Feature Setup
The ESF Log Analytics feature is available but not enabled by default in ESF 6.2.0.
For ESF powered gateways, the feature can be enabled in two ways:
- using a Playbook provided by Eurotech - preferred
- updating the gateway configuration to enable and configure the services.
For ESF on Docker, please follow the Docker Configuration Setup guide.
The feature is available only in systemd Linux environments.
Even if systemd enabled, the Raspberry Pi is still running a sysV ESF: for this reason the Log Analytics feature is not available is this platform.
Playbook Setup
The Log Analytics enabler playbook is an Ansible Playbook that can be applied on all installations with ESF 6 to add support for Log Analytics and to enable the feature.
On gateways with ESF 6.2.0, that already provide the Log Analytics bundles, the playbook will just make the configuration changes to enable the feature and redirect the ESF logs to the system journal.
On gateways with ESF 6.0.0, 6.1.0, 6.1.1 and 6.1.2, the playbook will adapt the framework installing the needed Log Analytics bundles and configuring it. In case of a system in production mode, it will also update the default security policy to allow the execution of these new bundles that are signed with a different key.
The playbook is capable to manage installations with the watchdog enabled.
The playbook can be executed locally but also deployed from cloud.
To launch the playbook, the following command needs to be executed from the playbook folder:
ETH_JOB_ID=1234 ansible-playbook site.yml
Where ETH_JOB_ID is an identifier of the execution that needs to be provided to the playbook.
Configuration Setup
In order to manually enable the Log Analytics feature in an ESF installation that already has the Log Analytics bundles, the following steps need to be performed.
Depending on your target setup, please refer to the following guides:
Gateway Configuration Setup
This section will provide information on how to setup the Log Analytics feature in ESF 6.2.0. If your systems are running a previous version of ESF, please refer to the Playbook Setup section.
The needed steps are:
- Enable the Log Analytics Feature
- Update the log4j.xml file
Enable the Log Analytics Feature
As stated previously, the ESF Log Analytics feature is available in ESF 6.2.0 distributions but it is not running by default.
To enable it, the following snapshot can be uploaded via the local ESF Web UI or via Cloud deployment:
<?xml version="1.0" encoding="UTF-8"?><esf:configurations xmlns:esf="http://eurotech.com/esf/2.0" xmlns:ocd="http://www.osgi.org/xmlns/metatype/v1.2.0">
<esf:configuration pid="default.log.publisher">
<esf:properties>
<esf:property array="false" encrypted="false" name="app.topic" type="String">
<esf:value>$SYSLOG_FACILITY/$PRIORITY/$SYSLOG_IDENTIFIER</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="message.type" type="String">
<esf:value>data</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="qos" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="appId" type="String">
<esf:value>LOG</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="retain" type="Boolean">
<esf:value>false</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="priority" type="Integer">
<esf:value>7</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>org.eclipse.kura.cloud.publisher.CloudPublisher</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="cloud.endpoint.service.pid" type="String">
<esf:value>org.eclipse.kura.cloud.CloudService</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>default.log.publisher</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>org.eclipse.kura.cloud.publisher.CloudPublisher-1595248184277-7</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogManagerDefault">
<esf:properties>
<esf:property array="false" encrypted="false" name="LogReader.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="CloudPublisher.target" type="String">
<esf:value>(kura.service.pid=default.log.publisher)</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="context.cache.size" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="value.regex" type="String">
<esf:value>([0-3])</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="key.regex" type="String">
<esf:value>PRIORITY</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogManagerDefault</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager-1595248324406-9</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="duplicate.filter.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.average" type="Long">
<esf:value>10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.time.unit" type="String">
<esf:value>MINUTES</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.burst.size" type="Integer">
<esf:value>200</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogManagerAuth">
<esf:properties>
<esf:property array="false" encrypted="false" name="LogReader.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="CloudPublisher.target" type="String">
<esf:value>(kura.service.pid=default.log.publisher)</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="context.cache.size" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="value.regex" type="String">
<esf:value>^4</esf:value>
<esf:value>USER_LOGIN</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="key.regex" type="String">
<esf:value>SYSLOG_FACILITY</esf:value>
<esf:value>_AUDIT_TYPE_NAME</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogManagerAuth</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager-1596034540863-11</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="duplicate.filter.enabled" type="Boolean">
<esf:value>false</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.average" type="Long">
<esf:value>10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.time.unit" type="String">
<esf:value>MINUTES</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.burst.size" type="Integer">
<esf:value>200</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogManagerActivity">
<esf:properties>
<esf:property array="false" encrypted="false" name="LogReader.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="CloudPublisher.target" type="String">
<esf:value>(kura.service.pid=default.log.publisher)</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="context.cache.size" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="value.regex" type="String">
<esf:value>.*</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="key.regex" type="String">
<esf:value>ETH_JOB_ID</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogManagerActivity</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager-1596026234124-10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="duplicate.filter.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.average" type="Long">
<esf:value>10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.time.unit" type="String">
<esf:value>MINUTES</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.burst.size" type="Integer">
<esf:value>200</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogReaderJournald">
<esf:properties>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.journald.JournaldLogReader</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="waitTime" type="Long">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.journald.JournaldLogReader-1595248248583-8</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
</esf:configurations>
Update the log4j.xml file
The ESF logging service should be instructed to log into the Systemd journal instead of the usual kura.log file.
