Data Platform/Systems/EventLogging/Administration

This documentation is outdated. See Event Platform documentation.

The following diagram should be a companion of the excellent explanation in https://github.com/wikimedia/eventlogging

The diagram has been created with https://www.draw.io/. If you want the source code, please check https://gist.github.com/elukey/975fab2bcf2ea6398fe1

statsv is running on hafnium.eqiad,wmnet and it is a daemon responsible to aggregate performance data before sending it to Statsd. There are metrics in the Even Logging dashboard like https://grafana.wikimedia.org/d/000000505/eventlogging?viewPanel=11 that are counting on this service to work properly. If you observe datapoint loss in the metric please check the status of the statsv service on hafnium and restart it if needed.

As depicted in the picture we are monitoring:

• Lag between messages landing in Kafka topics and message consumption rate from EventLogging's processes using Burrow. The alarm will be triggered as email sent to analytics-alert@.
• Insertion rate to Mysql master from the Consumer processes using Graphite/Icinga (config file). You will see alerts in the wikimedia-analytics IRC channel.
• [IN PROGRESS] Replication lag between for MySQL slaves (https://phabricator.wikimedia.org/T124306)

Alarms for burrow report numbers like

eventlogging-valid-mixed:2 (1454622892611, 199315032, 17) -> (1454622901672, 199315032, 17)

This is

(timestamp, offset, #of messages behind (lag))

• Burrow evaluates lag in length window of 10 offsets by default. We are committing offsets every second, this frequency would make us evaluate lag every 10 secs which seems too frequent so we have changed the length of lag window window to 100 secs.
• Lag is evaluated aprox every couple minutes. (we are fine tuning this)
• docs about burrow lag - https://github.com/linkedin/Burrow/wiki/Consumer-Lag-Evaluation-Rules

An interesting alert use case is the following one:

Cluster:  eqiad
Group:    eventlogging-00
Status:   ERR
Complete: true
Errors:   1 partitions have problems
Format:   Topic:Partition (timestamp, start-offset, start-lag) -> (timestamp, end-offset, end-lag)

           eventlogging-client-side:11 (1455812030875, 188196575, 0) -> (1455813022220, 188205237, 0)

As you can see the end offset is greater than the start one (meanwhile the lag is zero) and the partition status is ERROR. This is due to the current Burrow's rule 4 in https://github.com/linkedin/Burrow/wiki/Consumer-Lag-Evaluation-Rules, that should be read in this way:

Burrow will alert you when a consumer is so slow that the time elapsed between the last offset committed and now is bigger than the time taken to commit all the offsets belonging the last window.

This can happen when a Kafka broker goes offline and it is a partition leader. EventLogging will need a bit of time to recognize the problem and request new metadata from Kafka, and hence the related consumer status according to Burrow will look like it is stalled or completely blocked even though it is only a temporary stop.

If you happen to change the topic assignment for a consumer group, burrow will continue to think that that group should consume from its previous assigned topics, and report lag if it stops doing so. To reset what topics burrow should monitor for a given consumer group, you should delete the consumer group monitoring from burrow. After deletion, consumer group monitoring will be automatically recreated for new topic partitions that get offset commits.

 curl -X DELETE localhost:8000/v2/kafka/<cluster>/consumer/<consumer_group>

e.g.

 curl -X DELETE localhost:8000/v2/kafka/eqiad/consumer/eventlogging_consumer_mysql_00

See: https://github.com/linkedin/Burrow/wiki/http-request-remove-consumer-group

We will be archiving large tables that do not need immediate data access at " /wmf/data/archive/eventlogging/Table_name" the archival is a plain sqoop dump of table, nothing else. Avro schemas for tables (autogenerated by sqoop upon import) can be found at /wmf/data/archive/eventlogging/avro-schemas.

