fluent-plugin-elb-log's Introduction

Amazon ELB log input plugin for fluentd

Overview

  • Amazon Web Services ELB log input plugin for fluentd

Requirements

| fluent-plugin-elb-log | fluentd    | ruby   |
|-----------------------|------------|--------|
| >= 0.3.0              | >= v0.14.0 | >= 2.1 |
| < 0.3.0               | >= v0.12.0 | >= 1.9 |

Installation

$ fluent-gem install fluent-plugin-elb-log

AWS ELB Settings

Different from version 0.4.x

  • Using version 3 of the AWS SDK for Ruby.

Support Application Load Balancer (ver 0.4.0 or later)

When an SSL certificate verification error occurs

log:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Set the following environment variable:

SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt (if you are using Amazon Linux)

Configuration

<source>
  @type elb_log

  # following attributes are required
  region            <region name>
  s3_bucketname     <bucketname>
  s3_prefix         <elb log's prefix>
  timestamp_file    <proc last file timestamp record filename>
  buf_file          <buffer file path>
  refresh_interval  <interval number by second>
  tag               <tag name(default: elb.access)>
  delete            <boolean delete processed log files from S3(default: false)>
  include_all_message <boolean (default:false)>

  # following attributes are required if you don't use IAM Role
  access_key_id     <access_key>
  secret_access_key <secret_access_key>
</source>

Example setting

<source>
  @type elb_log
  region            us-east-1
  s3_bucketname     my-elblog-bucket
  s3_prefix         production/web
  timestamp_file    /tmp/elb_last_at.dat
  buf_file          /tmp/fluentd-elblog.tmpfile
  refresh_interval  300
  tag               elb.access
  delete            false
  include_all_message false
  access_key_id     XXXXXXXXXXXXXXXXXXXX
  secret_access_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</source>

<match **>
  @type stdout
</match>

json output example

{
    "account_id":"123456789012",
    "region":"ap-northeast-1",
    "logfile_date":"2015/06/15",
    "logfile_elb_name":"my-elb-name",
    "elb_ip_address":"52.0.0.0",
    "logfile_hash":"12squv5w",
    "elb_timestamp":"20150615T0400Z",
    "key":"TEST/AWSLogs/123456789012/elasticloadbalancing/ap-northeast-1/2015/06/15/123456789012_elasticloadbalancing_ap-northeast-1_my-elb-name_20150615T0400Z_52.68.215.138_69squv5w.log",
    "prefix":"TEST",
    "elb_timestamp_unixtime":1434340800,
    "time":"2015-06-15T03:47:12.728427+0000",
    "elb":"my-elb-name",
    "client":"54.1.1.1",
    "client_port":"43759",
    "backend":"10.0.0.1",
    "backend_port":"80",
    "request_processing_time":4.0e-05,
    "backend_processing_time":0.105048,
    "response_processing_time":2.4e-05,
    "elb_status_code":"200",
    "backend_status_code":"200",
    "received_bytes":0,
    "sent_bytes":4622,
    "request_method":"GET",
    "request_uri":"https://my-elb-test.example.com/",
    "request_protocol":"HTTP/1.1",
    "user_agent":"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "ssl_cipher":"DHE-RSA-AES128-SHA",
    "ssl_protocol":"TLSv1.2",
    "type":"http",
    "target_group_arn": "arn:aws:elasticloadbalancing:ap-northeast-1:123456789012:targetgroup/lbgrp1/605122a4e4ee9f2d",
    "trace_id": "\"Root=1-xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx\"",
    "domain_name": "-",
    "chosen_cert_arn": "-",
    "matched_rule_priority": "0",
    "request_creation_time": "2099-10-26T06:10:03.050000Z",
    "actions_executed": "forward",
    "redirect_url": "-",
    "error_reason": "-",
    "option1": "\"192.168.0.1:443\"",
    "option2": "\"301\"",
    "option3": null
}

fluent-plugin-elb-log's People

Contributors

andromedarabbit, cosmo0920, davidjmemmett, dragon3, gozer, martinssipenko, mpon, okkez, shinsaka, shinsukeyokota, thorikiri, tyabe

fluent-plugin-elb-log's Issues

Plugin is not pulling logs from S3, fails without error log

I am running this plugin on EKS, k8s 1.21, on a custom fluentd container built like so (for testing not using the ES plugins):

FROM fluent/fluentd:v1.15.2-1.0

USER root

RUN apk add --no-cache --update --virtual .build-deps \
    sudo build-base ruby-dev \
 && sudo gem sources --clear-all \
 && sudo gem install nokogiri \
 && sudo gem install elasticsearch -v 7.13.3 \
 && sudo gem install fluent-plugin-elasticsearch --no-document --version 5.0.5 \
 && sudo gem install fluent-plugin-elb-log -v 1.3.2 \
 && sudo gem install fluent-plugin-aws-elasticsearch-service \
 && apk del .build-deps \
 && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem

USER fluent

Config:
<source>
  @type elb_log
  @log_level debug
  region us-east-1
  s3_bucketname my-bucket-name-us-east-1
  s3_prefix awselasticloadbalancing/dev
  timestamp_file /tmp/elb_last_at.dat
  buf_file /tmp/fluentd-elblog.tmpfile
  refresh_interval 300
  tag elb.access
  delete false
  include_all_message false
</source>

Logs:

2022-10-25 19:53:59 +0000 [info]: starting fluentd-1.15.2 pid=7 ruby="3.1.2"
2022-10-25 19:53:59 +0000 [info]: spawn command to main: cmdline=["/usr/bin/ruby", "-Eascii-8bit:ascii-8bit", "/usr/bin/fluentd", "--config", "/fluentd/etc/../../../etc/fluent/fluentd.conf", "--plugin", "/fluentd/plugins", "--under-supervisor"]
2022-10-25 19:54:00 +0000 [info]: adding match in @FLUENT_LOG pattern="**" type="null"
2022-10-25 19:54:00 +0000 [info]: adding match in @OUTPUT pattern="**" type="stdout"
2022-10-25 19:54:00 +0000 [info]: adding source type="elb_log"
2022-10-25 19:54:01 +0000 [debug]: #0 searching for bucket my-bucket-name-us-east-1
2022-10-25 19:54:01 +0000 [debug]: #0 S3 client connect
2022-10-25 19:54:01 +0000 [info]: #0 starting fluentd worker pid=16 ppid=7 worker=0
2022-10-25 19:54:01 +0000 [info]: #0 fluentd worker is now running worker=0

Occasionally, if I time it right, I also get these logs:

image

I'm really at a loss as to why this is happening. My config looks correct, I've spent some time going over the plugin code and still not sure where it is actually failing. Any help would be greatly appreciated.

Failed to execute: uninitialized constant Fluent::Elb_LogInput::AWS

Hi,

I'm having a problem when I try to run fluentd with an error on fluent-plugin-elb-log.

My environment is:
OS: CentOS 7
ruby: ruby 2.1.5p273 (2014-11-13 revision 48405) [x86_64-linux]
gems: (written below)
fluentd: 0.12.2

 2014-12-22 18:27:59 +0900 [info]: fluent/engine.rb:94:configure: using configuration file: <ROOT>
  <source>
    type forward
    port 24224
  </source>
  <source>
    type elb_log
    access_key_id xxxxxx
    secret_access_key xxxxxxxx
    s3_endpoint s3-ap-northeast-1.amazonaws.com
    s3_bucketname log-log
    s3_prefix AWSLogs
    timestamp_file /tmp/elb_last_at.dat
    refresh_interval 3600
  </source>
  <match *.**>
    type copy
    <store>
      type elasticsearch
      host localhost
      port 9200
      include_tag_key true
      tag_key @log_name
      logstash_format true
      flush_interval 10s
      index_name fluentd
      type_name fluentd
    </store>
  </match>
</ROOT>
2014-12-22 18:27:59 +0900 [info]: fluent/agent.rb:123:add_match: adding match pattern="*.**" type="copy"
2014-12-22 18:27:59 +0900 [debug]: plugin/out_copy.rb:39:block in configure: adding store type="elasticsearch"
2014-12-22 18:27:59 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'elasticsearch'
2014-12-22 18:27:59 +0900 [info]: fluent/root_agent.rb:142:add_source: adding source type="forward"
2014-12-22 18:27:59 +0900 [info]: fluent/root_agent.rb:142:add_source: adding source type="elb_log"
2014-12-22 18:27:59 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'elb_log'
2014-12-22 18:27:59 +0900 [warn]: plugin/in_elb_log.rb:66:rescue in init_s3bucket: fluent-plugin-elb-log: s3 bucket fetch error: uninitialized constant Fluent::Elb_LogInput::AWS
2014-12-22 18:27:59 +0900 [error]: fluent/supervisor.rb:269:rescue in main_process: config error file="/etc/fluentd/fluent.conf" error="s3 bucket fetch error log-log"
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-log-0.1.1/lib/fluent/plugin/in_elb_log.rb:29:in `configure'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/root_agent.rb:149:in `add_source'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/root_agent.rb:91:in `block in configure'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/root_agent.rb:88:in `each'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/root_agent.rb:88:in `configure'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/engine.rb:97:in `configure'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/engine.rb:77:in `run_configure'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:393:in `run_configure'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:138:in `block in start'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:266:in `call'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:266:in `main_process'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:241:in `block in supervise'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:240:in `fork'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:240:in `supervise'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/supervisor.rb:134:in `start'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/lib/fluent/command/fluentd.rb:167:in `<top (required)>'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/lib/ruby/gems/2.1.0/gems/fluentd-0.12.2/bin/fluentd:6:in `<top (required)>'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/bin/fluentd:23:in `load'
  2014-12-22 18:27:59 +0900 [debug]: fluent/supervisor.rb:240:fork: /usr/local/bin/fluentd:23:in `<main>'
2014-12-22 18:27:59 +0900 [info]: fluent/supervisor.rb:256:supervise: process finished code=256
2014-12-22 18:27:59 +0900 [warn]: fluent/supervisor.rb:259:supervise: process died within 1 second. exit.

Gems:

*** LOCAL GEMS ***

aws-sdk (2.0.16.pre)
aws-sdk-core (2.0.16)
aws-sdk-resources (2.0.16.pre)
bigdecimal (1.2.4)
builder (3.2.2)
cool.io (1.2.4)
elasticsearch (1.0.6)
elasticsearch-api (1.0.6)
elasticsearch-transport (1.0.6)
faraday (0.9.0)
fluent-plugin-elasticsearch (0.6.1)
fluent-plugin-elb-log (0.1.1)
fluentd (0.12.2)
http_parser.rb (0.6.0)
io-console (0.4.2)
jmespath (1.0.2)
json (1.8.1)
minitest (4.7.5)
msgpack (0.5.9)
multi_json (1.10.1)
multi_xml (0.5.5)
multipart-post (2.0.0)
patron (0.4.18)
psych (2.0.5)
rake (10.1.0)
rdoc (4.1.0)
sigdump (0.2.2)
string-scrub (0.0.5)
test-unit (2.1.5.0)
thread_safe (0.3.4)
tzinfo (1.2.2)
tzinfo-data (1.2014.10)
yajl-ruby (1.2.1)

Please let me know if you need more information.

Best Regards,

Out of memory error

Hello. I've encountered the following issue.
This is the full stack trace of the error:
2021-03-03 07:31:57.132920493 +0000 fluent.warn: {"message":"error occurred: Out of memory @ io_write - /tmp/fluentd-elblog.tmpfile, [\"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:239:in `write'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:239:in `block (3 levels) in inflate'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:237:in `loop'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:237:in `block (2 levels) in inflate'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:235:in `open'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:235:in `block in inflate'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:234:in `open'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:234:in`inflate'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:259:in `block in get_file_from_s3'\", \"/usr/lib/ruby/2.7.0/tempfile.rb:332:in `create'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:253:in `get_file_from_s3'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:153:in `block in input'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:138:in `each'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-elb-log-1.3.2/lib/fluent/plugin/in_elb_log.rb:138:in `input'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.4/lib/fluent/plugin_helper/timer.rb:80:in `on_timer'\", \"/usr/lib/ruby/gems/2.7.0/gems/cool.io-1.7.1/lib/cool.io/loop.rb:88:in `run_once'\", \"/usr/lib/ruby/gems/2.7.0/gems/cool.io-1.7.1/lib/cool.io/loop.rb:88:in `run'\", 
\"/usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.4/lib/fluent/plugin_helper/event_loop.rb:93:in `block in start'\", \"/usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.4/lib/fluent/plugin_helper/thread.rb:78:in `block in thread_create'\"]"}
Is that because we're using Ruby 2.7.0?
My fluentd config:

<label @FLUENT_LOG>
  <match fluent.**>
    @type stdout
  </match>
</label>

<source>
  @type elb_log
  region "#{ENV['S3_REGION']}"
  s3_bucketname "#{ENV['S3_ELB_BUCKET']}"
  timestamp_file /tmp/elb_last_at.dat
  buf_file /tmp/fluentd-elblog.tmpfile
  refresh_interval 60
  include_all_message false
</source>

<filter elb.access>
  @type elasticsearch_genid
  use_entire_record true
  hash_type sha1
  hash_id_key _hash
  separator _
  include_time_in_seed true
  include_tag_in_seed true
</filter>

<match elb.access>
  @type elasticsearch
  hosts "#{ENV['FLUENT_ELASTICSEARCH_HOSTS']}"
  user "#{ENV['USER']}"
  password "#{ENV['PASSWORD']}"
  logstash_format true
  type_name fluentd
  id_key _hash
  remove_keys _hash
  ssl_verify false
  ssl_version TLSv1_2
  ca_file /fluentd/ssl/ca.crt
  logstash_prefix "#{ENV['APP_NAME']}-elb"
  include_timestamp true
  time_key date_time
  time_key_format %Y-%m-%d %H:%M:%S.%N
  suppress_type_name true
  request_timeout 120s
  reload_on_failure true
  reconnect_on_error true
  reload_connections false
  slow_flush_log_threshold 1200.0
  log_es_400_reason true
  <buffer>
    @type memory
    chunk_limit_size 256M
    total_limit_size 1024M
    flush_mode immediate
    flush_at_shutdown true
    overflow_action drop_oldest_chunk
    flush_thread_count 4
    retry_forever true
    retry_type exponential_backoff
    retry_max_interval 30
  </buffer>
</match>

plugin loads but there are no logs

I have the following set. The plugin loads but I do not see any log flow or errors for that matter.
How do I go about debugging this?

    <source>
      @type elb_access_log
      account_id **********
      aws_key_id "#{ENV['S3_AWS_ACCESS_KEY_ID']}"
      aws_sec_key "#{ENV['S3_AWS_SECRET_ACCESS_KEY']}"
      s3_bucket access-logs
      elb_type alb
      tag alb.access_log
      #request_separator " "
      region eu-central-1
    </source>

Delete processed objects

Hi,

Is there a plan to add a feature that would delete the processed ELB log objects from S3?
Perhaps there is a reason why this feature is not implemented?

Do you think this would make sense, if yes I'd be happy to contribute.

Question: Why only 100 objects are retrieved from the AWS API?

Hello,
I was looking at the code and saw that the get_object_list function calls the AWS API with maxKeys=100 and prefix=[myPrefix]. In the bucket there are potentially hundreds of thousands of objects spread across partitions like /year/month/day. I didn't see any logic for calculating the correct partition, e.g. the day when the call is executed, and providing this partition as a prefix. There is also no logic for implementing paging with the API. Is this intentional or is it a bug? If this is a flaw, a big part of the stored data won't be ingested.
Thanks.

Some log lines are absent from ALB access log

According to the syntax of ALB access logs, there are 5 fields of the log line that are missing when using this plugin. The most important ones are "actions taken" and "error reason", which are useful during troubleshooting. Is it possible to rewrite the regex used in the plugin to get these fields?

ELB logs not reflecting in ElasticSearch for a custom index.

I have the following configuration for grabbing ELB logs from S3.

<source>
  type elb_log
  access_key_id     
  secret_access_key 
  region            
  s3_bucketname    
  s3_prefix         
  timestamp_file   
  buf_file          
  refresh_interval  
  tag               
</source>

I have defined the mapping for the ELB logs in elasticSearch. The plugin doesn't process the ELB logs for a custom index that I define. The log statements like Processing 0 objects reflect into ES.

To be honest, I really don't know if this is an issue at the ES level or the plugin level. The plugin logs are getting into ES but ELB logs aren't. Thank you for the help.

unable to make this work

Hi,
I have a running graylog2 server with a gelf udp input with this config:
override_source:
recv_buffer_size: 1048576
port: 12201
bind_address: 0.0.0.0

I installed the plugin and added the right configuration like the example, but there is no data in graylog and it seems it's not working.

How can I make it work?

Thanks.

Lots of "nomatch log found" errors

I have encountered an issue where most of the ALB access logs are not being processed. The issue can be reproduced from plugin v1.2.0 to v1.3.2.

Example log output:

fluentd_logger_1  | 2020-03-03 11:42:57 +0000 [info]: #0 nomatch log found: 76680:targetgroup/targetgroupname/xxxxxxxxxxxx "Root=1-xxxxxxxxxxxxxxx" "example.com" "arn:aws:acm:us-west-2:xxxxxxxxxx:certificate/xxxxxx-xxxxxx-xxxxx-xxxxx" 0 2020-03-01T04:33:10.789000Z "forward" "-" "-" "-" "-"
fluentd_logger_1  |  in xxxxx-stage/AWSLogs/xxxxxxxxxxxxx/elasticloadbalancing/us-west-2/2020/03/01/xxxxxxxxxx_elasticloadbalancing_us-west-2_app.xxxxxxx-stage.cb180478b40a934e_20200301T0435Z_xxx.xx.xx.xx_5jqg40pg.log.gz

Environment:

$ fluentd --version
fluentd 1.7.3
$ fluent-gem list --local | grep elb
fluent-plugin-elb-log (1.3.2)
$ cat /etc/alpine-release
3.11.3
$ ruby --version
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux-musl]

plugin stops working

Hello,
yet another problem.
Here is a relevant part of /var/log/td-agent/td-agent.log (Ubuntu 12.04 setup)
. . .
2014-06-14 03:46:51 +0000 [info]: fluent-plugin-elb-log: input start
2014-06-14 03:46:51 +0000 [info]: fluent-plugin-elb-log: timestamp at start: 2014-06-14 03:41:37 +0000
2014-06-14 03:48:36 +0000 [info]: fluent-plugin-elb-log: timestamp save: 2014-06-14 03:45:32 +0000
2014-06-14 03:48:36 +0000 [info]: fluent-plugin-elb-log: timestamp save: 2014-06-14 03:47:34 +0000
2014-06-14 06:39:52 +0000 [info]: force flushing buffered events

After this the plugin does nothing. Fluentd stays in RAM but writes nothing into the log file. I don't know if this is a problem of the plugin or the agent, or both in conjunction. If I restart the 'td-agent' service then it starts catching up, but eventually the problem happens again. Let me know if you need more info. I was unable to attach the whole log file here; it also displays my fluentd config, which might be helpful.

emit transaction failed: error_class=NoMethodError error="undefined method `to_msgpack'

Hi,

I just encountered this issue:
#0 emit transaction failed: error_class=NoMethodError error="undefined method `to_msgpack' for 2018-07-01 02:35:16 UTC:Time" location="/var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:61:in `write'"

This is the full stack trace of the error:

fluentd    | 2018-08-30 04:41:38 +0000 [warn]: #0 emit transaction failed: error_class=NoMethodError error="undefined method `to_msgpack' for 2018-07-01 02:35:16 UTC:Time" location="/var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:61:in `write'" tag="elb_access_log"
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:61:in `write'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:61:in `block in to_msgpack_stream'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:193:in `block in each'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:192:in `each'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:192:in `each'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event.rb:60:in `to_msgpack_stream'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/output.rb:904:in `block in <class:Output>'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/buffer.rb:566:in `block in write_once'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /usr/lib/ruby/2.3.0/monitor.rb:214:in `mon_synchronize'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/buffer.rb:557:in `write_once'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/buffer.rb:282:in `block in write'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/buffer.rb:280:in `each'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/buffer.rb:280:in `write'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/output.rb:981:in `block in handle_stream_simple'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/output.rb:865:in `write_guard'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/output.rb:980:in `handle_stream_simple'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/output.rb:855:in `execute_chunking'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin/output.rb:778:in `emit_buffered'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event_router.rb:159:in `emit_events'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event_router.rb:96:in `emit_stream'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/event_router.rb:87:in `emit'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:289:in `block (2 levels) in emit_lines_from_buffer_file'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:282:in `each_line'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:282:in `block in emit_lines_from_buffer_file'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:281:in `open'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:281:in `emit_lines_from_buffer_file'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:154:in `block in input'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:138:in `each'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluent-plugin-elb-log-0.9.0/lib/fluent/plugin/in_elb_log.rb:138:in `input'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin_helper/timer.rb:80:in `on_timer'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/cool.io-1.5.3/lib/cool.io/loop.rb:88:in `run_once'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/cool.io-1.5.3/lib/cool.io/loop.rb:88:in `run'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin_helper/event_loop.rb:93:in `block in start'
fluentd    |   2018-08-30 04:41:38 +0000 [warn]: #0 /var/lib/gems/2.3.0/gems/fluentd-1.2.5/lib/fluent/plugin_helper/thread.rb:78:in `block in thread_create'

AFAIK, a Ruby Time object can't be packed into msgpack directly; instead you have to convert it to a string first, before you can pack it into msgpack binary.

require 'msgpack'

# this will raise an error:
x = { a: Time.now }.to_msgpack

# this will work:
x = { a: Time.now }.to_s.to_msgpack

In https://github.com/shinsaka/fluent-plugin-elb-log/blob/master/lib/fluent/plugin/in_elb_log.rb#L289, I see that it uses Time.parse(line_match[:time]), and when I check your other library https://github.com/shinsaka/fluent-plugin-rds-pgsql-log/blob/master/lib/fluent/plugin/in_rds_pgsql_log.rb#L193, you use Fluent::Engine.now.

I've tried overwriting your in_elb_log.rb and replacing Time.parse(...) with Fluent::Engine.now, and it works.

Wrong handling of ipv6 clients

The regexp that parses the log line doesn't properly parse IPv6 client addresses.

eg:

2015-06-29T18:20:58.072335Z MY-ELB 2601:240:4002:5883:b5f3:aaaa:bbbb:64ec:53016 10.12.34.56:80 0.000052 0.006129 0.000037 200 200 0 0 "GET https://www.example.com/ HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17" ECDHE-RSA-AES128-SHA256 TLSv1.2

Parses to:

{
  "time": "2015-06-29T18:20:58.072335Z",
  "elb": "MY-ELB",
  "client": "2601",
  "client_port": "240:4002:5883:b5f3:aaaa:bbbb:64ec:53016",
  "backend": "10.12.34.56",
  "backend_port": "80",
  "request_processing_time": "0.000052",
  "backend_processing_time": "0.006129",
  "response_processing_time": "0.000037",
  "elb_status_code": "200",
  "backend_status_code": "200",
  "received_bytes": "0",
  "sent_bytes": "0",
  "request_method": "GET",
  "request_uri": "https://www.example.com/",
  "request_protocol": "HTTP/1.1",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17",
  "option1": "ECDHE-RSA-AES128-SHA256",
  "option2": "TLSv1.2",
  "option3": null
}
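
The mis-split reported above, reproduced as an added Ruby example (not the plugin's own code). `FIRST_COLON` is an assumed reconstruction of a first-colon split that yields the output shown in the issue; `LAST_COLON`, the helper names and the shortened sample lines are constructed for illustration.

```ruby
require 'ipaddr'

# Constructed sample: the first four fields of the classic ELB line quoted in
# the issue above (timestamp, ELB name, client:port, backend:port).
SAMPLE_HEAD = '2015-06-29T18:20:58.072335Z MY-ELB ' \
              '2601:240:4002:5883:b5f3:aaaa:bbbb:64ec:53016 10.12.34.56:80'

# Assumed reconstruction: a lazy host stops at the FIRST colon, which is
# correct for IPv4 but cuts an IPv6 address after its first group.
FIRST_COLON = /\A(?<host>.+?):(?<port>.+)\z/

# Split on the LAST colon instead: greedy host, numeric port anchored at the
# end of the token. ELB always appends ":port", so the last colon is the
# separator for both IPv4 and IPv6 clients.
LAST_COLON = /\A(?<host>[^ ]+):(?<port>\d{1,5})\z/

# Returns { host:, port: } or nil when the token does not match.
def split_endpoint(token, pattern)
  m = pattern.match(token)
  m && { host: m[:host], port: m[:port] }
end

# A parsed endpoint is only trustworthy if the host is a real IP address and
# the port is a number in range. This check catches the mis-split even after
# the record has been emitted, so it also works as a data-quality filter.
def valid_endpoint?(endpoint)
  IPAddr.new(endpoint[:host])
  Integer(endpoint[:port], 10).between?(1, 65_535)
rescue IPAddr::Error, ArgumentError
  false
end

# Parses the client field (third space-separated token) of an ELB log line.
def parse_client(line, pattern)
  token = line.split(' ')[2] or return nil
  endpoint = split_endpoint(token, pattern) or return nil
  endpoint.merge(valid: valid_endpoint?(endpoint))
end

if __FILE__ == $PROGRAM_NAME
  p parse_client(SAMPLE_HEAD, FIRST_COLON)
  p parse_client(SAMPLE_HEAD, LAST_COLON)
end
```

Records whose `client` fails this validation cannot be matched against IP allow lists, block lists or geolocation data, so it is worth alerting on them rather than indexing them silently.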

Cannot remove non-necessary fields in output

I tried to use other plugins as usual, that is fluent-plugin-record-reformer or fluent-plugin-record-modifier, but it doesn't work.
Maybe something strange in your output type?

<match elb.access>
  type record_reformer
  remove_keys backend_port,client_port
  enable_ruby false
  output_tag elb.dot
</match>

<match elb.dot>
  type copy
  <store>
    type file
    path /tmp/elb-out.log
  </store>
</match>

Could you help to check it?
Many thanks.

Generating lots of binary files during runtime, without cleaning them up

While running and processing logs from alb, fluentd generates tons of binary files like this:

-rw-------    1 fluent   nogroup       2712 Jun 20 05:42 fluent-elblog20190620-112-yeqzyb
-rw-------    1 fluent   nogroup        194 Jun 20 02:02 fluent-elblog20190620-112-yezs6
-rw-------    1 fluent   nogroup        341 Jun 20 03:21 fluent-elblog20190620-112-ygqdyd
-rw-------    1 fluent   nogroup        178 Jun 20 00:48 fluent-elblog20190620-112-yqsiwh
-rw-------    1 fluent   nogroup      26999 Jun 20 05:42 fluent-elblog20190620-112-yqvrt4
-rw-------    1 fluent   nogroup       5044 Jun 20 01:02 fluent-elblog20190620-112-ysm8bn
-rw-------    1 fluent   nogroup      21367 Jun 20 02:42 fluent-elblog20190620-112-yzk0fz
-rw-------    1 fluent   nogroup      24632 Jun 20 06:02 fluent-elblog20190620-112-z2cjp3
-rw-------    1 fluent   nogroup       5997 Jun 20 05:01 fluent-elblog20190620-112-za7ms7
-rw-------    1 fluent   nogroup        438 Jun 20 04:32 fluent-elblog20190620-112-zaf7fp
-rw-------    1 fluent   nogroup       7102 Jun 20 06:52 fluent-elblog20190620-112-ze012b
-rw-------    1 fluent   nogroup     235387 Jun 20 01:53 fluent-elblog20190620-112-zls0jt
-rw-------    1 fluent   nogroup      31678 Jun 20 04:07 fluent-elblog20190620-112-zlwbu3
-rw-------    1 fluent   nogroup     248524 Jun 20 01:43 fluent-elblog20190620-112-zm42ni
-rw-------    1 fluent   nogroup     273393 Jun 20 04:33 fluent-elblog20190620-112-ztq6jv

The problem is that these files are not cleaned up, even after the plugin processed the whole bucket (about 2 months of access logs from 10 balancers) and continued to process only newly arriving ones.

$ ll | grep fluent | wc -l
166003

Is it a correct behavior and should I clean these files manually?

$ fluentd --version
fluentd 1.5.1
$ fluent-gem list --local | grep elb
fluent-plugin-elb-log (1.0.1)
$ cat /etc/alpine-release
3.9.4

Unknown input plugin 'elb_log'

After updating the conf file with the required values, when I restart the docker container, it's crashing. In the logs I am seeing this error: [error]: config error file="/fluentd/etc/fluentd.conf" error_class=Fluent::ConfigError error="Unknown input plugin 'elb_log'.

Plugin does not work with application load balancers

Amazon now has Application Load Balancers as well as Classic Load Balancers. Application Load Balancers have a slightly different set of fields in the logs saved to S3 - see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html?icmpid=docs_elbv2_console vs http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html.

Specifically application load balancers have type at the start of the line and target_group_arn and trace_id at the end.

The following regex works for both classic and application load balancers as far as I can tell:

ACCESSLOG_REGEXP = /^((?<type>[a-z0-9]+) )?(?<time>\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{6}Z) (?<elb>.+?) (?<client>[^ ]+)\:(?<client_port>.+?) (?<backend>.+?)(\:(?<backend_port>.+?))? (?<request_processing_time>.+?) (?<backend_processing_time>.+?) (?<response_processing_time>.+?) (?<elb_status_code>.+?) (?<backend_status_code>.+?) (?<received_bytes>.+?) (?<sent_bytes>.+?) \"(?<request_method>.+?) (?<request_uri>.+?) (?<request_protocol>.+?)\"( \"(?<user_agent>.*?)\" (?<ssl_cipher>.+?) (?<ssl_protocol>[^ ]+)( (?<target_group_arn>arn:.+) (?<trace_id>.+))?(| (?<option3>.*)))?/

Also, the files are gzipped and have a .log.gz extension. The following regex matches both the Classic and the Application Load Balancer file names:

LOGFILE_REGEXP = /^((?<prefix>.+?)\/|)AWSLogs\/(?<account_id>[0-9]{12})\/elasticloadbalancing\/(?<region>.+?)\/(?<logfile_date>[0-9]{4}\/[0-9]{2}\/[0-9]{2})\/[0-9]{12}_elasticloadbalancing_.+?_(?<logfile_elb_name>[^_]+)_(?<elb_timestamp>[0-9]{8}T[0-9]{4}Z)_(?<elb_ip_address>.+?)_(?<logfile_hash>.+)\.log(\.gz)?$/

Unfortunately, we would still need to uncompress the files after we have retrieved them. I'm not a Ruby programmer, but I am assuming something like:

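  require 'zlib'

  def get_file_from_s3(object_name)
    begin
      log.debug "getting object from s3 name is #{object_name}"

      # A gzip stream spans chunk boundaries, so keep one streaming inflater
      # for the whole object (MAX_WBITS + 16 selects gzip framing)
      inflater = object_name.end_with?('.gz') ? Zlib::Inflate.new(Zlib::MAX_WBITS + 16) : nil

      # read an object from S3 to a file and write buffer file
      File.open(@buf_file, File::WRONLY|File::CREAT|File::TRUNC) do |file|
        s3_client.get_object(
          bucket: @s3_bucketname,
          key: object_name
        ) do |chunk|
          # decompress .gz objects incrementally, pass other objects through
          file.write(inflater ? inflater.inflate(chunk) : chunk)
        end
        # flush whatever the inflater still holds after the last chunk
        file.write(inflater.finish) if inflater
      end
    rescue => e
      log.warn "error occurred: #{e.message}"
    ensure
      inflater.close if inflater
    end
  end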
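An added example (not code from the plugin or from the post above): the combined ACCESSLOG_REGEXP quoted in that post, applied to constructed Classic and Application Load Balancer lines. The sample lines and the `parse_elb_line` helper are assumptions made for illustration.

```ruby
# Pattern copied from the post above; everything else in this block is added.
ACCESSLOG_REGEXP = /^((?<type>[a-z0-9]+) )?(?<time>\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{6}Z) (?<elb>.+?) (?<client>[^ ]+)\:(?<client_port>.+?) (?<backend>.+?)(\:(?<backend_port>.+?))? (?<request_processing_time>.+?) (?<backend_processing_time>.+?) (?<response_processing_time>.+?) (?<elb_status_code>.+?) (?<backend_status_code>.+?) (?<received_bytes>.+?) (?<sent_bytes>.+?) \"(?<request_method>.+?) (?<request_uri>.+?) (?<request_protocol>.+?)\"( \"(?<user_agent>.*?)\" (?<ssl_cipher>.+?) (?<ssl_protocol>[^ ]+)( (?<target_group_arn>arn:.+) (?<trace_id>.+))?(| (?<option3>.*)))?/

# Constructed sample lines (all values are made up).
# Classic layout: no leading type, no target_group_arn / trace_id.
CLASSIC_LINE = '2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -'
# Application layout: type first, target_group_arn and trace_id last.
ALB_LINE = 'http 2017-08-01T17:16:12.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337262-36d228ad5d99923122bbe354"'
# Request that never reached a backend: backend is "-" with no port.
NO_BACKEND_LINE = '2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 - -1 -1 -1 504 0 0 0 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -'
# Same ALB line with two more fields appended after trace_id.
TRAILING_FIELDS_LINE = ALB_LINE + ' "-" "-"'

# Parse one access-log line. Returns a Hash of the named captures (nil for
# fields the line does not carry) plus 'lb_kind' and 'backend_reached',
# or nil when the line does not match at all.
def parse_elb_line(line)
  m = ACCESSLOG_REGEXP.match(line)
  return nil unless m

  fields = m.named_captures
  fields['lb_kind'] = fields['type'] ? 'application' : 'classic'
  fields['backend_reached'] = fields['backend'] != '-'
  fields
end

if __FILE__ == $PROGRAM_NAME
  [CLASSIC_LINE, ALB_LINE, NO_BACKEND_LINE, TRAILING_FIELDS_LINE].each do |line|
    f = parse_elb_line(line)
    puts format('%-11s backend=%s:%s arn=%s trace=%s',
                f['lb_kind'], f['backend'], f['backend_port'].inspect,
                f['target_group_arn'].inspect, f['trace_id'].inspect)
  end
end
```

The last sample shows a limit of the pattern: `target_group_arn` is a greedy `.+`, so any fields appended after `trace_id` are absorbed into `target_group_arn` and only the final token is reported as `trace_id`.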

ACCESSLOG_REGEXP problem

Hi,
I've described this issue in good detail here:
https://groups.google.com/forum/?hl=en#!topic/fluentd/z8XvkiSgogk
I've debugged and fixed it as follows:
In the
https://github.com/shinsaka/fluent-plugin-elb-log/blob/master/lib/fluent/plugin/in_elb_log.rb
line #5:

ACCESSLOG_REGEXP = /^(?<time>.+?) (?<elb>.+?) (?<client>.+):(?<client_port>.+) (?<backend>.+):(?<backend_port>.+) (?<request_processing_time>.+?) (?<backend_processing_time>.+?) (?<response_processing_time>.+?) (?<elb_status_code>.+?) (?<backend_status_code>.+?) (?<received_bytes>.+?) (?<sent_bytes>.+?) "(?<request_method>.+?) (?<request_uri>.+?) (?<request_protocol>.+?)"$/

to be 

ACCESSLOG_REGEXP = /^(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{6}Z) (?<elb>.+?) (?<client>.+):(?<client_port>.+) (?<backend>.+):(?<backend_port>.+) (?<request_processing_time>.+?) (?<backend_processing_time>.+?) (?<response_processing_time>.+?) (?<elb_status_code>.+?) (?<backend_status_code>.+?) (?<received_bytes>.+?) (?<sent_bytes>.+?) "(?<request_method>.+?) (?<request_uri>.+?) (?<request_protocol>.+?)"$/

-- (?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{6}Z) instead of (?<time>.+?)
-- solves the problem.

Please apply this fix to your code.
Thank you.

Release request

@shinsaka can you do a release of this? The changes I've made in #38 are not in 1.0.0.

If I download the gem and unpack it I can see the changes are not there.

s3bucket_is_ok incompatible with cross account setups

I got the following error:

2017-08-01 17:16:12 +0000 [error]: unexpected error error_class=StandardError error=#<StandardError: s3 bucket not found xxxx-redacted>

but I've verified the bucket exists and is accessible for my access key. I dug into the code and it appears this exception is caused here

 raise StandardError.new("s3 bucket not found #{@s3_bucketname}") unless s3bucket_is_ok()

and the bug being here:

  def s3bucket_is_ok
    begin
      log.debug "search bucket #{@s3_bucketname}"

      s3_client.list_buckets.buckets.any? do |bucket|
        bucket.name == @s3_bucketname
      end
    rescue => e
      log.warn "S3 Client error occurred: #{e.message}"
    end
  end

I'm not a ruby programmer, but I think this is basically doing aws s3api list-buckets and searching for the bucket that way, which doesn't work if I'm trying to access a bucket in a different aws account. I'd recommend to remove this check and just raise an exception if the bucket is actually not accessible.

I'm on the current stable fluentd (0.12) and the latest fluent-plugin-elb-log that still supports this version (0.2.8).
