Help Center/ MapReduce Service/ Component Operation Guide (Paris Region)/ Using Flume/ Encrypted Transmission/ Typical Scenario: Collecting Local Static Logs and Uploading Them to HDFS
Updated on 2022-12-14 GMT+08:00

Typical Scenario: Collecting Local Static Logs and Uploading Them to HDFS

Scenario

This section describes how to use Flume to collect static logs from a local host and save them to the /flume/test directory on HDFS.

This section applies to MRS 3.x or later clusters.

Prerequisites

  • The cluster, HDFS and Flume services, and Flume client have been installed.
  • User flume_hdfs has been created, and the HDFS directory and data used for log verification have been authorized to the user.

Procedure

  1. Generate the certificate trust lists of the server and client of the Flume role respectively.

    1. Log in to the node where the Flume server is located as user omm. Go to the ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/bin directory.

      cd ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/bin

    2. Run the following command to generate and export the server and client certificates of the Flume role:

      sh geneJKS.sh -f Password -g Password

      The generated certificate is saved in the ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf path .

      • flume_sChat.jks is the certificate library of the Flume role server. flume_sChat.crt is the exported file of the flume_sChat.jks certificate. -f indicates the password of the certificate and certificate library.
      • flume_cChat.jks is the certificate library of the Flume role client. flume_cChat.crt is the exported file of the flume_cChat.jks certificate. -g indicates the password of the certificate and certificate library.
      • flume_sChatt.jks and flume_cChatt.jks are the SSL certificate trust lists of the Flume server and client, respectively.

      All user-defined passwords involved in this section must meet the following requirements:

      • Contain at least four types of the following: uppercase letters, lowercase letters, digits, and special characters.
      • Contain at least eight characters and a maximum of 64 characters.
      • It is recommended that the user-defined passwords be changed periodically (for example, every three months), and certificates and trust lists be generated again to ensure security.

  2. On FusionInsight Manager, choose System > User and choose More > Download Authentication Credential to download the Kerberos certificate file of user flume_hdfs and save it to the local host.
  3. Configure the server parameters of the Flume role and upload the configuration file to the cluster.

    1. Log in to any node where the Flume role is located as user omm. Run the following command to go to the ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/bin directory:

      cd ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/bin

    2. Run the following command to generate and obtain Flume server keystore password, trust list password, and keystore-password encrypted private key information. Enter the password twice and confirm the password. It is the password of the flume_sChat.jks certificate library.

      ./genPwFile.sh

      cat password.property

    3. Use the Flume configuration tool on the FusionInsight Manager portal to configure the server parameters and generate the configuration file.
      1. Log in to FusionInsight Manager and choose Cluster > Name of the desired cluster > Services > Flume > Configuration Tool.
      2. Set Agent Name to server. Select the source, channel, and sink to be used, drag them to the GUI on the right, and connect them.

        For example, use SpoolDir Source, File Channel, and HDFS Sink.

      3. Double-click the source, channel, and sink. Set corresponding configuration parameters by seeing Table 1 based on the actual environment.
        • If the server parameters of the Flume role have been configured, you can choose Cluster > Name of the desired cluster > Services > Flume > Instance on FusionInsight Manager. Then select the corresponding Flume role instance and click the Download button behind the flume.config.file parameter on the Instance Configurations page to obtain the existing server parameter configuration file. Choose Cluster > Name of the desired cluster > Services > Flume > Configuration Tool > Import, import the file, and modify the configuration items related to encrypted transmission.
        • It is recommended that the numbers of Sources, Channels, and Sinks do not exceed 40 during configuration file import. Otherwise, the response time may be very long.
        • A unique checkpoint directory needs to be configured for each File Channel.
      4. Click Export to save the properties.properties configuration file to the local.
        Table 1 Parameters to be modified of the Flume role server

        Parameter

        Description

        Example Value

        Name

        The value must be unique and cannot be left blank.

        test

        bind

        Specifies the IP address to which Avro Source is bound. This parameter cannot be left blank. It must be configured as the IP address that the server configuration file will upload.

        192.168.108.11

        port

        Specifies the IP address to which Avro Source is bound. This parameter cannot be left blank. It must be configured as an unused port.

        21154

        ssl

        Indicates whether to enable the SSL authentication. (You are advised to enable this function to ensure security.)

        Only Sources of the Avro type have this configuration item.

        • true indicates that the function is enabled.
        • false indicates that the client authentication function is not enabled.

        true

        keystore

        Indicates the server certificate.

        ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/flume_sChat.jks

        keystore-password

        Specifies the password of the key library, which is the password required to obtain the keystore information.

        Enter the value of password obtained in 3.b.

        -

        truststore

        Indicates the SSL certificate trust list of the server.

        ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/flume_sChatt.jks

        truststore-password

        Specifies the trust list password, which is the password required to obtain the truststore information.

        Enter the value of password obtained in 3.b.

        -

        dataDirs

        Specifies the directory for storing buffer data. The run directory is used by default. Configuring multiple directories on disks can improve transmission efficiency. Use commas (,) to separate multiple directories. If the directory is inside the cluster, the /srv/BigData/hadoop/dataX/flume/data directory can be used. dataX ranges from data1 to dataN. If the directory is outside the cluster, it needs to be independently planned.

        /srv/BigData/hadoop/data1/flumeserver/data

        checkpointDir

        Specifies the directory for storing the checkpoint information, which is under the run directory by default. If the directory is inside the cluster, the /srv/BigData/hadoop/dataX/flume/checkpoint directory can be used. dataX ranges from data1 to dataN. If the directory is outside the cluster, it needs to be independently planned.

        /srv/BigData/hadoop/data1/flumeserver/checkpoint

        transactionCapacity

        Specifies the transaction size, that is, the number of events in a transaction that can be processed by the current Channel. The size cannot be smaller than the batchSize of Source. Setting the same size as batchSize is recommended.

        61200

        hdfs.path

        Specifies the HDFS data write directory. This parameter cannot be left blank.

        hdfs://hacluster/flume/test

        hdfs.inUsePrefix

        Specifies the prefix of the file that is being written to HDFS.

        TMP_

        hdfs.batchSize

        Specifies the maximum number of events that can be written to HDFS once.

        61200

        hdfs.kerberosPrincipal

        Specifies the Kerberos authentication user, which is mandatory in security versions. This configuration is required only in security clusters.

        flume_hdfs

        hdfs.kerberosKeytab

        Specifies the keytab file path for Kerberos authentication, which is mandatory in security versions. This configuration is required only in security clusters.

        /opt/test/conf/user.keytab

        NOTE:

        Obtain the user.keytab file from the Kerberos certificate file of the user flume_hdfs. In addition, ensure that the user who installs and runs the Flume client has the read and write permissions on the user.keytab file.

        hdfs.useLocalTimeStamp

        Specifies whether to use the local time. Possible values are true and false.

        true

    4. Log in to FusionInsight Manager and choose Cluster > Name of the desired cluster > Services > Flume. On the displayed page, click the Flume role under Role.
    5. Select the Flume role of the node where the configuration file is to be uploaded, choose Instance Configurations > Import beside the flume.config.file, and select the properties.properties file.
      • An independent server configuration file can be uploaded to each Flume instance.
      • This step is required for updating the configuration file. Modifying the configuration file on the background is an improper operation because the modification will be overwritten after configuration synchronization.
    6. Click Save, and then click OK.
    7. Click Finish.

  4. Configure the client parameters of the Flume role.

    1. Run the following commands to copy the generated client certificate (flume_cChat.jks) and client trust list (flume_cChatt.jks) to the client directory, for example, /opt/flume-client/fusionInsight-flume-1.9.0/conf/. (The Flume client must have been installed.) 10.196.26.1 is the service plane IP address of the node where the client resides.

      scp ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/flume_cChat.jks user@10.196.26.1:/opt/flume-client/fusionInsight-flume-1.9.0/conf/

      scp ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/flume_cChatt.jks user@10.196.26.1:/opt/flume-client/fusionInsight-flume-1.9.0/conf/

      When copying the client certificate, you need to enter the password of user user of the host (for example, 10.196.26.1) where the client resides.

    2. Log in to the node where the Flume client is decompressed as user user. Run the following command to go to the client directory /opt/flume-client/fusionInsight-flume-1.9.0/bin.

      cd opt/flume-client/fusionInsight-flume-1.9.0/bin

    3. Run the following command to generate and obtain Flume client keystore password, trust list password, and keystore-password encrypted private key information. Enter the password twice and confirm the password. The password is the same as the password of the certificate whose alias is flumechatclient and the password of the flume_cChat.jks certificate library.

      ./genPwFile.sh

      cat password.property

      If the following error message is displayed, run the export JAVA_HOME=JDKpath command.

      JAVA_HOME is null in current user,please install the JDK and set the JAVA_HOME
    4. Run the echo $SCC_PROFILE_DIR command to check whether the SCC_PROFILE_DIR environment variable is empty.
      • If yes, run the source .sccfile command.
      • If no, go to 4.e.
    5. Use the Flume configuration tool on FusionInsight Manager to configure the Flume role client parameters and generate a configuration file.
      1. Log in to FusionInsight Manager and choose Cluster > Name of the desired cluster > Services > Flume > Configuration Tool.
      2. Set Agent Name to client. Select the source, channel, and sink to be used, drag them to the GUI on the right, and connect them.

        Use SpoolDir Source, File Channel, and HDFS Sink.

      3. Double-click the source, channel, and sink. Set corresponding configuration parameters by seeing Table 2 based on the actual environment.
        • If the client parameters of the Flume role have been configured, you can obtain the existing client parameter configuration file from client installation directory/fusioninsight-flume-1.9.0/conf/properties.properties to ensure that the configuration is in concordance with the previous. Log in to FusionInsight Manager, choose Cluster > Name of the desired cluster > Services > Flume > Configuration Tool > Import, import the file, and modify the configuration items related to encrypted transmission.
        • It is recommended that the numbers of Sources, Channels, and Sinks do not exceed 40 during configuration file import. Otherwise, the response time may be very long.
      4. Click Export to save the properties.properties configuration file to the local.
        Table 2 Parameters to be modified of the Flume role client

        Parameter

        Description

        Example Value

        Name

        The value must be unique and cannot be left blank.

        test

        spoolDir

        Specifies the directory where the file to be collected resides. This parameter cannot be left blank. The directory needs to exist and have the write, read, and execute permissions on the flume running user.

        /srv/BigData/hadoop/data1/zb

        trackerDir

        Specifies the path for storing the metadata of files collected by Flume.

        /srv/BigData/hadoop/data1/tracker

        batch-size

        Specifies the number of events that Flume sends in a batch.

        61200

        dataDirs

        Specifies the directory for storing buffer data. The run directory is used by default. Configuring multiple directories on disks can improve transmission efficiency. Use commas (,) to separate multiple directories. If the directory is inside the cluster, the /srv/BigData/hadoop/dataX/flume/data directory can be used. dataX ranges from data1 to dataN. If the directory is outside the cluster, it needs to be independently planned.

        /srv/BigData/hadoop/data1/flume/data

        checkpointDir

        Specifies the directory for storing the checkpoint information, which is under the run directory by default. If the directory is inside the cluster, the /srv/BigData/hadoop/dataX/flume/checkpoint directory can be used. dataX ranges from data1 to dataN. If the directory is outside the cluster, it needs to be independently planned.

        /srv/BigData/hadoop/data1/flume/checkpoint

        transactionCapacity

        Specifies the transaction size, that is, the number of events in a transaction that can be processed by the current Channel. The size cannot be smaller than the batchSize of Source. Setting the same size as batchSize is recommended.

