2. Sponsored by
• state51
• Pb of mogilefs, 100+ boxes.
• > 4 million tracks on-demand via API
• > 400 reqs/s per server, >1Gb peak from backhaul
• Suretec VOIP Systems
• UK voice over IP provider
• Extensive API, including WebHooks for notifications
• TIM Group
• “Alpha capture” applications
• Java / Scala / Clojure / ruby / puppet / python / perl
6. Why?
• I’d better stop, and explain a specific
problem.
• The solution that grew out of this is more
generic.
7. Why?
• I’d better stop, and explain a specific
problem.
• The solution that grew out of this is more
generic.
• But it illustrates my concerns and design
choices well.
8. Why?
• I’d better stop, and explain a specific
problem.
• The solution that grew out of this is more
generic.
• But it illustrates my concerns and design
choices well.
• And everyone likes a story, right?
9. Once upon a time...
• I was bored of tailing log files across dozens
of servers
10. Once upon a time...
• I was bored of tailing log files across dozens
of servers
• splunk was amazing, but unaffordable
16. Centralised logging
• Syslog isn’t good enough
• UDP is lossy, TCP not much better
• Limited fields
• No structure to actual message
17. Centralised logging
• Syslog isn’t good enough
• UDP is lossy, TCP not much better
• Limited fields
• No structure to actual message
• RFC3164 - “This document describes the
observed behaviour of the syslog protocol”
19. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• We want to log data, rather than text
from our application
20. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• We want to log data, rather than text
from our application
• E.g. HTTP request - vhost, path, time to
generate, N db queries etc..
24. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• Post-process log files to re-structure
• Cases we do not control (e.g. apache)
25. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• Post-process log files to re-structure
• Cases we do not control (e.g. apache)
• SO MANY DATE FORMATS. ARGHH!!
42. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• Post-process log files to re-structure
• Publish logs as JSON to a message queue
43. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• Post-process log files to re-structure
• Publish logs as JSON to a message queue
• JSON is fast, and widely supported
44. Centralised logging
• Syslog isn’t good enough
• Structured app logging
• Post-process log files to re-structure
• Publish logs as JSON to a message queue
• JSON is fast, and widely supported
• Great for arbitrary structured data!
47. Message queue
• Flattens load spikes!
• Only have to keep up with average message
volume, not peak volume.
48. Message queue
• Flattens load spikes!
• Only have to keep up with average message
volume, not peak volume.
• Logs are bursty! (Peak rate 1000x average.)
49. Message queue
• Flattens load spikes!
• Only have to keep up with average message
volume, not peak volume.
• Logs are bursty! (Peak rate 1000x average.)
• Easy to scale - just add more consumers
50. Message queue
• Flattens load spikes!
• Only have to keep up with average message
volume, not peak volume.
• Logs are bursty! (Peak rate 1000x average.)
• Easy to scale - just add more consumers
• Allows smart routing
51. Message queue
• Flattens load spikes!
• Only have to keep up with average message
volume, not peak volume.
• Logs are bursty! (Peak rate 1000x average.)
• Easy to scale - just add more consumers
• Allows smart routing
• Great as a common integration point.
54. elasticsearch
• Just tip JSON documents into it
• Figures out type for each field, indexes
appropriately.
55. elasticsearch
• Just tip JSON documents into it
• Figures out type for each field, indexes
appropriately.
• Free sharding and replication
56. elasticsearch
• Just tip JSON documents into it
• Figures out type for each field, indexes
appropriately.
• Free sharding and replication
• Histograms!
57. Logstash
In JRuby, by Jordan Sissel
Input
Simple: Filter
Output
Flexible
Extensible
Plays well with others
Nice web interface
63. Logstash on each host
is totally out...
• Running it on elasticsearch servers which
are already dedicated to this is fine..
64. Logstash on each host
is totally out...
• Running it on elasticsearch servers which
are already dedicated to this is fine..
• I’d still like to reuse all of it’s parsing
65. Logstash on each host
is totally out...
• Running it on elasticsearch servers which
are already dedicated to this is fine..
• I’d still like to reuse all of it’s parsing
• How about I just log to AMQP from my
app?
66. Logstash on each host
is totally out...
• Running it on elasticsearch servers which
are already dedicated to this is fine..
• I’d still like to reuse all of it’s parsing
• How about I just log to AMQP from my
app?
• Doooom!
76. This talk
• Is about my new library: Message::Passing
• The clue is in the name...
77. This talk
• Is about my new library: Message::Passing
• The clue is in the name...
