SlideShare a Scribd company logo

DOD 2016 - Rafał Kuć - Building a Resilient Log Aggregation Pipeline Using Elasticsearch and Kafka

PROIDEA, profile picture
PROIDEA

The document discusses building a resilient log aggregation pipeline using Elasticsearch and Kafka. It recommends using Kafka as a centralized buffer due to its scalability, fault tolerance, and streaming capabilities. Daily or size-based indices in Elasticsearch are preferable to a single large index. The document also provides optimization strategies for Elasticsearch, Kafka, and log shipping, including maintaining separate hot and cold tiers and properly configuring resources for data, master and ingest nodes.

Technology
1 of 61
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Building Resilient Log Aggregation Pipeline Using Elasticsearch and Kafka Rafał Kuć @ Sematext Group, Inc.
Sematext & I Logsene SPM logs metrics
Next 30 minutes… Log shipping - buffers - protocols - parsing Central buffering - Kafka - Redis Storage & Analysis - Elasticsearch - Kibana - Grafana
Log shipping architecture File Shipper File Shipper File Shipper Centralized Buffer ES ES ES ES ES ES ES ES ES data
Focus: Elasticsearch File Shipper File Shipper File Shipper Centralized Buffer ES ES ES ES ES ES ES ES ES data
Elasticsearch cluster architecture client client client data data data data data data master master master ingest ingest ingest
Dedicated masters please client client client data data data data data data master master master discovery.zen.minimum_master_nodes -> N/2 + 1 master eligible nodes ingest ingest ingest
One big index is a no-go Not scalable enough for time based data
One big index is a no-go Indexing slows down with time
One big index is a no-go Expensive merges
One big index is a no-go Delete by query needed for data retention
One big index is a no-go Not scalable enough for time based data Indexing slows down with time Expensive merges Delete by query needed for data retention
Daily indices are a good start 2016.11.18 2016.11.19 2016.11.22 2016.11.23. . . Indexing is faster for smaller indices Deletes are cheap Search can be performed on indices that are needed Static indices are cache friendly indexing most searches
Daily indices are a good start 2016.11.18 2016.11.19 2016.11.22 2016.11.23. . . Indexing is faster for smaller indices Deletes are cheap Search can be performed on indices that are needed Static indices are cache friendly indexing most searches We delete whole indices
Daily indices are sub-optimal black friday saturday sunday load is not even
Size based indices are optimal size limit for indices logs_01 indexing around 5 – 10GB per shard on AWS
Size based indices are optimal size limit for indices logs_01 indexing around 5 – 10GB per shard on AWS
Size based indices are optimal size limit for indices logs_01 indexing logs_02 around 5 – 10GB per shard on AWS
Size based indices are optimal size limit for indices logs_01 indexing logs_02 around 5 – 10GB per shard on AWS
Size based indices are optimal size limit for indices logs_01 logs_02 indexing logs_N. . . around 5 – 10GB per shard on AWS
Slice using size Predictable searching and indexing performance Better indices balancing Fewer shards Easier handling of spiky loads Less costs because of better hardware utilization
Proper Elasticsearch configuration Keep index.refresh_interval at maximum possible value 1 sec -> 100%, 5 sec -> 125%, 30 sec -> 175% You can loosen up merges - possible because of heavy aggregation use - segments_per_tier -> higher - max_merge_at_once-> higher - max_merged_segment -> lower All prefixed with index.merge.policy } higher indexing throughput
Proper Elasticsearch configuration Index only needed fields Use doc values Do not index _source Do not store _all
Optimization time We can optimize data nodes for time based data client client client data data data data data data master master master ingest ingest ingest
Hot – cold architecture ES hot ES cold ES cold -Dnode.attr.tag=hot -Dnode.attr.tag=cold -Dnode.attr.tag=cold
Hot – cold architecture logs_2016.11.22 ES hot ES cold ES cold -Dnode.attr.tag=hot -Dnode.attr.tag=cold -Dnode.attr.tag=cold curl -XPUT localhost:9200/logs_2016.11.22 -d '{ "settings" : { "index.routing.allocation.exclude.tag" : "cold", "index.routing.allocation.include.tag" : "hot" } }'
Hot – cold architecture logs_2016.11.22 ES hot ES cold ES cold indexing
Hot – cold architecture logs_2016.11.22 logs_2016.11.23 ES hot ES cold ES cold indexing
Hot – cold architecture logs_2016.11.22 logs_2016.11.23 ES hot ES cold ES cold indexing move index after day ends curl -XPUT localhost:9200/logs_2016.11.22/_settings -d '{ "index.routing.allocation.exclude.tag" : "hot", "index.routing.allocation.include.tag” : "cold" }'
Hot – cold architecture logs_2016.11.23 logs_2016.11.22 ES hot ES cold ES cold indexing
