{"id":1980,"date":"2011-03-25T13:09:02","date_gmt":"2011-03-25T12:09:02","guid":{"rendered":"http:\/\/www.devco.net\/?p=1980"},"modified":"2011-03-25T15:15:46","modified_gmt":"2011-03-25T14:15:46","slug":"monitoring_framework_event_correlation","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2011\/03\/25\/monitoring_framework_event_correlation.php","title":{"rendered":"Monitoring Framework: Event Correlation"},"content":{"rendered":"

Since my last post I’ve spoken to a lot of people all excited to see something fresh in the monitoring space. I’ve learned a lot – primarily what I learned is that no one tool will please everyone. This is why monitoring systems are so hated – they try to impose their world view, they’re hard to hack on and hard to get data out. This served only to reinforce my believe that rather than build a new monitoring system I should build a framework that can build monitoring systems. <\/p>\n

DevOps shops who can cut code, should be able to build the monitoring they want, not the monitoring their vendor thought they want.<\/em><\/p>\n

Thus my focus has not been on how can I declare relationships between services, or how can I declare an escalation matrix. My focus has been on events and how events relate to each other.<\/p>\n

Identifying an Event<\/strong>
\nEvents can come from many places, in the recent video demo I did<\/a> you saw events from Nagios and events from MCollective. I also have event bridges for my Apache Blackbox<\/a>, SNMP Traps and it would be trivial to support events from GitHub commit hooks, Amazon SNS<\/a> and really any conceivable source.<\/p>\n

Events need to be identified then so that you can send information related to the same event from many sources. Your trap system might raise a trap about a port on a switch but your stats poller might emit regular packet counts – you need to know these 2 are for the same port. <\/p>\n

You can identify events by subject<\/em> and by name<\/em> together they make up the event identity. Subject might be a FQDN of a host and name might be load<\/em> or cpu usage<\/em>. <\/p>\n

This way if you have many ways to input information related to some event you just need to identify them correctly.<\/p>\n

Finally as each event gets stored they get given a unique ID that you can use to pull out information about just a specific instance of an event.<\/p>\n

Types Of Event<\/strong>
\nI have identified a couple of types of event in the first iteration:<\/p>\n

<\/p>\n

\n
Metric – An event like the time it took to complete a Puppet run or the amount of GET requests served by a vhost<\/li>\n
Status – An event associated with an up\/down style state transition, can optional embed a metrics event<\/li>\n
Archive – An event that you just wish to archive along with others for later correlation like a callback from GitHub saying code was comitted and by whom<\/li>\n<\/ul>\n
The event you see on the right is a metric event – it doesn’t represent one specific status and it’s a time series event which in this case got fed into Graphite.<\/p>\n
Status events get tracked automatically – a representation is built for each unique event based on its subject and name. This status representation can progress through states like OK, Warning, Critical etc. Events sent from many different sources gets condensed and summarized into a single status representing how that status looks based on most recent received data – regardless of source of the data. <\/p>\n
Each state transition and each non 0 severity event will raise an Alert and get routed to a – pluggable – notification framework or frameworks.<\/p>\n
Event Associations and Metadata<\/strong><\/p>\n
Events can have a lot of additional data past what the framework needs, this is one of the advantages of NoSQL based storage. A good example of this would be a GitHub commit hook<\/a>. You might want to store this and retain the rich data present in this event.<\/p>\n
My framework lets you store all this additional data in the event archive and later on you can pick it up based on event ID and get hold of all this rich data to build reactive alerting or correction based on call backs.<\/p>\n
Thanks to conversations with @unixdaemon<\/a> I’ve now added the ability to tag events with some additional data. If you are emitting many events from many subsystems out of a certain server you might want to embed into the events the version of software currently deployed on your machine. This way you can easily identify and correlate events before and after an upgrade.<\/p>\n
Event Routing<\/strong>
\nSo this is all well and fine, I can haz data, but where am I delivering on the promise to be promiscuous with your data routing it to your own code?<\/p>\n
\n
Metric data can be delivered to many metrics emitters. The Graphite one is about 50 lines of code, you can run many in parallel<\/li>\n
Status data is stored and state transitions result in Alert events. You can run many alert receivers that implement your own desired escalation logic<\/li>\n<\/ul>\n
For each of these you can write routing rules that tell it what data to route to your code. You might only want data in your special metrics consumer where subject =~ \/blackbox\/<\/em>. <\/p>\n
I intent to sprinkle the whole thing with a rich set of callbacks where you can register code that declares an interest in metrics, alerts, status transitions etc in addition to the big consumers. <\/p>\n
You’d use this code to correlate the amount of web requests in a metric with the ones received 7 days ago. You can then decide to raise a new status event that will alert Ops about trend changes proactively. Or maybe you want to implement your own auto-scaler where you’d provision new servers on demand.<\/p>\n
Scaling<\/strong>
\nHow does it scale? Horizontally. My tests have shown that even on a modest (virtual) hardware I am able to process and route in excess of 10 000 events a minute. If that isn’t enough you can scale out horizontally by spreading the metric, status and callback processing over multiple physical systems. Each of the metric, status and callback handlers can also scale horizontally over clusters of servers.<\/p>\n
Bringing It All Together<\/strong>
\nSo to show that this isn’t all just talk, here are 2 graphs.<\/p>\n
<\/center><\/p>\n
This graph shows web requests for a vhost and the times when Puppet ran. <\/p>\n
<\/center><\/p>\n
This graph shows Load Average for the server hosting the site and times when Puppet ran.<\/p>\n
What you’re seeing here is a correlation of events from:<\/p>\n
\n
Metric events from Apache Blackbox<\/li>\n
Status and Metric events for Load Averages from Nagios<\/li>\n
Metric events from Puppet pre and post commands, these are actually metrics of how long each Puppet run was but I am showing it as a vertical line<\/li>\n<\/ul>\n
This is a seemless blend of time series data, status data and randomly occurring events like when Puppet runs, all correlated and presented in a simple manner. <\/p>\n","protected":false},"excerpt":{"rendered":"
Since my last post I’ve spoken to a lot of people all excited to see something fresh in the monitoring space. I’ve learned a lot – primarily what I learned is that no one tool will please everyone. This is why monitoring systems are so hated – they try to impose their world view, they’re […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[7],"tags":[121,85,64,96],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1980"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=1980"}],"version-history":[{"count":17,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1980\/revisions"}],"predecessor-version":[{"id":1997,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1980\/revisions\/1997"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=1980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=1980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=1980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}