The log4j.xml file is usually located at /opt/eurotech/esf/user/log4j.xml
The content of the file has to be updated as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2020 Eurotech and/or its affiliates
All rights reserved.
-->
<Configuration status="warn" strict="true" name="KuraConfig" monitorInterval="30" packages="de.bwaldvogel.log4j">
<Filter type="ThresholdFilter" level="trace"/>
<Appenders>
<SystemdJournal name="journal" logStacktrace="true" logSource="false" syslogIdentifier="ESF" syslogFacility="20" logLoggerAppName="ESF"/>
</Appenders>
<Loggers>
<Logger name="org.eclipse" level="info" additivity="false">
<AppenderRef ref="journal" />
</Logger>
<Root level="info">
<AppenderRef ref="journal"/>
</Root>
</Loggers>
</Configuration>
Once applied the changes, reboot the system.
After the reboot, ESF will start to log into the system journal.
Docker Configuration Setup
This section will describe how to update an ESF on docker in order to activate the Log Analytics feature.
The Log Analytics feature can only be activated on ESF on Docker version 6.2.0.
It cannot be enabled in previous versions of the Docker distribution
The feature is only available if the docker container can run on a systemd Linux host machine.
The following steps need to be performed:
- Expose the host journal file
- Enable the Log Analytics feature
- (optional) Grant to ESF write capabilities to the host machine journal
Expose the host journal file
In order to be able to read the host journal file, ESF needs access to the location where the journal file is available.
This can be done only in Linux hosts where systemd is enabled.
sudo docker run -d -p 8080:80 --volume="/var/log/journal:/var/log/journal" -t <esf-container>
The previous command will start the ESF docker container, mounting the host /var/log/journal folder into the /var/log/journal location of the container. In this way, the ESF Log Analytics feature will be able to access and process the host machine journal file.
In order to be able to process not only the host machine journal logs but also the logs generated by the ESF instance itself, the previous command can be changes as follows:
sudo docker run -d -p 8080:80 --log-driver=journald --volume="/var/log/journal:/var/log/journal" -t <esf-container>
This will instruct Docker to redirect the ESF container logs into the host machine journal file.
Enable the Log Analytics Feature
As stated previously, the ESF Log Analytics feature is available in ESF 6.2.0 distributions but it is not running by default.
