tag margin */
381 | }
382 | @include background-image(linear-gradient(top, darken($primary-2, 8%) 0%, $primary-2 100%));
383 | border-left: 1px solid $primary-5;
384 | border-right: 1px solid $primary-5;
385 | border-top: 1px solid $primary-5;
386 | border-top-left-radius: 8px;
387 | border-top-right-radius: 8px;
388 | text-decoration: none;
389 | font-weight: bold;
390 | }
391 | }
392 |
393 | a {
394 | color: inherit;
395 | text-decoration: underline;
396 | }
397 |
398 | } /* .article */
399 |
--------------------------------------------------------------------------------
/search.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: search
3 | title: search results
4 | ---
5 |
6 |
--------------------------------------------------------------------------------
/studies/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: landing
3 | title: log studies
4 | ---
5 |
6 | # Logs in the Wild
7 |
8 | it's like cultural anthropology, but for logs.
9 |
10 | ## [mysql](mysql)
11 |
12 | Go deep into mysql's logs. It has many to show you.
13 |
14 | ## [Your Study Here!](https://github.com/logstash/cookbook)
15 |
16 | ## [Your Study Here!](https://github.com/logstash/cookbook)
17 |
18 | ### Log Studies?
19 |
20 | In order to find common terminology, patterns, and anti-patterns, it's useful
21 | to study existing systems and note how, what, and why they log.
22 |
23 | ### Got Suggestions?
24 |
25 | Got an application you'd like studied? You can submit your own study or just
26 | recommend an application for studying! File a pull request or
27 | [ticket](https://github.com/logstash/cookbook/issues) :)
28 |
--------------------------------------------------------------------------------
/studies/mysql/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: article
3 | title: mysql logs - a study
4 | ---
5 |
6 | * Goal: Learn from mistakes and successes in mysql's log systems.
7 | * Audience: Folks interested in learning from live examples!
8 |
9 | # MySQL Log Study
10 |
11 | According to [mysql's docs][mysql-docs], there are about five different kinds of logs:
12 |
13 | [mysql-docs]: [http://dev.mysql.com/doc/refman/5.5/en/server-logs.html]
14 |
15 | * error log
16 | * general query log
17 | * binary log
18 | * relay log
19 | * slow query log
20 |
21 | Depending on storage engines used, you'll have other log files as well (innodb
22 | log file, etc).
23 |
24 | In most mysql deployments, there are 3 possible actors: the mysql server, mysql
25 | clients, and replication parters. The logs tend to cover actions between pairs
26 | of actors, or roughly the purpose of each log:
27 |
28 | * internal mysql server: error log
29 | * replication: binary and relay logs
30 | * clients: general query and slow query logs
31 |
32 | ## Error Log
33 |
34 | Relevant my.cnf settings: `log-error`, `log-warnings`.
35 |
36 | According to mysql's docs, the error log generally contains information about
37 | mysqld's status; generally start and stop messages as well as critical errors.
38 | Unfortunately, mysql also logs warnings to the error log by default.
39 |
40 | What the docs don't say is that pretty much anything not data-related is logged
41 | here. This log file is a complete mess. Most of what I see in the sample below
42 | has nothing to do with errors or warnings.
43 |
44 | 120707 0:37:09 [Note] Plugin 'FEDERATED' is disabled.
45 | 120707 0:37:09 InnoDB: The InnoDB memory heap is disabled
46 | 120707 0:37:09 InnoDB: Mutexes and rw_locks use GCC atomic builtins
47 | 120707 0:37:09 InnoDB: Compressed tables use zlib 1.2.5
48 | 120707 0:37:09 InnoDB: Using Linux native AIO
49 | 120707 0:37:09 InnoDB: Initializing buffer pool, size = 128.0M
50 | 120707 0:37:09 InnoDB: Completed initialization of buffer pool
51 | 120707 0:37:09 InnoDB: highest supported file format is Barracuda.
52 | 120707 0:37:09 InnoDB: Waiting for the background threads to start
53 | 120707 0:37:10 InnoDB: 1.1.8 started; log sequence number 1595675
54 | 120707 0:37:10 [Note] Server hostname (bind-address): '(null)'; port: 3306
55 | 120707 0:37:10 [Note] - '(null)' resolves to '0.0.0.0';
56 | 120707 0:37:10 [Note] - '(null)' resolves to '::';
57 | 120707 0:37:10 [Note] Server socket created on IP: '0.0.0.0'.
