lumberjack

o/~ I'm a lumberjack and I'm ok! I sleep when idle, then I ship logs all day! I parse your logs, I eat the JVM agent for lunch! o/~

Collect logs locally in preparation for processing elsewhere!

Problem: logstash jar releases are too fat for constrained systems.

Solution: lumberjack

Building it

compile: make
rpm package: make rpm
deb package: make deb

Packages install to /opt/lumberjack. Lumberjack builds all necessary dependencies itself, so there should be no run-time dependencies you need.

Running it

Generally: lumberjack.sh --host somehost --port 12345 /var/log/messages

See lumberjack.sh --help

Goals

minimize resource usage where possible (cpu, memory, network)
secure transmission of logs
configurable event data
easy to deploy with minimal moving parts.

Simple inputs only:

follow files, respect rename/truncation conditions
stdin, useful for things like 'varnishlog | lumberjack ...'

Implementation details

Below is valid as of 2012/09/19

Minimize resource usage

sets small resource limits (memory, open files) on start up based on the number of files being watched
cpu: sleeps when there is nothing to do
network/cpu: sleeps if there is a network failure
network: uses zlib for compression

secure transmission

uses openssl to transport logs. Currently supports verifying the server certificate only (so you know who you are sending to).

configurable event data

the protocol lumberjack uses supports sending a string:string map
the lumberjack tool lets you specify arbitrary extra data with --field name=value

easy deployment

all dependencies are built at compile-time (openssl, jemalloc, etc)
'make deb' (or make rpm) will package everything into a single deb (or rpm)
bin/lumberjack.sh makes sure the dependencies are found

future

I would love to not have a custom protocol, but nothing I've found implements what I need, which is: encrypted, trusted, compressed, latency-resilient, and reliable transport of events.

redis development refuses to accept encryption support, would likely reject compression as well.
zeromq lacks authentication, encryption, and compression.
thrift also lacks authentication, encryption, and compression, and also is an RPC framework, not a streaming system.
websockets don't do authentication or compression, but support encrypted channels with SSL. Websockets also require XORing the entire payload of all messages - wasted energy.
SPDY is still changing too frequently and is also RPC. Streaming requires custom framing.
HTTP is RPC and very high over head for small events (uncompressable headers, etc). Streaming requires custom framing.

Name		Name	Last commit message	Last commit date
Latest commit History 295 Commits
go		go
lib/lumberjack		lib/lumberjack
spec		spec
test		test
vendor		vendor
.gitignore		.gitignore
.travis.yml		.travis.yml
Gemfile		Gemfile
Gemfile.lock		Gemfile.lock
Makefile		Makefile
Makefile.ext		Makefile.ext
PROTOCOL.md		PROTOCOL.md
README.md		README.md
Vagrantfile		Vagrantfile
backoff.c		backoff.c
backoff.h		backoff.h
clock_gettime.h		clock_gettime.h
emitter.c		emitter.c
emitter.h		emitter.h
fetch.sh		fetch.sh
harvester.c		harvester.c
harvester.h		harvester.h
jls-lumberjack.gemspec		jls-lumberjack.gemspec
lumberjack.c		lumberjack.c
lumberjack.sh		lumberjack.sh
proto.c		proto.c
proto.h		proto.h
ring.c		ring.c
ring.h		ring.h
sleepdefs.h		sleepdefs.h
str.c		str.c
str.h		str.h
strlist.c		strlist.c
strlist.h		strlist.h
test_ring.c		test_ring.c
unixsock.c		unixsock.c

blt/lumberjack

Folders and files

Latest commit

History

Repository files navigation

lumberjack

Building it

Running it

Goals

Implementation details

Minimize resource usage

secure transmission

configurable event data

easy deployment

future

About

Resources

Stars

Watchers

Forks