diff --git a/.github/workflows/gh-page.yml b/.github/workflows/gh-page.yml index d2a5941a..c4a17df1 100644 --- a/.github/workflows/gh-page.yml +++ b/.github/workflows/gh-page.yml @@ -17,14 +17,14 @@ jobs: - name: Setup Python uses: actions/setup-python@v2 with: - python-version: '3.8' + python-version: '3.9' - name: Install dependencies run: | - python3 -m pip install mkdocs # install mkdocs - python3 -m pip install mkdocs-material # install material theme - python3 -m pip install mkdocs-macros-plugin # install macros plugin - python3 -m pip install mkdocs-include-markdown-plugin # install include-markdown + python3 -m pip install mkdocs==1.3.1 # install mkdocs + python3 -m pip install mkdocs-material==8.5.3 # install material theme + python3 -m pip install mkdocs-macros-plugin==0.7.0 # install macros plugin + python3 -m pip install mkdocs-include-markdown-plugin==3.8.1 # install include-markdown - name: Build mkdocs run: | diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a70ebac..7b0857a9 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,21 +1,78 @@ # Change Log + All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [1.0.3] - 2023-06-28 +## [2.0.0] - 2023-08-22 + +### Added + +- Log ingestion from S3 bucket to support more log sources #89 +- Show logs and metrics of the log analytics pipelines #112 +- Quickly enable alarms on log ingestion pipeline #113 +- Show the AWS resource changes when importing AOS using automatic networking mode #53 +- Log Agent Installation: Support of agent installation on AL2023 instances #88 +- Support of multi-AZ standby enabled OpenSearch cluster when creating log pipelines #170 +- Instance Group: Show error message on the console when the installation of log agent fails #169 +- Support same index name in different OpenSearch clusters #166 +- Installation: refresh the aws-exports.json once update the CloudFormation input parameters #161 +- Application log pipeline: Add a step to choose Log Config during the application pipeline creation steps #159 +- Log Agent: Auto rotation of Fluent Bit log file #158 +- Instance group: Add an option to attach IAM policies to Instance Group managed EC2 instances automatically #151 +- Domain management: Check the prerequisites of OpenSearch clusters before import OpenSearch clusters #148 +- Support ingest WAF (associate with CloudFront) sampled logs to OpenSearch in other regions except us-east-1 #129 + +### Fixed + +- Log Config: Time key in Fluent Bit config for Spring Boot should be time type instead of None #71 +- EventBridge will be disabled automatically if deleting instances in instance group #164 +- Log Config should not be created without Regex/Log Format #163 +- Lack of region check before creating WAF log pipeline #162 +- The Fluent bit configuration file generated in sidecar deployment option has a wrong shared volume #160 +- S3 
access log dashboard: 5xx Code description is covered #157 +- S3 access log dashboard: The Average Time Unit should be milliseconds #155 +- Cross-account: Unable to get instance list and create instance group in CN region #156 +- The OpenSearch information (e.g., version, data nodes) is not updated automatically after customer upgraded the cluster #150 +- Cannot differentiate the Lambda for different AWS Service log pipeline based on Lambda description #146 +- Fix data lost when cannot find the location with IP address using MaxMind database #126 +- Syslog: Fix port conflict when adding & deleting new log source in parallel #174 + +### Changed + +- Minimize the permissions of EC2 log ingestion IAM role #154 +- Minimize the privileges of cross-account access role #153 +- Soft delete when removing OpenSearch domain #152 +- Save ALB access logs of Nginx based proxy to S3 bucket #149 +- Code refactor: DynamoDB design optimization and GraphQL API design optimization #147 +- Minimize security group egress of the provisioned ECS #145 +- WAF dashboard: Cannot filter results using `nonTerminatingMatchingRules.action` field #144 + +### Removed + +- Domain management: Remove the support of Elasticsearch engine #176 + +## [1.0.3] - 2023-06-27 + ### Fixed -- Fix the processor Lambda function urllib3 version issue + +- Fix the processor Lambda function urllib3 version issue #138 ## [1.0.2] - 2023-06-21 + ### Fixed -- Fix the EKS Fluent-Bit deployment configuration generation issue + +- Support generation of Kubernetes YAML configuration file for EKS 1.24~1.27 #133 ## [1.0.1] - 2023-04-17 + ### Fixed + - Fix deployment failure due to S3 ACL changes ## [1.0.0] - 2023-03-16 + ### Added + - All files, initial version diff --git a/NOTICE.txt b/NOTICE.txt index cf32743b..4d91c8cf 100755 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -11,11 +11,116 @@ THIRD PARTY COMPONENTS ********************** This software includes third party software subject to the following copyrights: -AWS SDK under the Apache License Version 2.0 -user-agents under the Apache License Version 2.0 -maxminddb under the Apache License Version 2.0 -requests-aws4auth under the Apache License Version 2.0 -urllib3 under the MIT License -requests under the Apache License Version 2.0 +awscli under the Apache License Version 2.0 boto3 under the Apache License Version 2.0 -botocore under the Apache License Version 2.0 \ No newline at end of file +botocore under the Apache License Version 2.0 +defusedxml under the Python Software Foundation License +py-serializable under the Apache License Version 2.0 +pathable under the Apache License Version 2.0 (details in this link: https://github.com/p1c2u/pathable/blob/master/LICENSE) +Jinja2 under the BSD-3-Clause +MarkupSafe under the BSD-3-Clause +Werkzeug under the BSD-3-Clause +attrs under the MIT License +cffi under the MIT License +colorama under the BSD License +coverage under the Apache License Version 2.0 +cryptography under the Apache License Version 2.0 or OR BSD-3-Clause +docker under the Apache License Version 2.0 +docutils under BSD License, GNU General Public License (GPL), Python Software Foundation License, Public Domain (public domain, Python, BSD-2-Clause, GPL 3(see https://docutils.sourceforge.io/COPYING.txt)) +flake8 under the MIT License +iniconfig under the MIT License +ipaddr under the Apache License Version 2.0 +jmespath under the MIT License +jsonschema-spec under the Apache License Version 2.0 +lazy-object-proxy under the BSD-2-Clause +maxminddb under the Apache License Version 2.0 +mccabe under the MIT License +moto under the Apache License Version 2.0 +openapi-schema-validator under the BSD-3-Clause +pluggy under the MIT License +pyOpenSSL under the Apache License Version 2.0 +pyasn1 under the BSD-2-Clause +pycodestyle under the MIT License +pycparser under the 
BSD License +pydantic under the MIT License +pyflakes under the MIT License +pyrsistent under the MIT License +pytest under the MIT License +pytest-cov under the MIT License +pytest-mock under the MIT License +python-dateutil under Apache Software License, BSD License (Dual License) +requests-aws4auth under the MIT License +requests-mock under the Apache License Version 2.0 +responses under the Apache License Version 2.0 +rfc3339-validator under the MIT License +rsa under the Apache License Version 2.0 +s3transfer under the Apache License Version 2.0 +types-PyYAML under the Apache License Version 2.0 +typing_extensions under Python Software Foundation License +ua-parser under the Apache License Version 2.0 +user-agents under the MIT License +websocket-client under the Apache License Version 2.0 +xmltodict under the MIT License +@aws-cdk/aws-appsync-alpha under the Apache License Version 2.0 +@aws-cdk/aws-kinesisfirehose-alpha under the Apache License Version 2.0 +@aws-cdk/aws-kinesisfirehose-destinations-alpha under the Apache License Version 2.0 +@aws-solutions-constructs/aws-cloudfront-s3 under the Apache License Version 2.0 +@typescript-eslint/eslint-plugin under the MIT License +@typescript-eslint/parser under the BSD-2-Clause +eslint under the MIT License +eslint-config-prettier under the MIT License +eslint-import-resolver-node under the MIT License +eslint-import-resolver-typescript under the ISC License +eslint-plugin-import under the MIT License +eslint-plugin-prettier under the MIT License +aws-cdk under the Apache License Version 2.0 +aws-cdk-lib under the Apache License Version 2.0 +cdk-nag under the Apache License Version 2.0 +source-map-support under the MIT License +fs under the MIT License +exceptiongroup under the MIT License +tomli under MIT License +@apollo/client under the MIT License +@aws-amplify/ui-components under the Apache License Version 2.0 +@aws-amplify/ui-react under the Apache License Version 2.0 +@material-ui/core under the MIT 
License +@material-ui/icons under the MIT license +@material-ui/lab under the MIT License +@testing-library/jest-dom under the MIT License +@testing-library/react under the MIT License +@testing-library/user-event under the MIT License +@types/jest under the MIT License +@types/node under the MIT License +@types/react under the MIT License +@types/react-dom under the MIT License +amplify under the MIT License +apexcharts under the MIT License +apollo-link under the MIT License +aws-amplify under the Apache License Version 2.0 +aws-appsync-auth-link under the Apache License Version 2.0 +aws-appsync-subscription-link under the Apache License Version 2.0 +axios under the MIT License +classnames under the MIT License +date-fns under the MIT License +graphql-tag under the MIT License +i18next under the MIT License +i18next-browser-languagedetector under the MIT License +i18next-http-backend under the MIT License +lodash.clonedeep under the MIT License +moment under the MIT License +node-sass under the Apache License Version 2.0 +oidc-client-ts under the Apache License Version 2.0 +react under the MIT License +react-apexcharts under the MIT License +react-copy-to-clipboard under the MIT License +react-dom under the MIT License +react-i18next under the MIT License +react-minimal-datetime-range under the MIT License +react-oidc-context under the MIT License +react-redux under the MIT License +react-router-dom under the MIT License +redux under the MIT License +sweetalert2 under the MIT License +typescript under the Apache License Version 2.0 +web-vitals under the Apache License Version 2.0 +notice-js under the MIT-0 diff --git a/README.md b/README.md index a0495911..0ae1b227 100755 --- a/README.md +++ b/README.md 
@@ -4,11 +4,13 @@ The Centralized Logging with OpenSearch solution provides comprehensive log mana ## Table of content -- [Solution Overview](#solution-overview) -- [Architecture](#architecture) -- [Deployment](#deployment) -- [Customization](#customization) -- [License](#License) +- [Centralized Logging with OpenSearch](#centralized-logging-with-opensearch) + - [Table of content](#table-of-content) + - [Solution Overview](#solution-overview) + - [Architecture](#architecture) + - [Deployment](#deployment) + - [Customization](#customization) + - [Collection of operational metrics](#collection-of-operational-metrics) ## Solution Overview @@ -17,9 +19,9 @@ The solution has the following features: - **All-in-one log ingestion**: provides a single web console to ingest both application logs and AWS service logs into the Amazon OpenSearch (AOS) domains. -- **Codeless log processor**: supports log processor plugins developed by AWS. You are allowed to enrich the raw log data through a few clicks on the web console. +- **Codeless log processor**: supports log processor plugins developed by AWS. You are allowed to enrich the raw log data through a few clicks on the web console. -- **Out-of-box dashboard template**: offers a collection of reference designs of visualization templates, for both commonly used software such as Nginx and Apache HTTP Server, and AWS services such as Amazon S3 and Amazon CloudTrail. +- **Out-of-box dashboard template**: offers a collection of reference designs of visualization templates, for both commonly used software such as Nginx and Apache HTTP Server, and AWS services such as Amazon S3 and Amazon CloudTrail. 
@@ -40,7 +42,11 @@ Please follow the [Implementation Guide](https://docs.aws.amazon.com/solutions/l Please follow the [Customization Guide](CUSTOM_BUILD.md) for custom build. -## License +## Collection of operational metrics + +This solution collects anonymous operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/centralized-logging-with-opensearch/collection-of-operational-metrics.html). + +*** Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. diff --git a/deployment/build-s3-dist.sh b/deployment/build-s3-dist.sh index 005b0058..4b990e10 100755 --- a/deployment/build-s3-dist.sh +++ b/deployment/build-s3-dist.sh 
@@ -276,31 +276,6 @@ echo "${bold}[Create] Templates${normal}" echo "------------------------------------------------------------------------------" if fn_exists create_template_${template_format}; then - rm -vf ./lambda/api/app_pipeline/common.py - rm -vf ./lambda/api/app_log_ingestion/common.py - rm -vf ./lambda/api/app_log_ingestion/util/aws_svc_mgr.py - rm -vf ./lambda/api/app_log_ingestion/aws_svc_mgr.py - rm -vf ./lambda/api/pipeline/aws_svc_mgr.py - rm -vf ./lambda/api/log_agent_status/aws_svc_mgr.py - rm -vf ./lambda/api/instance_meta/aws_svc_mgr.py - rm -vf ./lambda/api/instance_group/aws_svc_mgr.py - rm -vf ./lambda/api/resource/aws_svc_mgr.py - rm -vf ./lambda/api/eks_cluster/aws_svc_mgr.py - rm -vf ./lambda/main/cfnHelper/aws_svc_mgr.py - - cp -vf ./lambda/pipeline/service/log-processor/../../common/custom-resource/boto3_client.py ./lambda/pipeline/service/log-processor/boto3_client.py - cp -vf ./lambda/api/app_pipeline/../common/common.py ./lambda/api/app_pipeline/common.py - cp -vf ./lambda/api/app_log_ingestion/../common/common.py ./lambda/api/app_log_ingestion/common.py - cp -vf ./lambda/api/pipeline/../common/aws_svc_mgr.py ./lambda/api/pipeline/aws_svc_mgr.py - cp -vf ./lambda/api/instance_group/../common/aws_svc_mgr.py ./lambda/api/instance_group/aws_svc_mgr.py - cp -vf ./lambda/api/app_log_ingestion/../common/aws_svc_mgr.py ./lambda/api/app_log_ingestion/aws_svc_mgr.py - cp -vf ./lambda/api/log_agent_status/../common/aws_svc_mgr.py ./lambda/api/log_agent_status/aws_svc_mgr.py - cp -vf ./lambda/api/instance_meta/../common/aws_svc_mgr.py ./lambda/api/instance_meta/aws_svc_mgr.py - cp -vf ./lambda/api/resource/../common/aws_svc_mgr.py ./lambda/api/resource/aws_svc_mgr.py - cp -vf ./lambda/api/eks_cluster/../common/aws_svc_mgr.py ./lambda/api/eks_cluster/aws_svc_mgr.py - cp -vf ./lambda/main/cfnHelper/../../api/common/aws_svc_mgr.py ./lambda/main/cfnHelper/aws_svc_mgr.py - - create_template_${template_format} else echo "Invalid setting for 
\$template_format: $template_format" diff --git a/deployment/cdk-solution-helper/package.json b/deployment/cdk-solution-helper/package.json index 89fac67a..a523255c 100755 --- a/deployment/cdk-solution-helper/package.json +++ b/deployment/cdk-solution-helper/package.json @@ -1,6 +1,8 @@ { "name": "cdk-solution-helper", + "description": "cdk solution helper", "version": "0.1.0", + "license": "Apache-2.0", "devDependencies": { "fs": "0.0.1-security" }, diff --git a/deployment/run-unit-tests.sh b/deployment/run-unit-tests.sh new file mode 100644 index 00000000..082e4bcd --- /dev/null +++ b/deployment/run-unit-tests.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# +# You can remove this script if you do NOT have unit test. +# +# This script should be run from the repo's deployment directory +# cd deployment +# ./run-unit-tests.sh +# +source_template_dir="$PWD" +cd $source_template_dir/../source +./run-all-tests.sh \ No newline at end of file diff --git a/docs/en/images b/docs/en/images deleted file mode 120000 index 5e675731..00000000 --- a/docs/en/images +++ /dev/null @@ -1 +0,0 @@ -../images \ No newline at end of file diff --git a/docs/en/images b/docs/en/images new file mode 100644 index 00000000..5e675731 --- /dev/null +++ b/docs/en/images @@ -0,0 +1 @@ +../images \ No newline at end of file diff --git a/docs/en/implementation-guide/alarm.md b/docs/en/implementation-guide/alarm.md new file mode 100644 index 00000000..5deed572 --- /dev/null +++ b/docs/en/implementation-guide/alarm.md 
@@ -0,0 +1,37 @@ +There are different types of log alarms: log processor alarms, buffer layer alarms, and source alarms (only for application log pipeline). The alarms will be triggered when the defined condition is met. + +| Log alarm type | Log alarm condition | Description | +| -------------------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Log processor alarms | Error invocation # >= 10 for 5 minutes, 1 consecutive time | When the number of log processor Lambda error calls is greater than or equal to 10 within 5 minutes (including 5 minutes), an email alarm will be triggered. | +| Log processor alarms | Failed record # >= 1 for 1 minute, 1 consecutive time | When the number of failed records is greater than or equal to 1 within a 1-minute window, an alarm will be triggered. | +| Log processor alarms | Average execution duration in last 5 minutes >= 60000 milliseconds | In the last 5 minutes, when the average execution time of log processor Lambda is greater than or equal to 60 seconds, an email alarm will be triggered. | +| Buffer layer alarms | SQS Oldest Message Age >= 30 minutes | When the age of the oldest SQS message is greater than or equal to 30 minutes, it means that the message has not been consumed for at least 30 minutes, an email alarm will be triggered. | +| Source alarms (only for application log pipeline) | Fluent Bit output_retried_record_total >= 100 for last 5 minutes | When the total number of retry records output by Fluent Bit in the past 5 minutes is greater than or equal to 100, an email alarm will be triggered. | + +You can choose to enable log alarms or disable them according to your needs. + +## Enable log alarms + +1. Sign in to the Centralized Logging with OpenSearch console. + +2. 
In the left navigation bar, under **Log Analytics Pipelines**, choose **AWS Service Log** or **Application Log**. + +3. Select the log pipeline created and choose **View details**. + +4. Select the **Alarm** tab. + +5. Switch on **Alarms** if needed and select an exiting SNS topic. + +6. If you choose **Create a new SNS topic**, you need to provide email address for the newly-created SNS topic to notify. + +## Disable log alarms + +1. Sign in to the Centralized Logging with OpenSearch console. + +2. In the left navigation bar, under **Log Analytics Pipelines**, choose **AWS Service Log** or **Application Log**. + +3. Select the log pipeline created and choose **View details**. + +4. Select the **Alarm** tab. + +5. Switch off **Alarms**. \ No newline at end of file diff --git a/docs/en/implementation-guide/applications/apache.md b/docs/en/implementation-guide/applications/apache.md index 15db281e..5c2b3b70 100644 --- a/docs/en/implementation-guide/applications/apache.md +++ b/docs/en/implementation-guide/applications/apache.md 
@@ -45,14 +45,38 @@ For Apache HTTP server logs, Centralized Logging with OpenSearch will create a b 2. Go to **Dashboard** section in the left sidebar. 3. Find the dashboard whose name starts with ``. -## Sample Dashboard +## View dashboard + +The dashboard includes the following visualizations. + +| Visualization Name | Source Field | Description | +| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Total Request | log event | Displays aggregated events within a specified time interval. | +| Status Codes | status | Displays the distribution of HTTP response codes served by the Apache web server over a selected time period. | +| Access History | log event | Shows a historical log of all requests handled by the Apache web server, visualized using a bar chart. This allows administrators to analyze traffic volumes and patterns over time. | +| Unique Visitors | remote_addr | Provides an estimation of the total number of users or devices accessing the Apache server for repeated visits from the same IP. | +| Status Code Metric | status | Displays the distribution of HTTP response codes served by the Apache server over a period of time. | +| Top Access Paths | request_uri | Shows the most frequently requested URLs on the Apache server over a selected time period. | +| Top Client IPs | | Displays the 10 source IP addresses generating the highest number of requests received by the Apache server during a selected time period. 
| +| Bandwidth | response_size_bytes | Tracks the volume of data transferred from the Apache server to clients over a selected time period. | +| Top Agents | http_user_agent | Provides a snapshot of the visitor profile. The data guides decisions to better serve core audiences. | +| Http Methods | request_method | Presents a pie chart that shows the distribution of request methods handled by the Apache server during a selected time period. | +| Top Access URIs | request_uri | Shows the most frequently hit URI paths handled by Apache during a selected period. | +| Top Referers | http_referer | Referers are the URLs of pages that link to requests for the application. Tracking referers reveals the primary external sources of visits and engagement. | +| Bandwidth History | response_size_bytes | Shows the historical trend of the data transfer activities by the Apache server to clients. | +| Apache Error Log | | Provides a detailed record of errors encountered by the web server. | +| Apache Log Examples | | A quick entry for interpreting Apache access and error logs. | + + +### Sample Dashboard -[![nginx-1]][nginx-1] -[![nginx-2]][nginx-2] +{% +include-markdown "../include-dashboard.md" +%} +[![apache]][apache] -[nginx-1]: ../../images/dashboards/nginx-1.png -[nginx-2]: ../../images/dashboards/nginx-2.png +[apache]: ../../images/dashboards/apache.png [apache-http-logs]: https://httpd.apache.org/docs/2.4/logs.html diff --git a/docs/en/implementation-guide/applications/create-applog-pipeline.md b/docs/en/implementation-guide/applications/create-applog-pipeline.md index 95686558..fc4b1484 100644 --- a/docs/en/implementation-guide/applications/create-applog-pipeline.md +++ b/docs/en/implementation-guide/applications/create-applog-pipeline.md 
@@ -1,12 +1,156 @@ + +#### Instance Group as Log Source + +1. Sign in to the Centralized Logging with OpenSearch Console. + +2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. + +3. Choose Instance Group as **Log Source**. + +4. Select the instance group you have created, + +5. (Auto Scaling Group only) If your instance group is created based on an Auto Scaling Group, after ingestion status become "Created", then you can find the generated Shell Script in the instance group's detail page. Copy the shell script and update the User Data of the Auto Scaling [Launch configurations](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-configurations.html) or [Launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html). + +6. Choose the **Permission grant method**. If you choose **I will manually add the below required permissions after pipeline creation**, you have to click **Expand to view required permissions** and copy the provided JSON policy. + +7. Go to **AWS Console > IAM > Policies** on the left column, and + + 1. Choose **Create Policy**, choose **JSON** and replace all the content inside the text block. Remember to substitute `` with your account id. + + 2. Choose **Next**, **Next**, then enter the name for this policy. + + 3. Attach the policy to your EC2 instance profile to grant the log agent permissions to send logs to the application log pipeline. If you are using Auto Scaling group, you need to update the IAM instance profile associated with the Auto Scaling Group. If needed, you can follow the documentation to update your [launch template][launch-template] or [launch configuration][launch-configuration]. + +8. Input **Log Path** and select the log config created in previous setup, choose **Next**. + +9. Specify **Index name** in lowercase. + +10. In the **Buffer** section, choose **S3** or **Kinesis Data Streams**. If you don't want the buffer layer, choose **None**. 
Refer to the [Log Buffer](./index.md#log-buffer) for more information about choosing the appropriate buffer layer. + + * S3 buffer parameters + + | Parameter | Default | Description | + | ---------------------------- | ------------------------------------------------ | ------------------------------------------------------------ | + | S3 Bucket | *A log bucket will be created by the solution.* | You can also select a bucket to store the log data. | + | S3 Bucket Prefix | `AppLogs//year=%Y/month=%m/day=%d` | The log agent appends the prefix when delivering the log files to the S3 bucket. | + | Buffer size | 50 MiB | The maximum size of log data cached at the log agent side before delivering to S3. For more information, see [Data Delivery Frequency](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency). | + | Buffer interval | 60 seconds | The maximum interval of the log agent to deliver logs to S3. For more information, see [Data Delivery Frequency](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency). | + | Compression for data records | `Gzip` | The log agent compresses records before delivering them to the S3 bucket. | + + * Kinesis Data Streams buffer parameters + + | Parameter | Default | Description | + | -------------------- | ------------------ | ------------------------------------------------------------ | + | Shard number | `` | The number of shards of the Kinesis Data Streams. Each shard can have up to 1,000 records per second and total data write rate of 1MB per second. | + | Enable auto scaling | `No` | This solution monitors the utilization of Kinesis Data Streams every 5 minutes, and scale in/out the number of shards automatically. The solution will scale in/out for a maximum of 8 times within 24 hours. | + | Maximum Shard number | `` | Required if auto scaling is enabled. The maximum number of shards. | + + !!! 
important "Important" + You may observe duplicate logs in OpenSearch if threshold error occurs in Kinesis Data Streams (KDS). This is because the Fluent Bit log agent uploads logs in [chunk](https://docs.fluentbit.io/manual/administration/buffering-and-storage#chunks-memory-filesystem-and-backpressure) (contains multiple records), and will retry the chunk if upload failed. Each + KDS shard can support up to 1,000 records per second for writes, up to a maximum total data write rate of 1 MB per second. Please estimate your log volume and choose an appropriate shard number. + +11. Choose **Next**. + +12. In the **Specify OpenSearch domain** section, select an imported domain for **Amazon OpenSearch domain**. + +13. In the **Log Lifecycle** section, enter the number of days to manage the Amazon OpenSearch Service index lifecycle. The Centralized Logging with OpenSearch will create the associated [Index State Management (ISM)](https://opensearch.org/docs/latest/im-plugin/ism/index/) policy automatically for this pipeline. + +14. Choose **Next**. + +15. Enable **Alarms** if needed and select an exiting SNS topic. If you choose **Create a new SNS topic**, please provide a name and an email address for the new SNS topic. + +16. Add tags if needed. + +17. Choose **Create**. + +18. Wait for the application pipeline turning to "Active" state. + + + + +### Amazon EKS Cluster as Log Source + +1. Sign in to the Centralized Logging with OpenSearch Console. + +2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. + +3. Choose the AWS account at which the log is stored and the EKS Cluster that has been imported as Log Source during the **Prerequisites**. + +4. Enter the location of the log files. + +5. Select the log config created in previous setup, and choose **Next**. + +6. Specify **Index name** in lowercase. + +7. In the **Buffer** section, choose **S3** or **Kinesis Data Streams**. If you don't want the buffer layer, choose **None**. 
Refer to the [Log Buffer](./index.md#log-buffer) for more information about choosing the appropriate buffer layer. + + * S3 buffer parameters + + | Parameter | Default | Description | + | ---------------------------- | ------------------------------------------------ | ------------------------------------------------------------ | + | S3 Bucket | *A log bucket will be created by the solution.* | You can also select a bucket to store the log data. | + | S3 Bucket Prefix | `AppLogs//year=%Y/month=%m/day=%d` | The log agent appends the prefix when delivering the log files to the S3 bucket. | + | Buffer size | 50 MiB | The maximum size of log data cached at the log agent side before delivering to S3. For more information, see [Data Delivery Frequency](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency). | + | Buffer interval | 60 seconds | The maximum interval of the log agent to deliver logs to S3. For more information, see [Data Delivery Frequency](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency). | + | Compression for data records | `Gzip` | The log agent compresses records before delivering them to the S3 bucket. | + + * Kinesis Data Streams buffer parameters + + | Parameter | Default | Description | + | -------------------- | ------------------ | ------------------------------------------------------------ | + | Shard number | `` | The number of shards of the Kinesis Data Streams. Each shard can have up to 1,000 records per second and total data write rate of 1MB per second. | + | Enable auto scaling | `No` | This solution monitors the utilization of Kinesis Data Streams every 5 minutes, and scale in/out the number of shards automatically. The solution will scale in/out for a maximum of 8 times within 24 hours. | + | Maximum Shard number | `` | Required if auto scaling is enabled. The maximum number of shards. | + + !!! 
important "Important" + You may observe duplicate logs in OpenSearch if threshold error occurs in Kinesis Data Streams (KDS). This is because the Fluent Bit log agent uploads logs in [chunk](https://docs.fluentbit.io/manual/administration/buffering-and-storage#chunks-memory-filesystem-and-backpressure) (contains multiple records), and will retry the chunk if upload failed. Each + KDS shard can support up to 1,000 records per second for writes, up to a maximum total data write rate of 1 MB per second. Please estimate your log volume and choose an appropriate shard number. + +8. Choose **Next**. + +9. In the **Specify OpenSearch domain** section, select an imported domain for **Amazon OpenSearch domain**. + +10. In the **Log Lifecycle** section, enter the number of days to manage the Amazon OpenSearch Service index lifecycle. The Centralized Logging with OpenSearch will create the associated [Index State Management (ISM)](https://opensearch.org/docs/latest/im-plugin/ism/index/) policy automatically for this pipeline. + +11. Choose **Next**. + +12. Enable **Alarms** if needed and select an exiting SNS topic. If you choose **Create a new SNS topic**, please provide a name and an email address for the new SNS topic. + +13. Add tags if needed. + +14. Choose **Create** to finish creating an ingestion. + +15. Wait for the application pipeline turning to "Active" state. + +16. Deploy Fluent Bit log agent following the guide generated by Centralized Logging with OpenSearch. + + 1. Select the application pipeline created in previous setup + + 2. Select the App Log Ingestion just created. + + 3. Follow **DaemonSet** or **Sidecar** Guide to deploy the log agent. + + + + +### Amazon S3 as Log Source 1. Sign in to the Centralized Logging with OpenSearch Console. 2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. -3. Click the **Create a pipeline**. +3. Choose Amazon S3 as **Log Source**. + +4. 
Choose the S3 bucket where your logs are stored and enter **Prefix filter** (note that **Prefix filter** is optional). + +5. Choose **Ingestion mode** based on your need. If you want to ingest the log continuously, select **On-going**; If you only need to ingest the log once, select **One-time**. + +6. Specify **Compression format** if your log files are compressed. + +7. Select the log config created in the previous setup, and choose **Next**. -4. Specify **Index name** in lowercase. +8. Specify **Index name** in lowercase. -5. In the **Buffer** section, choose **S3** or **Kinesis Data Streams**. If you don't want the buffer layer, choose **None**. Refer to the [Log Buffer](./index.md#log-buffer) for more information about choosing the appropriate buffer layer. +9. In the **Buffer** section, choose **S3** or **Kinesis Data Streams**. If you don't want the buffer layer, choose **None**. Refer to the [Log Buffer](./index.md#log-buffer) for more information about choosing the appropriate buffer layer. * S3 buffer parameters 
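Review bot: In the added step 12 just ahead of the "Amazon S3 as Log Source" heading ("Enable **Alarms** if needed and select an exiting SNS topic"), "exiting" should be "existing", and step 15 would read better as "Wait for the application pipeline to turn to the "Active" state". The S3 and Kinesis Data Streams buffer tables and the KDS duplicate-logs admonition are also added here as a full copy of a block the file already carries in the following section. The docs already use include-markdown elsewhere, so consider moving that block into one included file so that the stated defaults (50 MiB, 60 seconds, the per-shard limits) cannot drift between sections.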
@@ -26,21 +170,83 @@ | Enable auto scaling | `No` | This solution monitors the utilization of Kinesis Data Streams every 5 minutes, and scale in/out the number of shards automatically. The solution will scale in/out for a maximum of 8 times within 24 hours. | | Maximum Shard number | `` | Required if auto scaling is enabled. The maximum number of shards. | + !!! important "Important" + You may observe duplicate logs in OpenSearch if threshold error occurs in Kinesis Data Streams (KDS). This is because the Fluent Bit log agent uploads logs in [chunk](https://docs.fluentbit.io/manual/administration/buffering-and-storage#chunks-memory-filesystem-and-backpressure) (contains multiple records), and will retry the chunk if upload failed. Each + KDS shard can support up to 1,000 records per second for writes, up to a maximum total data write rate of 1 MB per second. Please estimate your log volume and choose an appropriate shard number. + +10. Choose **Next**. + +11. In the **Specify OpenSearch domain** section, select an imported domain for **Amazon OpenSearch domain**. + +12. In the **Log Lifecycle** section, enter the number of days to manage the Amazon OpenSearch Service index lifecycle. The Centralized Logging with OpenSearch will create the associated [Index State Management (ISM)](https://opensearch.org/docs/latest/im-plugin/ism/index/) policy automatically for this pipeline. + +13. Choose **Next**. + +14. Enable **Alarms** if needed and select an exiting SNS topic. If you choose **Create a new SNS topic**, please provide a name and an email address for the new SNS topic. + +15. Add tags if needed. + +16. Choose **Create**. + +17. Wait for the application pipeline turning to "Active" state. + + + +### Syslog as Log Source + +1. Sign in to the Centralized Logging with OpenSearch Console. + +2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. + +3. Choose Syslog Endpoint as **Log Source**. + +4. 
You can use UDP or TCP with custom port number. Choose **Next**. + +5. Select the log config created in the previous setup, and choose **Next**. + +6. Specify **Index name** in lowercase. + +7. In the **Buffer** section, choose **S3** or **Kinesis Data Streams**. If you don't want the buffer layer, choose **None**. Refer to the [Log Buffer](./index.md#log-buffer) for more information about choosing the appropriate buffer layer. + + * S3 buffer parameters + + | Parameter | Default | Description | + | ---------------------------- | ------------------------------------------------ | ------------------------------------------------------------ | + | S3 Bucket | *A log bucket will be created by the solution.* | You can also select a bucket to store the log data. | + | S3 Bucket Prefix | `AppLogs//year=%Y/month=%m/day=%d` | The log agent appends the prefix when delivering the log files to the S3 bucket. | + | Buffer size | 50 MiB | The maximum size of log data cached at the log agent side before delivering to S3. For more information, see [Data Delivery Frequency](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency). | + | Buffer interval | 60 seconds | The maximum interval of the log agent to deliver logs to S3. For more information, see [Data Delivery Frequency](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#frequency). | + | Compression for data records | `Gzip` | The log agent compresses records before delivering them to the S3 bucket. | + + * Kinesis Data Streams buffer parameters + + | Parameter | Default | Description | + | -------------------- | ------------------ | ------------------------------------------------------------ | + | Shard number | `` | The number of shards of the Kinesis Data Streams. Each shard can have up to 1,000 records per second and total data write rate of 1MB per second. 
| + | Enable auto scaling | `No` | This solution monitors the utilization of Kinesis Data Streams every 5 minutes, and scale in/out the number of shards automatically. The solution will scale in/out for a maximum of 8 times within 24 hours. | + | Maximum Shard number | `` | Required if auto scaling is enabled. The maximum number of shards. | !!! important "Important" You may observe duplicate logs in OpenSearch if threshold error occurs in Kinesis Data Streams (KDS). This is because the Fluent Bit log agent uploads logs in [chunk](https://docs.fluentbit.io/manual/administration/buffering-and-storage#chunks-memory-filesystem-and-backpressure) (contains multiple records), and will retry the chunk if upload failed. Each KDS shard can support up to 1,000 records per second for writes, up to a maximum total data write rate of 1 MB per second. Please estimate your log volume and choose an appropriate shard number. -6. Choose **Next**. +8. Choose **Next**. + +9. In the **Specify OpenSearch domain** section, select an imported domain for **Amazon OpenSearch domain**. + +10. In the **Log Lifecycle** section, enter the number of days to manage the Amazon OpenSearch Service index lifecycle. The Centralized Logging with OpenSearch will create the associated [Index State Management (ISM)](https://opensearch.org/docs/latest/im-plugin/ism/index/) policy automatically for this pipeline. + +11. Choose **Next**. -7. In the **Specify OpenSearch domain** section, select an imported domain for **Amazon OpenSearch domain**. +12. Enable **Alarms** if needed and select an exiting SNS topic. If you choose **Create a new SNS topic**, please provide a name and an email address for the new SNS topic. -8. In the **Log Lifecycle** section, enter the number of days to manage the Amazon OpenSearch Service index lifecycle. 
The Centralized Logging with OpenSearch will create the associated [Index State Management (ISM)](https://opensearch.org/docs/latest/im-plugin/ism/index/) policy automatically for this pipeline. +13. Add tags if needed. -9. Choose **Next**. +14. Choose **Create**. -10. Add tags if needed. +15. Wait for the application pipeline turning to "Active" state. -11. Choose **Create**. + -12. Wait for the application pipeline turning to "Active" state. \ No newline at end of file +[launch-template]: https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html#advanced-settings-for-your-launch-template +[launch-configuration]: https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html \ No newline at end of file diff --git a/docs/en/implementation-guide/applications/create-log-ingestion.md b/docs/en/implementation-guide/applications/create-log-ingestion.md index 8d6dd444..9bddfded 100644 --- a/docs/en/implementation-guide/applications/create-log-ingestion.md +++ b/docs/en/implementation-guide/applications/create-log-ingestion.md 
@@ -1,23 +1,33 @@ - ### Instance Group as Log Source 1. Sign in to the Centralized Logging with OpenSearch Console. + 2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. + 3. Choose the application pipeline that has been created during the **Prerequisites**. -4. Go to **Permission** tab and copy the provided JSON policy. -5. Go to **AWS Console > IAM > Policies** on the left column, and + +4. Choose the **Permission grant method**. If you choose **I will manually add the below required permissions after pipeline creation**, you have to click **Expand to view required permissions** and copy the provided JSON policy. + +5. Go to **AWS Console > IAM > Policies** on the left column, and 1. Choose **Create Policy**, choose **JSON** and replace all the content inside the text block. Remember to substitute `` with your account id. + 2. Choose **Next**, **Next**, then enter the name for this policy. + 3. Attach the policy to your EC2 instance profile to grant the log agent permissions to send logs to the application log pipeline. If you are using Auto Scaling group, you need to update the IAM instance profile associated with the Auto Scaling Group. If needed, you can follow the documentation to update your [launch template][launch-template] or [launch configuration][launch-configuration]. 6. Click the **Create an Ingestion** dropdown menu, and select **From Instance Group**. + 7. Select **Choose exists** and choose **Next**. + 8. Select the instance group you have created during the **Prerequisites** and choose **Next**. + 9. (Auto Scaling Group only) If your instance group is created based on an Auto Scaling Group, after ingestion status become "Created", then you can find the generated Shell Script in the instance group's detail page. 
Copy the shell script and update the User Data of the Auto Scaling [Launch configurations](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-configurations.html) or [Launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html). + 10. Select **Choose exists** and select the log config created in previous setup. -11. Choose **Next**, then choose **Create**. + +11. Choose **Create** to finish creating an ingestion. [launch-template]: https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html#advanced-settings-for-your-launch-template [launch-configuration]: https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html 
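Review bot: Step 4 explains only the manual branch of **Permission grant method**, yet step 5 and its sub-steps (create the policy, attach it to the EC2 instance profile) are still written as unconditional. Name the other option and say what it does, and open step 5 with a condition such as "If you chose to add the permissions manually", so that readers who pick the other method are not told to create and attach a policy by hand as well.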
@@ -25,31 +35,69 @@ -### EKS Cluster as Log Source +### Amazon EKS Cluster as Log Source 1. Sign in to the Centralized Logging with OpenSearch Console. + 2. In the left sidebar, under **Log Source**, choose **EKS Clusters**. + 3. Choose the EKS Cluster that has been imported as Log Source during the **Prerequisites**. + 4. Go to **App Log Ingestion** tab and choose **Create an Ingestion**. + 1. Select **Choose exists** and choose the application pipeline created during the **Prerequisites**. Choose **Next**. - 2. Select the log config created in previous setup, and choose **Next**. - 3. Add tags as needed, then choose **Create** to finish creating an ingestion. -5. Deploy Fluent-bit log agent following the guide generated by Centralized Logging with OpenSearch. + + 2. Select the log config created in previous setup. + + 3. Choose **Create** to finish creating an ingestion. + +5. Deploy Fluent-bit log agent following the guide generated by Centralized Logging with OpenSearch. + 1. Select the App Log Ingestion just created. + 2. Follow **DaemonSet** or **Sidecar** Guide to deploy the log agent. + +### Amazon S3 as Log Source + +1. Sign in to the Centralized Logging with OpenSearch Console. + +2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. + +3. Choose the application pipeline that has been created during the **Prerequisites**. + +4. Choose the **Create an Ingestion** dropdown menu, and select **From S3 bucket**. + +5. Choose the S3 bucket where your logs are stored and enter **Prefix filter** + +6. Choose **Ingestion mode** based on your need. If you want to ingest the log continuously, select **On-going**; If you only need to ingest the log once, select **One-time**. + +7. Specify **Compression format** if your log files are compressed. + +8. Select the log config created in the previous setup. + +9. Choose **Create** to finish creating an ingestion. + + + ### Syslog as Log Source 1. 
Sign in to the Centralized Logging with OpenSearch Console. + 2. In the left sidebar, under **Log Analytics Pipelines**, choose **Application Log**. + 3. Choose the application pipeline that has been created during the **Prerequisites**. + 4. Choose the **Create an Ingestion** dropdown menu, and select **From Syslog**. -5. Fill in all the form fields to specify Syslog Source. You can use UDP or TCP with custom port number. Choose **Next**. -6. Select the log config created in the previous setup, and choose **Next**. -7. Add tags as needed, then choose **Create** to finish creating an ingestion. + +5. You can use UDP or TCP with custom port number. Choose **Next**. + +6. Select the log config created in the previous setup. + +7. Choose **Create** to finish creating an ingestion. diff --git a/docs/en/implementation-guide/applications/create-log-source.md b/docs/en/implementation-guide/applications/create-log-source.md index 1b77f13f..e05e656a 100644 --- a/docs/en/implementation-guide/applications/create-log-source.md +++ b/docs/en/implementation-guide/applications/create-log-source.md 
@@ -2,13 +2,14 @@ You need to create a log source first before collecting application logs. Centra * [Amazon EC2 instance group](#amazon-ec2-instance-group) * [Amazon EKS cluster](#amazon-eks-cluster) +* [Amazon S3](#amazon-s3) * [Syslog](#syslog) For more information, see [concepts](./index.md#concepts). ## Amazon EC2 Instance Group -An instance group represents a group of EC2 Linux instances, which enables the solution to associate a [Log Config](./index.md#log-config) with multiple EC2 instances quickly. Centralized Logging with OpenSearch uses [Systems Manager Agent(SSM Agent)][ssm-agent]{target="_blank"} to install/configure Fluent Bit agent, and sends log data to [Kinesis Data Streams][kds]{target="_blank"}. +An instance group represents a group of EC2 Linux instances, which enables the solution to associate a [Log Config](./index.md#log-config) with multiple EC2 instances quickly. Centralized Logging with OpenSearch uses [Systems Manager Agent(SSM Agent)][ssm-agent]{target="_blank"} to install/configure Fluent Bit agent, and sends log data to [Kinesis Data Streams][kds]{target="_blank"}. ### Prerequisites 
@@ -40,19 +41,19 @@ Make sure the instances meet the following requirements: ### (Option 2) Select an Auto Scaling group to create an Instance Group When creating an Instance Group with Amazon EC2 Auto Scaling group, the solution will generate a shell script which you -should include in the [EC2 User Data][ec2-user-data]. +should include in the [EC2 User Data][ec2-user-data]. 1. Sign in to the Centralized Logging with OpenSearch Console. 2. In the left sidebar, under **Log Source**, choose **Instance Group**. 3. Click the **Create an instance group** button. 4. In the **Settings** section, specify a group name. 5. In the **Configuration** section, select **Auto Scaling Groups**. -6. In the **Auto Scaling groups** section, select the auto scaling group from which you want to collect logs. +6. In the **Auto Scaling groups** section, select the autoscaling group from which you want to collect logs. 7. (Optional) If you want to ingest logs from another account, select a [linked account](../link-account/index.md) in the **Account Settings** section to create an instance group log source from another account. 8. Choose **Create**. After you created a Log Ingestion using the Instance Group, you can find the generated Shell Script in the details page. 9. Copy the shell script and update the User Data of the Auto Scaling Group's [launch configurations](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-configurations.html) or [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html). -The shell script will automatically install Fluent Bit, SSM agent if needed, and download Fluent Bit configurations. -10. Once you have updated the launch configurations or launch template, you need to start an [instance refresh][instance-refresh] to update the instances within the Auto Scaling group. +The shell script will automatically install Fluent Bit, SSM agent if needed, and download Fluent Bit configurations. +10. 
Once you have updated the launch configurations or launch template, you need to start an [instance refresh][instance-refresh] to update the instances within the Auto Scaling group. The newly launched instances will ingest logs to the OpenSearch cluster or the [Log Buffer](./index.md#log-buffer) layer. ## Amazon EKS cluster @@ -67,9 +68,9 @@ The [EKS Cluster][eks] in Centralized Logging with OpenSearch refers to the Amaz 1. Sign in to the Centralized Logging with OpenSearch Console. 2. In the left sidebar, under **Log Source**, choose **EKS Cluster**. 3. Click the **Import a Cluster** button. -4. Choose the **EKS Cluster** where Centralized Logging with OpenSearch collects logs from. +4. Choose the **EKS Cluster** where Centralized Logging with OpenSearch collects logs from. (Optional) If you want to ingest logs from another account, select a [linked account](../link-account/index.md) from the **Account** dropdown to import an EKS log source from another account. -5. Select **DaemonSet** or **Sidecar** as log agent's deployment pattern. +5. Select **DaemonSet** or **Sidecar** as log agent's deployment pattern. 6. Choose **Next**. 7. Specify the **Amazon OpenSearch** where Centralized Logging with OpenSearch sends the logs to. 8. Follow the guidance to establish a VPC peering connection between EKS's VPC and OpenSearch's VPC. 
@@ -80,19 +81,29 @@ The [EKS Cluster][eks] in Centralized Logging with OpenSearch refers to the Amaz 10. Add tags if needed. 11. Choose **Create**. +## Amazon S3 + +The [S3][s3] in Centralized Logging with OpenSearch refers to the Amazon S3 from which you want to collect application logs stored in your bucket. You can choose **On-going** or **One-time** to create your ingestion job. + +!!! important "Important" + + * On-going means that the ingestion job will run when a new file is delivered to the specified S3 location. + * One-time means that the ingestion job will run at creation and only will run once to load all files in the specified location. ## Syslog + !!! important "Important" To ingest logs, make sure your Syslog generator/sender’s subnet is connected to Centralized Logging with OpenSearch’s **two** private subnets. Refer to [VPC Connectivity][vpc-connectivity] for more details about how to connect VPCs. - You can use UDP or TCP custom port number to collect syslog in Centralized Logging with OpenSearch. Syslog refers to logs generated by Linux instance, routers or network equipment. For more information, see [Syslog][syslog] in Wikipedia. + You can use UDP or TCP custom port number to collect syslog in Centralized Logging with OpenSearch. Syslog refers to logs generated by Linux instance, routers or network equipment. For more information, see [Syslog][syslog] in Wikipedia. [kds]: https://aws.amazon.com/kinesis/data-streams/ [ssm-agent]: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html [open-ssl]: https://www.openssl.org/source/ [eks]: https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html +[s3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html [daemonset]: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ [sidecar]: https://kubernetes.io/docs/concepts/workloads/pods/#workload-resources-for-managing-pods [syslog]: https://en.wikipedia.org/wiki/Syslog 
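Review bot: The new "Amazon S3" section defines the two ingestion modes but, unlike the Instance Group and EKS sections above it, gives no procedure, so it is unclear whether anything has to be created for this source before the ingestion steps. State that explicitly or link to the S3 ingestion steps. The **On-going** bullet should also say whether files already present in the location are ingested, and "will run at creation and only will run once" reads better as "runs once, at creation, and loads all files in the specified location".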
diff --git a/docs/en/implementation-guide/applications/index.md b/docs/en/implementation-guide/applications/index.md index b05ec99e..53ab5d6d 100644 --- a/docs/en/implementation-guide/applications/index.md +++ b/docs/en/implementation-guide/applications/index.md @@ -24,7 +24,7 @@ Before creating log ingestion, you need to: - [Create a log source](./create-log-source.md) (not applicable for Syslog) - [Create an application log pipeline](./create-applog-pipeline.md) - + ## Concepts The following introduce concepts that help you to understand how the application log ingestion works. @@ -37,7 +37,7 @@ A log ingestion configures the Log Source, Log Type and the Application Log Anal After that, Centralized Logging with OpenSearch will start collecting certain type of logs from the log source and sending them to Amazon OpenSearch. ### Log Agent -A log agent is a program that reads logs from one location and sends them to another location (for example, OpenSearch). +A log agent is a program that reads logs from one location and sends them to another location (for example, OpenSearch). Currently, Centralized Logging with OpenSearch only supports [Fluent Bit 1.9][fluent-bit] log agent which is installed automatically. The Fluent Bit agent has a dependency of [OpenSSL 1.1][open-ssl]. To learn how to install OpenSSL on Linux instances, refer to [OpenSSL installation](../resources/open-ssl.md). To find the supported platforms by Fluent Bit, refer to this [link][supported-platforms]. ### Log Buffer 
@@ -45,37 +45,39 @@ Log Buffer is a buffer layer between the Log Agent and OpenSearch clusters. The layer before being processed and delivered into the OpenSearch clusters. A buffer layer is a way to protect OpenSearch clusters from overwhelming. This solution provides the following types of buffer layers. -- **Amazon S3**. Use this option if you can bear minutes-level latency for log ingestion. The log agent periodically uploads logs to an Amazon S3 bucket. The frequency of data delivery to -Amazon S3 is determined by *Buffer size* (default value is 50 MiB) and *Buffer interval* (default value is 60 seconds) value -that you configured when creating the application log analytics pipelines. The condition satisfied first triggers data delivery to Amazon S3. +- **Amazon S3**. Use this option if you can bear minutes-level latency for log ingestion. The log agent periodically uploads logs to an Amazon S3 bucket. The frequency of data delivery to +Amazon S3 is determined by *Buffer size* (default value is 50 MiB) and *Buffer interval* (default value is 60 seconds) value +that you configured when creating the application log analytics pipelines. The condition satisfied first triggers data delivery to Amazon S3. -- **Amazon Kinesis Data Streams**. Use this option if you need real-time log ingestion. The log agent uploads logs to Amazon Kinesis Data Stream in seconds. The frequency -of data delivery to Kinesis Data Streams is determined by *Buffer size* (10 MiB) and *Buffer interval* (5 seconds). The -condition satisfied first triggers data delivery to Kinesis Data Streams. +- **Amazon Kinesis Data Streams**. Use this option if you need real-time log ingestion. The log agent uploads logs to Amazon Kinesis Data Stream in seconds. The frequency +of data delivery to Kinesis Data Streams is determined by *Buffer size* (10 MiB) and *Buffer interval* (5 seconds). The +condition satisfied first triggers data delivery to Kinesis Data Streams. 
-Log Buffer is optional when creating an application log analytics pipeline. For all types of application logs, this +Log Buffer is optional when creating an application log analytics pipeline. For all types of application logs, this solution allows you to ingest logs without any buffer layers. However, we only recommend this option when you have small log volume, and you are confident that the logs will not exceed the thresholds at the OpenSearch side. ### Log Source A Log Source refers to a location where you want Centralized Logging with OpenSearch to collect application logs from. Supported log sources includes: -* [Instance Group](#instances-group) +* [Instance Group](#instance-group) * [EKS Cluster](#eks-cluster) * [Syslog](#syslog) #### Instance Group -An instance group is a collection of EC2 instances from which you want to collect application logs. +An instance group is a collection of EC2 instances from which you want to collect application logs. Centralized Logging with OpenSearch can help you install the log agent in each instance within a group. You can select arbitrary instances through the user interface, or choose an [EC2 Auto Scaling Group][asg]. + #### EKS Cluster -The EKS Cluster in Centralized Logging with OpenSearch refers to the Amazon EKS from which you want to collect pod logs. Centralized Logging with OpenSearch +The EKS Cluster in Centralized Logging with OpenSearch refers to the Amazon EKS from which you want to collect pod logs. Centralized Logging with OpenSearch will guide you to deploy the log agent as a DaemonSet or Sidecar in the EKS Cluster. + #### Syslog Centralized Logging with OpenSearch supports collecting syslog logs through UDP or TCP protocol. ### Log Config -A Log Config is a configuration that is telling Centralized Logging with OpenSearch where the logs had been stored on Log Source, which types of logs you want to collect, what fields a line of log contains, and types of each field. 
+A Log Config is a configuration that is telling Centralized Logging with OpenSearch where the logs had been stored on Log Source, which types of logs you want to collect, what fields a line of log contains, and types of each field. [fluent-bit]: https://docs.fluentbit.io/manual/ diff --git a/docs/en/implementation-guide/applications/json.md b/docs/en/implementation-guide/applications/json.md index 05d574fb..f4ee7ed8 100644 --- a/docs/en/implementation-guide/applications/json.md +++ b/docs/en/implementation-guide/applications/json.md @@ -19,9 +19,9 @@ include-markdown "include-prerequisites.md" For example: ```json - {"host":"81.95.250.9", "user-identifier":"-", "time":"08/Mar/2022:06:28:03 +0000", "method": "PATCH", "request": "/clicks-and-mortar/24%2f7", "protocol":"HTTP/2.0", "status":502, "bytes":24337, "referer": "http://www.investorturn-key.net/functionalities/innovative/integrated"} + {"host":"81.95.250.9", "user-identifier":"-", "time":"08/Mar/2022:06:28:03 +0000", "method": "PATCH", "request": "/clicks-and-mortar/24%2f7", "protocol":"HTTP/2.0", "status":502, "bytes":24337, "referer": "https://www.investorturn-key.net/functionalities/innovative/integrated"} ``` - + 8. Check if each fields type mapping is correct. You can change the type by selecting the dropdown menu in the second column. For all supported types, see [Data Types](https://opensearch.org/docs/latest/search-plugins/sql/datatypes/). !!! Note "Note" @@ -36,7 +36,7 @@ include-markdown "include-prerequisites.md" ## Step 2: Create an application log ingestion -The steps are similar to creating an application log ingestion for single-line text. Refer to [Single-line Text](./single-line-text.md) for details. +The steps are similar to creating an application log ingestion for single-line text. Refer to [Single-line Text](./single-line-text.md#step-2-create-an-application-log-ingestion) for details. ## Step 3: View your logs in OpenSearch 
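Review bot: The Step 2 link to single-line-text.md now depends on the fragment `#step-2-create-an-application-log-ingestion`, and the target heading is not visible in this diff. Confirm that single-line-text.md has a heading whose generated slug matches it exactly, as this file's own "## Step 2: Create an application log ingestion" heading would. If that heading is later renamed, the link will silently land at the top of the page.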
diff --git a/docs/en/implementation-guide/applications/multi-line-text.md b/docs/en/implementation-guide/applications/multi-line-text.md index 1170a588..32ee5e2d 100644 --- a/docs/en/implementation-guide/applications/multi-line-text.md +++ b/docs/en/implementation-guide/applications/multi-line-text.md @@ -1,6 +1,6 @@ -# Multi-line Text +# Multi-line text -You can configure Centralized Logging with OpenSearch to ingest multi-line text logs. Currently, Centralized Logging with OpenSearch supports [Spring Boot](https://spring.io/projects/spring-boot) +You can configure Centralized Logging with OpenSearch to ingest multi-line text logs. Currently, Centralized Logging with OpenSearch supports [Spring Boot](https://spring.io/projects/spring-boot) style logs or customize the log format using [Regular Expression](https://rubular.com/). ## Prerequisites @@ -53,17 +53,27 @@ include-markdown "include-prerequisites.md" 1. For other kinds of logs, you could specify the first line regex pattern. For example: ``` - (?