To ingest AWS Elastic Load Balancer access
logs or AWS Application Load Balancer access
+logs
(useful for visualizing questions such as “Which backend servers are taking the
longest to answer requests?” or “Which calls to our app are returning non-200
HTTP status codes?”) Honeycomb provides a tool called honeyelb/honeyalb.
The source is available on Github and instructions for getting started are provided here.
Note: To ingest Application Load Balancer (ALB) logs, substitute honeyalb
for honeyelb in the instructions here.
Please use the following instructions to install honeyelb. It is available as
part of the Honeycomb AWS Bundle or
as a standalone binary.
wget -q https://honeycomb.io/download/honeyaws/honeyaws_1.301_amd64.deb && \
echo '2be1fc468e1a13f75c8a875d5be7d17b667fdc0139fb4319aa9c9f58549c2e88 honeyaws_1.301_amd64.deb' | sha256sum -c && \
sudo dpkg -i honeyaws_1.301_amd64.debwget -q https://honeycomb.io/download/honeyaws/honeyaws-1.301-1.x86_64.rpm && \
echo '986197990689ac961ccc178571c754b8a30d1f5ed0d320547628ab09cf6cd72a honeyaws-1.301-1.x86_64.rpm' | sha256sum -c && \
sudo rpm -i honeyaws-1.301-1.x86_64.rpmwget -q -O honeyelb https://honeycomb.io/download/honeyaws/honeyelb/1.301 && \
echo '827a26e0cabeaa0cd6c6de0f386669b9d1f66e0aebf4a861c467abcf86b798e2 honeyelb' | sha256sum -c && \
chmod 755 ./honeyelbhoneyelb assumes access to an AWS access key ID and AWS secret access key with
the proper permissions. It will attempt to obtain these via the default profile
in ~/.aws/config, by the proper environment variables, or by an IAM EC2
instance profile. See the AWS guide on providing
credentials
for more details.
See the provided IAM policy
JSON in the
honeyelb repository for one example of a policy which has the proper
permissions. This can be scoped down to more specific resources if desired.
honeyelb can be used interactively (meant for beginning exploration,
debugging credential management, etc.) or as a daemon. Try running some
commands interactively at first to get a feel for using the tool and then
configure it to run as a proper system service when you’re ready to be
ingesting continuously.
To show all ELBs, you can invoke honeyelb ls:
$ honeyelb ls
frontend
internal-service
service-proxy
To ingest access logs from an ELB, use honeyelb ingest with one or more ELB
names. The --writekey flag must be set to your API key (we have included yours in the examples below).
By default the events will be sent to a dataset called aws-elb-access.
Note: If access logs are not configured for the ELB it will throw an error. Please see enable access logs for your Classic Load Balancers to enable this feature.
e.g. Ingesting logs from one ELB named frontend:
$ honeyelb --writekey=YOUR_API_KEY \
ingest frontend
...
You are currently logged in to the
team,
so we have populated the write key here to the first write key for that team.
Ingesting logs from multiple specific load balancers (named frontend,
internal-service, and service-proxy):
$ honeyelb --writekey=YOUR_API_KEY \
ingest frontend internal-service service-proxy
...
honeyelb ingest without any arguments will use all available (“described”)
load balancers in your configured AWS region. With arguments, it will ingest
logs for the specified load balancer names.
$ honeyelb --writekey=YOUR_API_KEY \
ingest
...ingesting logs from all LBs in DescribeLoadBalancers...
The agent will drop state files (to avoid sending duplicate events) in the
current working directory where it is invoked by default. To modify where these
files are kept, use the --statedir flag.
Sampling is a great way to send fewer events (thereby keeping more history and
reducing costs) while still preserving most relevant information. To set a
sample rate while using one of the Honeycomb AWS tools, use the --samplerate
flag. While the tools run, this base rate will be automatically adjusted by the
Honeycomb AWS tools using dynamic sampling to keep more interesting traffic at a
higher rate.
For instance, setting the sample flag to 20 will send 1 out of every 20 requests
processed to Honeycomb by default. Fields such as elb_status_code are used to
lower this ratio for rarer, but relevant, events such as HTTP 500-level errors.
$ honeyelb --samplerate 20 ... ingest ...
honeyelb, while supporting a interactive workflow for initial discovery and
experimentation, is meant to be invoked as a long-running process by a system
service manager.
To do this, edit the system init files (Upstart and systemd are supported) installed by the package manager to add the API key.
Once you receive data from honeyelb you will want to explore it. The
descriptions of the sent fields is available in the AWS documentation for ELB
access
logs.
There is one small difference: the client:port and backend:port keys from
that guide are represented as client_authority and backend_authority in the
Honeycomb events. The listed fields for ALB are
here.
Here are some suggestions for things to try:
BREAK DOWN by backend_authority and MAX(backend_processing_time) to see
which server(s) answered your slowest requestsBREAK DOWN by request_path and P99(backend_processing_time) to see which
endpoints (URL paths) take the longestBREAK DOWN by elb and status_code and P99(backend_processing_time) to
see which ELBs returned the most HTTP status code 200, 404, 500 etc. responsesBREAK DOWN by backend_authority and MIN() to see when backends have
timed out (timeouts are represented by -1 response time in the ELB access
logs)FILTER by trace_id contains <your-parent-trace-id>