Use selective logging with a script action in Azure HDInsight
Azure Monitor Logs is an Azure Monitor service that monitors your cloud and on-premises environments. The monitoring helps maintain their availability and performance.
Azure Monitor Logs collects data generated by resources in your cloud, resources in on-premises environments, and other monitoring tools. It uses the data to provide analysis across multiple sources. To get the analysis, you enable the selective logging feature by using a script action for HDInsight in the Azure portal.
About selective logging
Selective logging is a part of the overall monitoring system in Azure. After you connect your cluster to a Log Analytics workspace and enable selective logging, you can see logs and metrics like HDInsight security logs, Yarn Resource Manager, and system metrics. You can monitor workloads and see how they're affecting cluster stability.
Selective logging allows you to enable or disable all the tables, or enable selected tables, in the Log Analytics workspace. You can adjust the source type for each table.
Note
If Log Analytics is reinstalled in a cluster, you'll have to disable all the tables and log types again. Reinstallation resets all the configuration files to their original state.
Considerations for script actions
- The monitoring system uses the Metadata Server Daemon (a monitoring agent) and Fluentd for collecting logs by using a unified logging layer.
- Selective logging uses a script action to disable or enable tables and their log types. Because selective logging doesn't open any new ports or change any existing security settings, there are no security changes.
- The script action runs in parallel on all specified nodes and changes the configuration files for disabling or enabling tables and their log types.
Prerequisites
- A Log Analytics workspace. You can think of this workspace as a unique Azure Monitor Logs environment with its own data repository, data sources, and solutions. For instructions, see Create a Log Analytics workspace.
- An Azure HDInsight cluster. Currently, you can use the selective logging feature with the following HDInsight cluster types:
- Hadoop
- HBase
- Interactive Query
- Spark
For instructions on how to create an HDInsight cluster, see Get started with Azure HDInsight.
Enable or disable logs by using a script action for multiple tables and log types
Go to Script actions in your cluster and select Submit new to start the process of creating a script action.
The Submit script action pane appears.
For the script type, select Custom.
Name the script. For example: Disable two tables and two sources.
The Bash script URI must be a link to selectiveLoggingScript.sh.
Select all the node types that apply for the cluster. The options are head node, worker node, and ZooKeeper node.
Define the parameters. For example:
- Spark:
spark HDInsightSparkLogs:SparkExecutorLog --disable - Interactive Query:
interactivehive HDInsightSparkLogs:SparkExecutorLog --enable - Hadoop:
hadoop HDInsightSparkLogs:SparkExecutorLog --disable - HBase:
hbase HDInsightSparkLogs: HDInsightHBaseLogs --enable
For more information, see the Parameter syntax section.
- Spark:
Select Create.
After a few minutes, a green check mark appears next to your script action history. It means the script has successfully run.
You'll see your changes in the Log Analytics workspace.
Troubleshooting
No changes appear in the Log Analytics workspace
If you submit your script action but there are no changes in the Log Analytics workspace:
Under Dashboards, select Ambari home to check the debug information.
Select the Settings button.
Select your latest script run at the top of the list of background operations.
Verify the script run status in all the nodes individually.
Check that the parameter syntax from the parameter syntax section is correct.
Check that the Log Analytics workspace is connected to the cluster and that Log Analytics monitoring is turned on.
Check that you selected the Persist this script action to rerun when new nodes are added to the cluster checkbox for the script action that you ran.
See if a new node has been added to the cluster recently.
Note
For the script to run in the latest cluster, the script must persist.
Make sure that you selected all the node types that you wanted for the script action.
The script action failed
If the script action shows a failure status in the script action history:
- Check that the parameter syntax from the parameter syntax section is correct.
- Check that the script link is correct. It should be:
https://hdiconfigactions.blob.core.windows.net/log-analytics-patch/selectiveLoggingScripts/selectiveLoggingScript.sh.