Hot – cold architecture logs_2016.11.23 logs_2016.11.24 logs_2016.11.22 ES hot ES cold ES cold indexing
Hot – cold architecture logs_2016.11.23 logs_2016.11.24 logs_2016.11.22 ES hot ES cold ES cold indexing move index after day ends
Hot – cold architecture logs_2016.11.24 logs_2016.11.22 logs_2016.11.23 ES hot ES cold ES cold indexing
Hot – cold architecture Hot ES Tier Good CPU Lots of I/O Cold ES Tier Memory bound Decent I/O ES cold Cold ES Tier Memory bound Decent I/O
Hot – cold architecture summary ES cold Optimize costs – different hardware for different tier Performance – use case optimized hardware Isolation – long running searches don’t affect indexing
Elasticsearch client node needs client client client data data data data data data master master master ingest ingest ingest
Elasticsearch client node needs No data = no IOPS Large query throughput = high CPU usage Lots of results = high memory usage Lots of concurrent queries = higher resources utilization
Elasticsearch ingest node needs client client client data data data data data data master master master ingest ingest ingest
Elasticsearch ingest node needs No data = no IOPS Large index throughput = high CPU & memory usage Complicated rules = high CPU usage Larger documents = more resources utilization
Elasticsearch master node needs client client client data data data data data data master master master ingest ingest ingest
Elasticsearch ingest node needs No data = no IOPS Large number of indices = high CPU & memory usage Complicated mappings = high memory usage Daily indices = spikes in resources utilization
Focus: Centralized Buffer File Shipper File Shipper File Shipper Centralized Buffer ES ES ES ES ES ES ES ES ES data
Why Apache Kafka? Fast & easy to use Easy to scale Fault tolerant and highly available Supports streaming Works in publish/subscribe mode
Kafka architecture ZooKeeper ZooKeeper ZooKeeper Kafka Kafka KafkaKafka
Kafka & topics security_logs access_logs app1_logs app2_logs Kafka stores data in topics written on disk
Kafka & topics & partitions & replicas logs partition 2 logs partition 1 logs partition 3 logs partition 4 logs replica partition 2 logs replica partition 1 logs replica partition 3 logs replica partition 4
Scaling Kafka logs partition 1
Scaling Kafka logs partition 1 logs partition 2 logs partition 3 logs partition 4
Scaling Kafka logs partition 1 logs partition 2 logs partition 3 logs partition 4 logs partition 5 logs partition 6 logs partition 7 logs partition 8 logs partition 9 logs partition 10 logs partition 11 logs partition 12 logs partition 13 logs partition 14 logs partition 15 logs partition 16
Things to remember when using Kafka Scales by adding more partitions not threads The more IOPS the better Keep the # of consumers equal to # of partitions Replicas used for HA and FT only Offsets stored per consumer – multiple destinations easily possible
Focus: Shipper File Shipper File Shipper File Shipper Centralized Buffer ES ES ES ES ES ES ES ES ES data
What about the shipper? logs Centralized Buffer Which shipper to use? Which protocol should be used What about the buffering Log to JSON or parse and how
Buffers performance & availability batches & threads when central buffer is gone
Buffer types Disk || memory || combined hybrid approach On source || centralized App Buffer App Buffer file or local log shipper easy scaling – fewer moving parts often with the use of lightweight shipper App App Kafka / Redis / Logstash / etc… one place for all changes extra features made easy (like TTL) ES ES
Buffers Summary Simple Reliable App Buffer App Buffer ES App App ES
Protocols UDP – fast, cool for the application, not reliable TCP – reliable (almost) application gets ACK when written to buffer Application level ACKs may be needed HTTP RELP Beats Kafka Logstash, rsyslog, Fluentd Logstash, rsyslog Logstash, Filebeat Logstash, rsyslog, Filebeat, Fluentd
Choosing the shipper application rsyslog Elasticsearch http socket memory & disk assisted queues
Choosing the shipper application rsyslog Elasticsearch http socket memory & disk assisted queues application file rsyslog filebeat consumer
What about OS? Say NO to swap Set the right disk scheduler CFQ for spinning disks deadline for SSD Use proper mount options for ext4 noatime nodirtime data=writeback, nobarier For bare metal check CPU governor disable transparent huge pages /proc/sys/vm/nr_hugepages=0
We are engineers! We develop DevOps tools! We are DevOps people! We do fun stuff ;) http://sematext.com/jobs
Thank you for listening! Get in touch! Rafał rafal.kuc@sematext.com @kucrafal http://sematext.com @sematext http://sematext.com/jobs Come talk to us at the booth

More Related Content

PPTX
DOD 2016 - Stefan Thies - Monitoring and Log Management for Docker Swarm and...
PROIDEA
 
PDF
Introducing log analysis to your organization
Sematext Group, Inc.
 
