logstash: Filebeat and Java logging appenders

qfe3c7zg  posted on 2022-12-09  in  Logstash

We will start deploying our Java applications using Docker on AWS Elastic Beanstalk; we want centralized logging and will be using the ELK stack.
I would like to keep one process per container and therefore avoid using Filebeat, but in order to do that we would have to use a different appender like syslog or even a TCP appender.
We can't afford losing logs.
Filebeat provides retrial logic out of the box, but introducing it into the mix would increase deployment complexity: we would need to make sure Filebeat receives SIGTERM when containers are terminated, make sure it's pre-baked into the container image or in the Dockerfile, and so on.
If we go down the path of using a TCP or syslog appender, retrial is up to us, and we want to avoid complexity in our code too.
What are the pros and cons of each approach, in addition to what I've pointed out?
Our logging library is logback.

j1dl9f46

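I have the same concerns as you. The safest way to log is to a local file (assuming you have enough space), because it is much harder to guarantee the availability of another process or a network endpoint.
See the discussion on the Logback mailing list: orig / MarkLogic mirror / Nabble mirror, especially the reply:
"If you absolutely want to ensure that logs get logged, in the sense that failure to log means that the transaction should be retried, then logback is not the right choice of API."
The project https://github.com/internetitem/logback-elasticsearch-appender provides an appender that writes directly to a highly available Elasticsearch cluster; it buffers log events in memory if all nodes are down.
Another approach is to write to a highly available middleware that guarantees caching and delivery, such as Kafka, Redis, Fluentd, Logstash, etc.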
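
The local-file option from the answer above, as a `logback.xml` sketch next to a syslog appender for comparison. This is an added example, not configuration from the question or the answer. The log directory, sizes, retention values and the syslog host name are assumptions, as is mounting the log directory as a Docker volume so that a shipper can run outside the application container.

```xml
<configuration>
  <!-- Local rolling file: logging depends only on the local disk, not on
       another process or a network endpoint being available. -->
  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <!-- Assumed path. Mount it as a volume so the files survive container
         restarts and a shipper outside the container can read them. -->
    <file>/var/log/app/app.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
      <fileNamePattern>/var/log/app/app.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
      <!-- Assumed limits. Archives older than maxHistory days, or beyond
           totalSizeCap, are deleted: size them for the longest shipper or
           ELK outage you need to ride out, otherwise logs are still lost. -->
      <maxFileSize>100MB</maxFileSize>
      <maxHistory>7</maxHistory>
      <totalSizeCap>2GB</totalSizeCap>
    </rollingPolicy>
    <encoder>
      <pattern>%d{ISO8601} %-5level [%thread] %logger - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- For comparison only, not referenced below: logback's SyslogAppender
       sends over UDP, so there is no acknowledgement and no retry; events
       sent while the receiver is down are silently dropped. -->
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>logs.example.internal</syslogHost> <!-- placeholder host -->
    <port>514</port>
    <facility>LOCAL0</facility>
    <suffixPattern>%logger - %msg</suffixPattern>
  </appender>

  <root level="INFO">
    <appender-ref ref="FILE"/>
  </root>
</configuration>
```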
