Logs should be prefixed with pipeline name when using multiple pipelines. #8290

Closed
robcowart opened this issue Sep 17, 2017 · 2 comments

Comments

@robcowart

I have two pipelines loaded at the same time, both of which are using the netflow codec. Log messages are received such as...

[2017-09-17T09:35:00,928][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 1024 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

The question is... which of the two pipelines logged this message? This question applies regardless of which plugin is logging the message.

Logstash should prefix all log messages with the pipeline name of the pipeline from which the message was generated.

@jordansissel
Contributor

@robcowart focusing on your specific example for a moment, if we can improve this log message to be actionable, what action would a user take? Nothing?

My sense is that adding the pipeline to the log message (in this specific case) will do nothing to make this log message actionable. In fact, the log message tells you to "just wait" as the action ("this message will usually go away ...").

I'm not against adding the pipeline to log messages, but in this case I am having difficulty finding how this would improve the usefulness of the specific flowset warning.

Specific to the missing flowset problem:

  1. Maybe we should move this warning to be a debug message instead of a warning, since there is no action the user can take to improve the problem.
  2. Maybe we add a metric for the netflow codec that counts how many payloads were lost because a template is missing

And separately, we can work on adding the pipeline name to the log messages.

@robcowart
Author

This was only an example. Another would be the DNS filter... if I misconfigure the nameserver attribute (wrong IP address) in one of the pipelines I will get a lot of lookup timeout messages. Without knowing which pipeline is throwing the error I have to check each one individually until I find it.

Specific to this message from the Netflow codec, that message will only go away if the codec can understand the template. That isn't always the case (look up the issue where MPLS values weren't properly decided) and this message will continue forever. In such cases the device may be able to be reconfigured to send a less problematic flow record. If I have different devices sending events to different pipelines, the number of devices I would have to verify would be reduced.

Again, these are just examples.