PDF
Apache Spark on Kubernetes Anirudh Ramanathan and Tim Chen
Databricks
 
PPTX
SF Big Analytics_20190612: Scaling Apache Spark on Kubernetes at Lyft
Chester Chen
 
PDF
Lessons Learned from Managing Thousands of Production Apache Spark Clusters w...
Databricks
 
PDF
Spark Operator—Deploy, Manage and Monitor Spark clusters on Kubernetes
Databricks
 
PPTX
Feedback on Big Compute & HPC on Windows Azure
Antoine Poliakov
 
PDF
Querying Data Pipeline with AWS Athena
Yaroslav Tkachenko
 
DOD 2016 - Stefan Thies - Monitoring and Log Management for Docker Swarm and...
PROIDEA
 
Introducing log analysis to your organization
Sematext Group, Inc.
 
Apache Spark on Kubernetes Anirudh Ramanathan and Tim Chen
Databricks
 
SF Big Analytics_20190612: Scaling Apache Spark on Kubernetes at Lyft
Chester Chen
 
Lessons Learned from Managing Thousands of Production Apache Spark Clusters w...
Databricks
 
Spark Operator—Deploy, Manage and Monitor Spark clusters on Kubernetes
Databricks
 
Feedback on Big Compute & HPC on Windows Azure
Antoine Poliakov
 
Querying Data Pipeline with AWS Athena
Yaroslav Tkachenko
 

What's hot (19)

PDF
Big Data Tools in AWS
Shu-Jeng Hsieh
 
PPTX
Deploy data analysis pipeline with mesos and docker
Vu Nguyen Duy
 
PDF
Using Spark, Kafka, Cassandra and Akka on Mesos for Real-Time Personalization
Patrick Di Loreto
 
PDF
A New Chapter of Data Processing with CDK
Shu-Jeng Hsieh
 
PDF
Scalable and Reliable Logging at Pinterest
Krishna Gade
 
PDF
Lambda Architecture Using SQL
SATOSHI TAGOMORI
 
PDF
Accelerating Real Time Analytics with Spark Streaming and FPGAaaS with Prabha...
Databricks
 
PDF
Airstream: Spark Streaming At Airbnb
Jen Aman
 
PDF
Spark Working Environment in Windows OS
Universiti Technologi Malaysia (UTM)
 
PDF
The Data Mullet: From all SQL to No SQL back to Some SQL
Datadog
 
PDF
Metrics-Driven Tuning of Apache Spark at Scale with Edwina Lu and Ye Zhou
Databricks
 
PDF
Top 5 mistakes when writing Streaming applications
hadooparchbook
 
PPTX
DataEngConf SF16 - High cardinality time series search
Hakka Labs
 
PDF
Spark Internals Training | Apache Spark | Spark | Anika Technologies
Anand Narayanan
 
PDF
Spark-Streaming-as-a-Service with Kafka and YARN: Spark Summit East talk by J...
Spark Summit
 
PDF
Using Apache Spark in the Cloud—A Devops Perspective with Telmo Oliveira
Spark Summit
 
PDF
Next CERN Accelerator Logging Service with Jakub Wozniak
Spark Summit
 
PDF
Hadoop summit - Scaling Uber’s Real-Time Infra for Trillion Events per Day
Ankur Bansal
 
PDF
Lambda architecture
Szilveszter Molnár
 
Big Data Tools in AWS
Shu-Jeng Hsieh
 
Deploy data analysis pipeline with mesos and docker
Vu Nguyen Duy
 
Using Spark, Kafka, Cassandra and Akka on Mesos for Real-Time Personalization
Patrick Di Loreto
 
A New Chapter of Data Processing with CDK
Shu-Jeng Hsieh
 
Scalable and Reliable Logging at Pinterest
Krishna Gade
 
Lambda Architecture Using SQL
SATOSHI TAGOMORI
 
Accelerating Real Time Analytics with Spark Streaming and FPGAaaS with Prabha...
Databricks
 
Airstream: Spark Streaming At Airbnb
Jen Aman
 
Spark Working Environment in Windows OS
Universiti Technologi Malaysia (UTM)
 
The Data Mullet: From all SQL to No SQL back to Some SQL
Datadog
 
Metrics-Driven Tuning of Apache Spark at Scale with Edwina Lu and Ye Zhou
Databricks
 