Table names
Spark cluster
The following table names are for different log types (sources) inside Spark tables.
| Source number | Table name | Log types | Description |
|---|---|---|---|
| 1. | HDInsightAmbariCluster Alerts | No log types | This table contains Ambari cluster alerts from each node in the cluster (except for edge nodes). Each alert is a record in this table. |
| 2. | HDInsightAmbariSystem Metrics | No log types | This table contains system metrics collected from Ambari. The metrics now come from each node in the cluster (except for edge nodes) instead of just the two head nodes. Each metric is now a column, and each metric is reported once per record. |
| 3. | HDInsightHadoopAnd YarnLogs | Head node: MRJobSummary, Resource Manager, TimelineServer Worker node: NodeManager | This table contains all logs generated from the Hadoop and YARN frameworks. |
| 4. | HDInsightSecurityLogs | AmbariAuditLog, AuthLog | This table contains records from the Ambari audit and authentication logs. |
| 5. | HDInsightSparkLogs | Head node: JupyterLog, LivyLog, SparkThriftDriverLog Worker node: SparkExecutorLog, SparkDriverLog | This table contains all logs related to Spark and its related components: Livy and Jupyter. |
| 6. | HDInsightHadoopAnd YarnMetrics | No log types | This table contains JMX metrics from the Hadoop and YARN frameworks. It contains all the same JMX metrics as the old Custom Logs tables, plus more metrics that we considered important. We added Timeline Server, Node Manager, and Job History Server metrics. It contains one metric per record. |
| 7. | HDInsightOozieLogs | Oozie | This table contains all logs generated from the Oozie framework. |
Interactive Query cluster
The following table names are for different log types (sources) inside Interactive Query tables.
| Source number | Table name | Log types | Description |
|---|---|---|---|
| 1. | HDInsightAmbariClusterAlerts | No log types | This table contains Ambari cluster alerts from each node in the cluster (except for edge nodes). Each alert is a record in this table. |
| 2. | HDInsightAmbariSystem Metrics | No log types | This table contains system metrics collected from Ambari. The metrics now come from each node in the cluster (except for edge nodes) instead of just the two head nodes. Each metric is now a column, and each metric is reported once per record. |
| 3. | HDInsightHadoopAndYarnLogs | Head node: MRJobSummary, Resource Manager, TimelineServer Worker node: NodeManager | This table contains all logs generated from the Hadoop and YARN frameworks. |
| 4. | HDInsightHadoopAndYarnMetrics | No log types | This table contains JMX metrics from the Hadoop and YARN frameworks. It contains all the same JMX metrics as the old Custom Logs tables, plus more metrics that we considered important. We added Timeline Server, Node Manager, and Job History Server metrics. It contains one metric per record. |
| 5. | HDInsightHiveAndLLAPLogs | Head node: InteractiveHiveHSILog, InteractiveHiveMetastoreLog, ZeppelinLog | This table contains logs generated from Hive, LLAP, and their related components: WebHCat and Zeppelin. |
| 6. | HDInsightHiveAndLLAPmetrics | No log types | This table contains JMX metrics from the Hive and LLAP frameworks. It contains all the same JMX metrics as the old Custom Logs tables. It contains one metric per record. |
| 7. | HDInsightHiveTezAppStats | No log types | |
| 8. | HDInsightSecurityLogs | Head node: AmbariAuditLog, AuthLog ZooKeeper node, worker node: AuthLog | This table contains records from the Ambari audit and authentication logs. |
HBase cluster
The following table names are for different log types (sources) inside HBase tables.
| Source number | Table name | Log types | Description |
|---|---|---|---|
| 1. | HDInsightAmbariClusterAlerts | No other log types | This table contains Ambari cluster alerts from each node in the cluster (except for edge nodes). Each alert is a record in this table. |
| 2. | HDInsightAmbariSystem Metrics | No other log types | This table contains system metrics collected from Ambari. The metrics now come from each node in the cluster (except for edge nodes) instead of just the two head nodes. Each metric is now a column, and each metric is reported once per record. |
| 3. | HDInsightHadoopAndYarnLogs | Head node: MRJobSummary, Resource Manager, TimelineServer Worker node: NodeManager | This table contains all logs generated from the Hadoop and YARN frameworks. |
| 4. | HDInsightSecurityLogs | Head node: AmbariAuditLog, AuthLog Worker node: AuthLog ZooKeeper node: AuthLog | This table contains records from the Ambari audit and authentication logs. |
| 5. | HDInsightHBaseLogs | Head node: HDFSGarbageCollectorLog, HDFSNameNodeLog Worker node: PhoenixServerLog, HBaseRegionServerLog, HBaseRestServerLog ZooKeeper node: HBaseMasterLog | This table contains logs from HBase and its related components: Phoenix and HDFS. |
| 6. | HDInsightHBaseMetrics | No log types | This table contains JMX metrics from HBase. It contains all the same JMX metrics from the tables listed in the Old Schema column. In contrast from the old tables, each row contains one metric. |
| 7. | HDInsightHadoopAndYarn Metrics | No log types | This table contains JMX metrics from the Hadoop and YARN frameworks. It contains all the same JMX metrics as the old Custom Logs tables, plus more metrics that we considered important. We added Timeline Server, Node Manager, and Job History Server metrics. It contains one metric per record. |
Hadoop cluster
The following table names are for different log types (sources) inside Hadoop tables.