58 | 120707 0:37:10 [Note] Event Scheduler: Loaded 0 events
59 | 120707 0:37:10 [Note] /usr/libexec/mysqld: ready for connections.
60 | Version: '5.5.24-log' socket: 'mysql.sock' port: 3306 MySQL Community Server (GPL)
61 |
62 | The format of this log file is a bit confusing and pretty inconsistent. I'm not
63 | sure how "highest supported file format is Barracuda." is an error or a
64 | warning, but it's in the error log anyway. ☹
65 |
66 | ### Mistakes
67 |
68 | This log format is a bit strange. The timestamp seems consistent, even if it is
69 | odd. The message seems to have no consistency, meaning 'grep' and other
70 | pattern/text tools may be your chief weapons against this beast.
71 |
72 | I wouldn't expect to achieve much in the ways of data mining from this log.
73 |
74 | ## General Query Log
75 |
76 | This log appears to contain every request sent to the mysql server. Here's what
77 | shows up when I login and run a few commands:
78 |
79 | % mysql -uroot
80 | > select * from mysql.user;
81 | ...
82 | > hello world;
83 | ... (syntax error ... )
84 |
85 | Contents of general query log:
86 |
87 | 120707 0:40:34 4 Connect root@localhost on
88 | 4 Query select @@version_comment limit 1
89 | 120707 0:40:45 4 Query select * from mysql.user
90 | 120707 0:41:18 5 Query hello world
91 |
92 | Notes:
93 |
94 | * Column-oriented visual format.
95 | * Poor timestamp: No timezone. No subsecond precision.
96 | * ANSI control codes and other oddities are not escaped. Fun and profit here.
97 |
98 | ### Hacks
99 |
100 | Because the general query log literally logs all requests sent to mysqld, you could
101 | mark major events (schema changes, upgrades, etc) by sending bad requests;
102 |
103 | mysql> NOTE: SCHEMA VERSION 12345 DEPLOYED;
104 |
105 | And in the general query log:
106 |
107 | 120707 0:49:47 5 Query NOTE: SCHEMA VERSION 12345 DEPLOYED
108 |
109 | ## Slow Query Log
110 |
111 | The slow query log contains slow queries as well as "possibly slow" queries
112 | (ones made without index hits)
113 |
114 | The default format is the long format:
115 |
116 | ```
117 | /usr/local/Cellar/mysql/5.5.27/bin/mysqld, Version: 5.5.27-log (Source distribution). started with:
118 | Tcp port: 0 Unix socket: (null)
119 | Time Id Command Argument
120 | # Time: 130912 13:14:51
121 | # User@Host: root[root] @ localhost []
122 | # Query_time: 3.003669 Lock_time: 0.000245 Rows_sent: 3 Rows_examined: 3
123 | use mysql;
124 | SET timestamp=1379006091;
125 | select sleep(1) from db limit 3;
126 | # Time: 130912 13:17:36
127 | # User@Host: root[root] @ localhost []
128 | # Query_time: 4.003400 Lock_time: 0.000076 Rows_sent: 4 Rows_examined: 4
129 | SET timestamp=1379006256;
130 | select sleep(1) from db limit 4;
131 | ```
132 |
133 | The short format looks like this:
134 |
135 | ```
136 | /usr/local/Cellar/mysql/5.5.27/bin/mysqld, Version: 5.5.27-log (Source distribution). started with:
137 | Tcp port: 0 Unix socket: (null)
138 | Time Id Command Argument
139 | # Query_time: 4.005010 Lock_time: 0.000129 Rows_sent: 4 Rows_examined: 4
140 | use mysql;
141 | SET timestamp=1379007812;
142 | select sleep(1) from db limit 4;
143 | # Query_time: 2.001827 Lock_time: 0.000066 Rows_sent: 2 Rows_examined: 2
144 | SET timestamp=1379007829;
145 | select sleep(1) from db limit 2;
146 | ```
147 |
148 | ## Binary Log
149 |
150 | ## Relay Log
151 |
152 |
--------------------------------------------------------------------------------