May 19

How to combine Multiline Fluentd log

<Way 1> Use fluent filter plugin to combine log lines GitHub - fluent/fluent-plugin-parser-cri: CRI log parser for Fluentd Fluentd parser plugin to parse CRI logs. CRI logs consist of time, stream, logtag and message parts like below…github.com <filter ** > @type concat key message use_first_timestamp true partial_key logtag partial_value P seperator "" </filter> <Way 2> Turn your log into JSON format in your application

Fluentd

1 min read

How to combine Multiline Fluentd log

<Way 1> Use fluent filter plugin to combine log lines

GitHub - fluent/fluent-plugin-parser-cri: CRI log parser for Fluentd

Fluentd parser plugin to parse CRI logs. CRI logs consist of time, stream, logtag and message parts like below…

github.com

<filter ** >
  @type concat
  key message
  use_first_timestamp true
  partial_key logtag
  partial_value P
  seperator ""
</filter>

<Way 2> Turn your log into JSON format in your application

e.g. Java application

pom.xml

<dependency>
  <groupId>ch.qos.logback.contrib</groupId>
  <artifactId>logback-json-classic</artifactId>
  <version>0.1.5</version>
</dependency>
<dependency>
  <groupId>ch.qos.logback.contrib</groupId>…

May 10

Use a label to determine whether to forward logs or not with Fluentd daemonset in K8s

While Implementing logging architecture in Kubernetes, we often run Fluentd as a daemonset to collect console logs from all pods and ship logs into EFK (or other storage). Usually, Fluentd daemonset is a cluster-level deployment, in which the config is shared by all namespaces and pods. Under some circumstances, we’ll…

Fluentd

2 min read

May 9

Prometheus Federation

Case 1: 我的 Prometheus佈好後，如何將 Infra level 的 metric 收到我的 Prometheus (前提為Infra有自己一套Prometheus)？透過 Prometheus Federation 機制，在我的 Prometheus 設定 job 去抓 Infra Prometheus 所收集的 metric (類似 DB r …

5 min read

Apr 26

Tools to help develop Kubernetes YAML

K8s Yaml Generator : https://k8syaml.com VS Code Extension : Kubernetes Templates https://marketplace.visualstudio.com/items?itemName=lunuan.kubernetes-templates

1 min read

Tools to help develop Kubernetes YAML

K8s Yaml Generator : https://k8syaml.com
VS Code Extension : Kubernetes Templates
https://marketplace.visualstudio.com/items?itemName=lunuan.kubernetes-templates

Apr 26

Prometheus with Thanos for Long-Term Storage S3

持續複製資料，避免一次要傳送大量資料，以及同步時間問題。減少Prometheus儲存空間，資料複製到 S3。原本Query 的網頁可以直接存取 S3 空間，也可提供Grafana繪製Dashboard。多個元件，可以自由架設。不用Sidecar，採用Receiver 不需要與Prometheus共住。不遺漏即時資料 Key Thanos Components •Receiver: Receives data from Prometheus’s remote-write WAL, exposes it and/or upload it to cloud storage. •Store(API): Thanos Store acts as an API for querying Prometheus metrics stored in the object store. •Query(GUI):Querying via Thanos Query…

2 min read

Apr 13

A Prometheus Alert for Elasticsearch Single Shard too Large

According to Elasticsearch's official guide, there are no hard limits on shard size, but experience shows that shards between 10GB and 50GB typically work well for logs and time series data. Install elasticsearch-exporter 2. Add a Prometheus rule - alert: ElasticsearchShardTooLarge expr: sum by(index, cluster, instance) (elasticsearch_indices_store_size_bytes_primary)/count by (index, cluster, instance)(elasticsearch_indices_shards_docs)/1024/1024/1024 >50 for: 5m labels: severity: warning service: EFK frequency: daily

Elasticsearch

1 min read

A Prometheus Alert for Elasticsearch Single Shard too Large

According to Elasticsearch's official guide, there are no hard limits on shard size, but experience shows that shards between 10GB and 50GB typically work well for logs and time series data.

Install elasticsearch-exporter

2. Add a Prometheus rule

- alert: ElasticsearchShardTooLarge
  expr: sum by(index, cluster, instance)    (elasticsearch_indices_store_size_bytes_primary)/count by (index, cluster, instance)(elasticsearch_indices_shards_docs)/1024/1024/1024 >50
  for: 5m
  labels:
    severity: warning
    service: EFK
    frequency: daily  annotations:
    summary: Elasticsearch Single Shard > 50G
    action: Edit template setting - number_of_shards

3. Setup alertmanager.yml, and fire this alert once a day

route:
  - match:
      frequency: daily
      service: EFK
    group_by: [cluster, instance]
    receiver: efk-receiver
    active_time_intervals:
      - morning
    repeat_interval: 50mtime_intervals:
  - name: morning  
  time_intervals: 
    - times: 
      - start_time: 00:00  # 8-9 AM in GMT+8 timezone
        end_time: 01:00

Apr 8

Add kubernetes metadata to fluentd/fluent bit sidecar

Background: When using fluentd or fluent-bit as a daemonset, we can make use of fluent-plugin-kubernetes_metadata_filter to retrieve rich metadata information and label them into our logs, such as pod name, namespace labels, pod labels… etc. <filter kubernetes.var.log.containers.**.log> @type kubernetes_metadata </filter> But when running fluentd or fluent-bit as a sidecar container…

Fluentd

1 min read

Mar 2

Move shards/index away from an Elasticsearch Data Node

[Type A] Manually move a shard to another data node POST _cluster/reroute { “commands” : [ { “move” : { “index” : “logstash-default-gigacim-2022.01.17”, “shard” : 9, “from_node” : “f12glog29_d3”, “to_node” : “f12glog21_d2” } } ] } [Type B] Move only today’s shards away from a data node Check (sort by…

Elasticsearch

1 min read

Move shards/index away from an Elasticsearch Data Node

[Type A] Manually move a shard to another data node

POST _cluster/reroute
{
“commands” : [
{
“move” : {
“index” : “logstash-default-gigacim-2022.01.17”, “shard” : 9,
“from_node” : “f12glog29_d3”, “to_node” : “f12glog21_d2”
}
}
]
}

[Type B] Move only today’s shards away from a data node

Check (sort by…

Feb 18

[Troubleshooting] Elasticsearch - Client did not trust this server’s certificate, closing connection Netty4TcpChannel

Situation: While adding nodes to an existing elasticsearch cluster, new nodes can’t be discovered and the master node log shows Elasticsearch — Client did not trust this server’s certificate, closing connection Netty4TcpChannel Possible Reasons: elastic-certificate.p12 is different on elasticsearch hosts. Master nodes not started Connections between nodes are blocked behind…

Elasticsearch

1 min read

[Troubleshooting] Elasticsearch - Client did not trust this server’s certificate, closing connection Netty4TcpChannel

Situation:

While adding nodes to an existing elasticsearch cluster, new nodes can’t be discovered and the master node log shows Elasticsearch — Client did not trust this server’s certificate, closing connection Netty4TcpChannel

Possible Reasons:

elastic-certificate.p12 is different on elasticsearch hosts.
Master nodes not started
Connections between nodes are blocked behind…

Jan 27

[Troubleshooting] OpenSSL::SSL::SSLError Due to istio

Error message in a Kubernetes pod: [Faraday::ConnectionFailed] SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello (OpenSSL::SSL::SSLError) Possible Solution: 1. Add AuthorizationPolicy to allow traffic apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-elasticsearch spec: action: ALLOW rules: - from: - source: ipBlocks: - 172.0.0.0/8 to: - operation: ports: [“9200”]

Istio

1 min read

[Troubleshooting] OpenSSL::SSL::SSLError Due to istio

Error message in a Kubernetes pod:

[Faraday::ConnectionFailed] SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello (OpenSSL::SSL::SSLError)

Possible Solution:

1. Add AuthorizationPolicy to allow traffic

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-elasticsearch
spec:
  action: ALLOW
  rules:
  - from:
    - source:
      ipBlocks:
      - 172.0.0.0/8
    to:
    - operation:
        ports: [“9200”]

2. Check if…