Page MenuHomePhabricator
Create Task
Maniphest T268806

ELK: uniquely identify network syslog
Closed, ResolvedPublic
Actions

Description

Since I started I've been sending network logs as local3.
Those syslog are being sent from appliances so the configuration options are very limited, they're also of various quality.

Unfortunately today other systems (cloudcontrol) started to send log to local3 as well. Making network dashboard much more difficult to use.

I was wondering if there was a way to identify network logs uniquely, eg at the ingestion point. So this issue stops and doesn't happen again.

Other option is to declare local3 as network only and prevent anyone else to use it for other purposes.

Details

SubjectRepoBranchLines +/-
profile: identify network devices logging inputoperations/puppetproduction+51 -62
Customize query in gerrit

Related Objects

Event Timeline

ayounsi created this task.Nov 26 2020, 9:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2020, 9:01 AM
ayounsi mentioned this in T268175: central logging for OpenStack services.Nov 26 2020, 9:06 AM
lmata moved this task from Inbox to Backlog on the observability board.Nov 30 2020, 4:27 PM
colewhite added a comment.Dec 1 2020, 5:05 PM

A regex in logstash that detects type based on the source hostname could work. Another possibility is to correctly tag the logs as they are ingested by the syslog receiver. Neither option is great, but we lack configuration options at the source. I would opt for a regex in logstash because we have a testing framework in place.

@ayounsi if we choose this route, we'll need to develop a regex based on the network appliances naming convention.
Are there details or docs about this convention somewhere that we could reference? An overview of the convention here on task is acceptable as well.

ayounsi added a comment.Dec 2 2020, 11:07 AM

https://wikitech.wikimedia.org/wiki/Infrastructure_naming_conventions#Networking

Note that I don't think they send the hostname with all the logs (yeah, they're not good at it).
Would tagging it by IPs be an option? For example using something like: https://gerrit.wikimedia.org/r/c/operations/puppet/+/643703 to re-use existing IP definitions. We would need to make sure that logs come from matching IPs though.

jbond mentioned this in T229397: Puppet: get data (row, rack, site, and other information) from Netbox.Dec 2 2020, 11:14 AM
colewhite added a comment.Dec 2 2020, 5:59 PM
In T268806#6662503, @ayounsi wrote:

Note that I don't think they send the hostname with all the logs (yeah, they're not good at it).

I was unable to find an example of log entries getting into Logstash without the host field set. Could you point me to where I might find or reproduce an example of this behavior?

Interestingly, I could not find logs from the following prefixes in logstash (assuming facility:local3). Is it intentional that logs from these hosts not be captured?

  • pfw
  • ps (found on centrallog)
  • psw
  • scs (found on centrallog)
  • cloudsw

Would tagging it by IPs be an option? For example using something like: https://gerrit.wikimedia.org/r/c/operations/puppet/+/643703 to re-use existing IP definitions. We would need to make sure that logs come from matching IPs though.

It might be a possibility. It's probably a more complicated setup and would need some discussion to flesh out what it would look like.

ayounsi mentioned this in T269340: Junos changes for management-instance support on QFX.Dec 3 2020, 10:41 AM
ayounsi added a comment.Dec 3 2020, 1:03 PM

I was unable to find an example of log entries getting into Logstash without the host field set. Could you point me to where I might find or reproduce an example of this behavior?

I guess there are none then. I still feel like relying on a regex is brittle though, but if you think it's fine, then let's do it.

Interestingly, I could not find logs from the following prefixes in logstash (assuming facility:local3). Is it intentional that logs from these hosts not be captured?
pfw

Fixed

ps (found on centrallog)

Expected

psw

Not in use anymore

scs (found on centrallog)

Expected

cloudsw

Fixed

Slightly relevant, is there a way to be notified if a device haven't sent logs in a while?

colewhite added a comment.Dec 3 2020, 5:14 PM
In T268806#6666539, @ayounsi wrote:

I guess there are none then. I still feel like relying on a regex is brittle though, but if you think it's fine, then let's do it.

I was informed earlier today that we gave network devices a special input (udp/10514 on centrallog). This single input may make it easier to tag at ingest so we will investigate this option first.

Slightly relevant, is there a way to be notified if a device haven't sent logs in a while?

We have an exporter that runs queries against Logstash and exports metrics. We could populate a graph and alert off that reasonably easy.

gerritbot added a comment.Dec 3 2020, 10:08 PM

Change 645181 had a related patch set uploaded (by Cwhite; owner: Cwhite):
[operations/puppet@production] profile: identify network devices input

https://gerrit.wikimedia.org/r/645181

gerritbot added a project: Patch-For-Review.Dec 3 2020, 10:08 PM
gerritbot added a comment.Dec 17 2020, 10:00 PM

Change 645181 merged by Cwhite:
[operations/puppet@production] profile: identify network devices logging input

https://gerrit.wikimedia.org/r/645181

Maintenance_bot removed a project: Patch-For-Review.Dec 17 2020, 10:10 PM
colewhite closed this task as Resolved.Dec 17 2020, 10:42 PM
colewhite claimed this task.

Network syslog now is type => "netdev" in Logstash.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL