Product: Scribe - Facebook's Scalable Logging System

In Log Everything All the Time I advocate applications shouldn't bother logging at all. Why waste all that time and code? No, wait, that's not right. I preach logging everything all the time. Doh. Facebook obviously feels similarly which is why they opened sourced Scribe, their internal logging system, capable of logging 10s of billions of messages per day. These messages include access logs, performance statistics, actions that went to News Feed, and many others.
Imagine hundreds of thousands of machines across many geographical dispersed datacenters just aching to send their precious log payload to the central repository off all knowledge. Because really, when you combine all the meta data with all the events you pretty much have a complete picture of your operations. Once in the central repository logs can be scanned, indexed, summarized, aggregated, refactored, diced, data cubed, and mined for every scrap of potentially useful information.
Just imagine the log stream from all of Facebook's Apache servers alone. Brutal. My guess is these are not real-time feeds so there are no streaming query issues, but the task is still daunting. Let's say they log 10 billion messages a day. That's over 1 million messages per second!
When no off the shelf products worked for them they built their own. Scribe can be downloaded from Sourceforge. But the real action is on their wiki. It's here you'll find some decent documentation and their support forums. Not much activity on the site so you haven't missed your chance to be a charter member of the Scribe guild.
A logging system has three broad components:
I browsed around the source and it's a well crafted, straightforward socket server that forwards messages to other servers and can write messages to disk. Nothing fancy which is why it probably works for them. It's basic function is:
It some ways it could be fancier. For example, there's no throttle on incoming connections so a server can chew up memory. And there is a max_msg_per_second throttle on message processing, but this is really to simple. Throttling needs to be adaptive based on local conditions and the conditions of down stream servers. Under load you want to push flow control back to the client so the data stays there until resources become available. Simple configuration file settings rarely work when the world starts getting weird.
Scribe is a server for aggregating streaming log data. It is designed to scale to a very large number of nodes and be robust to network and node failures. There is a scribe server running on every node in the system, configured to aggregate messages and send them to a central scribe server (or servers) in larger groups. If the central scribe server isn't available the local scribe server writes the messages to a file on local disk and sends them when the central server recovers. The central scribe server(s) can write the messages to the files that are their final destination, typically on an nfs filer or a distributed file system, or send them to another layer of scribe servers.
Client Code Interface
Here's what the Thrift interface looks like:I know, I thought the same thing. Thank God there's another IDL syntax. We simply did not have enough of them. Thrift translates this IDL into the glue code necessary for making cross-language calls (marshalling arguments and responses over the wire). The Thrift library also has templates for servers and clients.
enum ResultCode
struct LogEntry
1: string category,
2: string message
service scribe extends fb303.FacebookService
ResultCode Log(1: list messages);
Here's what a call looks like in PHP:
$messages = array();
$entry = new LogEntry;
$entry->category = "buckettest";
$entry->message = "something very interesting happened";
$messages []= $entry;
$result = $conn->Log($messages);
Pretty simple. Usually in C++, for example, there's an elaborate set of macros for logging that provide sophisticated control of log generation. It might look something like:
MSG(msg) - a simple message. It only prints out msg. None of the other information is printed out.
NOTE(const char* name, const char* reason, const char* what, Module* module, msg) - something to take note of.
WARN(const char* name, const char* reason, const char* what, Module* module, msg) - a warning.
ERR(const char* name, const char* reason, const char* what, Module* module, msg) - an error occured.
CRIT(const char* name, const char* reason, const char* what, Module* module, msg) - a critical error occurred.
EMERG(const char* name, const char* reason, const char* what, Module* module, msg) - an emergency occurred.
There's lots more to handle streams and behind the scenes things like time stamps, thread ids, function names, and line numbers. Scribe has wisely not done any of that. It has a RPC like interface to send a list of messages and that's it. It's up to you to write the wrappers.
You'll no doubt have noticed Scribe only logs a category and message, both strings:
Scribe is unique in that clients log entries consisting of two strings, a category and a message. The category is a high level description of the intended destination of the message and can have a specific configuration in the scribe server, which allows data stores to be moved by changing the scribe configuration instead of client code. The server also allows for configurations based on category prefix, and a default configuration that can insert the category name in the file path. Flexibility and extensibility is provided through the "store" abstraction. Stores are loaded dynamically based on a configuration file, and can be changed at runtime without stopping the server. Stores are implemented as a class hierarchy, and stores can contain other stores. This allows a user to chain features together in different orders and combinations by changing only the configuration.
Distribution System
The payload has whatever structure you give it. Scribe is policy neutral and doesn't push a logging model on you.The configuration file looks something like this:
The types of stores currently available are:
Certainly a flexible and useful set of logging capabilities. You can build a hierarchy of log servers to do pretty much anything you want. You could imagine have a log server on each server that has file store to handle upstream server failures. This log server forwards messages onto a centralized server for a datacenter. And all the datacenter servers forward their logs on to the centralized data warehouse. To scale adjust fan-in and fan-out as necessary.
Do Something Usefullizer
You may not have over 1 million log messages a second to process, but you are likely to have your own tanker trunk full of log messages. How do you do something useful with them?If you want to ask, for example, how many of your users are from Asia, log files won't work. It's likely your data warehouse can't handle it. HADOOP/HDFS is a practical option.
If that's the direction you are going what does it imply about your log system? I would say it makes even the simple category-payload system of Scribe overkill. The with a scalable backend is to move log payloads from applications to the centralized store as quickly as possible. By definition the central store can handle the load, so there's no reason to use intermediate servers to scale. From an application write directly to the central store, even from multiple datacenters. The payload structure is unimportant until it hits the central store. If the application can't hit the central store then it queues into the file system until it can. Ideally log messages never hit the file system until HDFS is writing them to their final destination. This makes for a low latency and high throughput logging and is even simpler than Scribe.
If you don't have a scalable central store then Scribe is a good option. It gives you all the flexibility you need to compose your logging system in a way that is mostly reliabile and scalable.
Reader Comments (13)
"Log messages stored in log files are next to useless. Grep'ing on a terabyte of logs to answer simple questions about your data just doesn't work."
One nice thing about identifying log messages with a category is that they can be logged to separate files based on that category. This way it's easy to grep out of a relatively small log file when you want to do an ad-hoc query.
Actually I didn't remove anything. Something weird happened to the comments. Many are just gone and the time shifted a week on others. Investigating. As long as it's not spam I let everything through.
When you have terabytes of logging data you use Facebook's Hive
> Hive was developed iteratively by a 2 or 3 person team (I think Jeff Hammerbacher was also involved) making it easy for business analysts to ask ad hoc questions of terabytes worth of logfile data by abstracting MapReduce into a SQL like dialect.
Fair enough. But since there's no longer any comment pointing out the error (including the comment you replied to):
10 Billion a day is *NOT* 1 million per second. The article should be corrected.
1 Billion per day = (10000000000/(24*60*60))=115 740 per second
*NOT* 1 million per second!
Well, he said 10's of billions, so let's assume 10 billion, multiply by 10 and you have roughly 1M (1 157 400 since you're so precise) per second, *NOT* 115 740 per second.
P.S. have a nice day.
The parent comment actually calculated with 10 billion.
PLEASE do the VERY simple math yourself before correcting anyone.
The fact that this article has STILL not been corrected, and that there was just a whole batch of "oh my god I love Sun" articles today I'm considering unsubscribing the RSS.
10*10^9/(60*60*24) = 115740
Why another logging software? Why not an already existing solution, like
rsyslog, or syslog-ng? Or an appliance, like SSB? Why should we always reinvent the wheel?
Nice post, thanks. This bit kills me:
"Thank God there's another IDL syntax. We simply did not have enough of them."
Ha, ha, ha, my thoughts exactly... :-D
But I disagree with your assessment of scribe's usability. We are investigating using scribe in our system. You can only write big files to HDFS. To us each of the messages from multiple nodes is very important so we need to aggregate them somewhere safely (distributed) and upload them to HDFS in batches. From what I understand Scribe is ideal for this.
Sure, you can make your own system that is distributed, memory-only, scalable, uploads in batches, does backups and everything, but - do you really think you can do better than scribe?
Application for which i am using scribe logs around 20-30K messages in a
minute. Can you propose configuration setting for these many messages.
1 message is of around 1000-1500 bytes size.
Very badly written article. Does not even present anything concretely and just all over the place. I was asked to look at Scribe so I stumbled here. Please do not waste time on it.
So log files are great and everything, especially for our privacy, how long does Facebook store / save these log files for though? I mean it's impossible to find out anything about actual time data with them. Any info on this?
We use flume + Hbase build a better logging system. No need to use thrift we just read the logs which generated by applications. So we wouldn't meet the 3 problems with "Distribution System".