winebarrel / fluent-plugin-elb-access-log Goto Github PK

View Code? Open in Web Editor NEW

17.0 5.0 7.0 90 KB

Fluentd input plugin for AWS ELB Access Logs.

License: MIT License

Ruby 100.00%

fluent-plugin-elb-access-log's Introduction

fluent-plugin-elb-access-log

Fluentd input plugin for AWS ELB Access Logs.

Installation

Add this line to your application's Gemfile:

gem 'fluent-plugin-elb-access-log'

And then execute:

$ bundle

Or install it yourself as:

$ gem install fluent-plugin-elb-access-log

Configuration

<source>
  @type elb_access_log
  #aws_key_id YOUR_ACCESS_KEY_ID
  #aws_sec_key YOUR_SECRET_ACCESS_KEY
  #profile PROFILE_NAME
  #credentials_path path/to/credentials_file
  #http_proxy http://...

  account_id 123456789012 # required
  region us-west-1 # required
  s3_bucket BUCKET_NAME # required
  #s3_prefix PREFIX

  #tag elb.access_log
  #tsfile_path /var/tmp/fluent-plugin-elb-access-log.ts
  #histfile_path /var/tmp/fluent-plugin-elb-access-log.history
  #interval 300
  #start_datetime 2015/05/24 17:00
  #buffer_sec 600
  #history_length 100
  #sampling_interval 1
  #debug false
  #elb_type clb # or alb
  #filter elb_status_code:^2,timestamp:^2018
  #filter_operator and # or "or"
  #type_cast true
  #parse_request true
  #split_addr_port true
  #file_filter REGEXP
  #request_separator .
</source>

Outout

CLB

see http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html

{
  "timestamp":"2015-05-24T08:25:36.229576Z",
  "elb":"hoge",
  "client":"14.14.124.20",
  "client_port":52232,
  "backend":"10.0.199.184",
  "backend_port":80,
  "request_processing_time":5.5e-05,
  "backend_processing_time":0.000893,
  "response_processing_time":5.7e-05,
  "elb_status_code":200,
  "backend_status_code":200,
  "received_bytes":0,
  "sent_bytes":3,
  "request":"GET http://hoge-1876938939.ap-northeast-1.elb.amazonaws.com:80/ HTTP/1.1",
  "user_agent":"curl/7.30.0",
  "ssl_cipher":"-",
  "ssl_protocol":"-",
  "request.method":"GET",
  "request.uri":"http://hoge-1876938939.ap-northeast-1.elb.amazonaws.com:80/",
  "request.http_version":"HTTP/1.1",
  "request.uri.scheme":"http",
  "request.uri.user":null,
  "request.uri.host":"hoge-1876938939.ap-northeast-1.elb.amazonaws.com",
  "request.uri.port":80,
  "request.uri.path":"/",
  "request.uri.query":null,
  "request.uri.fragment":null
}

ALB

see http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

{
  "type": "https",
  "timestamp": "2015-05-24T19:55:36.000000Z",
  "elb": "hoge",
  "client_port": 57673,
  "target_port": 80,
  "request_processing_time": 5.3e-05,
  "target_processing_time": 0.000913,
  "response_processing_time": 3.6e-05,
  "elb_status_code": 200,
  "target_status_code": 200,
  "received_bytes": 0,
  "sent_bytes": 3,
  "request": "GET http://hoge-1876938939.ap-northeast-1.elb.amazonaws.com:80/ HTTP/1.1",
  "user_agent": "curl/7.30.0",
  "ssl_cipher": "ssl_cipher",
  "ssl_protocol": "ssl_protocol",
  "target_group_arn": "arn:aws:elasticloadbalancing:ap-northeast-1:123456789012:targetgroup/app/xxx",
  "trace_id": "Root=xxx",
  "domain_name": "-",
  "chosen_cert_arn": "arn:aws:acm:ap-northeast-1:123456789012:certificate/xxx",
  "client": "14.14.124.20",
  "target": "10.0.199.184",
  "request.method": "GET",
  "request.uri": "http://hoge-1876938939.ap-northeast-1.elb.amazonaws.com:80/",
  "request.http_version": "HTTP/1.1",
  "request.uri.scheme": "http",
  "request.uri.user": null,
  "request.uri.host": "hoge-1876938939.ap-northeast-1.elb.amazonaws.com",
  "request.uri.port": 80,
  "request.uri.path": "/",
  "request.uri.query": null,
  "request.uri.fragment": null
}

fluent-plugin-elb-access-log's People

Contributors

Stargazers

Watchers

Forkers

michiomochi cosmo0920 jurassic-c ujun mozamimy nibrown hfm

fluent-plugin-elb-access-log's Issues

Request parse error brings down plugin

2015-06-01 19:10:53 +0000 [info]: plugin/out_elasticsearch.rb:67:client: Connection opened to Elasticsearch cluster => {:host=>"localhost", :port=>9200, :scheme=>"http"}
2015-06-01 19:12:25 +0000 [warn]: plugin/in_elb_access_log.rb:228:rescue in parse_request!: undefined method `scheme' for nil:NilClass:
2015-06-01 19:12:25 +0000 [error]: plugin/in_elb_access_log.rb:284:rescue in on_timer: undefined method `split' for nil:NilClass
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:208:in `split_address_port!'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:172:in `block in emit_access_log'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:165:in `each'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:165:in `emit_access_log'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:133:in `block (3 levels) in fetch'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:123:in `each'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:123:in `block (2 levels) in fetch'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/aws-sdk-core-2.0.47/lib/aws-sdk-core/pageable_response.rb:77:in `each'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:122:in `block in fetch'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:121:in `each'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:121:in `fetch'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:86:in `block in start'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:282:in `call'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:282:in `on_timer'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/cool.io-1.3.0/lib/cool.io/loop.rb:88:in `run_once'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/cool.io-1.3.0/lib/cool.io/loop.rb:88:in `run'
  2015-06-01 19:12:25 +0000 [error]: cool.io/loop.rb:88:run: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:112:in `run'

Once I see this the plugin basically stops. I guess it fails to parse a log line. Any ideas?

