Monica is a co-creator of Elastic Beats. Before she created Beats, she worked as a core developer for IPTEGO, a Berlin start-up that offers a complete monitoring and troubleshooting solution for VoIP networks. The product was sold worldwide and is currently used by large companies in the telecommunications industry.
24. Filebeat adapts its speed automatically to as much as the next stage can process
25. @monicasarbu
When the next stage is down …
• Filebeat patiently waits
• Log lines are not lost
• It doesn’t allocate memory
• It doesn’t buffer log lines on disk
31. 001 Gelf driver + Logstash
Pros:
• logs are sent directly to Logstash
Cons:
• UDP based, no delivery guarantees, no congestion control
32. 010 json-file driver + Filebeat
Pros:
• Simple to set up as it’s the default driver
• Easy to add container metadata (name, labels, etc.)
• `docker logs` works
Cons:
• json-file driver can slow down the Docker container
33. 011 Syslog driver + Syslog server + Filebeat
Pros:
• Good control over the path where the files are written, rotation strategies, etc.
Cons:
• you need to manage the syslog server
• metadata is serialized as a string, needs to be deserialized again
• multiline is difficult because data from containers can be mixed
34. 100 Journald driver + Filebeat
Pros:
• journald is often already available
• convenient support for container metadata (name, labels, etc.)
• `docker logs` works
Cons:
• Filebeat doesn’t yet support journald
• You can use the community Beat, Journalbeat
35. 101 Shared volume + Filebeat
Pros:
• If your app can rotate its own logs, it’s very easy to set up
• Scales well
Cons:
• Difficult to pass container metadata (name, labels, etc.)
41. Querying the Docker API
• CPU and memory
• Docker container information
• network (in/out bytes, dropped)
• diskIO (reads/writes)
• status of containers (# of stopped, running, etc.)
42. Docker module in Metricbeat (in progress)
• Get container metrics by querying the Docker API
• Has access to container names and labels
• Easy to set up
43. Reading cgroup data from /proc/
• Doesn’t require access to the Docker API (which can be a security issue)
• Works for any container runtime (Docker, rkt, runC, LXD, etc.)
• Cannot get the container name and labels, only the container ID
44. System module + cgroup data
• if the cgroup option is enabled (disabled by default)
• Automatically enhances process data with cgroup information
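Added example, not code from the talk or from the Beats project, illustrating the trade-off on slides 43 and 44: the container ID can be recovered from a process's /proc/<pid>/cgroup file without touching the Docker socket, but the name and labels cannot. The cgroup file contents and the 64-hex container ID below are constructed; the cgroup path layouts matched are the plain `/docker/<id>` form and systemd's `docker-<id>.scope` form.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed /proc/<pid>/cgroup contents (cgroup v1 layout, "hierarchy-ID:controllers:path")
// for a process running inside a Docker container. The container ID is made up.
const sampleContainerCgroup = `11:memory:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
10:cpu,cpuacct:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1:name=systemd:/system.slice/docker-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.scope
`

// Constructed contents for a plain host process (not inside any container).
const sampleHostCgroup = `11:memory:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
`

// containerIDPattern matches the 64-hex Docker container ID embedded in a cgroup path,
// either as "/docker/<id>" or as systemd's "docker-<id>.scope".
var containerIDPattern = regexp.MustCompile(`(?:/docker/|docker-)([0-9a-f]{64})`)

// ContainerIDFromCgroup scans every controller line of a /proc/<pid>/cgroup file and
// returns the Docker container ID found in the path field, or "" if the process is not
// in a Docker cgroup. Only the ID is available this way; name and labels need the API.
func ContainerIDFromCgroup(contents string) string {
	for _, line := range strings.Split(contents, "\n") {
		fields := strings.SplitN(line, ":", 3)
		if len(fields) != 3 {
			continue // blank or malformed line
		}
		if m := containerIDPattern.FindStringSubmatch(fields[2]); m != nil {
			return m[1]
		}
	}
	return ""
}

func main() {
	for _, contents := range []string{sampleContainerCgroup, sampleHostCgroup} {
		if id := ContainerIDFromCgroup(contents); id != "" {
			fmt.Printf("container ID: %s (short: %s)\n", id, id[:12])
		} else {
			fmt.Println("not a Docker container process")
		}
	}
}
```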
49. #velo
Why Elasticsearch for time series
• Horizontal scalability. Mature and battle tested cluster support.
• Flexible aggregations (incl. moving averages & Holt Winters)
• One system for both logs and metrics
• Timelion UI, Grafana
• Great ecosystem: e.g. alerting tools
53. Unknown traffic, use flows
• Look into data for which we don’t understand the application layer protocol
  • TLS
  • Protocols we don’t yet support
• Get data about IP / TCP / UDP layers
  • number of packets & bytes
  • retransmissions
  • inter-arrival time