DEV Community: Seth Wang The latest articles on DEV Community by Seth Wang (@sethwxh). https://dev.to/sethwxh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F448862%2F128c70aa-4dce-4366-95f4-43b174a2bd67.jpg DEV Community: Seth Wang https://dev.to/sethwxh en How To Build a Logging Pipeline For Nginx Server Seth Wang Sat, 08 Aug 2020 18:50:25 +0000 https://dev.to/sethwxh/build-a-logging-pipeline-for-nginx-server-in-5-mins-59fh https://dev.to/sethwxh/build-a-logging-pipeline-for-nginx-server-in-5-mins-59fh <h1> Background </h1> <p>Nginx is one of the most widely used web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. By default Nginx writes logs to <code>/var/log/nginx/access.log</code> in a plain text format like this:<br> </p> <div class="highlight"><pre class="highlight shell"><code>157.245.235.57 - <span class="o">[</span>04/Aug/2020:21:16:03 +0000] <span class="s2">"POST /api/ HTTP/1.1"</span> 200 457 13 <span class="s2">"-"</span> <span class="s2">"Vector/0.10.0 (g0f0311a x86_64-unknown-linux-gnu 2020-07-22)"</span> 0.002 0.000 25f146d2aaee0d50f35c4404c9bb1f12 114.227.157.172 - <span class="o">[</span>04/Aug/2020:21:16:11 +0000] <span class="s2">"GET /phpmyadmin/ HTTP/1.1"</span> 404 199 580 <span class="s2">"-"</span> <span class="s2">"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"</span> 0.000 - eb3c6c45f70e9bf7e562956c00a42970 195.54.160.21 - <span class="o">[</span>04/Aug/2020:20:31:07 +0000] <span class="s2">"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"</span> 404 284 209 <span class="s2">"-"</span> <span class="s2">"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"</span> 0.181 - 7455ea5f3bc5512ab544b068600041bc </code></pre></div> <p>Nginx logs contain information like request latency, request IP and etc that are very useful for monitoring system health. But they will be even more useful if they can be in a more structured format. In order to convert logs into useful stats, we will need a log pipeline to process log data, <strong>transform</strong> them into structured data which can be easily aggregated, and then <strong>route</strong> them to analytics tools. </p> <p>In this blog I'll walk through the steps I went through to build a log pipeline to process my Nginx logs and how we can gain insights from structured log events.</p> <h1> Set Up Log Pipeline </h1> <p>We will walk through how to create a log pipeline using <a href="https://signalflex.io">SignalFlex</a>.</p> <p><a href="https://signalflex.io">SignalFlex</a> is a hosted event processing pipeline. It can receives any arbitrary log data from HTTP endpoints. And It allows us to configure transform and processing logic without writing code. After data is received, SignalFlex transform them into structured events and forward them to log management and monitoring tools (Datadog, Elasticsearch etc). We will use SignalFlex to create a log pipeline to process our Nginx logs and send structured data to Honeycomb.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xmVPUoWp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rhnctm1c41b3lzpm7k6a.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xmVPUoWp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rhnctm1c41b3lzpm7k6a.png" alt="Alt Text"></a></p> <ul> <li><strong>Transform Log Event</strong></li> </ul> <p>Nginx logs are raw text and have no structure:<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="mf">157.245</span><span class="err">.</span><span class="mf">235.57</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="p">[</span><span class="mi">04</span><span class="err">/Aug/</span><span class="mi">2020</span><span class="err">:</span><span class="mi">21</span><span class="err">:</span><span class="mi">16</span><span class="err">:</span><span class="mi">03</span><span class="w"> </span><span class="err">+</span><span class="mi">0000</span><span class="p">]</span><span class="w"> </span><span class="s2">"POST /api/ HTTP/1.1"</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="mi">457</span><span class="w"> </span><span class="mi">13</span><span class="w"> </span><span class="s2">"-"</span><span class="w"> </span><span class="s2">"Vector/0.10.0 (g0f0311a x86_64-unknown-linux-gnu 2020-07-22)"</span><span class="w"> </span><span class="mf">0.002</span><span class="w"> </span><span class="mf">0.000</span><span class="w"> </span><span class="mi">25</span><span class="err">f</span><span class="mi">146</span><span class="err">d</span><span class="mi">2</span><span class="err">aaee</span><span class="mi">0</span><span class="err">d</span><span class="mi">50</span><span class="err">f</span><span class="mi">35</span><span class="err">c</span><span class="mi">4404</span><span class="err">c</span><span class="mi">9</span><span class="err">bb</span><span class="mi">1</span><span class="err">f</span><span class="mi">12</span><span class="w"> </span></code></pre></div> <p>We will need parse them into some structured data like following:<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ip_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"157.245.235.57"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"400"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST /api/ HTTP/1.1"</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p> <br> First step is to use regex parsing to extract these value pairs out of raw log. We will use a regex pattern:<br> </p> <div class="highlight"><pre class="highlight diff"><code><span class="err">^(?P&lt;ip&gt;[\w\.]