Support bypassing Monasca Log API for control plane logs

This change allows a user to forward control plane logs directly to Elasticsearch from Fluentd, rather than via the Monasca Log API when Monasca is enabled. The Monasca Log API can continue to handle tenant logs. For many use cases this is simpler, reduces resource consumption and helps to decouple control plane logging services from tenant logging services. It may not always be desired, so is optional and off by default. Change-Id: I195e8e4b73ca8f573737355908eb30a3ef13b0d6
2021-02-09 09:00:31 +00:00 · 2021-02-09 09:00:31 +00:00 · ca1a80ab2f
commit ca1a80ab2f
parent 444097848c
7 changed files with 45 additions and 8 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -709,6 +709,11 @@ enable_destroy_images: "no"
 ####################
 monasca_enable_alerting_pipeline: True

+# Send logs from the control plane to the Monasca API. Monasca will then persist
+# them in Elasticsearch. If this is disabled, control plane logs will be sent
+# directly to Elasticsearch.
+monasca_ingest_control_plane_logs: True
+
 monasca_api_admin_base_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn  | put_address_in_context('url') }}:{{ monasca_api_port }}"
 monasca_api_internal_base_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn  | put_address_in_context('url') }}:{{ monasca_api_port }}"
 monasca_api_public_base_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn  | put_address_in_context('url') }}:{{ monasca_api_port }}"
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
@ -106,7 +106,7 @@
    log_direct_to_elasticsearch: >-
      {{ ( enable_elasticsearch | bool or
           ( elasticsearch_address != kolla_internal_vip_address )) and
-         not enable_monasca | bool }}
+           ( not enable_monasca | bool or not monasca_ingest_control_plane_logs | bool ) }}
    fluentd_version: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_version | default('0.12') }}"
    # Inputs
    fluentd_input_files: "{{ default_input_files | customise_fluentd(customised_input_files) }}"
@ -143,7 +143,7 @@
      - name: "conf/output/01-es.conf.j2"
        enabled: "{{ log_direct_to_elasticsearch }}"
      - name: "conf/output/02-monasca.conf.j2"
-        enabled: "{{ enable_monasca | bool }}"
+        enabled: "{{ enable_monasca | bool and monasca_ingest_control_plane_logs | bool }}"
    customised_output_files: "{{ find_custom_fluentd_outputs.files | map(attribute='path') | list }}"
  template:
    src: "td-agent.conf.j2"
--- a/ansible/roles/common/templates/conf/filter/00-record_transformer.conf.j2
+++ b/ansible/roles/common/templates/conf/filter/00-record_transformer.conf.j2
@ -71,7 +71,7 @@
    </record>
 </filter>

-{% if enable_monasca | bool %}
+{% if enable_monasca | bool and monasca_ingest_control_plane_logs | bool %}
 # Kolla configures Fluentd to extract timestamps from OpenStack service
 # logs, however these timestamps are not saved in the event and are not
 # forwarded to Monasca. Here we save the timestamp which has been
--- a/ansible/roles/common/templates/conf/output/00-local.conf.j2
+++ b/ansible/roles/common/templates/conf/output/00-local.conf.j2
@ -36,7 +36,7 @@
       buffer_type file
       buffer_path /var/lib/fluentd/data/elasticsearch.buffer/{{ syslog_swift_facility }}.*
  </store>
-{% elif enable_monasca | bool %}
+{% elif enable_monasca | bool and monasca_ingest_control_plane_logs | bool %}
  <store>
     @type monasca
     keystone_url {{ keystone_internal_url }}
@ -98,7 +98,7 @@
       buffer_type file
       buffer_path /var/lib/fluentd/data/elasticsearch.buffer/{{ syslog_haproxy_facility }}.*
  </store>
-{% elif enable_monasca | bool %}
+{% elif enable_monasca | bool and monasca_ingest_control_plane_logs | bool %}
  <store>
     @type monasca
     keystone_url {{ keystone_internal_url }}
@ -158,7 +158,7 @@
       buffer_type file
       buffer_path /var/lib/fluentd/data/elasticsearch.buffer/{{ syslog_glance_tls_proxy_facility }}.*
  </store>
-{% elif enable_monasca | bool %}
+{% elif enable_monasca | bool and monasca_ingest_control_plane_logs | bool %}
  <store>
     @type monasca
     keystone_url {{ keystone_internal_url }}
@ -219,7 +219,7 @@
       buffer_type file
       buffer_path /var/lib/fluentd/data/elasticsearch.buffer/{{ syslog_neutron_tls_proxy_facility }}.*
  </store>
-{% elif enable_monasca | bool %}
+{% elif enable_monasca | bool and monasca_ingest_control_plane_logs | bool %}
  <store>
     @type monasca
     keystone_url {{ keystone_internal_url }}
--- a/ansible/roles/elasticsearch/defaults/main.yml
+++ b/ansible/roles/elasticsearch/defaults/main.yml
@ -59,7 +59,7 @@ elasticsearch_curator_dry_run: false

 # Index prefix pattern. Any indices matching this regex will
 # be managed by Curator.
-elasticsearch_curator_index_pattern: "^{{ 'monasca' if enable_monasca|bool else kibana_log_prefix }}-.*"
+elasticsearch_curator_index_pattern: "^{{ '(monasca|' + kibana_log_prefix + ')' if enable_monasca|bool else kibana_log_prefix }}-.*"

 # Duration after which an index is staged for deletion. This is
 # implemented by closing the index. Whilst in this state the index
--- a/doc/source/reference/logging-and-monitoring/monasca-guide.rst
+++ b/doc/source/reference/logging-and-monitoring/monasca-guide.rst
@ -49,6 +49,33 @@ resource usage you can set ``/etc/kolla/globals.yml``:

   monasca_enable_alerting_pipeline: "no"

+You can optionally bypass Monasca for control plane logs, and instead have
+them sent directly to Elasticsearch. This should be avoided if you have
+deployed Monasca as a standalone service for the purpose of storing
+logs in a protected silo for security purposes. However, if this is not
+a relevant consideration, for example you have deployed Monasca alongside the
+existing Openstack control plane, then you may free up some resources by
+setting:
+
+.. code-block:: yaml
+
+   monasca_ingest_control_plane_logs: "no"
+
+You should note that when making this change with the default
+``kibana_log_prefix`` prefix of ``flog-``, you will need to create a new
+index pattern in Kibana accordingly. If you wish to continue to search all
+logs using the same index pattern in Kibana, then you can override
+``kibana_log_prefix`` to ``monasca`` or similar in ``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   kibana_log_prefix: "monasca"
+
+If you have enabled Elasticsearch Curator, it will be configured to rotate
+logs with index patterns matching either ``^flog-.*`` or ``^monasca-.*`` by
+default. If this is undesirable then you can update the
+``elasticsearch_curator_index_pattern`` variable accordingly.
+
 Currently Monasca is only supported using the ``source`` install type Kolla
 images. If you are using the ``binary`` install type you should set the
 following override in ``/etc/kolla/globals.yml``:
--- a/releasenotes/notes/support-bypassing-monasca-for-control-plane-logs-651a47edf440808b.yaml
+++ b/releasenotes/notes/support-bypassing-monasca-for-control-plane-logs-651a47edf440808b.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Optionally support sending control plane logs directly to
+    Elasticsearch when Monasca is enabled.