{"id":569,"date":"2025-12-18T12:25:43","date_gmt":"2025-12-18T12:25:43","guid":{"rendered":"https:\/\/guillaumesblog.net\/?p=569"},"modified":"2025-12-18T12:52:01","modified_gmt":"2025-12-18T12:52:01","slug":"analysing-vm-logs-at-scale-with-ai-big-data-toolset-like-aidp","status":"publish","type":"post","link":"https:\/\/guillaumesblog.net\/index.php\/analysing-vm-logs-at-scale-with-ai-big-data-toolset-like-aidp\/","title":{"rendered":"Analysing VM logs at scale with AI-big data toolset like AIDP"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">One way to get your logs back into OCI is to use the out of the box Custom Log Monitoring agent. The other way is to install Fluentd manually, and that is what we are going to do so we can keep control of the output my way and get it onto Object Storage for further analysis.<\/p>\n\n\n\n<!--more-->\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"866\" height=\"650\" src=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/fluentd-logo.jpg\" alt=\"\" class=\"wp-image-583\" style=\"width:244px;height:auto\" srcset=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/fluentd-logo.jpg 866w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/fluentd-logo-300x225.jpg 300w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/fluentd-logo-768x576.jpg 768w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">First, follow the installation instructions <a href=\"https:\/\/docs.fluentd.org\/installation\/install-fluent-package\">here<\/a> to install Fluentd, then enable and start the service with systemctl. Second, open the unit file at \/etc\/systemd\/system\/td-agent.service (the unit and user names depend on the package version the installer gave you, so check what it created) and change the service user from the fluentd user to root, as shown below; on a stock Oracle Linux or RHEL install \/var\/log\/httpd is readable only by root, which is why the change is needed. The service now runs as root 
(which is not great for security: the agent parses untrusted, attacker-controlled input from a network-facing log and now does so with full privileges on every VM; the least-privilege alternative is to keep the service user and grant it read access to the log with a filesystem ACL, but let&#8217;s leave that aside for a moment.)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Service]\nUser=root\nGroup=root<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then run systemctl daemon-reload so systemd picks up the edited unit, and restart the service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Third, open the Fluentd configuration file and enter the configuration below. In our case we monitor the httpd access log: the &lt;source&gt; section tails it and parses each line with the apache2 format. The &lt;match&gt; section ships the records to OCI Object Storage with the s3 output plugin, which works because OCI exposes an S3-compatible API; note the s3_endpoint, where namespace must be replaced by your tenancy&#8217;s Object Storage namespace. The &lt;buffer&gt; section controls batching: records are buffered on local disk and flushed once an hour (timekey 1h, with a 5 minute grace period for late records) as .json files into the &#8216;compute_log_bucket&#8217; bucket under the logs5\/ prefix. Replace aws_key_id and aws_sec_key with an OCI Customer Secret Key, an access key and secret pair that belongs to an IAM user; instructions are <a href=\"https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/access\/working-with-customer-secret-keys.htm\">here.<\/a> Keep in mind that this file then holds a long-lived credential in clear text, so make it readable by the service user only and rotate the key if the VM is ever compromised.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;source&gt;\n  @type tail\n  # tail the access log; pos_file remembers the read offset across restarts\n  format apache2\n  path \/var\/log\/httpd\/access_log\n  pos_file \/var\/log\/fluent\/httpd.access_log.pos\n  tag s3.apache.access\n&lt;\/source&gt;\n\n&lt;match s3.*.*&gt;\n  @type s3\n\n  # OCI Customer Secret Key of an IAM user, stored here in clear text\n  aws_key_id key\n  aws_sec_key secret\n  s3_bucket compute_log_bucket\n  s3_region uk-london-1\n  # S3-compatible endpoint: replace namespace with your tenancy Object Storage namespace\n  s3_endpoint https:\/\/namespace.compat.objectstorage.uk-london-1.oci.customer-oci.com\n  path logs5\/\n  store_as json\n\n  &lt;format&gt;\n    @type json\n  &lt;\/format&gt;\n\n  # buffer on local disk and flush one object per hour, keyed in UTC\n  &lt;buffer&gt;\n    @type file\n    path \/var\/log\/fluent\/s3\n    timekey 1h\n    timekey_wait 5m\n    chunk_limit_size 128m\n    timekey_use_utc true\n  &lt;\/buffer&gt;\n\n  time_slice_format %Y%m%d%H%M\n&lt;\/match&gt;\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly, authorise the write. Because the s3 plugin signs its requests with the Customer Secret Key, what matters is an IAM policy that lets the group of the user who owns that key manage objects in the target bucket. Dynamic groups and <a href=\"https:\/\/blogs.oracle.com\/developers\/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals\">instance principals<\/a> only apply to clients that authenticate with the VM&#8217;s own identity, such as the OCI CLI or SDK, so set them up if you replace the static key with such a client. This is what the result looks like in the bucket:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"824\" src=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/list_json_files_in_bucket-1024x824.png\" alt=\"\" class=\"wp-image-581\" srcset=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/list_json_files_in_bucket-1024x824.png 1024w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/list_json_files_in_bucket-300x241.png 300w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/list_json_files_in_bucket-768x618.png 768w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/list_json_files_in_bucket.png 1120w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And that&#8217;s great, because now you&#8217;ve got tons of log data sitting in cheap storage. The idea is to keep this raw data available for any kind of analysis and unlock the power of a Lakehouse platform. 
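<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before pointing an analysis platform at that bucket, it is worth revisiting the two shortcuts taken on the shipping side: the agent running as root, and a long-lived key sitting in clear text in its configuration file. What follows is an added example, not the configuration from this post, showing the same httpd to Object Storage pipeline with both removed. It assumes fluent-package 5 (service user _fluentd, unit fluentd.service; td-agent 4 uses td-agent and td-agent.service instead), and the environment variable names and file paths in the comments are my own.<\/p>

```conf
# Added example, not the post's own configuration: same pipeline, hardened.
# Assumes fluent-package 5 (service user _fluentd, unit fluentd.service).
#
# Step 1 (as root, once): do not switch the unit to User=root. Give the service
# user read access to the log directory and file with an ACL instead, plus a
# default ACL so the file httpd creates after rotation inherits it:
#   setfacl -m u:_fluentd:rx \/var\/log\/httpd
#   setfacl -m u:_fluentd:r  \/var\/log\/httpd\/access_log
#   setfacl -d -m u:_fluentd:r \/var\/log\/httpd
#
# Step 2 (as root, once): keep the Customer Secret Key out of this file. Write
#   OCI_S3_ACCESS_KEY=... and OCI_S3_SECRET_KEY=...
# to \/etc\/fluent\/s3.env (owner root, mode 0600; systemd loads it before the
# service user is applied) and reference it from a drop-in created with
# \"systemctl edit fluentd\":
#   [Service]
#   EnvironmentFile=\/etc\/fluent\/s3.env
# then daemon-reload and restart the service. The values do end up in the
# process environment, so never log the environment from a Fluentd plugin.

&lt;source&gt;
  @type tail
  path \/var\/log\/httpd\/access_log
  pos_file \/var\/log\/fluent\/httpd.access_log.pos
  tag s3.apache.access
  # the parse section is the current form of the old top-level 'format apache2'
  &lt;parse&gt;
    @type apache2
  &lt;\/parse&gt;
&lt;\/source&gt;

&lt;match s3.*.*&gt;
  @type s3
  # credentials are read from the unit's environment, not stored here
  aws_key_id \"#{ENV['OCI_S3_ACCESS_KEY']}\"
  aws_sec_key \"#{ENV['OCI_S3_SECRET_KEY']}\"
  s3_bucket compute_log_bucket
  s3_region uk-london-1
  # replace namespace with your tenancy Object Storage namespace
  s3_endpoint https:\/\/namespace.compat.objectstorage.uk-london-1.oci.customer-oci.com
  path logs5\/
  store_as json

  &lt;format&gt;
    @type json
  &lt;\/format&gt;

  &lt;buffer&gt;
    @type file
    path \/var\/log\/fluent\/s3
    timekey 1h
    timekey_wait 5m
    chunk_limit_size 128m
    # cap the on-disk backlog so an unreachable bucket cannot fill the VM's disk
    total_limit_size 1g
    timekey_use_utc true
  &lt;\/buffer&gt;

  time_slice_format %Y%m%d%H%M
&lt;\/match&gt;
```

<p class=\"wp-block-paragraph\">The ACL replaces the root switch, so a bug in the parser or the plugin is confined to the service user. The systemd drop-in keeps the secret in a root-only file rather than in a configuration file that is often left world-readable, and rotating the key then means editing that one file and restarting the service, with no change to the Fluentd configuration at all.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">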
In this case I will use Oracle AIDP (AI Data Platform), an all-in-one big data and AI toolbox.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"762\" src=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/aidp_homepage-1024x762.png\" alt=\"\" class=\"wp-image-585\" srcset=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/aidp_homepage-1024x762.png 1024w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/aidp_homepage-300x223.png 300w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/aidp_homepage-768x571.png 768w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/aidp_homepage-1200x893.png 1200w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/aidp_homepage.png 1234w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">From this toolbox you can organise your data sources, assign ownership, spin up Spark clusters and lay out governance in a few clicks; it abstracts the complex back-end set-up needed to get all of that running, and it can call AI models directly as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s spin up a Spark cluster and analyse the logs coming from my VMs. Again, these are web server access logs, so why not have a look at where the requests come from. At scale we would be monitoring hundreds or thousands of machines and joining a lot of data to perform this analysis, hence the requirement for Spark. 
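<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To make that concrete without a Spark cluster, here is an added example of my own (it is not the main.py linked from this post): the same visits-per-host roll-up over records carrying a subset of the fields the Fluentd apache2 parser emits, extended with the request-pattern checks a practitioner runs before deciding that a noisy host is a scanner rather than a monitor. The records, IP addresses, user agents, probe-path list and thresholds are all constructed for the example.<\/p>

```python
# Added example (not the post's main.py, which does this aggregation with Spark on
# AIDP): the 'visits per host' roll-up in plain Python, plus the triage a
# practitioner wants before banning anyone. Records are constructed here and use
# the field names the Fluentd apache2 parser emits (host, method, path, code, agent).
from collections import defaultdict

# Paths legitimate visitors of a small site almost never request but scanners
# probe constantly (assumed list; extend it with what your own logs show).
PROBE_PATHS = ('/.env', '/.git/', '/wp-login.php', '/xmlrpc.php',
               '/phpmyadmin/', '/actuator/', '/cgi-bin/')

# Constructed sample records, one per request (RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    # ordinary visitor browsing three pages
    {'host': '203.0.113.10', 'method': 'GET', 'path': '/', 'code': 200, 'agent': 'Mozilla/5.0'},
    {'host': '203.0.113.10', 'method': 'GET', 'path': '/about', 'code': 200, 'agent': 'Mozilla/5.0'},
    {'host': '203.0.113.10', 'method': 'GET', 'path': '/contact', 'code': 200, 'agent': 'Mozilla/5.0'},
    # vulnerability scanner walking a list of well-known paths
    {'host': '198.51.100.7', 'method': 'GET', 'path': '/.env', 'code': 404, 'agent': 'python-requests/2.31'},
    {'host': '198.51.100.7', 'method': 'GET', 'path': '/.git/config', 'code': 404, 'agent': 'python-requests/2.31'},
    {'host': '198.51.100.7', 'method': 'GET', 'path': '/wp-login.php', 'code': 404, 'agent': 'python-requests/2.31'},
    {'host': '198.51.100.7', 'method': 'POST', 'path': '/xmlrpc.php', 'code': 404, 'agent': 'python-requests/2.31'},
    {'host': '198.51.100.7', 'method': 'GET', 'path': '/phpmyadmin/index.php', 'code': 404, 'agent': 'python-requests/2.31'},
    # guessing paths that are not in the list: caught by the error-ratio rule instead
    {'host': '198.51.100.9', 'method': 'GET', 'path': '/backup.zip', 'code': 404, 'agent': 'curl/8.0'},
    {'host': '198.51.100.9', 'method': 'GET', 'path': '/db.sql', 'code': 404, 'agent': 'curl/8.0'},
    {'host': '198.51.100.9', 'method': 'GET', 'path': '/old/', 'code': 404, 'agent': 'curl/8.0'},
    {'host': '198.51.100.9', 'method': 'GET', 'path': '/test.php', 'code': 404, 'agent': 'curl/8.0'},
    {'host': '198.51.100.9', 'method': 'GET', 'path': '/', 'code': 200, 'agent': 'curl/8.0'},
]
# A monitor hammering one path: the shape of top entry the post attributes to the
# infrastructure owner (highest volume, a single path, nothing but 200s).
SAMPLE_RECORDS += [{'host': '192.0.2.44', 'method': 'GET', 'path': '/health', 'code': 200,
                    'agent': 'monitoring-probe/1.0'} for _ in range(6)]


def summarise(records):
    # Per-host counters: the post's 'visits' plus the signals used for triage.
    stats = defaultdict(lambda: {'visits': 0, 'errors': 0, 'probes': 0, 'paths': set()})
    for r in records:
        s = stats[r['host']]
        s['visits'] += 1
        s['paths'].add(r['path'])
        if r['code'] >= 400:
            s['errors'] += 1
        if any(r['path'].startswith(p) for p in PROBE_PATHS):
            s['probes'] += 1
    return stats


def classify(s):
    # Thresholds are assumptions. ASN and geolocation rank curiosity; the request
    # pattern is what actually separates a scanner from a crawler or a monitor.
    error_ratio = s['errors'] / s['visits']
    if s['probes'] >= 3 or (s['visits'] >= 5 and error_ratio >= 0.8):
        return 'scanner'
    if s['visits'] >= 5 and len(s['paths']) == 1 and s['errors'] == 0:
        return 'monitor'
    return 'normal'


def top_hosts(records, n=3):
    # Same ranking as the post ('Host is X visits are N'), deterministic on ties.
    ranked = sorted(summarise(records).items(), key=lambda kv: (-kv[1]['visits'], kv[0]))
    return [(host, s['visits'], classify(s)) for host, s in ranked[:n]]


def block_candidates(records):
    # Hosts worth feeding to a block list (security list or NSG rule, fail2ban, ...).
    return sorted(h for h, s in summarise(records).items() if classify(s) == 'scanner')


if __name__ == '__main__':
    for host, visits, verdict in top_hosts(SAMPLE_RECORDS, n=4):
        print('Host is %s visits are %d verdict %s' % (host, visits, verdict))
    print('block candidates:', block_candidates(SAMPLE_RECORDS))
```

<p class=\"wp-block-paragraph\">In Spark the same logic is a groupBy on host with the counters as aggregations and the verdict as a final column. The point is that volume alone (the 7069 visits of the top entry) ranks hosts but does not classify them, whereas the spread of paths, the error ratio and the hits on well-known probe paths do; block_candidates is the list you would turn into a security list or NSG rule.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">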
Also, this model could serve as a basis for a <em>near<\/em> real-time monitoring cockpit from which we could ban troublesome clients.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The code is <a href=\"https:\/\/github.com\/geddegda\/aidp-example0\/blob\/main\/main.py\">here<\/a> if you are curious&#8230; but in a nutshell, we build a dataframe and aggregate the number of visits by host.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/agg-1024x486.png\" alt=\"\" class=\"wp-image-587\" srcset=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/agg-1024x486.png 1024w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/agg-300x142.png 300w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/agg-768x364.png 768w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/agg-1200x569.png 1200w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/agg.png 1492w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s now have a look at where the mystery visitors come from.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"313\" src=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan-1024x313.png\" alt=\"\" class=\"wp-image-588\" srcset=\"https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan-1024x313.png 1024w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan-300x92.png 300w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan-768x235.png 768w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan-1536x470.png 1536w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan-1200x367.png 1200w, https:\/\/guillaumesblog.net\/wp-content\/uploads\/2025\/12\/scan.png 1915w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And the top three are, drumroll please:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Host is 139.87.112.28 visits are 7069 from Montreal<\/strong> located in Canada with details: Oracle Corporation, AS6142 Oracle Corporation<\/li>\n\n\n\n<li><strong>Host is 95.24.78.78 visits are 1060 from Moscow<\/strong> located in Russia with details: CORBINA-BROADBAND, AS8402 PJSC &#8220;Vimpelcom&#8221;<\/li>\n\n\n\n<li><strong>Host is 138.201.207.117 visits are 71 from Falkenstein<\/strong> located in Germany with details: Hetzner Online GmbH, AS24940 Hetzner Online GmbH<br><br>The first entry, coming from Oracle&#8217;s own AS, is most likely an automated scanner or health checker run by the infrastructure owner; the second and third, a broadband ISP range and a hosting provider, look like the routine internet probing that every public web server receives. The ASN and location alone do not establish intent, though: before blocking anyone, check what those hosts actually requested (paths, methods, status codes and user agents), because that is what separates a scanner from a legitimate crawler or monitor.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In conclusion, we installed Fluentd on a fleet of machines and found it easy to consolidate their logs into Object Storage. We then analysed those logs end to end from a toolbox like AIDP to surface unusual patterns in the data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Talk soon!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One way to get your logs back into OCI is to use the out of the box Custom Log Monitoring agent. 
The other way is to install Fluentd manually, and that is what we are going to do so we can keep control of the output my way and get it onto Object Storage for &hellip; <a href=\"https:\/\/guillaumesblog.net\/index.php\/analysing-vm-logs-at-scale-with-ai-big-data-toolset-like-aidp\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Analysing VM logs at scale with AI-big data toolset like AIDP&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-569","post","type-post","status-publish","format-standard","hentry","category-conversation"],"_links":{"self":[{"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/posts\/569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/comments?post=569"}],"version-history":[{"count":25,"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/posts\/569\/revisions"}],"predecessor-version":[{"id":600,"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/posts\/569\/revisions\/600"}],"wp:attachment":[{"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/media?parent=569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/categories?post=569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/guillaumesblog.net\/index.php\/wp-json\/wp\/v2\/tags?post=569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}