+)</span> - \[(?P&lt;time&gt;.*)\] "(?P&lt;method&gt;[\w]+) (?P&lt;path&gt;.*) (?P&lt;scheme&gt;.*)/(?P&lt;http_version&gt;.*)" (?P&lt;status&gt;[\d]+) (?P&lt;request_length&gt;[\d]+) (?P&lt;bytes_out&gt;[\d]+) "(?P&lt;referer&gt;.*)" "(?P&lt;agent&gt;.*)" (?P&lt;request_time&gt;.*) (?P&lt;upstream_response_time&gt;.*) (?P&lt;request_id&gt;.*)$ </code></pre></div> <p>This Regex pattern will extract key value pair out of each log line. We will use this Regex pattern to configure a <a href="https://docs.signalflex.io/transforms/functions/parser/regex-parser">SignalFlex Regex transform</a>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OjRp-pGT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/z4eops2quhqhjrmld248.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OjRp-pGT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/z4eops2quhqhjrmld248.gif" alt=""></a></p> <p>SignalFlex makes it easy to define transform logic. You can test transform with example log data.<br>  <br> After Regex parser transformation, an Nginx log event will be a structured JSON like following:<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"_message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"157.245.235.57 - [04/Aug/2020:21:22:00 +0000] </span><span class="se">\"</span><span class="s2">POST /api/ HTTP/1.1</span><span class="se">\"</span><span class="s2"> 200 457 13 </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Vector/0.10.0 (g0f0311a x86_64-unknown-linux-gnu 2020-07-22)</span><span class="se">\"</span><span class="s2"> 0.002 0.000 d88709e784d32b83783838ce67cefd16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Vector/0.10.0 (g0f0311a x86_64-unknown-linux-gnu 2020-07-22)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_out"</span><span class="p">:</span><span class="w"> </span><span class="s2">"13"</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"157.245.235.57"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"referer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d88709e784d32b83783838ce67cefd16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_length"</span><span class="p">:</span><span class="w"> </span><span class="s2">"457"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.002"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scheme"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"04/Aug/2020:21:22:00 +0000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_response_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.000"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>We will notice that values of <code>request_length</code>, <code>request_time</code> and <code>upstream_response_time</code> are string, we need to convert them to number so that they can be aggregated. We can add a <a href="https://docs.signalflex.io/transforms/functions/javascript">SignalFlex JavaScript transform</a> to convert these values to numbers.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7sQgSFxy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/dksx1x479mdthyag0sr6.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7sQgSFxy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/dksx1x479mdthyag0sr6.gif" alt="Alt Text"></a><br>  <br> After applying Regex and JS transform, our log event will look like following, with values of <code>request_length</code>, <code>request_time</code> and <code>upstream_response_time</code> converted to numbers<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"_message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"157.245.235.57 - [04/Aug/2020:21:22:00 +0000] </span><span class="se">\"</span><span class="s2">POST /api/ HTTP/1.1</span><span class="se">\"</span><span class="s2"> 200 457 13 </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Vector/0.10.0 (g0f0311a x86_64-unknown-linux-gnu 2020-07-22)</span><span class="se">\"</span><span class="s2"> 0.002 0.000 d88709e784d32b83783838ce67cefd16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Vector/0.10.0 (g0f0311a x86_64-unknown-linux-gnu 2020-07-22)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_out"</span><span class="p">:</span><span class="w"> </span><span class="s2">"13"</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"157.245.235.57"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"referer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d88709e784d32b83783838ce67cefd16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_length"</span><span class="p">:</span><span class="w"> </span><span class="mi">457</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_time"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.002</span><span class="p">,</span><span class="w"> </span><span class="nl">"scheme"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"04/Aug/2020:21:22:00 +0000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_response_time"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <ul> <li>Route Data to Honeycomb</li> </ul> <p>We now have structured log events, we can send them to Honeycomb where we will aggregate these events and monitor our Nginx service.</p> <p>We can configure our Honeycomb dataset and API key on SignalFlex.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ofJay9ya--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/uffzvfpxq9rx8maovzzk.