Centralized Logging Night Class
22 Sep 2017
This week my colleague Joanna and I were running a night class on centralized logging at the elastic meetup Singapore for the first time. We had lots of help from the organizer Alberto, who also managed to get a room at his employer Pivotal Labs. Pizza was sponsored by my employer Zenika.
Our intention was to have people get in touch with centralized logging and the elastic stack for the first time by conducting a 2-hour workshop. The reception was very good: besides the 60 people registered there were also 60 on the waiting list. In the end around 30 people turned up, which is the expected amount - like in many other cities, in Singapore more people sign up for events than actually show up.
We started off with an introduction to the topic where all of the components and how they play together were introduced in a talk. We covered Filebeat, Logstash, Kibana and the different scaling mechanisms. Conveniently we could take slides that we normally use for trainings. Some elastic guys were present as well and helped with questions on newer features.
After that we had a pizza break before diving into the exercises. We chose a very simple setup of parsing and indexing access logs generated by a script. We provided the participants with instructions as well as the slides in a Github repo. Joanna, I and some of the elastic folks tried to help people who were struggling.
Some of the questions I can remember:
- Deciding when to use Logstash or when to send data to elasticsearch directly.
- How to secure the system. How to do alerting. Those questions will surely be appreciated by elastic.
- How long does it take to get an initial system up and running.
- Which kind of logs can be parsed automatically.
Some of the problems people had:
- Finding the right artifact to download from the elastic website (Linux tar.gz downloaded for mac, finding the way around the website, ...)
- Startup problems due to user rights: starting the system as root (which elasticsearch will not allow), or starting with a user that has no rights to read the configuration
- Finding the right script to start elasticsearch (no .sh extension)
The most common issue I noticed during trainings, whitespace in yaml files, didn't play a role at all. Maybe we didn't do enough configuration changes yet.
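The startup problems above are all things you can check before typing the start command. The following pre-flight script is an added example written for this post, not material from the workshop repo or from elastic: it checks that you are not root, that the config directory and elasticsearch.yml are readable by the current user, that the start script is bin/elasticsearch (there is no .sh suffix to look for), and, as the classic training-room issue, that no YAML file in config is indented with tabs. The installation path is an assumption you pass as the first argument.

```shell
#!/bin/sh
# Pre-flight checks for a freshly unpacked Elasticsearch tarball. This is an
# added example written for this post, not material from the workshop repo.
# It covers the startup problems seen in the class: running as root (which
# Elasticsearch refuses), a config directory the current user cannot read,
# looking for a non-existent bin/elasticsearch.sh, and tabs used as YAML
# indentation (the usual training-room problem that did not show up here).
# Usage: sh es-preflight.sh /path/to/elasticsearch   (the path is your own)

# 0 when the effective user is not root, 1 otherwise.
check_not_root() {
  [ "$(id -u)" -ne 0 ]
}

# 0 when the config dir and every file in it (elasticsearch.yml included)
# are readable by the current user.
check_config_readable() {
  dir="$1/config"
  [ -d "$dir" ] && [ -r "$dir" ] && [ -x "$dir" ] || return 1
  [ -r "$dir/elasticsearch.yml" ] || return 1
  for f in "$dir"/*; do
    [ -r "$f" ] || return 1
  done
}

# 0 when the start script exists and is executable. The script is
# bin/elasticsearch; there is no .sh suffix.
check_start_script() {
  [ -x "$1/bin/elasticsearch" ]
}

# 0 when no line in the YAML file is indented with a tab (YAML forbids that).
check_yaml_no_tabs() {
  tab=$(printf '\t')
  if grep -q "^ *${tab}" "$1"; then
    return 1
  fi
  return 0
}

# Run every check against the given installation directory, print one line
# per finding and return the number of failed checks (0 means ready).
preflight() {
  home="$1"
  failed=0
  if ! check_not_root; then
    echo "FAIL: running as root; Elasticsearch will refuse to start. Use an unprivileged user."
    failed=$((failed + 1))
  fi
  if ! check_config_readable "$home"; then
    echo "FAIL: $home/config (or a file in it) is not readable by $(id -un)."
    failed=$((failed + 1))
  fi
  if ! check_start_script "$home"; then
    echo "FAIL: $home/bin/elasticsearch missing or not executable (note: no .sh suffix)."
    failed=$((failed + 1))
  fi
  for y in "$home"/config/*.yml; do
    [ -f "$y" ] || continue
    if ! check_yaml_no_tabs "$y"; then
      echo "FAIL: $y indents with tabs; YAML requires spaces."
      failed=$((failed + 1))
    fi
  done
  if [ "$failed" -eq 0 ]; then
    echo "OK: $home looks ready to start."
  fi
  return "$failed"
}

# Only run when an installation path is given, so the functions can also be
# sourced from another script.
if [ $# -gt 0 ]; then
  preflight "$1"
  exit $?
fi
```

Run it as the user you intend to start Elasticsearch with; a non-zero exit code is the number of problems found, and each FAIL line names the fix.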
There are a few things I would do differently for the next event.
- Have a shorter break. People enjoy socializing but we didn't have enough time left for the exercises.
- Ease the setup: Maybe provide a container instead of letting the user set up all of the components.
- Introduce elasticsearch. That is something we just didn't do.
- Show people how to use the console in Kibana to do simple queries to elasticsearch.
Most of the people seemed to be happy about the event, and for us as the speakers it's a great way to get to know many different people. There's a lot more interaction than when just doing an upfront talk. We are planning to do more events like this in the future.