Invalid port number on some logs

Seeing at random the following error message appearing in the logs:
2019-12-24 18:45:41 +0000 [warn]: #0 Invalid port number: "443-": http://ca-elb-webservers-xyzfwgh12.ca-central-1.elb.amazonaws.com:443-

Version information:
2019-12-24 18:44:22 +0000 [info]: starting fluentd-1.3.3 pid=11556 ruby="2.4.5"
2019-12-24 18:44:23 +0000 [info]: gem 'fluent-plugin-elb-access-log' version '0.6.1'
2019-12-24 18:44:23 +0000 [info]: gem 'fluentd' version '1.3.3'

Error occurs when are using the AWS SDK 2.1.1

td-agent 0.12.7
aws-sdk (2.1.1)
aws-sdk-core (2.1.1)
aws-sdk-resources (2.1.1)
fluent-plugin-elb-access-log (0.2.4)

2015-06-21 03:09:02 +0000 [error]: undefined method `each' for #<Aws::S3::Types::GetObjectOutput:0x007f37723d8668>
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/aws-sdk-core-2.1.1/lib/seahorse/client/response.rb:79:in `first'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/aws-sdk-core-2.1.1/lib/seahorse/client/response.rb:79:in `method_missing'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:132:in `block (3 levels) in fetch'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:123:in `each'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:123:in `block (2 levels) in fetch'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/aws-sdk-core-2.1.1/lib/aws-sdk-core/pageable_response.rb:75:in `each'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:122:in `block in fetch'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:121:in `each'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:121:in `fetch'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:86:in `block in start'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:282:in `call'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:282:in `on_timer'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/cool.io-1.3.0/lib/cool.io/loop.rb:88:in `run_once'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/cool.io-1.3.0/lib/cool.io/loop.rb:88:in `run'
  2015-06-21 03:09:02 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-elb-access-log-0.2.4/lib/fluent/plugin/in_elb_access_log.rb:112:in `run'

Missing .gz support

I troubleshooted this plugin because it didn't do anything and didn't log anything at all (even with debug output)

          if logfile_suffix !~ /\.log\z/ or logfile_datetime <= (timestamp - @buffer_sec)
            next
          end

It turned out there's no .gz support and it's just ignoring all files ending instead.

Having some parsing issues

Kibana log:
2018-08-22 14:45:40 +0000 [warn]: dump an error event: error_class=Fluent::ElasticsearchErrorHandler::ElasticsearchError error="400 - Rejected by Elasticsearch" location=nil tag="alb.access_log" time=1534948200 record={"type"=>"h2", "timestamp"=>"2018-08-22T14:30:00.877337Z", "elb"=>"app/XXXXXXXXXXXXXXXXXXXX", "client_port"=>38732, "target_port"=>32079, "request_processing_time"=>0.001, "target_processing_time"=>0.041, "response_processing_time"=>0.0, "elb_status_code"=>200, "target_status_code"=>200, "received_bytes"=>628, "sent_bytes"=>1481, "request"=>"GET https://XXXXXXXXXXXXX.us-east-1.elb.amazonaws.com:443/faq/ HTTP/2.0", "user_agent"=>"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "ssl_cipher"=>"ECDHE-RSA-AES128-GCM-SHA256", "ssl_protocol"=>"TLSv1.2", "target_group_arn"=>"arn:aws:elasticloadbalancing:us-east-1:XXXXXXXXXXX:targetgroup/XXXXXX-8000/XXXXXXXXX", "trace_id"=>"Root=1-5b7d7368-XXXXXXXXX", "domain_name"=>"XXXXXXXXXXXXXXXXXXX.us-east-1.elb.amazonaws.com", "chosen_cert_arn"=>"session-reused", "client"=>"XX.36.XXX.52", "target"=>"XX.XX.129.78", "request.method"=>"GET", "request.uri"=>"https://XXXXXX.us-east-1.elb.amazonaws.com:443/faq/", "request.http_version"=>"HTTP/2.0", "request.uri.scheme"=>"https", "request.uri.user"=>nil, "request.uri.host"=>"XXXXXXXXXXXXXXX.us-east-1.elb.amazonaws.com", "request.uri.port"=>443, "request.uri.path"=>"/faq/", "request.uri.query"=>nil, "request.uri.fragment"=>nil}

My config looks like this:

<source>
     @type elb_access_log
     aws_key_id XXXXXXXXXXXX
     aws_sec_key XXXXXXXXXXX

     account_id XXXXXXXX # required
     region us-east-1 # required
     s3_bucket XXXXXXXXX # required

     tag alb.access_log
     
     interval 300
     
     elb_type alb # or clb
     
     parse_request true
     split_addr_port true
   </source>

Any ideas why im not getting the fields properly?