淺談AWS上的Log解決方案

淺談AWS上的Log分析解決方案
Hans Hsu

About me: Hans
● A Solutions Architect for Cloud Computing
○ AWS Certified 7/11, GCP Certified Professional Cloud Architect
○ Well-Architected Ambassador improves clients’ workload on AWS
○ High Traffic Volume Website (CDN Solutions) and Big Data Solutions
● A Contributor for the Open Source Project
○ Moto: a library easily mock tests based on AWS infrastructure
● An ML Amateur
○ AWS DeepRacer League ranking 11th/89 in Taipei Summit, 2019
○ Trend Micro Malware Detection Competition ranking 50th/424, 2018
○ The Analytics Edge Kaggle competition ranking 20th/2923, 2015

Agenda
● Introduction
● Challenge
● Compare Solutions
● Practice
● Summary

Introduction
● Objectives of Logs
○ Debug
○ Report for System or Business
○ Audit (the other report type)

Introduction
● We all know that log is important but…
● Some people don’t care it. The truth is not
important; however, the responsibility is true
● Let’s talk about the challenge

Challenge
● Organization
● Budget
● Technology Stack
● Operation & Development
● Mechanism

Organization
● Political Correctness is the most important
○ I don’t like it, but this is true
● Example
○ Developer Team Versus Operation Team
○ The boss hates the agent on the servers
○ Lazy

Budget
● Financial Policy
○ Purchasing or Finance Department
● Example
○ Fiscal year ending tomorrow and you
request to start a project now
○ Finance team doesn’t understand what are
you doing so reject your proposal

Technology Stack
● Technology Stack = Technical Debt
We always care about the business logic
but forget the log
● Never use the logging system
● Cannot integrate legacy system to logging
system

Operation & Development
● Operation Complexity
○ The more components you maintain, the
more operation task you need to do
● Development Complexity
○ If logging system is lack of functions,
you need to develop it

Mechanism
https://d1.awsstatic.com/whitepapers/lambda-architecure-on-for-batch-aws.pdf/

Mechanism
https://aws.amazon.com/tw/blogs/big-data/unite-real-time-and-batch-analytics-using-the-big-data-lambda-architecture-without-servers/

Mechanism
● Log Type
● Log Format
● Log Rotation
● Push or Pull
● Where to Store Logs
● How to Store
● How to Analyze Logs

Log Type
● OS Level:
CPU, Memory, Network IO, Process…
● Application Level:
Web Server Access Log, User Deﬁned Log...

Log Format
● Flavor
○ Flat or Bracket, JSON or…
● Level
○ Python: CRITICAL, ERROR, WARNING,
INFO, DEBUG, NOTSET
○ Logback: ERROR, WARN, INFO, DEBUG,
TRACE

Log Rotation
● Time Interval
○ Hourly, Daily, Monthly...
● Size
○ 128KB, 1MB, 10MB...

Where to Store Logs
● Hot
○ Streaming System
● Warm
○ Logging Server, CloudWatch Log
● Cold:
○ S3, HDFS...

How to Store
● Partition
● Compression
○ Gzip, Snappy…
● Storage Format
○ Txt, Parquet, Avro...
● Aggregation, Rotation and Archive Time
○ Daily, Hourly, Monthly...

How to Analyze Logs
● Human Eyes
○ Notepad++ is enough
● Program
○ GoAccess, Python (Pandas), R (Dplyr)...
● Database
○ MySQL, Elasticsearch...

Compare Solutions
http://www.kai-waehner.de/blog/2016/02/04/framework-and-product-comparison-for-big-data-log-analytics-and-itoa/

Compare Solutions
● Let’s think about a basic logging system…
○ Log Producer
○ Log Consumer
○ Log Storage
○ Log Analyze Tool

Splunk
https://community.blackboard.com/thread/5120-splunk-architecture

Splunk
● 號稱業界最完整的解決方案
○ 主要是稽核跟SIEM
○ 詐騙偵測、異常流量偵測...等等
○ 支援中文搜尋
● 最貴的，但沒有聽到說難用
https://community.blackboard.com/thread/5120-splunk-architecture

Splunk
http://dev.splunk.com/view/event-collector/SP-CAAAE73
Producer
Consumer
Storage & Analyze Tool

AWS Log to Splunk
https://aws.amazon.com/tw/blogs/big-data/power-data-ingestion-into-splunk-using-amazon-kinesis-data-firehose/

Splunk
https://aws.amazon.com/tw/blogs/big-data/power-data-ingestion-into-splunk-using-amazon-kinesis-data-firehose/

Splunk
https://www.splunk.com/blog/2014/05/20/deploy-your-own-splunk-cluster-on-aws-in-minutes.html

ELK
https://www.elastic.co/guide/en/logstash/current/deploying-and-scaling.html
Producer Consumer
Storage & Analyze Tool

ELK
● 入門簡單，但維運仍需要注意設定
● 要自己整合解決方案
○ 近年有開始增加模組: 應用程式監控、SIEM、
機器學習等等
○ 最近被OOO背刺(誤

Elasticsearch Service or EC2
● 如果你想要支援中文搜尋: EC2
○ 謎之聲: Elasticsearch Service不是有內建的
中文分詞器?
○ 這邊有一個花1個月研究Elasticsearch Service
如何支援中文搜尋的笨蛋
● 如果你只想當Log分析用: Elasticsearch Service

