Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Log Forwarding & Ingestion Patterns using MiNiFi and NiFi

Labels (2)
avatar
author-rank sunile_manjee author-rank
Master Guru

Created on ‎09-07-2018 09:44 PM - edited ‎08-17-2019 06:28 AM

Log Forwarding/Ingestion Patterns

87617-2018-09-07-16-33-48.jpg

Log forwarding & ingestion is a key starting point for many logging initiatives such as log analytics, cyber security, anomaly & bot detection, etc etc. This article will focus few (not comprehensive) patterns for log forwarding/ingestion using NiFi.

Commonly rsyslog is used to capture and ship log messages.“Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IPnetwork. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds features such as using TCP for transport.”

More on how to configure rsyslog: here

NiFi is able to ingest messages from rsyslog over TCP or UDP via ListenSysLog processor. This allows for little to no coding.

Patterns

Pattern A

A minimalist design. Rsyslog is configured to simply forward log messages to a NiFi cluster. Rsyslog /etc/rsyslog.conf file needs to be configured to forward messages to a NiFi port identified in ListenSysLog processor.

87619-2018-09-07-16-16-42.jpg

Pattern B

A MiNiFi listen socket design. MiNiFi is installed on the server(s) leveraging ListenSysLog processor. This pattern offers end to end data linage along with more rich operational capabilities compared to Pattern A. MiNiFi via ListenSysLog will capture rsyslog messages and ship them to NiFi via S2S (site 2 site). Rsyslog is configured to simply forward log messages to a locally installed MiNiFi instance (localhost:port). Rsyslog /etc/rsyslog.conf file needs to be configured to forward messages to a the local MiNiFi port identified in ListenSysLog processor. This design will provide at least once message delivery guarantee.

87620-2018-09-07-16-23-16.jpg

Pattern C

A MiNiFi tail file design. MiNiFi is installed on the server(s) leveraging TailFile processor unlike Pattern B using ListenSyslog. Both pattern A and B offer end to end data linage and rich operational capabilities. MiNiFi will capture log messages by tailing a directory of files or a file and ship them to NiFi via S2S (site 2 site). Identify a log file to tail (ie /var/log/messages) or a directory for files, start MiNiFi and the log messages will start flow from the server(s) to NiFi. This design will provide at least once message delivery guarantee.

87621-2018-09-07-16-24-00.jpg

These are a few but common pattens I have developed & implemented in the field with success. Happy log capturing!

4,661 Views
Comments

Re: Log Forwarding & Ingestion Patterns using MiNiFi and NiFi

avatar
author-rank Ankur_1999
New Contributor

Created on ‎04-09-2024 11:33 PM

Hi @sunile_manjee,

Thank you for sharing the ingestion patterns. Can you please also tell whether Nifi can be considered as a worthy alternative to logstash? as logstash log processing pipeline is very easy to configure. I am trying to find an alternative to logstash.

Any advice would be helpful.

Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements
Version history
Last update:
‎08-17-2019 06:28 AM
Updated by:
Master Guru Master Guru
Contributors