• Hopefully really simple
78. This talk
• Is about my new library: Message::Passing
• The clue is in the name...
• Hopefully really simple
• Maybe even useful!
79. This talk
• Is about my new library: Message::Passing
• The clue is in the name...
• Hopefully really simple
• Maybe even useful!
• Definitely small - you can replace / rewrite
it easily.
80. Lets make it generic!
• So, I wanted a log shipper
81. Lets make it generic!
• So, I wanted a log shipper
• I ended up with a framework for messaging
interoperability
82. Lets make it generic!
• So, I wanted a log shipper
• I ended up with a framework for messaging
interoperability
• Whoops!
83. Lets make it generic!
• So, I wanted a log shipper
• I ended up with a framework for messaging
interoperability
• Whoops!
• Got sick of writing scripts..
85. Does this actually
work?
• YES - In production at four sites for me.
• Some of the adaptors are partially
complete
86. Does this actually
work?
• YES - In production at four sites for me.
• Some of the adaptors are partially
complete
• Dumber than logstash - no multiple
threads/cores
87. Does this actually
work?
• YES - In production at four sites for me.
• Some of the adaptors are partially
complete
• Dumber than logstash - no multiple
threads/cores
• ZeroMQ is insanely fast
88. Other people are using
it in production!
Two people I know of already writing have
already written adaptors!
90. Events - my model for
message passing
• a hash {}
91. Events - my model for
message passing
• a hash {}
• Output consumes events:
• method consume ($event) { ...
92. Events - my model for
message passing
• a hash {}
• Output consumes events:
• method consume ($event) { ...
• Input produces events:
• has output_to => (..
93. Events - my model for
message passing
• a hash {}
• Output consumes events:
• method consume ($event) { ...
• Input produces events:
• has output_to => (..
• Filter does both
97. That’s it.
• No, really - that’s all the complexity you
have to care about!
98. That’s it.
• No, really - that’s all the complexity you
have to care about!
• Except for the complexity introduced by
the inputs and outputs you use.
99. That’s it.
• No, really - that’s all the complexity you
have to care about!
• Except for the complexity introduced by
the inputs and outputs you use.
• Unified attribute names / reconnection
model, etc.. This helps, somewhat..
100. Inputs and outputs
• ZeroMQ In / Out
• AMQP (RabbitMQ) In / Out
• STOMP (ActiveMQ) In / Out
• elasticsearch Out
• Redis PubSub In/Out
• Syslog In
• MongoDB Out
• Collectd In/Out
• HTTP POST (“WebHooks”) Out
• UDP packets In/Out (e.g. statsd)
101. DSL
• Building more complex chains
easy!
• Multiple inputs
• Multiple outputs
• Multiple independent chains
102. CLI
• 1 Input
• 1 Output
• 1 Filter (default Null)
• For simple use, or testing.
103. CLI
• Encode / Decode step is just a Filter
• JSON by default
• Supply command line, or config file
• Daemon features
104. The dist:
Message::Passing
• Core dist supplies CLI, DSL, roles for reuse.
105. The dist:
Message::Passing
• Core dist supplies CLI, DSL, roles for reuse.
• Adaptors for most protocols in other
modules.
106. The dist:
Message::Passing
• Core dist supplies CLI, DSL, roles for reuse.
• Adaptors for most protocols in other
modules.
• Moo based - small footprint, can be
fatpacked (no XS dependencies).
107. The dist:
Message::Passing
• Core dist supplies CLI, DSL, roles for reuse.
• Adaptors for most protocols in other
modules.
• Moo based - small footprint, can be
fatpacked (no XS dependencies).
• Moose compatible.
124. PSGI
• PSGI $env is basically just a hash.
• (With a little fiddling), you can serialize it as
JSON
125. PSGI
• PSGI $env is basically just a hash.
• (With a little fiddling), you can serialize it as
JSON
• PSGI response is just an array.
126. PSGI
• PSGI $env is basically just a hash.
• (With a little fiddling), you can serialize it as
JSON
• PSGI response is just an array.
• Ignore streaming responses!
128. PUSH socket does fan
out between multiple
handlers.
Reply to address
embedded in request
Run multiple ‘handler’
processes. Hot
restarts, hot add /
remove workers
129. Other applications
• Anywhere an asynchronous event stream is
useful!
• Monitoring
• Metrics transport
• Queued jobs - worker pool
130. Other applications
(Web stuff)
• User activity (ajax ‘what are your users
doing’)
• WebSockets / MXHR
• HTTP Push notifications - “WebHooks”
132. What about logstash?
• Use my lightweight code on end nodes.