Hive tables on top of data are generated on archive database;

Of interest: https://sqoop.apache.org/docs/1.4.6/SqoopUserGuide.html#_example_invocations

Try that you can connect via scoop using a command with no side effects, for example list tables:

sudo -u hdfs sqoop list-tables  --password-file '/user/hdfs/mysql-analytics-research-client-pw.txt' --username research --driver org.mariadb.jdbc.Driver --connect jdbc:mysql://analytics-store.eqiad.wmnet/log

If you cannot sudo as hdfs this should work:

sqoop list-tables  --password-file '/user/nuria/mysql-analytics-research-client-pw.txt' --username research --driver org.mariadb.jdbc.Driver --connect jdbc:mysql://dbstore1004.eqiad.wmnet:3313/etwiki

A sample import (to /tmp/PageContentSaveCompleteAvro) to avro file format

time sudo -u hdfs sqoop import  --as-avrodatafile  --password-file '/user/hdfs/mysql-analytics-research-client-pw.txt' --username research --driver org.mariadb.jdbc.Driver --connect jdbc:mysql://analytics-store.eqiad.wmnet/log --table PageContentSaveComplete_5588433 --columns id,uuid,timestamp,webHost,wiki,event_isAPI,event_isMobile,event_revisionId  --target-dir /tmp/PageContentSaveCompleteAvro

Another example (note column names with "." need to be quoted):

time sudo -u hdfs sqoop import --as-avrodatafile --username research --password-file '/user/hdfs/mysql-analytics-research-client-pw.txt' --driver org.mariadb.jdbc.Driver --connect jdbc:mysql://analytics-store.eqiad.wmnet/log --query 'select convert(uuid using utf8) uuid,convert(timestamp using utf8) timestamp, convert(wiki using utf8) wiki, convert(webHost using utf8) webHost, convert(event_action using utf8) event_action,conve rt(`event_action.abort.mechanism` using utf8) `event_action.abort.mechanism`, convert(`event_action.abort.timing` using utf8) `event_action.abort.timing`, convert(`event_action.abort.type` using utf8) `event_action.abort.type`, convert(`event_action.init.mechanism` using utf8) `event_action.init.mechanism`, convert(`event_action.init.timing` using utf8) `event_action.init.timing` , convert(`event_ action.init.type` using utf8) `event_action.init.type`, convert(`event_action.ready.timing` using utf8) `event_action.ready.timing`, convert(`event_action.saveAttempt.timing` using utf8) `event_action. saveAttempt.timing`, convert(`event_action.saveFailure.message` using utf8) `event_action.saveFailure.message`, convert(`event_action.saveFailure.timing` using utf8) `event_action.saveFailure.timing` , convert(`event_action.saveFailure.type` using utf8) `event_action.saveFailure.type` , convert(`event_action.saveIntent.timing` using utf8) `event_action.saveIntent.timing`, convert(`event_action.sa veSuccess.timing` using utf8) `event_action.saveSuccess.timing`, convert(`event_editingSessionId` using utf8) `event_editingSessionId`, convert(event_editor using utf8) event_editor, convert(event_int egration using utf8) event_integration, convert(`event_mediawiki.version` using utf8) `event_mediawiki.version`, convert(`event_page.id` using utf8) `event_page.id`, convert(`event_page.ns` using utf8) `event_page.ns`, convert(`event_page.revid` using utf8) `event_page.revid`, convert(`event_page.title` using utf8) `event_page.title`, convert(event_platform using utf8) event_platform, convert(`event _user.class` using utf8) `event_user.class`, convert(`event_user.editCount` using utf8) `event_user.editCount`, convert(`event_user.id` using utf8) `event_user.id`, convert(event_version using utf8) event_version from Edit_13457736_15423246 where $CONDITIONS ' --target-dir /wmf/data/archive/eventlogging/Edit_13457736_15423246 --split-by uuid

