Mailing-List: contact user-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@hadoop.apache.org
Received-SPF: pass (athena.apache.org: domain of faithlessfriend@gmail.com
 designates 209.85.217.173 as permitted sender)
MIME-Version: 1.0
In-Reply-To: 
 <CAAR2Ka0O7Ay9MTavhMTV771G+QG79K7C-EcXdQmwRpFqTdS7iw@mail.gmail.com>
References: 
 <CAPwWofG0VuciM6Nopq4JJKuuQQ+GVrFh2ATKCEYFTkU=UDHigw@mail.gmail.com>
	<CAAR2Ka0O7Ay9MTavhMTV771G+QG79K7C-EcXdQmwRpFqTdS7iw@mail.gmail.com>
Date: Tue, 6 Aug 2013 09:11:01 +0300
Message-ID: 
 <CAPS2vjqJ0yOxAr8i3N-kLUSRk8BVQ_LQiO-siKrQ=HtK21h0sg@mail.gmail.com>
Subject: Re: Large-scale collection of logs from multiple Hadoop nodes
From: Andrei <faithlessfriend@gmail.com>
To: user@hadoop.apache.org
Content-Type: multipart/alternative; boundary=001a11c2a4a811ecfe04e3414a13

--001a11c2a4a811ecfe04e3414a13
Content-Type: text/plain; charset=ISO-8859-1

We have similar requirements and build our log collection system around
RSyslog and Flume. It is not in production yet, but tests so far look
pretty well. We rejected idea of using AMQP since it introduces large
overhead for log events.

Probably you can use Flume interceptors to do real-time processing on your
events, though I haven't tried anything like that earlier. Alternatively,
you can use Twitter Storm to handle your logs. Anyway, I wouldn't recommend
using Hadoop MapReduce for real-time processing of logs, and there's at
least one important reason for this.

As you probably know, Flume sources obtains new event and put it into
channel, where sink then pulls it from. If we are talking about HDFS Sink,
it has pull interval (normally time, but you can also use total size of
events in channel). If this interval is large, you won't get real-time
processing. And if it is small, Flume will produce large number of small
files in HDFS, say, of size 10-100KB. However, HDFS cannot store multiple
files in a single block, and minimal block size is 64M, so each of your
10-100KB of logs will become 64M (multiplied by # of replicas!).

Of course, you can use some ad-hoc solution like deleting small files from
time to time or combining them into a larger file, but monitoring of such a
system becomes much harder and may lead to unexpected results. So,
processing log events before they get to HDFS seems to be better idea.


On Tue, Aug 6, 2013 at 7:54 AM, Inder Pall <inder.pall@gmail.com> wrote:

> We have been using a flume like system for such usecases at significantly
> large scale and it has been working quite well.
>
> Would like to hear thoughts/challenges around using zeromq alike systems
> at good enough scale.
>
> inder
> "you are the average of 5 people you spend the most time with"
> On Aug 5, 2013 11:29 PM, "Public Network Services" <
> publicnetworkservices@gmail.com> wrote:
>
>> Hi...
>>
>> I am facing a large-scale usage scenario of log collection from a Hadoop
>> cluster and examining ways as to how it should be implemented.
>>
>> More specifically, imagine a cluster that has hundreds of nodes, each of
>> which constantly produces Syslog events that need to be gathered an
>> analyzed at another point. The total amount of logs could be tens of
>> gigabytes per day, if not more, and the reception rate in the order of
>> thousands of events per second, if not more.
>>
>> One solution is to send those events over the network (e.g., using using
>> flume) and collect them in one or more (less than 5) nodes in the cluster,
>> or in another location, whereby the logs will be processed by a either
>> constantly MapReduce job, or by non-Hadoop servers running some log
>> processing application.
>>
>> Another approach could be to deposit all these events into a queuing
>> system like ActiveMQ or RabbitMQ, or whatever.
>>
>> In all cases, the main objective is to be able to do real-time log
>> analysis.
>>
>> What would be the best way of implementing the above scenario?
>>
>> Thanks!
>>
>> PNS
>>
>>