• Use logstash for parsing/filtering on the
dedicated hardware (elasticsearch boxes)
• Filter to change my hashes to logstash
compatible hashes
• For use with MooseX::Storage and/or
Log::Message::Structured
134. Interoperating - a real
example
• Log JSON events out of apps (in multiple
languages) to ZMQ
135. Interoperating - a real
example
• Log JSON events out of apps (in multiple
languages) to ZMQ
• Collect and munge with Message::Passing
script ‘logcollector’
136. Interoperating - a real
example
• Log JSON events out of apps (in multiple
languages) to ZMQ
• Collect and munge with Message::Passing
script ‘logcollector’
• Send to central logstash
137. Interoperating - a real
example
• Log JSON events out of apps (in multiple
languages) to ZMQ
• Collect and munge with Message::Passing
script ‘logcollector’
• Send to central logstash
• Send onto statsd to aggregate
138. Interoperating - a real
example
• Log JSON events out of apps (in multiple
languages) to ZMQ
• Collect and munge with Message::Passing
script ‘logcollector’
• Send to central logstash
• Send onto statsd to aggregate
• Graphs in graphite
145. statsd
• Rolls up counters and timers into metrics
• One bucket per stat, emits values every 10
seconds
146. statsd
• Rolls up counters and timers into metrics
• One bucket per stat, emits values every 10
seconds
• Counters: Request rate, HTTP status rate
147. statsd
• Rolls up counters and timers into metrics
• One bucket per stat, emits values every 10
seconds
• Counters: Request rate, HTTP status rate
• Timers: Total page time, mean page time,
min/max page times
Mention state51 are hiring in London\nMention Tim Group are hiring in London/Boston.\n
But, before I talk about perl at you, I’m going to go off on a tangent..\n
I wrote code. And writing code is never something to be proud of; at least if your code looks like mine it isn’t... So I’d better justify this hubris somehow..\n
I wrote code. And writing code is never something to be proud of; at least if your code looks like mine it isn’t... So I’d better justify this hubris somehow..\n
I wrote code. And writing code is never something to be proud of; at least if your code looks like mine it isn’t... So I’d better justify this hubris somehow..\n
I wrote code. And writing code is never something to be proud of; at least if your code looks like mine it isn’t... So I’d better justify this hubris somehow..\n
\n
\n
Isn’t he cute? And woody!\nWho knows what this is?\n
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
MooseX::Storage!\nThis isn’t mandatory - you can just log plain hashes if you’re concerned about performance.\nSPOT THE TYPO\n
\n\n
\n\n
\n\n
\n\n
\n\n
\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
No, really - JSON::XS is lightning fast\n
No, really - JSON::XS is lightning fast\n
No, really - JSON::XS is lightning fast\n
No, really - JSON::XS is lightning fast\n
No, really - JSON::XS is lightning fast\n
No, really - JSON::XS is lightning fast\n
Most message queues have bindings in most languages.. So by abstracting message routing out of your application, and passing JSON hashes - you are suddenly nicely cross language!\n
Most message queues have bindings in most languages.. So by abstracting message routing out of your application, and passing JSON hashes - you are suddenly nicely cross language!\n
Most message queues have bindings in most languages.. So by abstracting message routing out of your application, and passing JSON hashes - you are suddenly nicely cross language!\n
Most message queues have bindings in most languages.. So by abstracting message routing out of your application, and passing JSON hashes - you are suddenly nicely cross language!\n
Most message queues have bindings in most languages.. So by abstracting message routing out of your application, and passing JSON hashes - you are suddenly nicely cross language!\n
Most message queues have bindings in most languages.. So by abstracting message routing out of your application, and passing JSON hashes - you are suddenly nicely cross language!\n
\n
\n
\n
\n
Very simple model - input (pluggable), filtering (pluggable by type) in C, output (pluggable)\nLots of backends - AMQP and elasticsearch + syslog and many others\nPre-built parser library for various line based log formats\nComes with web app for searches.. Everything I need!\n
And it has an active community.\nThis is the alternate viewer app..\n
Lets take a simple case here - I’ll shove my apache logs from N servers into elasticsearch\nI run a logstash on each host (writer), and one on each elasticsearch server (reader)..\n\n
First problem...\n
Well then, I’m not going to be running this on the end nodes.\n
Has a whole library of pre-built parsers for common log formats.\nAlso, as noted, it’s faster, and notably it’s multi-threaded, so it’ll use multiple cores..\n
Has a whole library of pre-built parsers for common log formats.\nAlso, as noted, it’s faster, and notably it’s multi-threaded, so it’ll use multiple cores..\n
