logging: Add ability to deduplicate log messages

[ekimekim]

Motivating example is to not excessively log the same http 4xx code over and over from the same ip,
as this doesn't add info and bloats our log volume.

This requires some abuse of logrus to work, but we do this via a formatter which can either emit the original message,
or the empty string to log no message (this is harmless). Later, a seperate goroutine will emit a new log
that logs the original log and how many times it occurred.

We always log the first time we see a given message, then start a timer. If we see the message again at least once in that
time frame, we log at the end of the time frame how many times.
Note this means we can say "repeated once", which is a little confusing but preferable to displaying the original message
unchanged but time delayed, which can be very misleading as there's no indication of the time delay.

Fixes https://github.com/weaveworks/service-conf/issues/968

[jml]

Most of my comments are just about linter errors. One bit I'm unsure about.

Rest looks great, thanks.

[leth]

IIRC the motivator for this was the 429 logs coming from cortex.
We've since added the series name to the log
Would each different series log message be throttled separately?
Would that mean that this doesn't help with the 429s?

[ekimekim]

Yes, this would mean each series is still logged, though if the same series were logged more than once per minute it would still help. We could:

• Increase the dedup interval in authfe so that the same series won't be logged again for, say, 10 minutes instead of 1. That's probably a larger latency than I'm comfortable with, however.
• Add some functionality to specify 'fields to ignore' in the dedup, though that massively complicates things and could result in surprising behaviour, and we'd still need to refactor the logs in question to only include the series in the field data and NOT the message, since we really do need to discriminate on the message text.

[ekimekim]

@jml PTAL, and what are your thoughts on #48 (comment)?

[jml]

what are your thoughts on #48 (comment)?

First, that merging this PR as-is is an incremental improvement so we should just do it.

I think @ekimekim's analysis is spot on.

The recent change adds both the series name (e.g. http_request_duration_seconds) and the full metric label set (e.g. http_request_duration_seconds{path="/foo/bar",method="get"}) in the log. The latter was extremely useful in diagnosing the client-side issue and communicating that to the customer, but I only really needed a couple of examples.

I'd be happy to refactor the logging code in Cortex to work with whatever we decide.

I wonder if we can get away with something simpler than a 'fields to ignore' that massively complicates things, e.g.

• a whitelist of fields to respect, rather than a blacklist of things to ignore. Sure, this will cause us to miss some things, but we can iterate as we discover them.
• a convention such that fields beginning with _ get ignored (I like this less, because it's harder to explain for open source projects like Cortex, but maybe it could be a thing)

[jml]

Does that help at all?

[ekimekim]

The latter was extremely useful in diagnosing the client-side issue and communicating that to the customer, but I only really needed a couple of examples.

Sounds like a good use case for a DEBUG level log instead of an INFO, surely?

As an aside, do we have the capability to, say, log at DEBUG at the service but only forward INFO and above to loggly? Then we could still get debug logs with kubectl if needed.

Anyway, merging this.