--001a11c2a4a811ecfe04e3414a13
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">We have similar requirements and build our log collection =
system around RSyslog and Flume. It is not in production yet, but tests so =
far look pretty well. We rejected idea of using AMQP since it introduces la=
rge overhead for log events.=A0<div>
<br></div><div style>Probably you can use Flume interceptors to do real-tim=
e processing on your events, though I haven&#39;t tried anything like that =
earlier. Alternatively, you can use Twitter Storm to handle your logs. Anyw=
ay, I wouldn&#39;t recommend using Hadoop MapReduce for real-time processin=
g of logs, and there&#39;s at least one important reason for this.=A0</div>
<div style><br></div><div style>As you probably know, Flume sources obtains=
 new event and put it into channel, where sink then pulls it from. If we ar=
e talking about HDFS Sink, it has pull interval (normally time, but you can=
 also use total size of events in channel). If this interval is large, you =
won&#39;t get real-time processing. And if it is small, Flume will produce =
large number of small files in HDFS, say, of size 10-100KB. However, HDFS c=
annot store multiple files in a single block, and minimal block size is 64M=
, so each of your 10-100KB of logs will become 64M (multiplied by # of repl=
icas!).=A0</div>
<div style><br></div><div style>Of course, you can use some ad-hoc solution=
 like deleting small files from time to time or combining them into a large=
r file, but monitoring of such a system becomes much harder and may lead to=
 unexpected results. So, processing log events before they get to HDFS seem=
s to be better idea.</div>
<div style><br></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Tue, Aug 6, 2013 at 7:54 AM, Inder Pall <span dir=3D"ltr">&lt;<a=
 href=3D"mailto:inder.pall@gmail.com" target=3D"_blank">inder.pall@gmail.co=
m</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><p dir=3D"ltr">We have been using a flume li=
ke system for such usecases at significantly large scale and it has been wo=
rking quite well.</p>

<p dir=3D"ltr">Would like to hear thoughts/challenges around using zeromq a=
like systems at good enough scale.</p>
<p dir=3D"ltr">inder<br>
&quot;you are the average of 5 people you spend the most time with&quot;</p=
><div class=3D"HOEnZb"><div class=3D"h5">
<div class=3D"gmail_quote">On Aug 5, 2013 11:29 PM, &quot;Public Network Se=
rvices&quot; &lt;<a href=3D"mailto:publicnetworkservices@gmail.com" target=
=3D"_blank">publicnetworkservices@gmail.com</a>&gt; wrote:<br type=3D"attri=
bution">
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<div dir=3D"ltr"><div><div><div><div><div><div><div><div>Hi...<br><br></div=
>I am facing a large-scale usage scenario of log collection from a Hadoop c=
luster and examining ways as to how it should be implemented.<br><br></div>


More specifically, imagine a cluster that has hundreds of nodes, each of wh=
ich constantly produces Syslog events that need to be gathered an analyzed =
at another point. The total amount of logs could be tens of gigabytes per d=
ay, if not more, and the reception rate in the order of thousands of events=
 per second, if not more.<br>


<br></div>One solution is to send those events over the network (e.g., usin=
g using flume) and collect them in one or more (less than 5) nodes in the c=
luster, or in another location, whereby the logs will be processed by a eit=
her constantly MapReduce job, or by non-Hadoop servers running some log pro=
cessing application.<br>


<br></div>Another approach could be to deposit all these events into a queu=
ing system like ActiveMQ or RabbitMQ, or whatever.<br><br></div>In all case=
s, the main objective is to be able to do real-time log analysis.<br><br>


</div>What would be the best way of implementing the above scenario?<br></d=
iv><div><br></div>Thanks!<br><br></div>PNS<br><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div></div>

--001a11c2a4a811ecfe04e3414a13--