        61200

        hostname

        Specifies the name or IP address of the host whose data is to be sent. This parameter cannot be left blank. Name or IP address must be configured to be the name or IP address that the Avro source associated with it.

        192.168.108.11

        port

        Specifies the IP address to which Avro Sink is bound. This parameter cannot be left blank. It must be consistent with the port that is monitored by the connected Avro Source.

        21154

        ssl

        Specifies whether to enable the SSL authentication. (You are advised to enable this function to ensure security.)

        Only Sources of the Avro type have this configuration item.

        • true indicates that the function is enabled.
        • false indicates that the client authentication function is not enabled.

        true

        keystore

        Specifies the flume_cChat.jks certificate generated on the server.

        /opt/flume-client/fusionInsight-flume-1.9.0/conf/flume_cChat.jks

        keystore-password

        Specifies the password of the key library, which is the password required to obtain the keystore information.

        Enter the value of password obtained in 4.c.

        -

        truststore

        Indicates the SSL certificate trust list of the server.

        /opt/flume-client/fusionInsight-flume-1.9.0/conf/flume_cChatt.jks

        truststore-password

        Specifies the trust list password, which is the password required to obtain the truststore information.

        Enter the value of password obtained in 4.c.

        -

    6. Upload the properties.properties file to flume/conf/ under the installation directory of the Flume client.

  5. Generate the certificate and trust list of the server and client of the MonitorServer role respectively.

    1. Log in to the host with the MonitorServer role assigned as user omm.

      Go to the ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/bin directory.

      cd ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/bin

    2. Run the following command to generate and export the server and client certificates of the MonitorServer role:

      sh geneJKS.sh -m Password -n Password

      The generated certificate is saved in the ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf path. Where:

      • ms_sChat.jks is the certificate library of the MonitorServer role server. ms_sChat.crt is the exported file of the ms_sChat.jks certificate. -m indicates the password of the certificate and certificate library.
      • ms_cChat.jks is the certificate library of the MonitorServer role client. ms_cChat.crt is the exported file of the ms_cChat.jks certificate. -n indicates the password of the certificate and certificate library.
      • ms_sChatt.jks and ms_cChatt.jks are the SSL certificate trust lists of the MonitorServer server and client, respectively.

  6. Set the server parameters of the MonitorServer role.

    1. Run the following command to generate and obtain MonitorServer server keystore password, trust list password, and keystore-password encrypted private key information. Enter the password twice and confirm the password. The password is the same as the password of the certificate whose alias is mschatserver and the password of the ms_sChat.jks certificate library.

      ./genPwFile.sh

      cat password.property

    2. Run the following command to open the ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/service/application.properties file: Modify related parameters based on the description in Table 3, save the modification, and exit.

      vi ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/service/application.properties

      Table 3 Parameters to be modified of the MonitorServer role server

      Parameter

      Description

      Example Value

      ssl_need_kspasswd_decrypt_key

      Indicates whether to enable the user-defined key encryption and decryption function. (You are advised to enable this function to ensure security.)

      • true indicates that the function is enabled.
      • false indicates that the client authentication function is not enabled.

      true

      ssl_server_enable

      Indicates whether to enable the SSL authentication. (You are advised to enable this function to ensure security.)

      • true indicates that the function is enabled.
      • false indicates that the client authentication function is not enabled.

      true

      ssl_server_key_store

      Set this parameter based on the specific storage location.

      ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/ms_sChat.jks

      ssl_server_trust_key_store

      Set this parameter based on the specific storage location.

      ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/ms_sChatt.jks

      ssl_server_key_store_password

      Indicates the client certificate password. Set this parameter based on the actual situation of certificate creation (the plaintext key used to generate the certificate).

      Enter the value of password obtained in 6.a.

      -

      ssl_server_trust_key_store_password

      Indicates the client trust list password. Set this parameter based on the actual situation of certificate creation (the plaintext key used to generate the trust list).

      Enter the value of password obtained in 6.a.

