Official R1 documentation snapshot in https://onap.readthedocs.io/en/latest/submodules/logging-analytics.git/docs/
This document specifies logging conventions to be followed by ONAP component applications.
ONAP logging is intended to support operability, debugging and reporting on ONAP. These guidelines address:
Java and Python are supported, but conventions may be implemented by other technologies like GO.
Original AT&T ONAP Logging guidelines: https://wiki.onap.org/download/attachments/1015849/ONAP%20application%20logging%20guidelines.pdf?api=v2
The purpose of ONAP logging is to capture information needed to operate, troubleshoot and report on the performance of the ONAP platform and its constituent components. Log records may be viewed and consumed directly by users and systems, indexed and loaded into a datastore, and used to compute metrics and generate reports.
The processing of a single client request will often involve multiple ONAP components and/or subcomponents (interchangeably referred to as ‘application’ in this document). The ability to track flows across components is critical to understanding ONAP’s behavior and performance. ONAP logging uses a universally unique RequestID value in log records to track the processing of every client request through all the ONAP components involved in its processing.
A reference configuration of Elastic Stack is being deployed using ONAP Operations Manager since the amsterdam release - see usage in Logging Analytics Dashboards (Kibana)
This document proposes conventions you can follow to generate conformant, indexable logging output from your component.
ONAP prescribes conventions. The use of certain APIs and providers is recommended, but they are not mandatory. Most components log via EELF or SLF4J to a provider like Logback or Log4j.
EELF is the Event and Error Logging Framework, described at https://github.com/att/EELF.
EELF abstracts your choice of logging provider, and decorates the familiar Logger contracts with features like:
EELF is a facade, so logging output is configured in two ways:
SLF4J is a logging facade, and a humble masterpiece. It combines what's common to all major, modern Java logging providers into a single interface. This decouples the caller from the provider, and encourages the use of what's universal, familiar and proven.
EELF also logs via SLF4J's abstractions as the default provider.
Logging providers are normally enabled by their presence in the classpath. This means the decision may have been made for you, in some cases implicitly by dependencies. If you have a strong preference then you can change providers, but since the implementation is typically abstracted behind EELF or SLF4J, it may not be worth the effort.
Logback is the most commonly used provider. It is generally configured by an XML document named logback.xml. See Configuration.
Log4j 2.X is somewhat less common than Logback, but equivalent. It is generally configured by an XML document named log4j.xml. See Configuration.
Strongly discouraged from Beijing onwards, since 1.X is EOL, and since it does not support escaping, so its output may not be machine-readable. See https://logging.apache.org/log4j/1.2/.
This affects OpenDaylight-based components like SDNC and APPC, since ODL releases prior to Carbon bundled Log4j 1.X, and make it difficult to replace. The Common Controller SDK Project project targets ODL Carbon, so remaining instances of Log4j 1.X should disappear by the time of the Casablanca release.
The purpose of logging is to capture diagnostic information.
An important aspect of this is analytics, which requires tracing of requests between components. In a large, distributed and scalable system such as ONAP this is critical to understanding behavior and performance.
It isn't the aim of this document to reiterate the basics, so advice here is general:
Others have written extensively on this:
A Mapped Diagnostic Context (MDC) allows an arbitrary string-valued attribute to be attached to a Java thread via a ThreadLocal variable. The MDC's value is then emitted with each message logged by that thread. The set of MDCs associated with a log message is serialized as unordered name-value pairs (see Text Output).
A good discussion of MDCs can be found at https://logback.qos.ch/manual/mdc.html.
MDCs:
Via SLF4J:
import java.util.UUID; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.slf4j.MDC; // ... final Logger logger = LoggerFactory.getLogger(this.getClass()); MDC.put("SomeUUID", UUID.randomUUID().toString()); try { logger.info("This message will have a UUID-valued 'SomeUUID' MDC attached."); // ... } finally { MDC.clear(); } |
EELF doesn't directly support MDCs, but its default provider (where com.att.eelf.configuration.SLF4jWrapper is the configured EELF provider)normally logs via SLF4J, and SLF4J will receive any MDC that is set:
import java.util.UUID; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.slf4j.MDC; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; // ... final EELFLogger logger = EELFManager.getInstance().getLogger(this.getClass()); MDC.put("SomeUUID", UUID.randomUUID().toString()); try { logger.info("This message will have a UUID-valued 'SomeUUID' MDC attached."); // ... } finally { MDC.clear(); } |
Output of MDCs must ensure that:
Escaping in Logback configuration can be achieved with:
%replace(%replace(%mdc){'\t','\\\\t'}){'\n','\\\\n'} |
This is often referred to by other names, including "Transaction ID", and one of several (pre-standardization) REST header names including X-ECOMP-RequestID and X-ONAP-RequestID.
ONAP logging uses a universally unique "RequestID" value in log records to track the processing of each client request across all the ONAP components involved in its processing.
This value:
Receiving the X-TransactionID will vary by component according to APIs and frameworks. In general:
import javax.ws.rs.core.HttpHeaders; // ... final HttpHeaders headers = ...; // ... String txId = headers.getRequestHeaders().getFirst("X-TransactionID"); if (StringUtils.isBlank(txId)) { txId = UUID.randomUUID().toString(); } MDC.put("RequestID", txID); |
Setting the X-TransactionID likewise will vary. For example:
final String txID = MDC.get("RequestID"); HttpURLConnection cx = ...; // ... cx.setRequestProperty("X-TransactionID", txID); |
InvocationID is similar to RequestID, but where RequestID correlates records relating a single, top-level invocation of ONAP as it traverses many systems, InvocationID correlates log entries relating to a single invocation of a single component. Typically this means via REST, but in certain cases an InvocationID may be allocated without a new invocation, e.g. when a request is retried.
RequestID and InvocationID allow an execution graph to be derived. This requires that:
The proposed approach is that:
That seems onerous, but:
This field should contain the name of the client application user agent or user invoking the API.
This is often used for heuristic analysis to identify invocations between ONAP individual ONAP components. Its value has never been clearly stipulated, so a common problem has been a lack of consistency.
There is no clear consensus, but:
Real-life examples include MSO, bpmnclient, BPELClient, (all of which are reported by SO), openECOMP (SDNC), vid (VID!) etc. (See the problem?)
Usage overlaps with InvocationID, which doesn't mean PartnerName gets retired, but which might mean it serves a more descriptive purpose. (Since it hasn't proven to be a great way of generating a call graph).
For EELF Audit log records that capture API requests, this field contains the name of the API invoked at the component creating the record (e.g., Layer3ServiceActivateRequest).
For EELF Audit log records that capture processing as a result of receipt of a message, this field should contain the name of the module that processes the message.
Usage is the same for indexable logs.
Other MDCs are logged in a wide range of contexts.
Certain MDCs and their semantics may be specific to EELF log types.