Has a whole library of pre-built parsers for common log formats.\nAlso, as noted, it’s faster, and notably it’s multi-threaded, so it’ll use multiple cores..\n
Has a whole library of pre-built parsers for common log formats.\nAlso, as noted, it’s faster, and notably it’s multi-threaded, so it’ll use multiple cores..\n
The last point here is most important - ZMQ networking works entirely in a background thread perl knows nothing about, which means that you can asynchronously ship messages with no changes to your existing codebase.\n
The last point here is most important - ZMQ networking works entirely in a background thread perl knows nothing about, which means that you can asynchronously ship messages with no changes to your existing codebase.\n
The last point here is most important - ZMQ networking works entirely in a background thread perl knows nothing about, which means that you can asynchronously ship messages with no changes to your existing codebase.\n
The last point here is most important - ZMQ networking works entirely in a background thread perl knows nothing about, which means that you can asynchronously ship messages with no changes to your existing codebase.\n
The last point here is most important - ZMQ networking works entirely in a background thread perl knows nothing about, which means that you can asynchronously ship messages with no changes to your existing codebase.\n
The last point here is most important - ZMQ networking works entirely in a background thread perl knows nothing about, which means that you can asynchronously ship messages with no changes to your existing codebase.\n
Yes, this could still be ‘a script’, in fact I did that at first...\nBut I now have 3 protocols, who’s to say I won’t want a 4th..\n\n
Note the fact that we have a cluster of ES servers here.\nAnd we have two log indexers. You can cluster RabbitMQ also.\nHighly reliable solution (against machine failure). Highly scaleable solution (just add ES servers)\nWe use RabbitMQ as this also allows someone to tap a part of the log stream, could just use ZMQ throughout.\n
At the same time, I want something that can be used for real work (i.e. not just a toy)\n
At the same time, I want something that can be used for real work (i.e. not just a toy)\n
At the same time, I want something that can be used for real work (i.e. not just a toy)\n
At the same time, I want something that can be used for real work (i.e. not just a toy)\n
At the same time, I want something that can be used for real work (i.e. not just a toy)\n
I had a log shipper script. A long indexer script. An alerting (nagios) script. An irc notification script.\n
I had a log shipper script. A long indexer script. An alerting (nagios) script. An irc notification script.\n
I had a log shipper script. A long indexer script. An alerting (nagios) script. An irc notification script.\n
I had a log shipper script. A long indexer script. An alerting (nagios) script. An irc notification script.\n
By insanely fast, I mean I can generate, encode as JSON, send, receive, decode as JSON over 25k messages a second. On this 3 year old macbook..\n
By insanely fast, I mean I can generate, encode as JSON, send, receive, decode as JSON over 25k messages a second. On this 3 year old macbook..\n
By insanely fast, I mean I can generate, encode as JSON, send, receive, decode as JSON over 25k messages a second. On this 3 year old macbook..\n
By insanely fast, I mean I can generate, encode as JSON, send, receive, decode as JSON over 25k messages a second. On this 3 year old macbook..\n
\n
Filters are just a combination of input and output\n
Filters are just a combination of input and output\n
Filters are just a combination of input and output\n
Filters are just a combination of input and output\n
So the input has an output, that output always has a consume method...\nTADA!\n
You can build a “chain” of events. This can work either way around.\nThe input can be a log file, the output can be a message queue (publisher)\nInput can be a message queue, output can be a log file (consumer)\n
The docs still suck, sorry - I have tried ;)\n
The docs still suck, sorry - I have tried ;)\n
The docs still suck, sorry - I have tried ;)\n
All of these are on CPAN already.\n
DSL - Domain specific language.\nTry to make writing scripts really simple.\n
But you shouldn’t have to write ANY code to play around.\n
\n
\n
\n
\n
\n
Demo1\nSimple demo of the CLI in one process (STDOUT/STDIN)\n
Demo1\nSimple demo of the CLI in one process (STDOUT/STDIN)\n
Demo1\nSimple demo of the CLI in one process (STDOUT/STDIN)\n
Less simple demo - lets actually pass messages between two processes.\nArrows indicate message flow. ZeroMQ is a lightning bolt as it’s not quite so trivial..\n
Demo PUBSUB and round robin..\n
So, lets play Jenga with message queues!\n
\n
I would have added ZeroMQ. Except then the diagram doesn’t fit on the page.\nI’ll leave this as an exercise for the reader!\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
I’ll talk a very little more about webhooks\n