      -

      ssl_need_client_auth

      Indicates whether to enable the client authentication. (You are advised to enable this function to ensure security.)

      • true indicates that the function is enabled.
      • false indicates that the client authentication function is not enabled.

      true

    3. Restart the MonitorServer instance. Choose Cluster > Name of the desired cluster > Services > Flume > Instance > MonitorServer, select the configured MonitorServer instance, and choose More > Restart Instance. Enter the cluster administrator password and click OK. After the restart is complete, click Finish.

  7. Set the client parameters of the MonitorServer role.

    1. Run the following commands to copy the generated client certificate (ms_cChat.jks) and client trust list (ms_cChatt.jks) to the /opt/flume-client/fusionInsight-flume-1.9.0/conf/ client directory. 10.196.26.1 is the service plane IP address of the node where the client resides.

      scp ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/ms_cChat.jks user@10.196.26.1:/opt/flume-client/fusionInsight-flume-1.9.0/conf/

      scp ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/ms_cChatt.jks user@10.196.26.1:/opt/flume-client/fusionInsight-flume-1.9.0/conf/

    2. Log in to the node where the Flume client is located as user user. Run the following command to go to the client directory /opt/flume-client/fusionInsight-flume-1.9.0/bin.

      cd /opt/flume-client/fusionInsight-flume-1.9.0/bin

    3. Run the following command to generate and obtain MonitorServer client keystore password, trust list password, and keystore-password encrypted private key information. Enter the password twice and confirm the password. The password is the same as the password of the certificate whose alias is mschatclient and the password of the ms_cChat.jks certificate library.

      ./genPwFile.sh

      cat password.property

    4. Run the following command to open the /opt/flume-client/fusionInsight-flume-1.9.0/conf/service/application.properties file. (/opt/flume-client/fusionInsight-flume-1.9.0 is the directory where the client is installed.) Modify related parameters based on the description in Table 4, save the modification, and exit.

      vi /opt/flume-client/fusionInsight-flume-1.9.0/conf/service/application.properties

      Table 4 Parameters to be modified of the MonitorServer role client

      Parameter

      Description

      Example Value

      ssl_need_kspasswd_decrypt_key

      Indicates whether to enable the user-defined key encryption and decryption function. (You are advised to enable this function to ensure security.)

      • true indicates that the function is enabled.
      • false indicates that the client authentication function is not enabled.

      true

      ssl_client_enable

      Indicates whether to enable the SSL authentication. (You are advised to enable this function to ensure security.)

      • true indicates that the function is enabled.
      • false indicates that the client authentication function is not enabled.

      true

      ssl_client_key_store

      Set this parameter based on the specific storage location.

      ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/ms_cChat.jks

      ssl_client_trust_key_store

      Set this parameter based on the specific storage location.

      ${BIGDATA_HOME}/FusionInsight_Porter_8.1.0.1/install/FusionInsight-Flume-1.9.0/flume/conf/ms_cChatt.jks

      ssl_client_key_store_password

      Specifies the keystore password. Set this parameter based on the actual situation of certificate creation (the plaintext key used to generate the certificate).

      Enter the value of password obtained in 7.c.

      -

      ssl_client_trust_key_store_password

      Specifies the trustkeystore password. Set this parameter based on the actual situation of certificate creation (the plaintext key used to generate the trust list).

      Enter the value of password obtained in 7.c.

      -

      ssl_need_client_auth

      Indicates whether to enable the client authentication. (You are advised to enable this function to ensure security.)

      • true indicates that the function is enabled.
      • false indicates that the client authentication function is not enabled.

      true

  1. Verify log transmission.

    1. Log in to FusionInsight Manager as a user who has the management permission on HDFS. For details, see Accessing FusionInsight Manager (MRS 3.x or Later). Choose Cluster > Name of the desired cluster > Services > HDFS, click the HDFS WebUI link to go to the HDFS WebUI, and choose Utilities > Browse the file system.
    2. Check whether the data is generated in the /flume/test directory on the HDFS.