Note: Log message order column represents log message line order (independent of MDC's)
todo: all green then yellow then red
MDC | Description | Associated with markers | Required Y/N/C (C= context dependent) N = not required | EELF Audit | EELF Metric | EELF Error | EELF Debug |
---|---|---|---|---|---|---|---|
RequestID | See above. UUID only To Confirm TransactionID rename from RequestID before 20180419 - for now still RequestID see | Y-20180412 | |||||
InvocationID | See above. UUID only | Y-20180412 | |||||
InstanceUUID | If known, this field contains a universally unique identifier used to differentiate between multiple instances of the same (named) log writing service/application. Its value is set at instance creation time (and read by it, e.g., at start/initialization time from the environment). This value should be picked up by the component instance from its configuration file and subsequently used to enable differentiation of log records created by multiple, locally load balanced ONAP component or subcomponent instances that are otherwise identically configured. Handles parallel threads or running across a load balanced set of microservices - for identification | Y-20180412 | |||||
ServiceName | See above. The service inside the partner doing the call - includes API name | Y-20180412 | |||||
PartnerName | See above. MDC-PartnerName (the larger component doing the call) for example SDC-BE instead of just SDC for the overall pods possibly rename "subComponent" of calling entity | Y-20180412 | |||||
StatusCode | This field indicates the high level status of the request. It must have the value COMPLETE when the request is successful and ERROR when there is a failure. Discussion: status/response/severity relationship status = global, response below is app specific Ability to render severity-like line in a non-debug log | Y-20180412 | |||||
ResponseCode | This field contains application-specific error codes. For consistency, common error categorizations should be used. | Y-20180412 *Note: 1 | |||||
ResponseDescription | This field contains a human readable description of the ResponseCode. | Y-20180412 *Note: 1 | 11 | ||||
Severity | OPS specific Use/Map existing? https://www.slf4j.org/api/org/apache/commons/logging/Log.html ENUM is INFO/TRACE/DEBUG/WARN/ERROR/FATAL By default - align this severity with the reported log level (optionally a way to map actual level from reported level if required) | Y-20180412 | |||||
ServerFQDN | This field contains the Virtual Machine (VM) Fully Qualified Domain Name (FQDN) if the server is virtualized. Otherwise, it contains the host name of the logging component. (previously covered by removed "Server" field) redundancy between clientIP, server, virtualServer name is OK - and helpfull for runtime OPS/Hybrid envs superceedes virtualServerName Report what is in the http header Discussion: roll all 3 fqdn, hostname or ip into one field - do we ever need two of the 3 fields concurrently? TODO: Verify what is also available from a filebeat agent when it exists | Y-20180412/20180419 | |||||
ClientIPAddress | This field contains the requesting remote client application’s IP address if known. Otherwise this field can be empty. We don't differentiate between inside/outside ONAP for the IP - this supports hybrid environments Derived from the system redundancy between clientIP, server, virtualServer name is OK - and helpfull for runtime OPS/Hybrid envs Discussion: do we need both ip and fqdn fields? Report what is in the http header | Y-20180412 Ask question of OPS to remove this field - 20180419 | |||||
EntryTimestamp (previously BeginTimestamp) | Date-time that processing activities being logged begins. The value should be represented in UTC and formatted per ISO 8601, such as “2015-06-03T13:21:58+00:00”. The time should be shown with the maximum resolution available to the logging component (e.g., milliseconds, microseconds) by including the appropriate number of decimal digits. For example, when millisecond precision is available, the date-time value would be presented as, as “2015-06-03T13:21:58.340+00:00”. Context dependent on whether part of an ENTRY marker | C-20180419 | |||||
InvokeTimestamp (prevously EndTimestamp) | Timestamp on invocation start Context dependent on whether part of an INVOKE marker | C-20180426 | |||||
TargetEntity | It contains the name of the ONAP component or sub-component, or external entity, at which the operation activities captured in this metrics log record is invoked. Example: SDC-BE | C-20180412 | |||||
TargetServiceName | It contains the name of the API or operation activities invoked at the TargetEntity. Example: Class name of rest endpoint Discussion: on building call graph vs human readable single line - keep for human readable Used as valuable URI - to annnote invoke marker Review in terms of Marker-INVOKE - possiblly add INVOKE-return - to filter reporting TBD: Coverage by log file type (debug, trace, ...) TBD: cover off discussion on reducing log files to two (DEBUG/rest) for C* release | C-20180419 | |||||
TargetElement | VNF/PNF context dependent - on CRUD operations of VNF/PNFs | C-20180426 | |||||
fields below are not required | |||||||
ElapsedTime | This field contains the elapsed time to complete processing of an API call or transaction request (e.g., processing of a message that was received). This value should be the difference between. EndTimestamp and BeginTimestamp fields and must be expressed in milliseconds. How: exit record records either the diff or both the entry/exit times field will be empty for entry records otherwise we will need to rely on the elk stack to derive the duration see entry/exit markers - Marker-EXIT How to correlate TX retry to exit logs - either timestamp or invocationID or both | N-20180419 | |||||
ServiceInstanceID | This field is optional and should only be included if the information is readily available to the logging component. Transaction requests that create or operate on a particular instance of a service/resource can
NOTE: AAI won’t have a serviceInstanceUUID for every service instance. For example, no serviceInstanceUUID is available when the request is coming from an application that may import inventory data. | N-20180412 If the component supplies it (The fields specific to certain components should be clearly identified. For example, ServiceInstanceID does not apply to SDC) | |||||
VirtualServerName | Physical/virtual server/K8S-container name. Optional: empty if determined that its value can be added by the agent that collects the log files collecting. Upgrade for kubernetes namespace, host affinity supports hybrid environments redundancy between clientIP, server, virtualServer name is OK - and helpfull for runtime OPS/Hybrid envs | N-20180419 replaced by serverFQDN | |||||
ProcessKey | This field can be used to capture the flow of a transaction through the system by indicating the components and operations involved in processing. If present, it can be denoted by a comma separated list of components and applications. Discussion: should be redundant because of the invocationID | N-20180419 Review 1 more more time on Tue. |
Indexing makes many of the remaining attributes redundant. So for example:
Some of that is contentious, but it's just talking points at this stage. We've tiptoed around the issue of extant conventions, and the ongoing result is a lot of attributes that nobody's really sure how to use, and which don't result in better logs. In Casablanca it's time to be less conservative.
Markers differ from MDCs in two important ways:
(Markers are attached to individual messages. They don't propagate. A code example will help, but note that EELF's implementation can be modified to emit Markers, but its public APIs do not allow them to be passed in by callers.)
Via SLF4J:
import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.slf4j.Marker; import org.slf4j.MarkerFactory; // ... final Logger logger = LoggerFactory.getLogger(this.getClass()); final Marker marker = MarkerFactory.getMarker("MY_MARKER"); logger.warn(marker, "This warning has a 'MY_MARKER' annotation."); |
EELF does not allow Markers to be set directly. See notes on the InvocationID MDC.
Marker names also need to be escaped, though they're much less likely to contain problematic characters than MDC values.
Escaping in Logback configuration can be achieved with:
%replace(%replace(%marker){'\t','\\\\t'}){'\n','\\\\n'} |
This should be reported as early in invocation as possible, immediately after setting the RequestID and InvocationID MDCs.
It can be automatically set by EELF, and written to the AUDIT log.
It must be manually set otherwise. Candidate for framework
EELF:
final EELFLogger logger = EELFManager.getAuditLogger(); logger.auditEvent("Entering."); |
SLF4J:
public static final Marker ENTRY = MarkerFactory.getMarker("ENTRY"); // ... final Logger logger = LoggerFactory.getLogger(this.getClass()); logger.debug(ENTRY, "Entering."); |
This should be reported as late in invocation as possible, immediately before unsetting the RequestID and InvocationID MDCs.
It can be automatically reported by EELF, and written to the METRIC log.
It must be manually set otherwise.
EELF:
final EELFLogger logger = EELFManager.getMetricsLogger(); logger.metricsEvent("Exiting."); |
SLF4J:
public static final Marker EXIT = MarkerFactory.getMarker("EXIT"); // ... final Logger logger = LoggerFactory.getLogger(this.getClass()); logger.debug(EXIT, "Exiting."); |
This should be reported by the caller of another ONAP component via REST, including a newly allocated InvocationID, which will be passed to the caller.
SLF4J:
public static final Marker INVOKE = MarkerFactory.getMarker("INVOKE"); // ... // Generate and report invocation ID. final String invocationID = UUID.randomUUID().toString(); MDC.put(MDC_INVOCATION_ID, invocationID); try { logger.debug(INVOKE_SYNCHRONOUS, "Invoking synchronously ... "); } finally { MDC.remove(MDC_INVOCATION_ID); } // Pass invocationID as HTTP X-InvocationID header. callDownstreamSystem(invocationID, ... ); |
EELF examples of INVOCATION_ID reporting, without changing published APIs.
This should be reported by the caller of another ONAP component via REST on return.
InvokeTimestamp context dependent MDC will be reported here.
SLF4J:
TBD |
This should accompany INVOKE when the invocation is synchronous.
SLF4J:
public static final Marker INVOKE_SYNCHRONOUS; static { INVOKE_SYNCHRONOUS = MarkerFactory.getMarker("INVOKE"); INVOKE_SYNCHRONOUS.add(MarkerFactory.getMarker("SYNCHRONOUS")); } // ... // Generate and report invocation ID. final String invocationID = UUID.randomUUID().toString(); MDC.put(MDC_INVOCATION_ID, invocationID); try { logger.debug(INVOKE_SYNCHRONOUS, "Invoking synchronously ... "); } finally { MDC.remove(MDC_INVOCATION_ID); } // Pass invocationID as HTTP X-InvocationID header. callDownstreamSystem(invocationID, ... ); |
EELF example of SYNCHRONOUS reporting, without changing published APIs.
Errorcodes are reported as MDCs.
TODO: add to table
Exceptions should be accompanied by an errrorcode. Typically this is achieved by incorporating errorcodes into your exception hierarchy and error handling. ONAP components generally do not share this kind of code, though EELF defines a marker interface (meaning it has no methods) EELFResolvableErrorEnum.
A common convention is for errorcodes to have two components:
Suffixes may be numeric or text. They may also be common to more than one component.
For example:
COMPONENT_X.STORAGE_ERROR |
Several considerations:
ONAP needs to strike a balance between human-readable and machine-readable logs. This means:
In logback, this looks like:
<property name="defaultPattern" value="%nopexception%logger |%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX,UTC} |%level |%replace(%replace(%replace(%message){'\t','\\\\t'}){'\n','\\\\n'}){'|','\\\\|'} |%replace(%replace(%replace(%mdc){'\t','\\\\t'}){'\n','\\\\n'}){'|','\\\\|'} |%replace(%replace(%replace(%rootException){'\t','\\\\t'}){'\n','\\\\n'}){'|','\\\\|'} |%replace(%replace(%replace(%marker){'\t','\\\\t'}){'\n','\\\\n'}){'|','\\\\|'} |%thread |%n"/> |
The output of which, with MDCs, a Marker and a nested exception, with newlines added for readability, looks like:
org.onap.example.component1.subcomponent1.LogbackTest |2017-08-06T16:09:03.594Z |ERROR |Here's an error, that's usually bad |key1=value1, key2=value2 with space, key5=value5"with"quotes, key3=value3\nwith\nnewlines, key4=value4\twith\ttabs |java.lang.RuntimeException: Here's Johnny \n\tat org.onap.example.component1.subcomponent1.LogbackTest.main(LogbackTest.java:24) \nWrapped by: java.lang.RuntimeException: Little pigs, little pigs, let me come in \n\tat org.onap.example.component1.subcomponent1.LogbackTest.main(LogbackTest.java:27) |AMarker1 |main |
Default Logstash indexing rules understand output in this format.
For Log4j 1.X output, since escaping is not supported, the best alternative is to emit logs in XML format, we will expand on JSON support
There may be other instances where XML (or JSON) output may be desirable. Default indexing rules support
Default Logstash indexing rules understand the XML output of Log4J's XMLLayout.
Note that we're hoping that support for indexing of XML output can be deprecated during Beijing. This relies on the adoption of ODL Carbon, which should eliminate any remnant of Log4J1.X.
Standardization of output locations makes logs easier to locate and ship for indexing.
Expand on out-of-container locations off /dockerdata-nfs
Logfiles should default to beneath /var/log, and beneath /var/log/ONAP in the case of core ONAP components:
/var/log/ONAP/<component>[/<subcomponent>]/*.log |
For the duration of Beijing, logs will be written to a separate directory, /var/log/ONAP_EELF:
expand on Casablanca differences, and adding as a config setting in OOM
/var/log/ONAP_EELF/<component>[/<subcomponent>]/*.log |
Logging providers should be configured by file. Files should be at a predictable, static location, so that they can be written by deployment automation. Ideally this should be under /etc/ONAP, but compliance is low.
All logger provider configuration document locations namespaced by component and (if applicable) subcomponent by default:
/etc/ONAP/<component>[/<subcomponent>]/<provider>.xml |
Where <provider>.xml, will typically be one of:
Logger providers should reconfigure themselves automatically when their configuration file is rewritten. All major providers should support this.
The default interval is 10s.
The location of the configuration file MAY be overrideable, for example by an environment variable, but this is left for individual components to decide.
Configuration archetypes can be found in the ONAP codebase https://git.onap.org/logging-analytics/tree/. Choose according to your provider, and whether you're logging via EELF. Efforts to standardize them are underway so the ones you should be looking for are where pipe (|) is used as a separator. (Previously it was "|").
Logfiles are often large. Logging providers allow retention policies to be configured.
Retention has to balance:
Defaults are subject to change. Currently they are:
In Logback configuration XML:
<appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>${outputDirectory}/${outputFilename}.log</file> <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> <fileNamePattern>${outputDirectory}/${outputFilename}.%d{yyyy-MM-dd}.%i.log.zip</fileNamePattern> <maxFileSize>50MB</maxFileSize> <maxHistory>30</maxHistory> <totalSizeCap>10GB</totalSizeCap> </rollingPolicy> <encoder> <!-- ... --> </encoder> </appender> |
EELF guidelines stipulate that an application should output log records to four separate files:
This applies only to EELF logging. Components which log directly to a provider may choose to emit the same set of logs, but most do not.
An audit log is required for EELF-enabled components, and provides a summary view of the processing of a (e.g., transaction) request within an application. It captures activity requests that are received by an ONAP component, and includes such information as the time the activity is initiated, then it finishes, and the API that is invoked at the component.
Audit log records are intended to capture the high level view of activity within an ONAP component. Specifically, an API request handled by an ONAP component is reflected in a single Audit log record that captures the time the request was received, the time that processing was completed, as well as other information about the API request (e.g., API name, on whose behalf it was invoked, etc).
A metrics log is required for EELF-enabled components, and provides a more detailed view into the processing of a transaction within an application. It captures the beginning and ending of activities needed to complete it. These can include calls to or interactions with other ONAP or non-ONAP entities.
Suboperations invoked as part of the processing of the API request are logged in the Metrics log. For example, when a call is made to another ONAP component or external (i.e., non-ONAP) entity, a Metrics log record captures that call. In such a case, the Metrics log record indicates (among other things) the time the call is made, when it returns, the entity that is called, and the API invoked on that entity. The Metrics log record contain the same RequestID as the Audit log record so the two can be correlated.
Note that a single request may result in multiple Audit log records at an ONAP component and may result in multiple Metrics log records generated by the component when multiple suboperations are required to satisfy the API request captured in the Audit log record.
An error log is required for EELF-enabled components, and is intended to capture info, warn, error and fatal conditions sensed (“exception handled”) by the software components.
A debug log is optional for EELF-enabled components, and is intended to capture whatever data may be needed to debug and correct abnormal conditions of the application.
Console logging may also be present, and is intended to capture “system/infrastructure” records. That is stdout and stderr assigned to a single “engine.out” file in a directory configurable (e.g. as an environment/shell variable) by operations personnel.
Add this procedure to the Project Proposal Template
By following a few simple rules:
Obligations fall into two categories:
You must:
They are unordered.
(Including what WILL be new in v1.2 / R2).
In addition, we expect to provide (as a Beijing deliverable) a minimal, synthetic component as an example of best-practices, and this will provide all code examples for this guide. (Does that mean the example will log via EELF, or will we end up with two variants?)