.Sep 5 2017, 2:30 PM

Usually logstash will log a save failure if Elasticsearch is rejecting the events for some reason, but it might be worth double checking the Elasticsearch logs on logstash100[456] for errors about conflicting data types in the mappings (T150106).

fgiunchedi added a comment.Sep 8 2017, 2:55 PM

Thanks @bd808 ! Sadly I can't find any smoking gun on /var/log/elasticsearch/production-logstash-eqiad.log about indexing problems and conflicting data types which would have solved the mystery :(

gerritbot added a comment.Sep 11 2017, 9:21 AM

Change 377220 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] thumbor: add logstash config for codfw

https://gerrit.wikimedia.org/r/377220

gerritbot added a comment.Sep 11 2017, 9:32 AM

Change 377220 merged by Filippo Giunchedi:
[operations/puppet@production] thumbor: add logstash config for codfw

https://gerrit.wikimedia.org/r/377220

Gilles moved this task from Doing (old) to Blocked (old) on the Performance-Team board.Sep 12 2017, 9:01 AM
gerritbot added a comment.Sep 13 2017, 10:41 AM

Change 377731 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] thumbor: send errors to logstash in beta too

https://gerrit.wikimedia.org/r/377731

gerritbot added a comment.Sep 13 2017, 10:44 AM

Change 377731 merged by Filippo Giunchedi:
[operations/puppet@production] thumbor: send errors to logstash in beta too

https://gerrit.wikimedia.org/r/377731

fgiunchedi added a comment.Sep 15 2017, 8:48 AM

I poked at this some more this week but go nowhere either in beta or production, to recap:

  • udp messages make it from thumbor machines to logstash frontends
  • said messages are not terminated with newlines and thus to be used with codec json, not json_lines and match logstash configuration for 11514/udp
  • the thumbor messages never make it to kibana, similar messages (e.g. wdqs) do however
  • I couldn't find any errors from elasticsearch indicating a mapping mismatch (or from logstash for that matter)
gerritbot added a comment.Sep 27 2017, 9:37 AM

Change 380942 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/puppet@production] Thumbor: fix logstash message type

https://gerrit.wikimedia.org/r/380942

gerritbot added a comment.Sep 27 2017, 9:37 AM

Change 380943 had a related patch set uploaded (by Gilles; owner: Gilles):
[operations/puppet@production] Thumbor: don’t rewrite host value in logstash messages

https://gerrit.wikimedia.org/r/380943

gerritbot added a comment.Oct 11 2017, 4:13 PM

Change 380942 merged by Filippo Giunchedi:
[operations/puppet@production] Thumbor: fix logstash message type

https://gerrit.wikimedia.org/r/380942

Stashbot subscribed.Oct 11 2017, 4:15 PM

Mentioned in SAL (#wikimedia-operations) [2017-10-11T16:15:13Z] <godog> roll-restart thumbor to apply https://gerrit.wikimedia.org/r/380942 - T150734

Gilles added a comment.EditedOct 12 2017, 5:58 AM

@fgiunchedi it's logstash that needs to be restarted, the change is on the consuming side

Stashbot added a comment.Oct 12 2017, 1:13 PM

Mentioned in SAL (#wikimedia-operations) [2017-10-12T13:12:59Z] <moritzm> rolling restart of logstash to pick up thumbor logs (T150734)

Gilles closed this task as Resolved.Oct 12 2017, 1:25 PM

Success: https://logstash.wikimedia.org/goto/c016a93d8c2cedd96d4cd0937e7230dc

Gehel added a comment.Oct 12 2017, 3:57 PM

https://gerrit.wikimedia.org/r/#/c/380943/ has actually not been merged. I have not followed all the details, but since the logs are flowing, should we abandon this second change?

Gehel mentioned this in T178078: RESTBase logs disappeared from logstash.Oct 12 2017, 4:04 PM
Gilles added a comment.Oct 13 2017, 4:22 AM

The logs are flowing, but the host information is missing. It needs to be merged and deployed.

gerritbot added a comment.Oct 13 2017, 8:42 AM

Change 380943 merged by Filippo Giunchedi:
[operations/puppet@production] Thumbor: don't rewrite host value in logstash messages

https://gerrit.wikimedia.org/r/380943

fgiunchedi added a comment.Oct 13 2017, 9:37 AM

Last change merged and deployed, thumbor hostname is now in logstash \o/

fgiunchedi mentioned this in T212946: Stream Thumbor logs to logstash.Jan 7 2019, 9:09 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits