
make teleport log naming convention easier for log aggregators #2388

Closed
ghost opened this issue Nov 28, 2018 · 3 comments

Comments


ghost commented Nov 28, 2018

I followed https://gravitational.com/blog/shipping-ssh-logs-to-sumologic/ to configure sending ssh logs to sumologic. But instead of the sumologic/collector docker image, I used https://github.com/SumoLogic/fluentd-kubernetes-sumologic because it has already been used for kubernetes and container logs.

The tutorial recommends using /var/lib/teleport/log/*.log as pathExpression to configure sumo sources. However when I configured the sumologic collector that way it started following every file in /var/lib/teleport/log/ (which was more than 100 files because we keep the logs for a long time).

I tried to configure fluentd to keep track of the latest log file only using the following configuration:

      <source>
        @type tail
        tag teleport
        path /mnt/teleport/%Y-%m-%d.*.log
        pos_file /mnt/pos/teleport.log.pos
        <parse>
          @type json
          time_key time
          time_type string
          time_format %Y-%m-%dT%H:%M:%SZ
        </parse>
      </source>
      <filter teleport.**>
        @type kubernetes_sumologic
        source_category teleport
        source_name teleport
      </filter>

where /mnt/teleport/ is a mount of /var/lib/gravity/site/teleport/log/.
The corresponding fluentd documentation can be found at https://docs.fluentd.org/v1.0/articles/in_tail

Here I ran into problems.

  1. Despite having the name 2018-11-01.00:00:00.log, the file is created 12 hours before that time and is rotated 12 hours after it.

         [root@ip-10-104-2-176 log]# head -1 2018-11-01.00:00:00.log
         {"event":"user.login","method":"local","time":"2018-10-31T12:00:11Z","user":"opscenter@gravitational.io"}
         [root@ip-10-104-2-176 log]# tail -1 2018-11-01.00:00:00.log
         {"event":"user.login","method":"local","time":"2018-11-01T11:59:11Z","user":"opscenter@gravitational.io"}

  2. The names of the log files contain dates and times in UTC and do not respect the local timezone set on the server.

These 2 issues cause fluentd to start reading the latest log file in 12 + local_timezone_difference_with_UTC hours which is a very big delay.

I wonder if it is possible to make this naming convention more predictable and easier to use for log aggregator software?

For instance, teleport could write current records to current.log or last.log, and rotate it to YYYY-mm-DD.00:00:00.log when it is time to rotate.

@klizhentas klizhentas added this to the 3.1.6 "West Village" milestone Jan 29, 2019
@klizhentas klizhentas self-assigned this Jan 30, 2019
klizhentas added a commit that referenced this issue Feb 10, 2019
This commit improves on-disk events log rotation:

* Previously, log rotation was not deterministic,
as logs could be rotated mid-day UTC, and events
from the same day could end up in different files.

This commit makes sure that logs are rotated
on the UTC boundary of the day, and log entries
from this day are located in the appropriate file,
e.g. 2019-02-09.00:00:00.log will contain all
event logs from 2019-02-09 day.

* To improve UX, additional symlink event.log
is located (by default in /var/lib/teleport/events.log)
and is pointing to the latest events log file.
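The rotation scheme the commit message above describes (one file per UTC day, named YYYY-MM-DD.00:00:00.log, plus a symlink that always points at the file currently being written) as an added example in Go. This is illustration code written for this page, not Teleport's implementation: the EventLog type, its methods, and the choice to keep the events.log symlink inside the log directory with a relative target are assumptions. It also shows the point raised in the original report: the file is chosen by the event's UTC day, so a server running in another timezone still writes to the UTC-named file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// SymlinkName is the fixed path a log shipper can tail (assumed location).
const SymlinkName = "events.log"

// DayStart truncates t to midnight UTC; the server's local timezone is ignored.
func DayStart(t time.Time) time.Time {
	u := t.UTC()
	return time.Date(u.Year(), u.Month(), u.Day(), 0, 0, 0, 0, time.UTC)
}

// FileNameFor returns the name of the file that holds events stamped t.
func FileNameFor(t time.Time) string {
	return DayStart(t).Format("2006-01-02") + ".00:00:00.log"
}

// EventLog appends JSON events to per-UTC-day files (hypothetical type).
type EventLog struct {
	dir     string
	file    *os.File
	fileDay time.Time // UTC midnight of the day the open file covers
}

func NewEventLog(dir string) *EventLog { return &EventLog{dir: dir} }

// Write appends one event, rotating first if t falls into another UTC day.
func (l *EventLog) Write(t time.Time, event map[string]interface{}) error {
	day := DayStart(t)
	if l.file == nil || !day.Equal(l.fileDay) {
		if err := l.rotate(day); err != nil {
			return err
		}
	}
	event["time"] = t.UTC().Format("2006-01-02T15:04:05Z")
	b, err := json.Marshal(event) // keys are emitted sorted, as in the report
	if err != nil {
		return err
	}
	_, err = l.file.Write(append(b, '\n'))
	return err
}

// rotate opens the file for day and re-points the symlink at it atomically.
func (l *EventLog) rotate(day time.Time) error {
	l.Close()
	name := filepath.Join(l.dir, FileNameFor(day))
	f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600)
	if err != nil {
		return err
	}
	l.file, l.fileDay = f, day
	link := filepath.Join(l.dir, SymlinkName)
	tmp := link + ".tmp"
	os.Remove(tmp)
	if err := os.Symlink(filepath.Base(name), tmp); err != nil {
		return err
	}
	return os.Rename(tmp, link) // rename replaces the old link in one step
}

// Close closes the current file, if any.
func (l *EventLog) Close() {
	if l.file != nil {
		l.file.Close()
		l.file = nil
	}
}

func main() {
	dir, err := os.MkdirTemp("", "eventlog")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	l := NewEventLog(dir)
	defer l.Close()
	// Constructed sample events straddling midnight UTC.
	for _, ts := range []time.Time{
		time.Date(2018, 10, 31, 23, 59, 11, 0, time.UTC),
		time.Date(2018, 11, 1, 0, 0, 11, 0, time.UTC),
	} {
		ev := map[string]interface{}{"event": "user.login", "method": "local", "user": "alice@example.com"}
		if err := l.Write(ts, ev); err != nil {
			panic(err)
		}
	}
	entries, _ := os.ReadDir(dir)
	for _, e := range entries {
		fmt.Println(e.Name())
	}
	target, _ := os.Readlink(filepath.Join(dir, SymlinkName))
	fmt.Println(SymlinkName, "->", target)
}
```

Running it writes two constructed events that straddle midnight UTC into a temporary directory and prints the resulting file names and the symlink target. With this layout a shipper can follow the fixed events.log path instead of a date-based glob, which removes the delay the report describes.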

ghost commented Feb 10, 2019

@klizhentas thanks!

@kontsevoy
Contributor

re-opening to update the docs

@kontsevoy kontsevoy reopened this Feb 12, 2019
@kontsevoy
Contributor

nothing to document. no changes to commands/etc.