To enable it, the following snapshot can be uploaded via the local ESF Web UI or via Cloud deployment:
<?xml version="1.0" encoding="UTF-8"?><esf:configurations xmlns:esf="http://eurotech.com/esf/2.0" xmlns:ocd="http://www.osgi.org/xmlns/metatype/v1.2.0">
<esf:configuration pid="default.log.publisher">
<esf:properties>
<esf:property array="false" encrypted="false" name="app.topic" type="String">
<esf:value>$SYSLOG_FACILITY/$PRIORITY/$SYSLOG_IDENTIFIER</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="message.type" type="String">
<esf:value>data</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="qos" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="appId" type="String">
<esf:value>LOG</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="retain" type="Boolean">
<esf:value>false</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="priority" type="Integer">
<esf:value>7</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>org.eclipse.kura.cloud.publisher.CloudPublisher</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="cloud.endpoint.service.pid" type="String">
<esf:value>org.eclipse.kura.cloud.CloudService</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>default.log.publisher</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>org.eclipse.kura.cloud.publisher.CloudPublisher-1595248184277-7</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogManagerDefault">
<esf:properties>
<esf:property array="false" encrypted="false" name="LogReader.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="CloudPublisher.target" type="String">
<esf:value>(kura.service.pid=default.log.publisher)</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="context.cache.size" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="value.regex" type="String">
<esf:value>([0-3])</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="key.regex" type="String">
<esf:value>PRIORITY</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogManagerDefault</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager-1595248324406-9</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="duplicate.filter.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.average" type="Long">
<esf:value>10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.time.unit" type="String">
<esf:value>MINUTES</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.burst.size" type="Integer">
<esf:value>200</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogManagerAuth">
<esf:properties>
<esf:property array="false" encrypted="false" name="LogReader.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="CloudPublisher.target" type="String">
<esf:value>(kura.service.pid=default.log.publisher)</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="context.cache.size" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="value.regex" type="String">
<esf:value>^4</esf:value>
<esf:value>USER_LOGIN</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="key.regex" type="String">
<esf:value>SYSLOG_FACILITY</esf:value>
<esf:value>_AUDIT_TYPE_NAME</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogManagerAuth</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager-1596034540863-11</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="duplicate.filter.enabled" type="Boolean">
<esf:value>false</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.average" type="Long">
<esf:value>10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.time.unit" type="String">
<esf:value>MINUTES</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.burst.size" type="Integer">
<esf:value>200</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogManagerActivity">
<esf:properties>
<esf:property array="false" encrypted="false" name="LogReader.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="CloudPublisher.target" type="String">
<esf:value>(kura.service.pid=default.log.publisher)</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="context.cache.size" type="Integer">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="value.regex" type="String">
<esf:value>.*</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager</esf:value>
</esf:property>
<esf:property array="true" encrypted="false" name="key.regex" type="String">
<esf:value>ETH_JOB_ID</esf:value>
<esf:value/>
<esf:value/>
<esf:value/>
<esf:value/>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogManagerActivity</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.manager.LogManager-1596026234124-10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="duplicate.filter.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.enabled" type="Boolean">
<esf:value>true</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.average" type="Long">
<esf:value>10</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.time.unit" type="String">
<esf:value>MINUTES</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="rate.limit.burst.size" type="Integer">
<esf:value>200</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
<esf:configuration pid="LogReaderJournald">
<esf:properties>
<esf:property array="false" encrypted="false" name="service.factoryPid" type="String">
<esf:value>com.eurotech.framework.log.journald.JournaldLogReader</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="waitTime" type="Long">
<esf:value>0</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>LogReaderJournald</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>com.eurotech.framework.log.journald.JournaldLogReader-1595248248583-8</esf:value>
</esf:property>
</esf:properties>
</esf:configuration>
</esf:configurations>
The previous snapshot will enable a default configuration with a journald Log Reader instance, will create few default Log Manager instances all tied to the defined journald Log Reader and, finally, will create a new log publisher that will be used to publish the filtered logs to the specified cloud platform.
Grant to ESF write capabilities to the host machine journal
This optional step allows the ESF container to be able to write directly to the host journal without the Docker mediation.
In order to do so, the ESF docker container needs to be started with the ENV_LOG_JOURNALDoption set to true and mounting the host journald socket location:
sudo docker run -d -p 8080:80 -e ENV_LOG_JOURNALD='true' --log-driver=journald --volume="/var/log/journal:/var/log/journal" --volume="/run/systemd/journal:/run/systemd/journal" -t <esf-container>
In case of multiple ESF instances writing to the same journal of the host machine, the ESF_LOGGER_NAMEproperty can be set in the container starting command, in order to redefine the name in the SYSLOG_IDENTIFIER to ease the log messages identification.
sudo docker run -d -p 8080:80 -e ENV_LOG_JOURNALD='true' -e ESF_LOGGER_NAME="foo" --log-driver=journald --volume="/var/log/journal:/var/log/journal" --volume="/run/systemd/journal:/run/systemd/journal" -t <esf-container>
When applied, the previous command line will start a new container that will be able to write to the journald socket and read from the journal file of the host machine.
In the logs, the container will write with a SYSLOG_IDENTIFIER value set to "foo".
Updated about 4 years ago