CTO @ HungryHub.com

Tips on storing logs to OpenSearch using Fluentbit

Effectively storing logs in OpenSearch using Fluent Bit involves addressing challenges such as chunk flushing failures, buffer overflow, data backpressure, and optimizing index and shard configurations. By fine-tuning Fluent Bit settings, enabling verbose logging for debugging, implementing Index State Management policies, and leveraging performance monitoring tools like Grafana, these strategies ensure efficient log delivery, robust data retention, and improved cluster performance.

Buffer Overflow Management

Buffer size limitations in Fluent Bit can significantly impact log processing efficiency and data retention. The mem_buf_limit parameter controls the maximum memory buffer size for input plugins, typically set in megabytes 1. When this limit is reached, Fluent Bit pauses the input plugin, potentially leading to data loss 2. To mitigate this issue, consider the following strategies:

  • Enable filesystem buffering by setting storage.type to filesystem, which allows Fluent Bit to write excess data to disk when memory limits are reached 1 2.
  • Adjust storage.max_chunks_up to control the number of chunks kept in memory, with each chunk typically around 2MB 1.
  • Implement storage.total_limit_size for output plugins to manage disk space usage for buffered chunks 1.

These configurations help balance memory usage, prevent data loss, and maintain service stability during high-volume log ingestion scenarios.

Sources:
  1. Buffering & Storage | Fluent Bit: Official Manual
  2. Avoiding data loss and backpressure problems with Fluent Bit

Handling Data Backpressure

Backpressure in Fluent Bit occurs when data is ingested faster than it can be flushed to destinations, leading to high memory consumption and potential service disruptions 1 2. To mitigate this issue, Fluent Bit implements a mechanism that restricts data ingestion using the Mem_Buf_Limit parameter 3. When this limit is reached, the input plugin pauses, emitting a warning message, and resumes once buffer memory becomes available 3.

To address backpressure:

  • Enable filesystem buffering by setting storage.type to filesystem, allowing Fluent Bit to write excess data to disk 3 4.
  • Implement rate limiting or throttling to match the system’s processing capacity 5.
  • Use monitoring tools to track buffer sizes, errors, and set up alerts for potential backpressure scenarios 5 4.
  • Consider scaling or partitioning to distribute data processing across multiple units 5.

These strategies help maintain data flow, prevent data loss, and ensure system stability during high-volume log ingestion 4.

Sources:
  1. Backpressure | Fluent Bit: Official Manual
  2. Buffering - Fluent Bit: Official Manual
  3. Backpressure | Fluent Bit: Official Manual
  4. Avoiding data loss and backpressure problems with Fluent Bit
  5. How do you handle backpressure in streaming? - LinkedIn

Chunk Flushing Failures.

Chunk flushing failures in Fluent Bit are often indicative of underlying issues with buffer management and data transmission. These failures can occur when the system struggles to send log data to the designated output, such as OpenSearch. To diagnose the root cause, enabling Trace_Error On in the Fluent Bit configuration provides detailed error messages and stack traces [1].

Common reasons for chunk flushing failures include:

  • Buffer size limitations: If the Buffer_Chunk_Size is too small for the volume of logs being processed, it can lead to frequent flushing attempts and failures 2 3.
  • Network connectivity issues: Intermittent network problems can cause failures when attempting to send data to the output destination 4.
  • Output endpoint capacity: The receiving end (e.g., OpenSearch) may be overwhelmed, causing it to reject incoming data 2.
  • Configuration mismatches: Incorrect settings for authentication, SSL/TLS, or endpoint URLs can prevent successful data transmission 5.

To mitigate these issues, consider increasing buffer sizes, implementing backpressure handling, and ensuring proper network connectivity between Fluent Bit and the output service 6. Additionally, monitoring Fluent Bit’s performance metrics and setting up alerts can help proactively identify and address potential problems before they escalate 7.

Sources:
  1. - (1) paste.txt
  2. Try the understand the error Failed to write the request of size ...
  3. Buffering & Storage | Fluent Bit: Official Manual
  4. Why I get the failed to flush chunk error in fluent-bit? - Stack Overflow
  5. Fluent Bit does not forward some pod logs due to warn http\_client ...
  6. Avoiding data loss and backpressure problems with Fluent Bit
  7. Use Fluent Bit logs to monitor your pipeline and send alerts to Slack

Optimizing Index Management Strategies

Index State Management (ISM) policies are crucial for efficient index management in OpenSearch and Elasticsearch clusters. These policies automate routine tasks based on index age, size, or document count, helping to optimize cluster performance 1 2. For high-volume indices exceeding 500MB per day, daily rotations are recommended, while medium and low-volume indices benefit from weekly and monthly rotations respectively 3.