Remapping columns and using a custom query:

time sudo -u hdfs sqoop import  --as-avrodatafile  --password-file '/user/hdfs/mysql-analytics-research-client-pw.txt' --username research --driver org.mariadb.jdbc.Driver --connect jdbc:mysql://analytics-store.eqiad.wmnet/log  --query 'select id,uuid,convert(timestamp using utf8) timestamp,convert(webHost using utf8) webhost,wiki,cast(event_isAPI as Integer) event_isAPI,cast(event_isMobile as Integer) event_isMobile,cast(event_revisionId as Integer) event_revisionId from PageContentSaveComplete_5588433 where $CONDITIONS'   --map-column-java event_isAPI=Integer,event_isMobile=Integer,event_revisionId=Integer  --target-dir /tmp/PageContentSaveCompleteAvro --split-by id

An example of how to set up a table on top of avro files can be found here: https://github.com/wikimedia/analytics-refinery/blob/master/hive/mediawiki/history/create_mediawiki_page_table.hql

I (Nuria) could not get the direct mapping on hive to work, rather I had to use a syntax that included the schema to create the table: https://gist.github.com/nuria/acd67dc1d237c59a2dda9799e82da4c3#file-create-avro-table-with-schema-hql

See also: https://phabricator.wikimedia.org/diffusion/AWCM/browse/master/WDCM_Sqoop_Clients.R

• Check grafana for problems with raw vs. validated events, or other apparent problems

• Check errors on logstash: https://logstash.wikimedia.org

• Check storage for any gaps if you think there might be an issue: A few different scripts exist, Milimetric's gist for example.

• Decide on whether we need to deploy on that week, avoid Friday deployments

• Remember to log all actions to SAL log (!log <something> on ops channel)

• Report outages as part of wikimedia's incident reports so there is a reference

• Follow up on any alarms that might be raised

Check:

sudo eventloggingctl status

Run:

 sudo eventloggingctl restart

Stop completely:

 sudo eventloggingctl stop

The config applied to create logs and such is at:

/etc/eventlogging.d/*/*

EventLogging processes are managed by systemd. Each config file in /etc/eventlogging.d/*/* corresponds to a single eventlogging process. Let's call the pieces of this hierarchy /etc/eventlogging.d/$service/$name.

To stop one of them, you can do something like:

systemctl stop eventlogging-$service@$name

For example:

elukey@eventlog1002:~$ sudo systemctl status eventlogging-consumer@mysql-m4-master-00.service
● eventlogging-consumer@mysql-m4-master-00.service - Eventlogging Consumer mysql-m4-master-00
   Loaded: loaded (/lib/systemd/system/eventlogging-consumer@mysql-m4-master-00.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-03-08 13:32:20 UTC; 5 days ago
 Main PID: 7882 (python)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/system-eventlogging\x2dconsumer.slice/eventlogging-consumer@mysql-m4-master-00.service
           └─7882 python /srv/deployment/eventlogging/analytics/bin/eventlogging-consumer @/etc/eventlogging.d/consumers/mysql-m4-master-00
           
elukey@eventlog1002:~$ sudo systemctl restart eventlogging-consumer@mysql-m4-master-00.service

You can stop, start, and restart any individual EventLogging process using variations of this command.

Analytics/EventLogging/Backfilling

Raw logs are at:

/srv/log/eventlogging

Process logs are at:

/srv/log/eventlogging/systemd

While errors appear on logs is almost easier to check those by consuming from kafka error topic:

> kafkacat -C  -b kafka-jumbo1001.eqiad.wmnet -t eventlogging_EventError

Using the above with some sed/sort/unique you can easily grasp schema in error distribution (change the -o 10000 to the last number of kafka messages you want to analyze):

> kafkacat -C  -b kafka-jumbo1001.eqiad.wmnet -t eventlogging_EventError -o -10000 -e | sed -n 's/^.*"schema": "\([^"]*\)"}.*$/\1/p' | sort | uniq -c

• Incoming events counts are logged to graphite, both the count of validating and non validating events per schema are available

using those users can get a sense of change, graphite is populated real-time and if all of a sudden events for an schema do not validate it is clearly visible.

