2. WHO AM I ?
MORE OPS THAN DEV
Started out as an SA at several ISPs
Moved into Games ... IT Manager @ Pandemic (Brisbane)
Moved to BioWare to launch Star Wars: The Old Republic
Transferred to EA, Manage Cloud Team for Infrastructure Operations
Through M&As have 9 years tenure at EA.
3. WHO AM I ?
STUFF I LIKE TO DO ...
Automation ( and I don't just mean Puppet and/or Chef )
Agile ( Scrum / Kanban )
Cloud ( OpenStack, Amazon )
Monitoring / Logging
Solve problems
Cook ( I would be a chef if they didn't work so hard for such little pay )
4. WHAT IS A LOG?
A log is a human readable, machine parsable representation of an event.
LOG = TIMESTAMP + DATA
Jan 19 13:01:13 paulczlaptop anacron[7712]: Normal exit (0 jobs run)
120607 14:07:00 InnoDB: Starting an apply batch of log records to the database...
[1225306053] SERVICE ALERT: FTPSERVER;FTP SERVICE;OK;SOFT;2;FTP OK 0.029 second response time on port 21 [220 ProFTPD 1.3.1 Server ready.]
[Sat Jan 19 01:04:25 2013] [error] [client 78.30.200.81] File does not exist: /opt/www/vhosts/crappywebsite/html/robots.txt
6. A LOG IS HUMAN READABLE...
“A human readable, machine parsable representation of an event.”
208.115.111.74 - - [13/Jan/2013:04:28:55 -0500] "GET /robots.txt HTTP/1.1" 301 303 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
12. LOGS ARE MACHINE PARSEABLE
Users will now call PERL Ninja to solve every problem they have.
Hero Syndrome.
Does it work for every possible log line ?
Who's going to maintain that shit ?
Is it even useful without being surrounded by [bad] sysadmin scripts ?
13. SO WE AGREE ... THIS IS BAD.
208.115.111.74 - - [13/Jan/2013:04:28:55 -0500] "GET /robots.txt HTTP/1.1" 301 303 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
23. Define Inputs and Filters.
    input {
      # Tail the Apache access log; every line becomes an event of type "apache"
      file {
        type => "apache"
        path => ["/var/log/httpd/httpd.log"]
      }
    }
    filter {
      # Split the combined log line into named fields (clientip, response, agent, ...)
      grok {
        type => "apache"
        pattern => "%{COMBINEDAPACHELOG}"
      }
      # Use the timestamp from the log line as the event time, not the time it was read
      date {
        type => "apache"
      }
      # Enrich the client IP with geographic data
      geoip {
        type => "apache"
      }
    }
24. Define some outputs.
    output {
      statsd {
        type => "apache"
        increment => "apache.response.%{response}"
        # Count one hit every event by response
      }
      elasticsearch {
        type => "apache"
      }
    }
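To make slides 23 and 24 concrete outside of Logstash, here is an added Ruby example (not from the deck or the Logstash project) that does by hand what the grok, date and statsd stages do to the access-log line shown earlier: a named-capture regex standing in for %{COMBINEDAPACHELOG}, Time.strptime standing in for the date filter, and a per-response-code counter standing in for the statsd increment. The second sample line is constructed to show what happens to a line the pattern does not match.

```ruby
require 'time'

# Constructed sample input: the access-log line from the slides plus an
# unrelated syslog line, to exercise the parse-failure path.
SAMPLE_LOG = [
  '208.115.111.74 - - [13/Jan/2013:04:28:55 -0500] "GET /robots.txt HTTP/1.1" 301 303 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"',
  'Jan 19 13:01:13 paulczlaptop anacron[7712]: Normal exit (0 jobs run)',
].freeze

# Hand-written equivalent of grok's %{COMBINEDAPACHELOG}: the named captures
# become the event fields Logstash would add.
COMBINED_APACHE_LOG = /\A(?<clientip>\S+) (?<ident>\S+) (?<auth>\S+) \[(?<timestamp>[^\]]+)\] "(?<verb>\S+) (?<request>\S+)(?: HTTP\/(?<httpversion>[\d.]+))?" (?<response>\d{3}) (?<bytes>\d+|-) "(?<referrer>[^"]*)" "(?<agent>[^"]*)"\z/

# Mirrors the filter chain (grok, then date). Returns the event as a hash; a
# line that does not match is tagged the way Logstash tags grok failures
# instead of being silently dropped.
def parse_apache_event(line)
  event = { 'message' => line, 'tags' => [] }
  m = COMBINED_APACHE_LOG.match(line)
  return event.merge('tags' => ['_grokparsefailure']) unless m
  m.names.each { |name| event[name] = m[name] }
  # date filter: the event time is the timestamp in the line, normalised to UTC
  event['@timestamp'] = Time.strptime(event['timestamp'], '%d/%b/%Y:%H:%M:%S %z').utc
  event
end

# Mirrors the statsd output: one increment of apache.response.<code> per
# successfully parsed event.
def response_counters(lines)
  counts = Hash.new(0)
  lines.each do |line|
    ev = parse_apache_event(line)
    next if ev['tags'].include?('_grokparsefailure')
    counts["apache.response.#{ev['response']}"] += 1
  end
  counts
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOG.each { |l| p parse_apache_event(l) }
  p response_counters(SAMPLE_LOG)
end
```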
35. ALREADY HAVE CENTRAL RSYSLOG/SYSLOGNG SERVER?
    input {
      # Read the files the existing syslog server already writes
      file {
        type => "syslog"
        path => ["/data/rsyslog/**/*.log"]
      }
    }
    filter {
      ### a bunch of groks, a date, and other filters
    }
    output {
      elasticsearch {
        type => "syslog"
      }
    }
36. ACT AS A CENTRAL SYSLOG SERVER
GOOD FOR APPLIANCES / SWITCHES
    input {
      # Listen for syslog over both TCP and UDP on the standard port
      tcp {
        type => "syslog"
        port => "514"
      }
      udp {
        type => "syslog"
        port => "514"
      }
    }
    filter {
      ### a bunch of groks, a date, and other filters
    }
    output {
      elasticsearch {
        type => "syslog"
      }
    }
39. UNIQUE PROBLEM TO SOLVE ?
Write a logstash module!
Input: Snmptrap
Filter: Translate
Can do powerful things with [ boilerplate + ] a few lines of ruby
40. SCALING LOGSTASH
USE QUEUES ( RABBITMQ, REDIS ) TO HELP SCALE HORIZONTALLY.
Local log dir on clients = cheap queue
45. OTHER TOOLS YOU SHOULD ALL BE USING...
Vagrant
Chef / Puppet ( obviously! )
FPM
Omnibus
LXC containers for lightweight VMs
OpenStack ( run a cloud locally for dev )