constellation/dev-docs/workflows/logcollection.md

# Logcollection

One can deploy [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/index.html) and [Logstash](https://www.elastic.co/guide/en/logstash/current/index.html) to enable collection of logs to [OpenSearch](https://search-e2e-logs-y46renozy42lcojbvrt3qq7csm.eu-central-1.es.amazonaws.com/_dashboards/app/home#/), which allows for agreggation and easy inspection of said logs.
The logcollection functionality can be deployed to both [debug](./debug-cluster.md) and non-debug clusters.

## Deployment in Debug Clusters

In debug clusters, logcollection functionality should be deployed automatically through the debug daemon `debugd`, which runs *before* the bootstrapper
and can therefore, contrary to non-debug clusters, also collect logs of the bootstrapper.

## Deployment in Non-Debug Clusters

In non-debug clusters, logcollection functionality needs to be explicitly deployed as a Kubernetes Deployment through Helm. To do that, a few steps need to be followed:

1. Template the deployment configuration through the `loco` CLI.

    ```bash
    bazel run //hack/logcollector template -- \
        --dir $(realpath .) \
        --username <OPENSEARCH_USERNAME> \
        --password <OPENSEARCH_PW> \
        --info deployment-type={k8s, debugd}
        ...
    ```

    This will place the templated configuration in the current directory. OpenSearch user credentials can be created by any admin in OpenSearch.
    Logging in with your company CSP accounts should grant you sufficient permissions to [create a user](https://opensearch.org/docs/latest/security/access-control/users-roles/#create-users)
    and [grant him the required `all_access` role](https://opensearch.org/docs/latest/security/access-control/users-roles/#map-users-to-roles).
    One can add additional key-value pairs to the configuration by appending `--info key=value` to the command.
    These key-value pairs will be attached to the log entries and can be used to filter them in OpenSearch.
    For example, it might be helpful to add a `test=<xyz>` tag to be able to filter out logs from a specific test run.
2. Deploy Logstash

    ```bash
    cd logstash
    make add
    make install
    cd ..
    ```

    This will add the required Logstash Helm charts and deploy them to your cluster.
3. Deploy Filebeat

    ```bash
    cd filebeat
    make add
    make install
    cd ..
    ```

    This will add the required Filebeat Helm charts and deploy them to your cluster.

To remove Logstash or Filebeat, `cd` into the corresponding directory and run `make remove`.

## Inspecting Logs in OpenSearch

To search through logs in OpenSearch, head to the [discover page](https://search-e2e-logs-y46renozy42lcojbvrt3qq7csm.eu-central-1.es.amazonaws.com/_dashboards/app/discover) in the
OpenSearch dashboard and configure the timeframe selector in the top right accordingly.
Click `Refresh`. You can now see all logs recorded in the specified timeframe. To get a less cluttered view, select the fields you want to inspect in the left sidebar.
ci: logcollection to OpenSearch in non-debug clusters (#2080) * refactor `debugd` file structure * create `hack`-tool to deploy logcollection to non-debug clusters * integrate changes into CI * update fields * update workflow input names * use `working-directory` * add opensearch creds to upgrade workflow * make template func generic * make templating func generic * linebreaks * remove magic defaults * move `os.Exit` to main package * make logging index configurable * make templating generic * remove excess brace * update fields * copy fields * fix flag name * fix linter warnings Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * remove unused workflow inputs * remove makefiles * fix command * bazel: fix output paths of container This fixes the output paths of builds within the container by mounting directories to paths that exist on the host. We also explicitly set the output path in a .bazelrc to the user specific path. The rc file is mounted into the container and overrides the host rc. Also adding automatic stop in case start is called and a containers is already running. Sym links like bazel-out and paths bazel outputs should generally work with this change. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * tabs -> spaces --------- Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-21 06:01:33 +00:00			`# Logcollection`

			`One can deploy [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/index.html) and [Logstash](https://www.elastic.co/guide/en/logstash/current/index.html) to enable collection of logs to [OpenSearch](https://search-e2e-logs-y46renozy42lcojbvrt3qq7csm.eu-central-1.es.amazonaws.com/_dashboards/app/home#/), which allows for agreggation and easy inspection of said logs.`
			`The logcollection functionality can be deployed to both [debug](./debug-cluster.md) and non-debug clusters.`

			`## Deployment in Debug Clusters`

			In debug clusters, logcollection functionality should be deployed automatically through the debug daemon `debugd`, which runs before the bootstrapper
			`and can therefore, contrary to non-debug clusters, also collect logs of the bootstrapper.`

			`## Deployment in Non-Debug Clusters`

			`In non-debug clusters, logcollection functionality needs to be explicitly deployed as a Kubernetes Deployment through Helm. To do that, a few steps need to be followed:`

			1. Template the deployment configuration through the `loco` CLI.

			```bash
			`bazel run //hack/logcollector template -- \`
			`--dir $(realpath .) \`
			`--username <OPENSEARCH_USERNAME> \`
			`--password <OPENSEARCH_PW> \`
			`--info deployment-type={k8s, debugd}`
			`...`
			```

			`This will place the templated configuration in the current directory. OpenSearch user credentials can be created by any admin in OpenSearch.`
			`Logging in with your company CSP accounts should grant you sufficient permissions to [create a user](https://opensearch.org/docs/latest/security/access-control/users-roles/#create-users)`
			and [grant him the required `all_access` role](https://opensearch.org/docs/latest/security/access-control/users-roles/#map-users-to-roles).
			One can add additional key-value pairs to the configuration by appending `--info key=value` to the command.
			`These key-value pairs will be attached to the log entries and can be used to filter them in OpenSearch.`
			For example, it might be helpful to add a `test=<xyz>` tag to be able to filter out logs from a specific test run.
			`2. Deploy Logstash`

			```bash
			`cd logstash`
			`make add`
			`make install`
			`cd ..`
			```

			`This will add the required Logstash Helm charts and deploy them to your cluster.`
			`3. Deploy Filebeat`

			```bash
			`cd filebeat`
			`make add`
			`make install`
			`cd ..`
			```

			`This will add the required Filebeat Helm charts and deploy them to your cluster.`

			To remove Logstash or Filebeat, `cd` into the corresponding directory and run `make remove`.

			`## Inspecting Logs in OpenSearch`

			`To search through logs in OpenSearch, head to the [discover page](https://search-e2e-logs-y46renozy42lcojbvrt3qq7csm.eu-central-1.es.amazonaws.com/_dashboards/app/discover) in the`
			`OpenSearch dashboard and configure the timeframe selector in the top right accordingly.`
			Click `Refresh`. You can now see all logs recorded in the specified timeframe. To get a less cluttered view, select the fields you want to inspect in the left sidebar.