Top 5 mistakes when writing Streaming applications
hadooparchbook
 
DataEngConf SF16 - High cardinality time series search
Hakka Labs
 
Spark Internals Training | Apache Spark | Spark | Anika Technologies
Anand Narayanan
 
Spark-Streaming-as-a-Service with Kafka and YARN: Spark Summit East talk by J...
Spark Summit
 
Using Apache Spark in the Cloud—A Devops Perspective with Telmo Oliveira
Spark Summit
 
Next CERN Accelerator Logging Service with Jakub Wozniak
Spark Summit
 
Hadoop summit - Scaling Uber’s Real-Time Infra for Trillion Events per Day
Ankur Bansal
 
Lambda architecture
Szilveszter Molnár
 
Ad

Similar to DOD 2016 - Rafał Kuć - Building a Resilient Log Aggregation Pipeline Using Elasticsearch and Kafka (20)

PPTX
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Streamsets Inc.
 
PPTX
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Rick Bilodeau
 
PPTX
Centralized log-management-with-elastic-stack
Rich Lee
 
PDF
IBM Cloud Day January 2021 Data Lake Deep Dive
Torsten Steinbach
 
PDF
Big Telco Real-Time Network Analytics
Yousun Jeong
 
PDF
Big Telco - Yousun Jeong
Spark Summit
 
PDF
Kafka & Hadoop in Rakuten
Rakuten Group, Inc.
 
PDF
Distributed Data Storage & Streaming for Real-time Decisioning Using Kafka, S...
HostedbyConfluent
 
PPTX
Powering Interactive Data Analysis at Pinterest by Amazon Redshift
Jie Li
 
PDF
AWS Analytics Immersion Day - Build BI System from Scratch (Day1, Day2 Full V...
Sungmin Kim
 
PDF
Spark and Couchbase: Augmenting the Operational Database with Spark
Spark Summit
 
PDF
Architecting Data in the AWS Ecosystem
SingleStore
 
PDF
Análisis del roadmap del Elastic Stack
Elasticsearch
 
PPTX
Otimizações de Projetos de Big Data, Dw e AI no Microsoft Azure
Luan Moreno Medeiros Maciel
 
PPTX
High performance Spark distribution on PKS by SnappyData
VMware Tanzu
 
PPTX
High performance Spark distribution on PKS by SnappyData
Carlos Andrés García
 
PDF
Serverless Data Platform
Shu-Jeng Hsieh
 
PDF
Elastic Stack Roadmap
Imma Valls Bernaus
 
PDF
Akka, Spark or Kafka? Selecting The Right Streaming Engine For the Job
Lightbend
 
PDF
Building Super Fast Cloud-Native Data Platforms - Yaron Haviv, KubeCon 2017 EU
Yaron Haviv
 
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Streamsets Inc.
 
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Rick Bilodeau
 
Centralized log-management-with-elastic-stack
Rich Lee
 
IBM Cloud Day January 2021 Data Lake Deep Dive
Torsten Steinbach
 
Big Telco Real-Time Network Analytics
Yousun Jeong
 
Big Telco - Yousun Jeong
Spark Summit
 
Kafka & Hadoop in Rakuten
Rakuten Group, Inc.
 
Distributed Data Storage & Streaming for Real-time Decisioning Using Kafka, S...
HostedbyConfluent
 
Powering Interactive Data Analysis at Pinterest by Amazon Redshift
Jie Li
 
AWS Analytics Immersion Day - Build BI System from Scratch (Day1, Day2 Full V...
Sungmin Kim
 
Spark and Couchbase: Augmenting the Operational Database with Spark
Spark Summit
 
Architecting Data in the AWS Ecosystem
SingleStore
 
Análisis del roadmap del Elastic Stack
Elasticsearch
 
Otimizações de Projetos de Big Data, Dw e AI no Microsoft Azure
Luan Moreno Medeiros Maciel
 
High performance Spark distribution on PKS by SnappyData
VMware Tanzu
 
High performance Spark distribution on PKS by SnappyData
Carlos Andrés García
 
Serverless Data Platform
Shu-Jeng Hsieh
 
Elastic Stack Roadmap
Imma Valls Bernaus
 
Akka, Spark or Kafka? Selecting The Right Streaming Engine For the Job
Lightbend
 
Building Super Fast Cloud-Native Data Platforms - Yaron Haviv, KubeCon 2017 EU
Yaron Haviv
 
Ad

Recently uploaded (20)

PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Encapsulation theory and applications.pdf
gurumoop
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
KodekX | Application Modernization Development
KodekX
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 

DOD 2016 - Rafał Kuć - Building a Resilient Log Aggregation Pipeline Using Elasticsearch and Kafka