| Source number | Table name | Log types | Description |
|---|---|---|---|
| 1. | HDInsightAmbariClusterAlerts | No log types | This table contains Ambari cluster alerts from each node in the cluster (except for edge nodes). Each alert is a record in this table. |
| 2. | HDInsightAmbariSystem Metrics | No log types | This table contains system metrics collected from Ambari. The metrics now come from each node in the cluster (except for edge nodes) instead of just the two head nodes. Each metric is now a column, and each metric is reported once per record. |
| 3. | HDInsightHadoopAndYarnLogs | Head node: MRJobSummary, Resource Manager, TimelineServer Worker node: NodeManager | This table contains all logs generated from the Hadoop and YARN frameworks. |
| 4. | HDInsightHadoopAndYarnMetrics | No log types | This table contains JMX metrics from the Hadoop and YARN frameworks. It contains all the same JMX metrics as the old Custom Logs tables, plus more metrics that we considered important. We added Timeline Server, Node Manager, and Job History Server metrics. It contains one metric per record. |
| 5. | HDInsightHiveAndLLAPLogs | Head node: HiveMetastoreLog, HiveServer2Log, WebHcatLog | This table contains logs generated from Hive, LLAP, and their related components: WebHCat and Zeppelin. |
| 6. | HDInsight Hive And LLAP Metrics | No log types | This table contains JMX metrics from the Hive and LLAP frameworks. It contains all the same JMX metrics as the old Custom Logs tables. It contains one metric per record. |
| 7. | HDInsight Security Logs | Head node: AmbariAuditLog, AuthLog ZooKeeper node: AuthLog | This table contains records from the Ambari audit and authentication logs. |
Parameter syntax
Parameters define the cluster type, table names, source names, and action.
A parameter contains three parts:
- Cluster type
- Tables and log types
- Action (either
--disableor--enable)
Syntax for multiple tables
When you have multiple tables, they're separated with a comma. For example:
spark HDInsightSecurityLogs, HDInsightAmbariSystemMetrics --disable
hbase HDInsightSecurityLogs, HDInsightAmbariSystemMetrics --enable
Syntax for multiple source types or log types
When you have multiple source types or log types, they're separated with a space.
To disable a source, write the table name that contains the log types, followed by a colon and then the real log type name:
TableName : LogTypeName
For example, assume that spark HDInsightSecurityLogs is a table that has two log types: AmbariAuditLog and AuthLog. To disable both the log types, the correct syntax would be:
spark HDInsightSecurityLogs: AmbariAuditLog AuthLog --disable
Syntax for multiple tables and source types
If you need to disable two tables and two source types, use the following syntax:
- Spark:
InteractiveHiveMetastoreLoglog type in theHDInsightHiveAndLLAPLogstable - Hbase:
InteractiveHiveHSILoglog type in theHDInsightHiveAndLLAPLogstable - Hadoop:
HDInsightHiveAndLLAPMetricstable - Hadoop:
HDInsightHiveTezAppStatstable
Separate the tables with a comma. Denote sources by using a colon after the table name in which they reside.
The correct parameter syntax for these cases would be:
interactivehive HDInsightHiveAndLLAPLogs: InteractiveHiveMetastoreLog, HDInsightHiveAndLLAPMetrics, HDInsightHiveTezAppStats, HDInsightHiveAndLLAPLogs: InteractiveHiveHSILog --enable
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for