• EvenLogging slave database (for users with access to 'research' user) is also populated real-time.

Lastly, Event Logging events coming on real time are written to files that are sync-ed to stat1007 and stat1006 once a day, these files can be found here:

~@stat1006:/srv/log/eventlogging/archive$

If you detect an issue or suspicious change , please notify analytics@ and escalate with analytics devs.

"error: insufficient permission for adding an object to repository database .git/objects"

List > groups to see if you are on wikidev group, if so likely some files on .git directory are not writable by "wikidev" group. Make them so.

EventLogging is deployed using scap3. The scap deployment configuration for various EventLogging deployments can be found in specific scap repos in gerrit: eventlogging/scap/<deployment-name>. The EventLogging Analytics deployment scap configs are at at eventlogging/scap/analytics. Deployment on deployment.eqiad.wmnet using

# ssh to production deploy server
ssh deployment.eqiad.wmnet

# cd to the EventLogging Analytics instance deploy source
cd /srv/deployment/eventlogging/analytics

# Checkout the revision you want to deploy
git pull

# Update the submodules
git submodule update --init 

# Run scap3 deployment
deploy

ssh eventlog1002.eqiad.wmnet (or wherever eventlogging is deployed.)

Go to /srv/deployment/eventlogging/analytics

See that checkout is there from what you just pulled in from tin (via git log).

Restart EL on target host (eventlog1002.eqiad.wmnet)

eventloggingctl stop
eventloggingctl start

Check various logs in /srv/log/eventlogging/systemd/eventlogging_* to see that things are running as they should.

Check that /srv/log/eventlogging/all-events.log has data flowing in.

Hop in the Ops IRC channel and !log that you upgraded & restarted EventLogging and add the commit hash that you deployed.

!log Redeployed eventlogging with revert to batch/queue size change - https://gerrit.wikimedia.org/r/#/c/258384/

Now please deploy latest code to Beta Cluster to keep things in sync: EventLogging/Testing/BetaLabs#How_to_deploy_code

Push a change to Puppet like this:

https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/516644/

If replication is lagging we should open a ticket with the info we have and tag it with phabricator DBA task so DBA gets ping-ed. An example of a prior problem: [1]

Have in mind that while monitoring for database is here: [2], lag reported does not apply as replication on EL doesn't go through regular channels.

Ad hoc replication script is here:

https://github.com/wikimedia/operations-software/blob/master/dbtools/eventlogging_sync.sh

Sometimes while investigating an outage it is handy to raise log's verbosity to DEBUG to have more information about what it is happening. There are three main kind of logs:

• Eventlogging ones (i.e. the ones logged from EL itself)
• Kafka Python ones (library used to consume events from Kafka)
• Confluent Kafka Python ones (library used to produce events to Kafka via librdkafka)

For the first two it is sufficient to do the following (requires root permissions):

• Identify the Eventlogging daemon that you want to debug (processor 01 for example) and get its systemd unit path via systemctl cat eventlogging-processor@client-side-01.service (it will be the first line reported by the command).
• Open the file with an editor and add a line with Environment=LOG_LEVEL=DEBUG
• Restart the daemon via systemctl restart eventlogging-processor@client-side-01.service

For Confluent Kafka Python you'll need to add a specific parameter to the Eventlogging configuration files, since the library needs to configure librdkafka accordingly (where all the useful logs will come from). The procedure is the following:

• Identify the Eventlogging daemon that you want to debug (processor 01 for example)
• Open its configuration file with an editor (in this case /etc/eventlogging.d/processors/client-side-01)
• Identify lines starting with kafka-confluent:/// and append to the end of the line debug=something (with something picked from librdkafka's configuration guidelines - currently suggested ones are: detailed Producer debugging: broker,topic,msg. Consumer: consumer,cgrp,topic,fetch)
• Restart the daemon via systemctl restart eventlogging-processor@client-side-01.service