The Internet of Things (or, IoT) is an umbrella term for multiple connected devices sharing real-time data, and IoT logging is an important part of this….
You probably have heard of logging agents, such as Logstash or Fluent Bit, if you’ve been investigating log analysis, monitoring, and observability. If so, and you’re wondering what logging agents are and why you might need them, you’ve come to the right place.
This article will look at what logging agents are for, their advantages, and what you can use instead of a logging agent.
In computing, logging is writing details of an activity or process to a file. Each log statement is a timestamped entry that records several details about what the system, service, or application was doing at a particular point in time.
Collectively, these logs can provide insights into the current health of your system, enable root-cause investigation of errors and failures, and provide an audit log of the data accessed, the users that have logged in, and the requests made.
By aggregating log data from multiple sources, you can identify standard behavior patterns and use this information to identify any deviations from the norm which may indicate a problem, such as an error or security breach.
While it’s theoretically possible to collect logs manually for analysis, this can only work on a tiny scale. Each user action, application request, database call, or network packet sent or received, not to mention every system error or warning, can generate a log entry.
With software hosted in multiple locations, be that physical hardware running on-premises, virtual machines running in the cloud, or a hybrid mixture of the two, the workforce involved in connecting to each server manually and collecting logs from each source makes manual log collection impractical if not impossible.
The situation only becomes more complex once you start using containers or functions-as-a-service, where the temporary nature of the infrastructure can result in logs being lost if they’re not immediately shipped to another location for storage.
This is where logging agents come in. A logging agent is software that reads logs from one location and sends them to another. As part of this process, logging agents often enrich the log messages with additional metadata and parse them into a structured format.
Logging agents make it possible to aggregate logs from different sources in a central location, from where you can analyze the data, identify trends and anomalies, and troubleshoot errors.
Popular logging agents include Fluent Bit, Logstash, and Fluentd. While the exact design varies, the general premise is that an instance of the relevant agent is installed on each server, virtual machine, or container on which applications or services are running and generating logs.
The agent is configured to collect logs from one or more sources, such as stdout, stderr, or a specified file path. The agent parses and enriches the log entries and then forwards them to a central location.
Although logging agents are not an essential part of a centralized logging solution (there are alternative approaches, as discussed below), they are often used because of the added benefits they can provide.
Using a logging agent means using the same software to collate logs from multiple sources. You only require a single instance per server or container, and you can use the same agent on different machines, regardless of the platform.
You have fewer moving parts to become familiar with and manage as an IT team. Furthermore, if you’re retrofitting log aggregation to an existing system, using a logging agent means you don’t need to modify or redeploy the existing application or service logic.
Before sending the logs to a central location for storage and analysis, logging agents parse log messages into a standard format. In some cases, logging agents can also enrich the data with additional details (for example, by adding the geolocation for IP addresses) and mask sensitive data (such as personally identifiable information) to avoid it being transmitted and stored in breach of privacy regulations.
Being a separate service, logging agents do not require any modification or redeployment of the software generating the logs before they can start forwarding them to a central location. Likewise, when it’s time to upgrade a logging agent, the update process does not affect the source systems or applications.
A logging agent’s task is to ensure logs ship to the specified destination. If a log file transmission fails, such as network issues or the destination server being down – the logging agent will handle retries automatically. Logging agents are also designed to compress logs to minimize the bandwidth used when shipping logs. All of this is handled without impacting the source application or service, which continues operating as expected.
While logging agents are justifiably popular, alternative options can be used to send logs to a central location for analysis.
Logging frameworks (or libraries) exist for many programming languages and provide APIs for creating, formatting, and consistently sending logs. These form part of your application or service code.
While this tight coupling means you have to re-deploy the code whenever you make changes, it also means that wherever you run your software, the logs are generated and sent to a given destination without installing a dedicated agent.
A disadvantage of relying purely on a logging library to ship logs to a central server is that if the application crashes, the error logs you need to investigate the issue will not be sent as the software is no longer running.
Another alternative is to use a cron job or similar to forward logs from the local output to a central location. While this can work on a small scale, the scripts have to handle more details as the applications and services evolve. At the same time, issues with file sizes, network bandwidth, and the destination server create demand for greater resilience and scalability.
As the logic becomes more complex, more bugs emerge, requiring more developer time to fix them, raising the question of whether an off-the-shelf product can perform the task more efficiently.