{"id":146,"date":"2018-10-26T16:05:47","date_gmt":"2018-10-26T16:05:47","guid":{"rendered":"http:\/\/tonysbit.blog\/?p=146"},"modified":"2018-10-26T16:05:47","modified_gmt":"2018-10-26T16:05:47","slug":"the-l-in-elkdocker-scale-out-logging","status":"publish","type":"post","link":"https:\/\/tonysbit.blog\/?p=146","title":{"rendered":"The L in ELK+Docker Scale-out Logging"},"content":{"rendered":"<p><strong>Warning:\u00a0<\/strong>This article assumes a basic understanding of<\/p>\n<ol>\n<li><a href=\"https:\/\/www.docker.com\/\">Docker<\/a><\/li>\n<li><a href=\"https:\/\/www.elastic.co\/products\/elasticsearch\">Elasticsearch<\/a><\/li>\n<li><a href=\"https:\/\/www.elastic.co\/products\/logstash\">Logstash<\/a><\/li>\n<\/ol>\n<h1>Why Log to Elasticsearch?<\/h1>\n<p>Elasticsearch is a fantastic tool for logging as it allows for logs to be viewed as just another time-series piece of data. This is important for any organizations&#8217; journey through the evolution of data.<\/p>\n<p>This evolution can be outlined as the following:<\/p>\n<ol>\n<li><strong>Collection<\/strong>: Central collection of logs with required indexing<\/li>\n<li><strong>Shallow Analysis<\/strong>: The real-time detection of specific data for event based actions<\/li>\n<li><strong>Deep Analysis:<\/strong>\u00a0The study of trends using ML\/AI for pattern driven actions<\/li>\n<\/ol>\n<p>Data that is not purposely collected for this journey will simply be bits wondering through the abyss of computing purgatory without a meaningful destiny! In this article we will be discussing using Docker to scale out your Logstash deployment.<\/p>\n<h1>The Challenges<\/h1>\n<p>If you have ever used Logstash (LS) to push logs to Elasticsearch (ES) here are a number of different challenges you may encounter:<\/p>\n<ul>\n<li><strong>Synchronization:<\/strong> of versions when upgrading ES and LS<\/li>\n<li><strong>Binding:<\/strong> to port 514 on a Linux host as it is a reserved port<\/li>\n<li><strong>High availability:<\/strong> with 100% always-on even during upgrades<\/li>\n<li><strong>Configurations management:<\/strong> across Logstash nodes<\/li>\n<\/ul>\n<p>When looking at solutions, the approach I take is:<\/p>\n<ul>\n<li>Maintainability<\/li>\n<li>Reliability<\/li>\n<li>Scalability<\/li>\n<\/ul>\n<h1>The Solution<\/h1>\n<p>Using Docker, a generic infrastructure can be deployed due to the abstraction of containers and underlying OS (Besides the difference between Windows and Linux hosts).<\/p>\n<p>Docker solves the challenges inherent in the LS deployment:<\/p>\n<ul>\n<li><strong>Synchronization<\/strong>: Service parallelism is managed by Docker and new LS versions can be deployed just by editing the Docker Compose file<\/li>\n<li><strong>Port bindings:<\/strong> The docker service is able to bind on Linux hosts port 514 which can be forwarded to the input port exposed by your pipeline<\/li>\n<li><strong>High availability:<\/strong> Using replica settings, you can ensure that a certain amount of LS deployments will always be deployed as long as there is always one host available. This makes workload requirements after load testing purely a calculation as follows:<\/li>\n<\/ul>\n<ol>\n<li><strong>Max required logs per LS instanc<\/strong>e = (Maximum estimated Logs)\/(N Node)<\/li>\n<li><strong>LS container size<\/strong> = LoadTestNode(Max required logs per LS instance)<\/li>\n<li><strong>Node Size<\/strong> =\u00a0LS container size * 1 + (Max N Node Loss)<\/li>\n<\/ol>\n<p><strong>I.e.<\/strong> Let&#8217;s say you have 1M logs required to be logged per day, and have a requirement to have 3 virtual machines for a maximum of 1 virtual machine loss.<\/p>\n<ol>\n<li>\u00a0333,333 = 1M \/ 3<\/li>\n<li>Assume 2 CPU, 4 GB RAM<\/li>\n<li>4 CPU, 8 GB = (2 CPU , 4 GB RAM) * 2<\/li>\n<\/ol>\n<p>Why not deploy straight onto OS 3 Logstashes sized at 4 CPU and 8 GB RAM?<\/p>\n<ul>\n<li>Worker number does not scale automatically when you increase the CPU count and RAM, as such even with more CPU and RAM you cannot ensure that you will effectively be able to continue ingesting the same amount of logs in a &#8220;Node down&#8221; situation<\/li>\n<li>Upgrading the Logstashes become a OS level activity with associated headache<\/li>\n<li>Restrictive auto-scaling capability<\/li>\n<li>No central stout view of Logstashes<\/li>\n<\/ul>\n<h1>Architecture<\/h1>\n<p>Let&#8217;s take a look at how this architecture looks,<\/p>\n<h1><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-147\" src=\"https:\/\/tonysbit.files.wordpress.com\/2018\/10\/node_up.png?resize=640%2C320\" alt=\"Node_Up\" width=\"640\" height=\"320\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/node_up.png?w=674&amp;ssl=1 674w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/node_up.png?resize=300%2C150&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><\/h1>\n<p>When a node goes down the resulting environment looks like:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-148\" src=\"https:\/\/tonysbit.files.wordpress.com\/2018\/10\/node_down.png?resize=640%2C320\" alt=\"Node_Down\" width=\"640\" height=\"320\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/node_down.png?w=674&amp;ssl=1 674w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/node_down.png?resize=300%2C150&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><\/p>\n<p>A added bonus to this deployment is if you wanted to ship logs from Logstash to Elasticsearch for central and real-time monitoring of the logs its as simple as adding Filebeats in the docker-compose.