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ofJay9ya--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/uffzvfpxq9rx8maovzzk.png" alt="Alt Text"></a></p> <ul> <li>Send Data To Pipeline</li> </ul> <p>Now that the log pipeline is ready on SignalFlex, we can start sending logs to it.</p> <p>To collect Nginx logs (<code>/var/log/nginx/access.log</code>) and send to SignalFlex, we can use a lightweight log shipper called <a href="https://vector.dev/">Vector</a>. It will scan Nginx log file and send logs to our SignalFlex pipeline.</p> <ul> <li>Install Vector. </li> </ul> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$curl</span> <span class="nt">--proto</span> <span class="s1">'=https'</span> <span class="nt">--tlsv1</span>.2 <span class="nt">-sSf</span> <span class="o">[</span>https://sh.vector.dev]<span class="o">(</span>https://sh.vector.dev/<span class="o">)</span> | sh </code></pre></div> <ul> <li>Create a Vector configuration file <code>/etc/vector/nginx.toml</code> </li> </ul> <div class="highlight"><pre class="highlight json"><code><span class="err">data_dir</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"/var/lib/vector"</span><span class="w"> </span><span class="p">[</span><span class="err">sources.in</span><span class="p">]</span><span class="w"> </span><span class="err">type</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"file"</span><span class="w"> </span><span class="err">include</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"/var/log/nginx/access.log"</span><span class="p">]</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Output</span><span class="w"> </span><span class="err">data</span><span class="w"> </span><span class="p">[</span><span class="err">sinks.signalflex</span><span class="p">]</span><span class="w"> </span><span class="err">inputs</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"in"</span><span class="p">]</span><span class="w"> </span><span class="err">type</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"http"</span><span class="w"> </span><span class="err">encoding.codec</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"text"</span><span class="w"> </span><span class="err">headers.pipeline</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"${pipeline_id}"</span><span class="w"> </span><span class="err">headers.api_key</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"${api_key}"</span><span class="w"> </span><span class="err">uri</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="s2">"https://alpha.signalflex.io/api/"</span><span class="w"> </span><span class="err">request.timeout_secs</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span></code></pre></div> <p>We will replace <code>pipeline_id</code> and <code>api_key</code> with real values that can be found in SignalFlex settings</p> <ul> <li>Start Vector </li> </ul> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$vector</span> —config /etc/vector/nginx.toml </code></pre></div> <p>We can verify log data are flowing into SignalFlex by looking at pipeline dashboards</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--JU6DjDiv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/5uhrzll005kn1qz51e3a.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--JU6DjDiv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/5uhrzll005kn1qz51e3a.png" alt="Alt Text"></a></p> <h1> Aggregate Request Time </h1> <p>Once data arrive in Honeycomb, we can use a wide range of aggregation methods to deep dive into server health. </p> <ul> <li><p>View Nginx's average request latency<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--tRnuaXvu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8vmii9l3a5w8ytgyajo6.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--tRnuaXvu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/8vmii9l3a5w8ytgyajo6.png" alt="Alt Text"></a></p></li> <li><p>View distribution of request latency<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xL1pEmAH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rgvkqrdn5vb2zn9twr1c.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xL1pEmAH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/rgvkqrdn5vb2zn9twr1c.png" alt="Alt Text"></a><br> As we can see, requests inside yellow rectangle are outlier requests that have higher latency than rest of the requests. We can use Honeycomb's Bubble Up feature to find possible reason that causes high latency.</p></li> <li><p>Bubble Up on request latency and request length<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3am9Z8CH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/905xf2hpc4h8pzres3le.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3am9Z8CH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/905xf2hpc4h8pzres3le.png" alt="Alt Text"></a><br> Bubble up result shows that outlier requests that have high latency also have bigger request length. So it is obvious that big request length cause high request latency.</p></li> </ul> <h1> Conclusion </h1> <p>In this post we have walked through how to use SignalFlex as log pipeline to process Nginx logs and send data to Honeycomb where we can analyze and monitor system status. <br> SignalFlex removes your burden of managing and scaling your own log pipeline. And it allows you to define complex transform logic for you event stream and supports sending data to various log and metrics tools. If this interests you, join the <a href="https://signalflex.io">waitlist</a>!</p> devops showdev nginx logging