To improve index management:

  • Implement ISM policies to automate index lifecycle management, including transitions between states like read_only and eventual deletion 1 2.
  • Consolidate small indices to reduce cluster state overhead and improve search performance 4.
  • Adjust shard configurations based on data volume, aiming for optimal shard sizes around 50GB 5.
  • Use max_primary_shard_size instead of max_age for rollovers to avoid creating empty or small shards 3.
  • Consider longer time periods for index creation to reduce overall shard count and improve cluster health 5 3.
Sources:
  1. Index State Management - OpenSearch Documentation
  2. Index State Management in Amazon OpenSearch Service
  3. Size your shards | Elasticsearch Guide 7.17 | Elastic
  4. Elasticsearch shard allocation for small indices - Stack Overflow
  5. Size your shards | Elasticsearch Guide 8.17 | Elastic

Enabling Verbose Logging

To enable verbose mode in Fluent Bit for debugging purposes, configure the following settings in your Fluent Bit configuration file:

  • In the [SERVICE] section: 
    [SERVICE]
Log_Level       debug
  • In the [OUTPUT] section: 
    [OUTPUT]
Trace_Error     On
Trace_Output    On

The Log_Level debug setting increases the verbosity of Fluent Bit’s general logging, providing more detailed information about its operations 1 2. This level is cumulative, meaning it includes all less verbose levels (error, warn, and info) in addition to debug messages 3.

Trace_Error On enables detailed error tracing, providing stack traces and more comprehensive error messages when issues occur during data processing or output 4. Trace_Output On allows for verbose logging of output plugin operations, which can be crucial for identifying issues with data transmission to your chosen output destination 2.

These settings will significantly increase the amount of log data generated, so it’s recommended to use them temporarily for troubleshooting purposes and revert to normal logging levels in production environments to avoid performance impacts 5.

Sources:
  1. Configuration File | Fluent Bit: Official Manual
  2. Configuration File | Fluent Bit: Official Manual
  3. Fluent Bit Multiple Log\_Level Values - amazon eks - Stack Overflow
  4. config: Log\_Level setting does not take env variable · Issue #920
  5. How to enable the fluent-bit debug logging in the Terraform Enterprise

Optimizing Shard Configuration

To optimize OpenSearch cluster performance, adhere to these guidelines for shard management and resource allocation:

  • Limit total shards to 10,000 per cluster, with 25 shards or fewer per GB of JVM heap memory 1.
  • Configure JVM heap size to 50% of the instance’s RAM, up to 32 GiB 2.
  • Aim for 1.5 vCPUs per active shard as an initial scale point 3.
  • Keep shard sizes between 10-30 GiB for search-heavy workloads and 30-50 GiB for write-heavy workloads 1.

Exceeding these limits can lead to cluster instability and performance degradation. To reduce shard count, consider consolidating small indices, adjusting index templates, or implementing data streams for time-series data 4 5.

Sources:
  1. Choosing the number of shards - Amazon OpenSearch Service
  2. Auto-Tune for Amazon OpenSearch Service
  3. Best practices for configuring your Amazon OpenSearch Service ...
  4. How to Reduce the Number of Shards in an OpenSearch Cluster
  5. Unleashing OpenSearch: Best Practices for 1 Billion Documents on ...

OpenSearch Performance Monitoring

Grafana provides powerful visualization capabilities for monitoring OpenSearch/Elasticsearch clusters. To effectively track cluster performance and resource usage, configure dashboards to display these key metrics:

  • Cluster health status (green, yellow, red) to quickly assess overall stability 1
  • Node status, including active nodes and data nodes 1
  • Indexing rate and search query performance 2
  • JVM memory usage and garbage collection metrics 2
  • CPU utilization per node 2
  • Disk space usage and I/O statistics 2
  • Network traffic, including bytes sent/received 2
  • Query latency and response times 3
  • Error rates, including indexing and search errors 3

Utilize Grafana’s templating feature to create dynamic dashboards that allow filtering by cluster, node, or index 3. This enables drill-down capabilities for more detailed analysis. Set up alerts based on thresholds for critical metrics to proactively identify and address potential issues before they impact cluster performance 4.

Sources:
  1. Elasticsearch Cluster Health: Interpreting & Boosting ... - Opster
  2. Top 10 Elasticsearch Metrics to Monitor Performance - Sematext
  3. Elasticsearch Monitoring based on X-Pack stats | Grafana Labs
  4. Assess dashboard usage | Grafana documentation

Wrapping Up

Effectively managing Fluent Bit in Kubernetes environments requires ongoing monitoring and optimization. Regularly review and adjust configurations to ensure optimal performance and reliability. Implement a robust logging strategy that includes:

  • Periodic audits of Fluent Bit configurations to align with changing cluster needs 1
  • Utilizing debug versions of Fluent Bit containers for in-depth troubleshooting when necessary 2
  • Implementing filesystem buffering to handle backpressure and prevent data loss during high-volume scenarios 3
  • Leveraging Fluent Bit’s tap feature to generate detailed event records for message flow analysis 4

By combining these practices with the previously discussed strategies for OpenSearch optimization and performance monitoring, you can create a resilient and efficient logging pipeline that scales with your Kubernetes infrastructure while maintaining data integrity and system stability.

Sources:
  1. Fluent-bit service fails to shutdown with open TCP connection #2868
  2. Troubleshooting Fluent Bit - Logging operator
  3. Avoiding data loss and backpressure problems with Fluent Bit
  4. Troubleshooting | Fluent Bit: Official Manual

Leave a comment

You may also enjoy

Reducing Large Git Repository Size

Managing large Git repositories is crucial for maintaining performance, storage efficiency, and collaboration ease, especially when dealing with substantial ...

Importing Huge MySQL Database

Importing large MySQL database dumps can be challenging, especially when dealing with AWS RDS snapshots and potential errors during the process. This guide e...