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-149\" src=\"https:\/\/tonysbit.files.wordpress.com\/2018\/10\/fbwls.png?resize=640%2C263\" alt=\"FBWLS.png\" width=\"640\" height=\"263\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/fbwls.png?w=936&amp;ssl=1 936w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/fbwls.png?resize=300%2C123&amp;ssl=1 300w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/fbwls.png?resize=768%2C316&amp;ssl=1 768w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><\/p>\n<p>What does the docker-compose look like?<\/p>\n<p><code>version: '3.3'<\/p>\n<div>services:<\/div>\n<div>logstash:<\/div>\n<div>image: docker.elastic.co\/logstash\/logstash:6.4.0#Change image to change LS version<\/div>\n<div>volumes:<\/div>\n<div>- \/etc\/logstash:\/usr\/share\/logstash\/config #Location of the config<\/div>\n<div>networks:<\/div>\n<div>- logstash<\/div>\n<div>ports:<\/div>\n<div>- 1514:1514\/udp<\/div>\n<div>- 9600:9600<\/div>\n<div>- 1514:1514<\/div>\n<div>- 514:1514\/udp # Map from host 514 to a defined pipeline for 1514<\/div>\n<div>- 514:1514<\/div>\n<div>deploy:<\/div>\n<div>mode: global<\/div>\n<div>placement:<\/div>\n<div>constraints:<\/div>\n<div>- node.role == manager<\/div>\n<div>update_config:<\/div>\n<div>parallelism: 1<\/div>\n<div>delay: 10s<\/div>\n<div>resources: #LS size<\/div>\n<div>limits:<\/div>\n<div>cpus: 1<\/div>\n<div>memory: 50M<\/div>\n<div>restart_policy:<\/div>\n<div>condition: on-failure<\/div>\n<div>networks:<\/div>\n<div>logstash:<\/div>\n<div>driver: overlay<\/div>\n<p><\/code><\/p>\n<div>The steps to implement the basic solution (without Filebeats):<\/div>\n<ol>\n<li>Estimate the Virtual Machines (VM) sizes and LS sizes based on estimated ingestion of logs and required redundancy<\/li>\n<li>Deploy VM and install <a href=\"https:\/\/docs.docker.com\/install\/\">docker\u00a0<\/a><\/li>\n<li>Create a <a href=\"https:\/\/docs.docker.com\/get-started\/part4\/\">docker swarm<\/a><\/li>\n<li>Write a <a href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/current\/logstash-settings-file.html\">logstash.yml<\/a> and either include the <a href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/current\/multiple-pipelines.html\">pipeline.yml<\/a> or if you are using ES configure centralised pipeline management.<\/li>\n<li>Copy the config to all VM&#8217;s to the same file location OR create a shared file system (that is also HA) and store the files there to centrally manage config<\/li>\n<li>Start your docker stack after customizing the docker-compose file shared in this article<\/li>\n<li>Set up a external load balancer pointing at all your virtual machines<\/li>\n<li>Enjoy yummy logs!<\/li>\n<\/ol>\n<h1>The BUT!<\/h1>\n<p>As with most good things, there is a caveat. With Docker you add another layer of complexity however I would argue that as the docker images for Logstash are managed and maintained by Elasticsearch, it reduces the implementation headaches.<\/p>\n<p>In saying this I found one big issue with routing UDP traffic within Docker.<\/p>\n<p>This <a href=\"https:\/\/github.com\/moby\/moby\/issues\/8795\">issue<\/a> will cause you to lose a proportional number of logs after container re-deployments!!!<\/p>\n<ul>\n<li><strong>What is your current logging deployment? <\/strong><\/li>\n<li><strong>Have any questions or comments?<\/strong><\/li>\n<li><strong>Are interested seeing a end-to-end video of this deployment?<\/strong><\/li>\n<li><strong>Comment below!<\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color:#999999;\"><strong>Disclaimer<\/strong>: This article only represents my personal opinion and should not be considered professional advice. Healthy dose of skeptism is recommended.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Warning:\u00a0This article assumes a basic understanding of Docker Elasticsearch Logstash Why Log to Elasticsearch? Elasticsearch is a fantastic tool for logging as it allows for logs to be viewed as just another time-series piece of data. This is important for any organizations&#8217; journey through the evolution of data. This evolution can be outlined as the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":149,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,7],"tags":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2018\/10\/fbwls.png?fit=936%2C385&ssl=1","_links":{"self":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/posts\/146"}],"collection":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=146"}],"version-history":[{"count":0,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/posts\/146\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/media\/149"}],"wp:attachment":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}