Windows system log analysis

Top 10 Log Analysis Tools — Making Data-Driven Decisions

We live in a time where data is recorded and logged for just about everything: web server uptime, JavaScript errors, database queries, CDN traffic, Nginx errors, and so on. You name it, and you can probably log it. In a previous post, we discussed the importance of integrating a log management service into your DevOps workflow. Having centralized logs is great, but you also need to be able to analyze them efficiently. So today we want to cover the top 10 log analysis tools which you can use to better parse your logs, run live tail searches, and query the specific log data you need.

Log analysis tools

As more and more companies move to the cloud, log analytics, log analysis, and log management tools and services are becoming more critical. DevOps engineers, system administrators, site reliability engineers, and web developers can all use logs to make better data-driven decisions.

There are a lot of different log analysis tools out there; below are 10 of the most popular ones. Each of them offers its own search features, live tail queries, and so on. Some of the tools listed are more log management services, but they also offer more efficient ways to analyze your logs than looking at the raw data. These are in no particular order and include both free and paid tools.


1. Loggly

Loggly is a cloud-based log management and analytics service provider founded in 2009. Their main focus is that log management needs to be much simpler and that DevOps, SysOps, and engineers should not have to worry about log management. Some of their customers include EA, Autodesk, SendGrid, Atlassian, Sony Pictures, and Citrix.

Loggly features

Loggly has both free and paid plans. Some of Loggly's analysis features include the ability to see a bird's eye view of your logs with their dynamic field explorer. You can weed out the noise with a few simple clicks. They also boast powerful full-text searches, ranges, and booleans. You can also easily spot trends in your logs by using their rich views and graphs. If you see a spike, you can quickly narrow it down to that point in time in the log.

2. GoAccess

GoAccess is designed to be a fast, terminal-based log analyzer. Its core idea is to quickly analyze and view web server statistics in real time without needing to use your browser. It is open source and available on GitHub with over 2,900 stars and 200+ forks.

GoAccess features

We love GoAccess because it is open source, and because of that, it is completely free to use. This is a tool for those who love using the terminal and SSH and want quick access to their data. You can easily generate reports on the fly as real-time HTML, JSON or CSV. You can view a live demo here.

Other features include the ability to process logs incrementally, picking your log format, real-time stats, and predefined custom log format strings.

3. logz.io

logz.io offers you real-time, actionable insights into your log analytics data with hosted ELK as a service. ELK is a simple but robust log analysis platform that costs a fraction of the price. Some of their customers include Netflix, Facebook, LinkedIn, Cisco, and Microsoft. logz.io is probably one of the biggest competitors to Splunk, which is mentioned further below.

logz.io features

logz.io has both free and paid plans. Troubleshooting production issues is perhaps the most common use-case of log analytics. Their interface, which is powered by Kibana, lets you search through millions of records to investigate and pinpoint potential issues. You can filter results by server, application, or any custom parameter until you reach the source of the problem. If you are looking for a Splunk alternative you might want to give logz.io a try.

4. Graylog

Graylog is an open source log management platform which allows you to search, analyze, and alert across all your log files. Some of their customers include BCBS, eBay, SAP, Cisco, LinkedIn, and Twilio. It is available on GitHub with over 2,000 stars and 300+ forks.

Graylog features

Because it is open source, Graylog is completely free to use. They also have an enterprise version where they charge you per license on a server. Some of its features include a REST API and Graylog’s flexible processing engine which makes it easy to parse and enrich logs from any data source. You can search through terabytes of data instantly and even save search queries to be shared later with your colleagues. Their powerful drill-down analysis and charts make it easy to pinpoint issues in your logs.


5. Splunk

Splunk is a big name in the log and application management space. They have been around since 2003 and are no newcomers when it comes to analyzing and monitoring data. They offer great solutions for larger enterprise customers.

Splunk features

Splunk has both free and paid plans. Their free plan, Splunk Light, allows you to log up to 500 MB of data per day. Their pricing for paid plans depends on the volume of data you are processing. Splunk offers a great way to collect, store, index, search, correlate, visualize, analyze and report on any machine-generated data to identify and resolve operational and security issues in a faster, repeatable, and more affordable way. They offer powerful drill-downs which allow you to easily go back in time using ad-hoc queries. Their dashboard and trend charts also provide a great way to spot and visualize possible trends.

6. Logmatic.io

Logmatic.io is a log analysis tool designed specifically to help improve software and business performance. The founders have more than 10 years of experience in real-time and big data software. Their emphasis is on analyzing your "machine data."

Logmatic features

Logmatic.io has paid plans starting at $49 per month. Some of their features include the ability to create your own custom parsing rules, which allows the software to automatically recognize patterns. This is supported for Apache, Nginx, syslog, JSON events, etc. You have faceted and full-text granular searches down to the log level as well as real-time logs and real-time searches. You can use complex queries with AND, OR, wildcards, etc. They provide you with all sorts of graphs to spot trends, everything from geo maps and flow charts to pivot tables!

7. Logstash

Logstash is a free open source tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use. This tool goes hand in hand with both Elasticsearch and Kibana. Using these together can be a powerful combination for log analysis. All three are available on GitHub.

Logstash features

Because it is open source, Logstash is completely free to use. A paid license is also available for those needing additional features. You can use Elasticsearch, Kibana, and Logstash together. Kibana allows you to more easily explore and visualize the log data you bring in with Logstash, and Elasticsearch gives you the powerful real-time search and analytics capabilities.

8. Sumo Logic

Sumo Logic focuses on machine learning for unified logs and metrics to uncover real-time insights into application needs and new customer opportunities. They were founded in 2010 and their cloud-native service analyzes more than 100 petabytes of data per day.

Sumo Logic features

Sumo Logic has both free and paid plans, the latter starting at $90 per month. They offer a unique feature that they call machine learning. This allows you to analyze petabytes of data and learn from it to uncover patterns more quickly. Their tool uses advanced analytics which helps make sense of large amounts of data using indexing and filtering. Their intuitive dashboard allows you to spot anomalies by setting up custom predefined metric filters.

9. Papertrail

Papertrail is more of a log management service, but they also offer some great features which make analyzing your logs fast! Some of their customers include GitHub, Instacart, Product Hunt, and DNSimple.

Papertrail features

Papertrail has both free and paid plans starting at $7 per month. Some of their features include an intuitive web-based log viewer and powerful command-line tools. They have a REST API and long-term archives with S3. If you are a developer, you will probably like what Papertrail is doing! You can run live tail searches, seek by time, content, elegant searches, save your searches, and even colorize your logs differently. They even have an OS X dashboard widget and integrations with your favorite tools such as Slack and Zendesk.

10. Fluentd

Fluentd is another open source data analysis tool that allows you to unify logs from multiple sources in order to better and more easily analyze them. A few of Fluentd’s most notable users include Microsoft, Amazon AWS, and Atlassian.

Fluentd features

Fluentd allows you to decouple multiple data sources such as your access logs, app logs, system logs, etc. and unify them into one logging layer. You can then filter, buffer, and route those logs to the appropriate systems (e.g. Hadoop, Elasticsearch, AWS, etc.). Fluentd users also have 300+ plugins at their disposal to connect to a multitude of data sources. It can do all this while keeping a small memory footprint of only 30-40 MB.

Summary

There are plenty of log analysis tools to help you better understand your log data and parse it in a more efficient manner. This can help streamline your DevOps workflow and save you time the next time a problem pops up. The last thing you want to do is spend hours digging through unorganized log data trying to find what you need.

Did we miss any really important log analysis tools? If so, feel free to comment below. We especially love new open source tools!

Log files

Applies to

This is a 400 level topic (advanced).
See Resolve Windows 10 upgrade errors for a full list of topics in this article.


Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is setupact.log. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.

Also see the Windows Error Reporting section in this document for help locating error codes and log files.

The following table describes some log files and how to use them for troubleshooting purposes:

Each row lists the log file, the phase and location, a description, and when to use it.

Log file: setupact.log
  Phase: Location: Down-Level: $Windows.~BT\Sources\Panther
  Description: Contains information about setup actions during the downlevel phase.
  When to use: All down-level failures and starting point for rollback investigations. This is the most important log for diagnosing setup issues.

Log file: setupact.log
  Phase: Location: OOBE: $Windows.~BT\Sources\Panther\UnattendGC
  Description: Contains information about actions during the OOBE phase.
  When to use: Investigating rollbacks that failed during OOBE phase and operations: 0x4001C, 0x4001D, 0x4001E, 0x4001F.

Log file: setupact.log
  Phase: Location: Rollback: $Windows.~BT\Sources\Rollback
  Description: Contains information about actions during rollback.
  When to use: Investigating generic rollbacks: 0xC1900101.

Log file: setupact.log
  Phase: Location: Pre-initialization (prior to downlevel): Windows
  Description: Contains information about initializing setup.
  When to use: If setup fails to launch.

Log file: setupact.log
  Phase: Location: Post-upgrade (after OOBE): Windows\Panther
  Description: Contains information about setup actions during the installation.
  When to use: Investigate post-upgrade related issues.

Log file: setuperr.log
  Phase: Location: Same as setupact.log
  Description: Contains information about setup errors during the installation.
  When to use: Review all errors encountered during the installation phase.

Log file: miglog.xml
  Phase: Location: Post-upgrade (after OOBE): Windows\Panther
  Description: Contains information about what was migrated during the installation.
  When to use: Identify post-upgrade data migration issues.

Log file: BlueBox.log
  Phase: Location: Down-Level: Windows\Logs\Mosetup
  Description: Contains information about communication between setup.exe and Windows Update.
  When to use: Use during WSUS and WU down-level failures or for 0xC1900107.

Log file: Supplemental rollback logs: Setupmem.dmp, setupapi.dev.log, Event logs (*.evtx)
  Phase: Location: $Windows.~BT\Sources\Rollback
  Description: Additional logs collected during rollback.
  When to use:
    Setupmem.dmp: If the OS bug checks during upgrade, setup will attempt to extract a mini-dump.
    Setupapi: Device install issues: 0x30018.
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.

Log entry structure

A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:

  1. The date and time — 2016-09-08 09:20:05.
  2. The log level — Info, Warning, Error, Fatal Error.
  3. The logging component — CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
    • The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
  4. The message — Operation completed successfully.

See the following example:

  Date/Time: 2016-09-08 09:23:50,
  Log level: Warning
  Component: MIG
  Message:   Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.

Analyze log files

The following instructions are meant for IT professionals. Also see the Upgrade error codes section in this guide to familiarize yourself with result codes and extend codes.

To analyze Windows Setup log files:

  1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
  2. Based on the extend code portion of the error code, determine the type and location of the log files to investigate.
  3. Open the log file in a text editor, such as Notepad.
  4. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively, search for the "abort" and "abandoning" text strings described in step 7 below.
  5. To find the last occurrence of the result code:
    1. Scroll to the bottom of the file and click after the last character.
    2. Click Edit.
    3. Click Find.
    4. Type the result code.
    5. Under Direction select Up.
    6. Click Find Next.
  6. When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
  7. Search for the following important text strings:
    • Shell application requested abort
    • Abandoning apply due to error for object
  8. Decode Win32 errors that appear in this section.
  9. Write down the timestamp for the observed errors in this section.
  10. Search other log files for additional information matching these timestamps or errors.
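The same procedure carried out in code, for the entry layout described above (date/time, level, component, message) and for steps 4 through 10. This is an added example written for this page; it is not Microsoft's tooling and not from the original article. The sample setuperr.log and setupact.log lines are constructed, not real log content, and they assume the "[gle=0x...]" (GetLastError) suffix that setup entries carry; the function names are my own; and the Win32 table is a deliberately small subset of the standard winerror.h values (on Windows, ctypes.FormatError(code) returns the full system message for any code).

```python
"""Walk the Windows Setup log analysis steps in code (added example, not from the page)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry layout from the page: "<date time>, <level> <component> <message>".
# The component is made optional because some setup entries omit it.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>Info|Warning|Error|Fatal Error)\s+"
    r"(?:(?P<comp>[A-Z]+)\s+)?"
    r"(?P<msg>.*)$"
)

# The two marker strings the page says to search for (step 7).
ABORT_MARKERS = ("Shell application requested abort",
                 "Abandoning apply due to error for object")

# Assumption: a small subset of winerror.h is enough for the constructed sample.
WIN32_ERRORS: Dict[int, str] = {
    0x00B7: "ERROR_ALREADY_EXISTS: Cannot create a file when that file already exists.",
    0x042B: "ERROR_PROCESS_ABORTED: The process terminated unexpectedly.",
    0x0570: "ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.",
}

# Constructed sample lines (not real log content); the certificate name is [CN] as on the page.
SAMPLE_SETUPERR = r"""2016-10-05 15:27:08, Error                 SP     Error READ, 0x00000570 while gathering object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
2016-10-05 15:27:08, Error                 MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
2016-10-05 15:27:09, Error                 SP     CMigrateFramework: Gather framework failed. Status: 44
2016-10-05 15:27:09, Error                 SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
2016-10-05 15:27:09, Error                 SP     CSetupManager::ExecuteTask(2): Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
"""
SAMPLE_SETUPACT = r"""2016-10-05 15:26:59, Warning               MIG    Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.
2016-10-05 15:27:05, Info                  MIG    Gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]
2016-10-05 15:27:08, Error                 MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
2016-10-05 15:27:09, Info                  SP     Migrate framework (Full) failed; starting rollback
"""


@dataclass
class Entry:
    ts: str
    level: str
    comp: str
    msg: str


def parse_entry(line: str) -> Optional[Entry]:
    """Split one log line into its four elements; None for continuation or garbage lines."""
    m = ENTRY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["ts"], d["level"], d["comp"] or "", d["msg"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def win32_from_hresult(code: int) -> Optional[int]:
    """0x8007xxxx HRESULTs (FACILITY_WIN32) carry the Win32 error in the low 16 bits."""
    return code & 0xFFFF if (code >> 16) == 0x8007 else None


def decode_win32(code: int) -> str:
    """Step 8: turn a Win32 error code into its symbolic name (subset table)."""
    return WIN32_ERRORS.get(code, f"unknown Win32 error 0x{code:08X}")


def last_occurrence(entries: List[Entry], token: str) -> int:
    """Steps 4-5: index of the last entry whose message mentions the token, or -1."""
    token = token.lower()
    for i in range(len(entries) - 1, -1, -1):
        if token in entries[i].msg.lower():
            return i
    return -1


def abort_markers(entries: List[Entry]) -> List[Entry]:
    """Step 7: entries containing either marker string."""
    return [e for e in entries if any(m in e.msg for m in ABORT_MARKERS)]


def analyze(result_code: int, setuperr_text: str, setupact_text: str,
            context: int = 3) -> dict:
    """Steps 4-10 for one error code: find its last occurrence in setuperr.log, look at
    the failures just before it, decode their [gle=...] codes, note the timestamps, and
    pull the abort markers from setupact.log that share those timestamps."""
    err = parse_log(setuperr_text)
    act = parse_log(setupact_text)
    idx = last_occurrence(err, f"{result_code:08X}")
    if idx < 0:
        return {"found": False}
    preceding = err[max(0, idx - context):idx]                       # step 6
    gle = sorted({int(g, 16) for e in preceding
                  for g in re.findall(r"gle=0x([0-9A-Fa-f]+)", e.msg)})
    stamps = sorted({e.ts for e in preceding} | {err[idx].ts})      # step 9
    w32 = win32_from_hresult(result_code)
    return {
        "found": True,
        "result_code": decode_win32(w32) if w32 is not None else f"0x{result_code:08X}",
        "preceding": [e.msg for e in preceding],
        "decoded_gle": {f"0x{c:08X}": decode_win32(c) for c in gle},
        "timestamps": stamps,
        "setupact_markers": [e.msg for e in abort_markers(act) if e.ts in stamps],  # step 10
    }


if __name__ == "__main__":
    for key, value in analyze(0x8007042B, SAMPLE_SETUPERR, SAMPLE_SETUPACT).items():
        print(f"{key}: {value}")
```

The result code is searched as the eight hex digits without the 0x prefix, which is how the text above searches for "8007042B"; the decoded Win32 value of the HRESULT itself is reported alongside the GetLastError codes of the preceding failures so the corrupt-file error (0x570) is visible next to the aborted-process result.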

For example, assume that the error code for an error is 0x8007042B — 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:

Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name, which is a long text string, is shortened to just "CN."

setuperr.log content:

The first line indicates there was an error 0x00000570 with the file C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN] (shown below):

The error 0x00000570 is a Win32 error code corresponding to ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.

Therefore, Windows Setup failed because it was not able to migrate the corrupt file C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:

setupact.log content:

setupapi.dev.log content:

This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
