Ferrum is a sophisticated log management system built in Rust, designed to handle ingestion of logs from OpenTelemetry as well as their storage, querying, and processing using modern data processing techniques. The project consists of two main Rust crates: ferum-ql (a query language parser) and logs (the main log management application).
- Custom query language (see FQL and the HTTP API)
- SQL query support (see HTTP API)
- Replication with WAL and multi-node support (via Raft)
- File compaction (configurable frequency)
- OpenTelemetry logs compatible gRPC server (see OpenTelemetry gRPC server)
- HTTP API for querying data (see HTTP API)
- Object storage support (currently only AWS S3)
The logs system is built around several components:
- Data model. Logs are stored with a rich schema including:
  - Timestamp (nanosecond precision)
  - Log level
  - Message
  - Attributes (as a map)
  - Day partitioning
- Table management
  - Uses Apache Arrow and DataFusion for high-performance data processing
  - Implements compaction and periodic file management
  - Enables efficient querying and storage of log data using Parquet
- Filesystems
  - Local
  - S3
Located in the ferum-ql crate, this is a custom query language parser built with LALRPOP. It allows users to:
- Filter logs by level, message, and custom attributes
- Apply operations like equality, inequality, and regex matching
- Perform functions like counting and JSON transformation (message field)
Example query syntax:
{level="Error", message~="connection.*", myattribute="something"} | count
This query would:
- Filter logs with Error level
- Match messages against the regex pattern connection.*
- Keep only logs whose myattribute attribute equals "something"
- Count the results
- Strongly typed parsing
- Supports multiple filter operations
- Flexible attribute filtering
- Function extensions (count, JSON conversion for message fields)
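The query shape described above, as an added example that is not code from the ferum-ql crate (which uses LALRPOP): a small hand-written parser that reads values by their quotes and rejects anything left over after the selector or function. The `!=` spelling for inequality, the allowed name characters, and all type and function names here are assumptions.

```rust
// Added example: hand-written parser for the FQL shape shown in this README.
// Assumptions (not from the project): `!=` spells inequality, values are
// double-quoted without escapes, and at least one filter is required.
#[derive(Debug, PartialEq)]
pub enum Op { Eq, NotEq, Regex }

#[derive(Debug, PartialEq)]
pub struct Filter { pub key: String, pub op: Op, pub value: String }

#[derive(Debug, PartialEq)]
pub struct Query { pub filters: Vec<Filter>, pub function: Option<String> }

pub fn parse_fql(input: &str) -> Result<Query, String> {
    let mut rest = input.trim().strip_prefix('{').ok_or("expected '{'")?.trim_start();
    let mut filters = Vec::new();
    loop {
        // Attribute name: identifier characters up to the operator.
        let end = rest
            .find(|c: char| !(c.is_alphanumeric() || c == '_' || c == '.'))
            .ok_or("unterminated selector")?;
        if end == 0 { return Err(format!("expected attribute name at {:?}", rest)); }
        let key = &rest[..end];
        rest = rest[end..].trim_start();
        let (op, len) = if rest.starts_with("~=") { (Op::Regex, 2) }
            else if rest.starts_with("!=") { (Op::NotEq, 2) }
            else if rest.starts_with('=') { (Op::Eq, 1) }
            else { return Err(format!("unknown operator after {:?}", key)); };
        // Scan the value by its quotes so ',' or '}' inside a regex is not a delimiter.
        rest = rest[len..].trim_start().strip_prefix('"').ok_or("value must be double-quoted")?;
        let q = rest.find('"').ok_or("unterminated string")?;
        filters.push(Filter { key: key.to_string(), op, value: rest[..q].to_string() });
        rest = rest[q + 1..].trim_start();
        if let Some(r) = rest.strip_prefix(',') { rest = r.trim_start(); continue; }
        rest = rest.strip_prefix('}').ok_or("expected ',' or '}'")?.trim();
        break;
    }
    // Optional pipeline stage; anything else after '}' is rejected, not ignored.
    let function = match rest.strip_prefix('|').map(str::trim) {
        Some(f) if !f.is_empty() && f.chars().all(|c| c.is_alphanumeric() || c == '_') => Some(f.to_string()),
        Some(f) => return Err(format!("invalid function {:?}", f)),
        None if rest.is_empty() => None,
        None => return Err(format!("trailing input: {:?}", rest)),
    };
    Ok(Query { filters, function })
}

fn main() {
    let q = r#"{level="Error", message~="connection.*", myattribute="something"} | count"#;
    println!("{:?}", parse_fql(q));
}
```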
The application provides three server interfaces:
- Implements the OpenTelemetry LogsService
- Receives log entries from distributed systems
- Transforms incoming logs into the internal data model
- High-performance log ingestion
Handles replication and internode communication
External API for querying data with the following endpoints:
- /query/fql: Ferum Query Language endpoint
- /query/sql: Direct SQL querying
- /query/attributes: Query attribute keys based on FQL query
- /query/attributes/{attribute}/values: Query attribute values for a specific attribute
The system supports flexible configuration via YAML:
- Data directory configuration
- Log table settings (e.g., compaction frequency)
- Server port configurations
- Replication settings
See example config for details.
- Uses jemallocator for memory management
- Leverages Apache Arrow for columnar data processing
- Implements zero-copy data transformations
- Supports parallel processing
- Supports graceful shutdown
- Configurable log levels
- Environment-aware configuration loading
- Handles system signals (SIGTERM, CTRL+C)
- S3 storage backend
- Improve compaction strategy for better disk usage
- Docker support
- Distributed queries on multi-node setups
- Refactor into multiple crates for better benchmarking and testing
- Add functions to FQL (sum, rate etc.)
- Kubernetes operator
- Data retention policies and TTLs
- Query caching for improved performance