cd idr-log-analysis
mkdir -p volumes/{es,fluentd}
chown 1000 volumes/es
chown 100 volumes/fluentd
echo '<NGINX-BASIC-AUTH>' > nginx/passwd
docker-compose up -d
docker-compose logs -f
- Connect to http://localhost:12381 and login with Nginx basic auth.
- In the Kibana Management go to
Saved Objectsand importkibana-export.json. This should import saved index patterns, visualisations and dashboards. If the visualisations are disconnected from the indices associate them as follows:- IDR visualisations should be associated with index pattern
fluentd.nginx.access.*. - IDR-analysis visualisations should be associated with index pattern
fluentd.haproxy.http.*.
- IDR visualisations should be associated with index pattern
- If you don't have a default index pattern Under
Index Patternsmakefluentd.nginx.access.*the default.
If you need to create the index patterns yourself:
- Create index pattern with pattern
fluentd.haproxy.http.*. - Select
@timestampas theTime Filter field name. - Check that the field
hosthas typeipandgeoiphas typegeo_point. If these types are incorrect it means the Elasticsearch index mapping wasn't created. - Repeat for index pattern
fluentd.nginx.access.*.
- Create a directory
/uod/idr/versions/nginx-logs-combined/prodNNwhereprodNNis the release that is being archived - Untar the
nginxarchive copied to/uod/idr/versions/prodNNunder this directory - Delete all
error.log*as well as allaccess.log*files that are not in the required timerange, i.e. those from pre-release or post-release work. - For convenience if you have any files that do not follow the
access.log-YYYYMMDD.gzrename and gzip them. - Aggregate all these logs into a single uncompressed file,
zcat access.log*.gz > access.log-prodNN. - Move
access.log-prodNNto/uod/idr/versions/nginx-logs-combined/prod-merged-agg/ - Fluentd should automatically start to process this file
Although the log ingest process can handle individual access.log* files it will continually tail each file, so aggregating them massively reduces the number of open file handles.