Graylog
Producer
Consumer & Analyze Tool
Storage

Graylog
● 號稱可以替代Splunk的解決方案
● 主打SIEM
● 底層其實就是Elasticsearch，不過收資料的部份
有做特殊處理
● 元件加上MongoDB，雖然有Chef, Puppet or
Ansible等腳本佈署，但後續維運仍是個問題

CloudWatch (Log and Insight)
●
Producer
Storage & Consumer
& Analyze Tool

● 可以不用維運伺服器就能監控跟分析Log
○ 可以滿足基本需求
● Insight功能還是沒上面那些分析工具完整
○ 例如: 跨Log Group查詢，大量歷史資料查詢
等
● 資料收集的金額第1次用的人會嚇到
○ 這邊有個笨蛋沒注意到就花了不少錢

https://www.reddit.com/r/aws/comments/3zycn8/be_careful_with_cloudwatch_logs_to_elasticsearch/

https://forums.aws.amazon.com/thread.jspa?threadID=295573

Compare SolutionsSplunk ELK Graylog CloudWatch
Log
成本高中中低(看狀況)
維運複雜度低中高低
外掛工具多中
(常要自己串)
中偏少
(常要自己串)
少
(常要自己串)
即時查詢可可可可(似乎支援
筆數有限制)

Practice
● AWS Log
○ WAF
○ CloudFront
○ S3
○ ELB
○ VPC
○ RDS
○ CloudTrail

Practice
● My Tool Box
○ Human Eyes (Notepad++ is awesome!)
○ Athena (I love SQL!)
○ Python (Pandas), R (Dplyr)
○ Elasitcsearch + Logstash + Kibana + Beats
○ EMR or Glue

Practice
● 完整的解決方案很美好，
但是這些Solution通常會被打槍
● 原因
○ 成本
○ 維運複雜度過高
○ 政治考量

Practice
● 碰到AWS的Log機會相對比較多
● 客戶都會提個需求...然後我要提方案+執行
○ 當提案的人 = 執行的人，就會覺得...e04，千
萬不能提一個太複雜的架構
● 通常我選擇維運負(ㄨˊ)擔(ㄋㄠˇ )最輕的解法

Practice
● 通常我選擇 Athena 分析AWS服務Log的原因
○ 低成本 ($5/TB)
○ 快速分析
○ 架構簡單 (只用S3 + Athena)
○ 官方或社群已有成熟的Solution或效能優化方
法

Practice
● 通常我選擇 Elasticsearch 分析AWS服務Log的
原因
○ 需要即時性的分析報表
○ 官方或社群已有成熟的Solution或效能優化方
法
○ 不想用程式畫圖的時候(誤

WAF Case (Real-Time)
https://aws.amazon.com/tw/blogs/security/how-to-analyze-aws-waf-logs-using-amazon-elasticsearch-service/

● 1 record ≒ 1.5 KB (uncompressed)
● WAF delivers log to Kinesis Firehose
● 100 million requests = 100 million records
● Do the math:
1.5 KB * 10000000 ≒ 143.05 GB

● The blog solution is good!
● However… something is not right
● Write heavy!
○ Assume Worse Case: C10K
● HeadShot!
○ Elasticsearch Service
Recover soon~
https://www.slideshare.net/AmazonWebServices/elasticsearch-5-in-amazon-elasticsearch-service

CloudFront Case (Batch)
● 1 record ≒ 0.5 KB (uncompressed)
● CloudFront delivers log to S3 in Gzip format
● 100 million requests = 100 million records
● Compression Percentage ≒ 70%
● Do the math:
0.5 KB * 10000000 * 70% ≒ 14 GB
● This is daily assumption...

● Athena is a good choice!
○ Log in S3
● However… something is not right

● Before 2018.12, you need to hands on the
best practice
○ Partition (year=2019/month=07/day=24)
○ Compression (Snappy)
○ Columnar Format (Parquet)
● Now you have a CloudFormation solution!

Analyze your Amazon CloudFront Access Logs at Scale with Amazon Athena
https://aws.amazon.com/tw/blogs/big-data/analyze-your-amazon-cloudfront-access-logs-at-scale/

Athena Benchmark CSV vs Parquet
https://aws.amazon.com/tw/blogs/big-data/analyzing-data-in-s3-using-amazon-athena/

● Benﬁts
○ Use Partition, Compression and Parquet is
fast and cheap
○ Data scaned from 14 GB to 40 MB

Athena Lesson Learn
https://aws.amazon.com/tw/about-aws/whats-new/2018/10/athena_ctas_support/

Athena Lesson Learn
● 這個新功能的發佈的意思是...我終於可以不用
為了轉格式起EMR或Glue了

Athena Lesson Learn
● 但是要小心Athena有執行 30 分鐘的限制
● 這個上限通常是你掃6 - 7TB或SELECT指令包
含複雜的邏輯會遇到
● 解法:
○ 通常Data會按照時間分Partition所以可以照時
間區間轉格式，掃到的檔案大小就變小
○ 一次轉或超過限制還是要乖乖起EMR或Glue

Summary
● 完整的解決方案導入最大的難點是溝通成本
● 雲端原生的功能通常就能滿足基本需求
● 沒有銀彈，至少要會兩種以上的工具
○ 掌握即時分析 + 批次性分析工具
● 整合AWS Blog上的解法通常就有不錯的效果
○ I love open source community!

淺談AWS上的Log解決方案

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 淺談AWS上的Log解決方案

Similar to 淺談AWS上的Log解決方案 (20)

Recently uploaded

Recently uploaded (20)

淺談AWS上的Log解決方案